A flurry of “zero-day” attacks around the world this year could have a common origin in the “Elderwood” attack platform, says a new report by security company Symantec. The platform is a “consumer-friendly” package that enables non-technical attackers to use zero-day exploits against their targets without requiring the advanced skills usually associated with hackers.
A zero-day attack exploits a vulnerability in an application, or an application release so new, that the flaw has not yet been patched, or even discovered, by the software maker or the broader IT community.
While Elderwood has been known for a number of years, 2014 has been especially active, Symantec says. “Within just one month at the start of 2014, the Elderwood platform was used to exploit three zero-day vulnerabilities, proving that this exploit set is still a formidable threat,” the company says.
Symantec says its latest research suggests that instead of a single group, several groups may be using Elderwood. “The evidence suggests that either one distributor is responsible for selling the platform or one major organization developed the exploit set for its in-house attack teams. Either scenario could shed light on how some of the biggest attack groups in action today get such early access to zero-day exploits.”
Symantec offers two scenarios. In the first, a single parent group oversees a number of subgroups, each of which is responsible for attacking a particular industry, such as defence, IT and human rights, which have been heavily targeted. In an eerily corporate-sounding model, the parent organization collects and distributes zero-day exploits to the subgroups.
The second model also postulates the existence of a central group, but in this case it’s a distributor or supplier selling exploits to a number of different, unconnected groups, each with its own agenda.
“Based on our evidence… it seems likely that someone is supplying various Internet Explorer and Adobe Flash zero-day exploits to an intermediate organization or directly to the various groups,” Symantec says. “This alone is a sign of the level of resources available to these attackers.”
Any way you slice it, it seems that organizations using the Elderwood platform are more sophisticated than your average attacker. Deep pockets would be required to purchase exploits from a central distributor. And if the exploits are developed in-house instead, that suggests a high level of technical skill. “These employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves,” Symantec says.
Symantec (Nasdaq: SYMC) has observed a repeated pattern where attack groups use Internet Explorer and Flash zero-day exploits to deliver the same malware families. And the attacks share some common implementation characteristics.
“This evidence indicates that there is a greater level of communication between attack groups than if the exploits were simply being reverse-engineered,” Symantec says. “Whether Elderwood’s creator is a third-party supplier or a major organization equipping its own teams, the various groups using ‘Elderwood’ zero-day exploits are well resourced and motivated. They present a serious threat to potential targets.”