
The Elderwood Project

The Elderwood Project. Brian Bowlby, CompNet. Review of material on the Symantec website (www.symantec.com): http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf


The Elderwood Project



Presentation Transcript


  1. The Elderwood Project. Brian Bowlby, CompNet

  2. Review of material on the Symantec website (www.symantec.com):
     http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
     http://www.symantec.com/connect/blogs/how-elderwood-platform-fueling-2014-s-zero-day-attacks

  3. What is the Elderwood Project (also called the Elderwood Platform)?
     • A set of zero-day exploits that have been engineered and packaged in a “consumer-friendly” way to allow non-technical people to easily attack their targets
     • The name Elderwood comes from a source code variable used by the attackers

  4. What are zero-day exploits?
     • Exploits that exist in the initial release of a software package
     • Often unknown to the programmer(s)
     • May be known, but too expensive or time consuming to correct
     • Generally, serious vulnerabilities are rare (8 identified in 2011)

  5. Which zero-day exploits are included?
     • Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
     • Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)
     • Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
     • Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)

  6. Newer packages include exploits of these vulnerabilities
     • Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
     • Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324)
     • Adobe Flash Player and AIR Remote Code Execution Vulnerability (CVE-2014-0502)

  7. How are these vulnerabilities exploited? Two methods for propagating their payload
     • Spear-phishing: attach an infected document to an email message
     • Watering hole attack: visitors of a web site are infected

  8. A third possibility – a combination of the above
     • Send the target user an email with a link to an infected website
     • The link can be unique for that user

  9. Who is Behind Elderwood?
     • High degree of technical sophistication – able to exploit many different vulnerabilities
     • Once packaged, less technical groups can mount actual attacks – perhaps a different group for each target
     • Attacks are targeted – no mass email campaigns
     • Attackers are patient – may lie in wait for several months before adding malicious code

  10. Components of Elderwood

  11. Targets
     • Defense – companies that manufacture components for top-tier defense contractors
     • NGOs and human rights groups (Amnesty International)
     • Finance, Energy, Education and Government

  12. Recent Timeline of Elderwood Attacks

  13. Groups using the Elderwood Platform

  14. Takeaway Lessons
     • Apply the latest patches/updates to your software
     • Don’t open attachments unless you’re sure of the source
     • Be careful when clicking on links in email messages
     • Check that the link's actual URL matches the one “printed” in the message (slide example: http://fake.name.com)

  15. Thanks / Questions?
