On Tuesday September 17, 2013, Symantec’s Security Response organization published a whitepaper on Hidden Lynx, a Chinese APT group of professional hackers with advanced capabilities. Evidence suggests that Hidden Lynx is a Chinese state-sponsored hacker group with affiliations to “Operation Aurora”. This group was responsible for the compromise of security firm Bit9’s digital code-signing certificate, which was used to sign 32 pieces of malware. They have been involved in a number of operations over the last four years.
The group offers a “hackers for hire” operation that is tasked with retrieving information from a wide range of corporate and government targets. They are a highly efficient team who can undertake multiple campaigns at once, breach some of the world’s best-protected organizations, and can quickly change their tactics to achieve their goal.
They usually attack using multiple customized Trojans designed for specific purposes. Backdoor.Moudoor is used for larger campaigns and has seen widespread distribution, while Trojan.Naid is reserved for special operations against high value targets. The group uses cutting-edge attack techniques, which make this team stand out from other major attack groups. Symantec has been actively tracking this group since as early as 2009.
The Hidden Lynx group has been in operation since at least 2009 and appears to be a professional organization that offers a “hackers for hire” type service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals. The members of this group are experts at breaching systems.
Their method for exploitation and pay-to-order targeted attacks involves a two-pronged strategy, using two Trojans designed for each purpose:
- Team Moudoor distributes Backdoor.Moudoor, a customized version of “Gh0st RAT”, for large-scale campaigns across several industries. The distribution of Moudoor requires a sizeable number of people to both breach targets and retrieve the information from the compromised networks.
- Team Naid distributes Trojan.Naid, the Trojan found during the Bit9 incident, which appears to be reserved for more limited attacks against high value targets. This Trojan was leveraged for a special operation during the VOHO campaign and is probably used by a specific team of highly skilled attackers within the group. This Trojan was also found as part of “Operation Aurora” in 2009.
Much of the attack infrastructure and tools used during these campaigns originate from China. The group makes use of regular zero-day exploits. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew (also known as APT1). The Hidden Lynx group is an advanced persistent threat that has been in operation for at least four years and is breaking into some of the best-protected organizations in the world. With a zero-day attack already under their belt in 2013, they continue to operate at the leading edge of targeted attacks.
Since November 2011, hundreds of organizations worldwide have been targeted by the Hidden Lynx group.
[Figure: Top 10 organizations targeted by the Hidden Lynx group since November 2011]
[Figure: Countries/Regions targeted by the Hidden Lynx group since November 2011]
This broad range of targeted information would indicate that the attackers are part of a professional organization. They are likely tasked with obtaining very specific information that could be used to gain competitive advantages at both a corporate and nation state level.
The financial services sector has been identified as the most heavily targeted industry overall. There is a tendency to target specific companies within this sector. Investment banks and asset management agencies account for the majority of organizations targeted within this industry.
Attacks against Government Contractors
This group has repeatedly attempted to infiltrate government networks at every level, from local to national. Attacks against government contractors and, more specifically, the defense industry indicate that the group is in pursuit of confidential information and suggest that the group has been working for nation states.
WHAT ARE THEY CAPABLE OF?
The Hidden Lynx group’s advanced capabilities are clearly demonstrated in three major campaigns. In the VOHO campaign, they showed how they could subvert Bit9’s established trust models. In the FINSHO campaign, they managed to gain advance knowledge of a zero-day exploit, and in the SCADEF operation, they undertook supply chain attacks to succeed in their campaign.
Despite the exposure of the Hidden Lynx Chinese APT Hacker group, Symantec believes they will continue their activities. Symantec will continue to monitor activities and provide protection against these attacks. We advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups like Hidden Lynx.
SOC DETECTION CAPABILITIES:
For customers with MSS IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.
For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring for these vulnerabilities once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.
COMPONENTS AND DETECTION
- Backdoor.Moudoor – MSS Detection
  - [MSS URL Detection] Backdoor.Moudoor Command and Control Communications
- Backdoor.Moudoor – Vendor Detection
  - Symantec SEP/AV - Backdoor.Moudoor
- Trojan.Naid – MSS Detection
  - [MSS URL Detection] Possible Trojan.Naid HTTP Request (Vector: CVE-2013-1493)
  - [MSS URL Detection] Trojan.Naid Malware Callbacks
- Trojan.Naid – Vendor Detection
  - Symantec SEP/AV - Trojan.Naid
- Trojan.Hydraq – MSS Detection
  - MSS Hot IP Detection - Possible Trojan.Hydraq Traffic
  - MSS Hot IP Detection - Trojan.Hydraq C&C Server
  - MSS Hot IP Detection - Trojan.Hydraq Data Exfiltration Site
  - MSS Hot IP Detection - Trojan.Hydraq Traffic
- Trojan.Hydraq – Vendor Detection
  - SSIM - Possible Hydraq Activity
  - Symantec SEP/AV - Trojan.Hydraq
  - Snort/SourceFire - Trojan.Hydraq - Beaconing activity
- Trojan.Hikit – MSS Detection
  - [MSS URL Detection] Backdoor.Hikit Command and Control Communications
- Trojan.Hikit – Vendor Detection
  - Symantec SEP/AV - Trojan.Ascesso
- Backdoor.Vasport – MSS Detection
  - [MSS URL Detection] Backdoor.Vasport Command and Control Communications
- Backdoor.Vasport – Vendor Detection
  - Symantec SEP/AV - Backdoor.Vasport
- Backdoor.Boda – MSS Detection
  - [MSS URL Detection] Possible Backdoor.Boda (“LadyBoyle”) Request to Command and Control
- Backdoor.Boda – Vendor Detection
  - Snort/SourceFire - ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign
- Symantec Endpoint Protection (SEP) IPS Signatures:
  - Web Attack: Oracle Java Rhino Script Engine CVE-2011-3544 3 detected
  - Web Attack: Oracle Java Rhino Script Engine CVE-2011-3544 attack blocked
  - Web Attack: MSIE Same ID Property CVE-2012-1875 attack blocked
  - Web Attack: MSIE MSXML CVE-2012-1889 2 attack blocked
  - Web Attack: MSIE MSXML CVE-2012-1889 3 detected
  - Web Attack: MSIE MSXML CVE-2012-1889 detected
  - Web Attack: Java CVE-2012-1723 RCE 2 detected
  - Web Attack: Java CVE-2012-1723 RCE attack blocked
  - Web Attack: Oracle Java SE CVE-2012-1723 Remote Code Execution Vulnerability 3 attack blocked
  - Web Attack: Oracle Java Type Confusion Attack CVE-2012-1723 4 detected
  - Web Attack: Java CVE-2013-1493 RCE 2 attack blocked
  - Web Attack: Java CVE-2013-1493 RCE attack blocked
- McAfee AV: Viral Signatures:
MITIGATION STRATEGIES AND RECOMMENDATIONS:
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including Enterprise-Wide security monitoring from Edge to Endpoint.
- For technologies not monitored/managed by MSS, ensure all signatures are up to date, including endpoint technologies.
- Ensure all operating systems and public facing machines have the latest security patches, and antivirus software and definitions up to date.
- Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
- Ensure staff is educated on Social Engineering and Phishing techniques.
WHAT TO EXPECT FROM MSS:
Symantec MSS SOC security analysts will continue to diligently monitor, analyse, and validate any events indicative of Hidden Lynx activity:
- Possible or suspected activity may be reported at a lower severity
- MSS will continue to perform ongoing refinement of detection
- MSS will continue to reach out to clients that may have had historical indicators of compromise unveiled due to new data
We thank you again for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.
Global Client Services Team
Symantec Managed Security Services