Menu
Hacker group that hit Twitter, Facebook, Apple and Microsoft intensifies attacks

Hacker group that hit Twitter, Facebook, Apple and Microsoft intensifies attacks

The group has been stealing confidential information from large companies worldwide for the past three years

The hackers that targeted Twitter, Facebook, Apple and Microsoft developers two years ago have escalated their economic espionage efforts as they seek confidential business information and intellectual property they can profit from.

The group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.

After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity. However, its attacks resumed in 2014 and have since intensified, according to separate reports released Wednesday by Kaspersky Lab and Symantec.

Symantec has identified 49 different organizations in over 20 countries that have fallen victim to the Morpho group since 2012. The majority of them were from the technology, pharmaceutical, commodities and legal sectors and were based in the U.S., Canada or Europe.

Kaspersky identified additional companies compromised by the group that are involved in Bitcoin cryptocurrency, investments, healthcare, real estate, merger and acquisition deals, as well as individual users.

The absence of government or diplomatic corps victims and other details led researchers from the two security vendors to the conclusion that the Morpho group is most likely not sponsored by a nation state. Instead, it's probably a highly sophisticated cybercrime gang that knows how to exploit the business information it obtains for financial gain, for example by selling it to the highest bidder or by profiting from it on the financial markets.

The group has used at least two zero-day exploits so far, one for Flash Player and one for Java, and also had access to a digital certificate stolen from Taiwanese electronics manufacturer Acer that it used to sign its malware programs. This suggests that the attackers have access to high-value intrusion tools and techniques.

When it targeted developers from technology and Internet companies in 2013 the group launched its attack from a compromised iOS development forum using a Java zero-day exploit. This technique of compromising a website that's visited by multiple intended targets is called a watering hole attack.

That same year the Morpho group used the same method with multiple discussion forums, including expatforum.com, forum.samdroid.net, emiratesmac,com, mygsmindia.com, and a Jihadist discussion board that's now closed, researchers from Kaspersky said in a blog post. The attack vector for the 2014 and 2015 attacks is not yet known, but there are clear indications that a Web-based exploit kit with a zero-day Flash Player exploit was used, they said.

If successful, these Web-based exploits install a custom computer backdoor developed by the group that has versions for Windows and Mac OS X. The attackers then use additional custom hacking tools to move laterally through the network and compromise additional computers, servers and other devices.

According to Symantec's researchers, the Morpho attackers often target regional offices of their intended victims and then move through their internal networks to access their additional locations and headquarters.

The attackers appear to be well informed about the companies they attack and the information they're searching for.

"In many attacks, the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and, possibly use them to send counterfeit emails," the Symantec researchers said in a blog post. "The group has also attacked enterprise content management systems, which would often be home to legal and policy documents, financial records, product descriptions and training documents."

In one case, the attackers compromised a Physical Security Information Management (PSIM) system, gaining access to door locks and CCTV camera feeds.

It's not clear where the group is based. According to Symantec, some, if not all of the group's members are fluent in English, which is evident from the malware's code. However, Kaspersky also found one string in Romanian and one in Russian in the command-and-control procedures.

Peaks of activity were observed on the malware's command-and-control servers that correspond with U.S. typical working hours. This could mean that some attackers are based in the U.S., but could also be because the majority of victims are from the U.S. and Canada, forcing attackers to work during that time interval.

"Morpho is a disciplined, technically capable group with a high level of operational security," the Symantec researchers said. "Having managed to increase its level of activity over the past three years whilst maintaining a low profile, the group poses a threat that ought to be taken seriously by corporations."


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Microsoftsecuritydata breachtwitterExploits / vulnerabilitiesmalwarekaspersky labFacebookAppleintrusionsymantec

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments