Lessons to be learnt from the Anthem attack

July 30, 2015

MUMBAI, INDIA: In February 2015, a cyber espionage group targeted Anthem, the second-largest health insurance provider in the US.

Confirming the breach, Joseph Swedish, President and CEO of Anthem, said in a statement posted on the company website that Anthem was the target of a very sophisticated external cyber-attack.

The hackers gained access to Anthem’s computer system and stole information on 80 million customers, including names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information such as income data, Swedish said.

A new cyber espionage group, which Symantec calls Black Vine, is targeting enterprises with malware infections. In the last three years it has targeted two percent of Indian organizations, making India the sixth most impacted country globally.

The malware may have gone unnoticed had the Anthem breach not come to light in February 2015.

Symantec believes the breach to be the work of a well-resourced cyber espionage group, which Symantec calls Black Vine.

Anthem wasn’t Black Vine’s only target. Symantec says that Black Vine operations have been occurring since 2012. Its targets include gas turbine manufacturers, large aerospace and aviation companies, healthcare providers, and more.

How Black Vine works
The group has access to zero-day exploits, most likely obtained through the Elderwood framework, and uses custom-developed back door malware.

In its campaigns, Black Vine compromised legitimate websites that were of interest to its targets in order to serve exploits to the sites’ visitors. If a zero-day exploit worked against vulnerable software on the victim’s computer, it dropped Black Vine’s custom malware, giving the attackers remote access to the computer. In addition to these watering-hole attacks, Black Vine also sent spear-phishing emails that disguised its threats with technology-themed lures.

[Infographic: Black Vine India]

The impact:
Symantec observed Black Vine using three types of custom malware throughout its campaigns: Hurix and Sakurel (both detected as Trojan.Sakurel), and Mivast (detected as Backdoor.Mivast).

All three threats can perform the following actions:
• Open a back door
• Execute files and commands
• Delete, modify, and create registry keys
• Gather information from the infected computer
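The four capabilities above are what a defender can look for on an endpoint. The following is an added illustration, not code from the article or from Symantec: it runs a few simple detection rules over constructed Sysmon-style events (process creation, registry value set, network connection) and maps each hit back to one of those capabilities. The JSON schema, the autorun registry locations, the "user-writable path" heuristic and the discovery-command list are assumptions made for the example; none of them are Black Vine indicators from the page.

```python
"""Map Sysmon-style endpoint events to the back-door capability list above.

All events below are constructed for this example; the field names follow a
simplified Sysmon schema (EventID 1 = process create, 13 = registry value set,
3 = network connect) and are an assumption, not Black Vine telemetry.
"""
import json

# Constructed sample telemetry: one suspicious chain dropped from a browser,
# plus benign installer and browser activity that must not fire.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ParentImage": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "CommandLine": "update.exe /s"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "CommandLine": "cmd.exe /c systeminfo > %TEMP%\\si.txt"}
{"EventID": 1, "Image": "C:\\Program Files\\Vendor\\setup.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "setup.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\Software\\Vendor\\Version", "Details": "1.2"}
{"EventID": 3, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443}
"""

# Heuristic lists (assumptions for the example, tune to your environment).
BROWSER_OR_OFFICE_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe",
                             "winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
AUTORUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\", "\\winlogon\\")
DISCOVERY_COMMANDS = ("systeminfo", "whoami", "ipconfig", "tasklist", "netstat", "net user", "net group")


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    """True when the binary lives somewhere an unprivileged user can write."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def evaluate(event):
    """Return the capability a single event indicates, or None."""
    eid = event.get("EventID")
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "").lower()
    # Delivery: a browser/Office parent starting a binary from a user-writable path
    # is what a successful watering-hole or spear-phishing drop looks like.
    if eid == 1 and basename(parent) in BROWSER_OR_OFFICE_PARENTS and in_user_writable(image):
        return "dropper"
    # "Execute files and commands" / "gather information": discovery tooling run
    # by a process that itself lives in a user-writable path.
    if eid == 1 and in_user_writable(parent) and any(c in cmd for c in DISCOVERY_COMMANDS):
        return "discovery"
    # "Create/modify registry keys": writes to autorun locations are persistence.
    if eid == 13 and any(m in event.get("TargetObject", "").lower() for m in AUTORUN_KEY_MARKERS):
        return "persistence"
    # "Open a back door": outbound traffic from a binary in a user-writable path.
    if eid == 3 and in_user_writable(image):
        return "beacon"
    return None


def detect(jsonl):
    """Run the rules over JSON-lines telemetry and return one finding per hit."""
    findings = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        rule = evaluate(event)
        if rule is not None:
            findings.append({"rule": rule, "event_id": event["EventID"], "image": event["Image"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Each rule on its own is noisy (installers write Run keys, updaters beacon from AppData); the value comes from chaining them on one process, as the first four sample events do, which is the pattern the capability list above describes.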

Symantec analysis suggests that Black Vine is well resourced, as the group is capable of frequently updating and modifying its malware to avoid detection.

The Elderwood connection:
During analysis, Symantec noticed that Black Vine used certain zero-day exploits at the same time as other attack groups, including groups whose campaigns Symantec had previously investigated, such as Hidden Lynx.

While these campaigns included the same zero-day exploits, they delivered different payloads unique to each attack group. The fact that these different adversaries simultaneously used the same exploits suggests that they all have access to a common zero-day exploit distribution framework.

Symantec first researched the Elderwood platform in 2012 and observed how it has been continuously updated with the latest zero-day exploits ever since.

All of the campaigns that leveraged Elderwood’s zero-day exploits have been attributed to attackers based in China. Other reports also suggest that some of the actors involved in Black Vine’s activity may have had connections with a Beijing-based IT security firm called Topsec, Symantec alleges.

Black Vine’s targets are spread across several regions, based on the IP address locations of the compromised computers. The vast majority of infections affected companies in the US, followed by China, Canada, Italy, Denmark, and India.

Black Vine’s attacks to date delivered exploits for the following zero-day vulnerabilities, primarily through watering-hole attacks:
• Microsoft Internet Explorer ‘CDwnBindInfo’ Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792)
• Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)

Black Vine has compromised companies in aerospace, healthcare, energy (gas & electric turbine manufacturing), military and defense, finance, agriculture and technology verticals.

Black Vine is a formidable, highly resourced attack group equipped to conduct cyber espionage against targeted organizations. Based on its records of the group’s past campaigns, Symantec believes that Black Vine’s malicious activity will continue.
