Wednesday, December 10, 2014

TURLA components for Linux discovered

People from Kaspersky discovered two Turla components designed for Linux.
For people who don't know Turla, a short introduction:   

Turla is a so called APT [= advanced persistent threat].  APT was the buzzword of the security industry this year.  

APT's are cyberattacks in which an attacker gains unauthorized network access and wants to stay undetected for obvious reasons (data theft, sabotage, spying).  Some of these APTs are targeted towards a specific target (e.g. Proximus, some government agency, ...). This is obviously pretty worrisome.

Turla was primarily targeted at the governments and embassies of a number of former Eastern Bloc countries but was found on computers in more than 45 countries. The attacks are probably still ongoing as we speak. 

During a browser session of a user,  the attackers could use a backdoor to do almost everything with the infected computer (eg. copy sensitive files,  install other malware, ...).  The communication was masked as web requests from the browser. Turla remained undetected for almost 4 years and is considered state-sponsored.   Several clues point to Russia.

The way victims were infected is also peculiar: they used two strategies to infect the victim with another malware Trojan.Wipbot:

  • spear phishing emails:  the attacker forges mails.  They appear to come from what the victim considers a trusted source (someone in the company, a trusted partner, ...)
  • a watering hole attack :  the attacker infects a website which the victim is known to visit, via a zero day exploit in Java, Flash  or Internet Explorer, the malware is delivered to the victim. The malware was only delivered to certain IP ranges, once again to avoid unnecessary detection.  According to Symantec,  least 84 (!!) legitimate websites (including government websites) were serving this exploit in 2012.   

Probably Wipbot had to verify if the machine was a possible target.  It then was used to download Turla.  You can read more in-depth info here.  Turla itself had a plug-in mechanism to install extra's when necessary. 

This almost reads like a thriller, don't you think?

Now Kaspersky discovered Linux users are also targeted.  The exploits they use are not known at the moment.  Obvoiusly no root privileges are necessary to transfer your files to Moscow.  

APTs are detected e.g. by analysing all traffic using big data techniques to find patterns or by sandboxing suspicious traffic.   Sandboxing [=first checking this possible threat in a secure container ] can be tricky as some malware has sandbox detecting algorithms.   
  
To use zero day exploits in your "projects" isn't that hard, companies like Vupen sell these.  

More reading about this Linux threat:
http://arstechnica.com/security/2014/12/powerful-highly-stealthy-linux-trojan-may-have-infected-victims-for-years/

No comments:

Post a Comment