The Elderwood Project

Review of material on the Symantec website (www.symantec.com): http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf (PowerPoint presentation by Brian Bowlby, CompNet)


Page 1: The Elderwood Project

Brian Bowlby, CompNet

Page 3: The Elderwood Project

What is the Elderwood Project (also called the Elderwood Platform)?

A set of zero-day exploits that have been engineered and packaged in a “consumer-friendly” way, so that people with little technical skill can use them against their targets.

The name Elderwood comes from a variable name found in the attackers’ exploit source code.

Page 4: The Elderwood Project

What are zero-day exploits?

Exploits for vulnerabilities that the software vendor does not yet know about, or has not yet patched, at the time the exploit is used (the vendor has had “zero days” to fix the flaw)

Often unknown to the programmer(s) until the exploit is found in the wild

May be known to the vendor, but not yet fixed because a fix is judged too expensive or time consuming

Generally, zero-day vulnerabilities are rare (Symantec identified 8 in 2011)

Page 5: The Elderwood Project

Which zero-day exploits are included?

• Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)

• Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)

• Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)

• Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)

Page 6: The Elderwood Project

Later versions of the platform added exploits for these vulnerabilities:

• Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)

• Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324)

• Adobe Flash Player and AIR Remote Code Execution Vulnerability (CVE-2014-0502)

Page 7: The Elderwood Project

How are these vulnerabilities exploited?

Two methods for delivering the exploit and its payload

– Spear-phishing

Send the target an email with a malicious document attached; opening the document triggers the exploit

– Watering hole attack

Compromise a legitimate web site the targets are known to visit and plant the exploit there, so that visitors to the site are infected

Page 8: The Elderwood Project
Page 9: The Elderwood Project

A third possibility – a combination of the above

Send the target user an email with a link to a compromised or attacker-controlled web site that hosts the exploit

The link can be made unique for that user, which lets the attackers tell which recipient followed it

Page 10: The Elderwood Project

Who is behind Elderwood?

High degree of technical sophistication – able to find and exploit many different vulnerabilities

Once packaged, less technical groups can mount the actual attacks – perhaps a different group for each target

Attacks are targeted – no mass email campaigns

Attackers are patient – may compromise a web site and lie in wait for several months before adding the malicious code

Page 11: The Elderwood Project

Components of Elderwood

Page 12: The Elderwood Project

Targets

Defense – companies that manufacture components for top-tier defense contractors (the supply chain, rather than the contractors themselves)

NGOs and human rights groups (e.g. Amnesty International)

Finance, Energy, Education and Government

Page 13: The Elderwood Project
Page 14: The Elderwood Project

Recent Timeline of Elderwood Attacks

Page 15: The Elderwood Project

Groups using the Elderwood Platform

Page 16: The Elderwood Project

Takeaway Lessons

Apply the latest patches/updates to your software (a vulnerability stops being a zero-day once its patch is installed; patching cannot help during the window before a fix exists, which is why the remaining habits matter)

Don’t open attachments unless you’re sure of the source

Be careful when clicking on links in email messages

Check that the URL a link actually points to matches the “printed” one shown in the message text; text that reads http://fake.name.com may lead somewhere else entirely
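The last point, the visible link text versus the real destination, is the one that can be checked mechanically. As an added example that is not part of the original presentation or of Symantec’s material, the following JavaScript extracts the anchors from an HTML email body and flags any link whose visible text is itself a URL naming a different host than the href the browser would actually follow (including the lookalike-subdomain trick, where the real host merely starts with the expected name). The email body and its links are constructed for this example; the function names (extractLinks, hostOf, findMismatchedLinks) are this example’s own.

```javascript
// Added example (not from the original presentation): flag email links whose
// visible text shows one URL but whose href points somewhere else.
// The message body below is constructed for this example, not a real message.

const SAMPLE_EMAIL_HTML = `
<p>Please review the report at
<a href="http://fake.name.com/login">http://www.symantec.com/security_response/</a>
or visit our site at <a href="https://www.example.org/">https://www.example.org/</a>.</p>
<p>Unsubscribe: <a href="http://newsletter.example.org/u?id=42">here</a></p>
<p>Mirror: <a href="http://www.symantec.com.fake.name.com/">http://www.symantec.com/</a></p>
`;

// Extract (href, visible text) pairs from anchors with a simple regex.
// Adequate for flat HTML email bodies; production code would use a real HTML parser.
function extractLinks(html) {
  const anchorRe = /<a\s[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    // Strip nested tags and collapse whitespace to get what the reader sees.
    const text = m[2].replace(/<[^>]+>/g, '').replace(/\s+/g, ' ').trim();
    links.push({ href: m[1], text });
  }
  return links;
}

// Hostname of an absolute URL string, or null if the string is not a URL at all.
function hostOf(s) {
  try {
    return new URL(s).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// A link is suspicious when its visible text looks like a URL but names a
// different host than the href the browser will actually follow. Links whose
// text is ordinary words ("here") are not comparable and are skipped.
function findMismatchedLinks(html) {
  const mismatches = [];
  for (const link of extractLinks(html)) {
    const shownHost = hostOf(link.text);
    if (shownHost === null) continue;
    const realHost = hostOf(link.href);
    if (realHost !== shownHost) {
      mismatches.push({ shown: link.text, actual: link.href });
    }
  }
  return mismatches;
}

const warnings = findMismatchedLinks(SAMPLE_EMAIL_HTML);
for (const w of warnings) {
  console.log(`WARNING: link text shows ${w.shown} but points to ${w.actual}`);
}
```

Comparing hostnames rather than whole strings avoids false alarms on tracking parameters or path differences, while still catching the two cases that matter here: a completely different host, and a host that merely begins with the expected name (www.symantec.com.fake.name.com is a subdomain of fake.name.com, not of symantec.com).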

Page 17: The Elderwood Project

Thanks / Questions?