FireEye Labs Releases Threat Intelligence Highlights for Q3 2013

APT Attacks Continue as Nation-State Threat Actors Launch Targeted Attacks For Economic and Political Gain

FireEye Labs, the threat research and analysis group of FireEye, (NASDAQ: FEYE), today announced a summary of key findings in the global threat landscape for the third quarter of 2013. FireEye Labs provides proactive threat intelligence reports and continuous monitoring through the Oculus service, the industry’s first global, real-time continuous protection platform.

“Today's cyber threat landscape is rapidly evolving. Nation-state military operations and other highly motivated adversaries are launching well-funded, extremely sophisticated, and highly targeted attack campaigns,” said Zheng Bu, senior director of FireEye Labs. “We’re seeing more attacks targeting specific industries or geographic regions, such as the Deputy Dog attack on Japanese targets.” 

“Economically motivated attacks are also on the rise, often repurposing tools and techniques originally developed by nation-states for politically motivated attacks,” added Bahman Mahbod, senior vice president of engineering at FireEye. “This ‘re-sale’ of advanced malware means that garden variety cybercriminals can launch broad attacks on businesses that are undetectable by signature-based security solutions. Finally, we are detecting vulnerabilities in widely downloaded mobile applications that could be used to access corporate networks. We believe more mobile threats like this will be discovered in the near future.”

Recent Findings from FireEye Labs

Leveraging visibility into the global threat environment and advanced forensics capabilities, FireEye Labs:

  • Presented an in-depth, technical analysis of common evasion tactics used by advanced malware to thwart detection by file-based sandbox solutions at the annual Black Hat USA conference. The FireEye® Threat Prevention Platform, with the purpose-built FireEye Multi-Vector Virtual Execution™ (MVX) engine at the core, is designed to be resistant to evasion techniques.
  • Uncovered a coordinated effort by the Chinese to steal American drone technology. The hacking operation, originally known as Operation Beebus, was conducted by a group known as the “Comment Crew,” and is one of the most recent signs of the ambitions of China’s drone development program.
  • Published a report describing the unique international and local characteristics of cyber attack campaigns waged by governments worldwide. Titled “World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks,” the report also discusses future changes to the cyber security landscape, including the emergence of new nation-state actors.
  • Outlined new attacks using Poison Ivy, the malware remote access tool (RAT) that was used in the 2011 RSA SecurID compromise. Requiring little technical savvy, RATs are particularly dangerous in that they offer unfettered access to compromised machines. Additionally, they are often delivered as a key component of coordinated attacks that use previously unknown (zero-day) software flaws and clever social engineering. Leveraging open source security tools, FireEye also released Calamine, a free toolset to help organizations detect and monitor Poison Ivy infections.
  • Discovered a campaign that leveraged the new zero-day exploit CVE-2013-383 that was announced by Microsoft in early September. This campaign, labeled ‘Operation Deputy Dog’, began as early as August 19, 2013 and appears to target organizations in Japan. Analysis based on the FireEye Dynamic Threat Intelligence cluster shows that the campaign leveraged a command and control infrastructure similar to the infrastructure used in an attack on Bit9.
  • Detailed new activity by the attackers behind the December 2012 breach of the New York Times’ computer network. The attackers were identified by FireEye technology alliance partner Mandiant as members of a massive spying operation in China. In activity detected in early August, the attackers appeared to be mounting fresh assaults that leveraged new and improved versions of their malware.
  • Revealed a class of mobile threats in a popular ad library included in multiple Android™ apps that have been downloaded more than 200 million times. This ad library is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. It also contains various vulnerabilities that enable attackers to turn its aggressive behaviors against users. Since discovery, several of the apps have been removed from Google’s app stores, and others have updated the ad library to the latest version, which fixes many of the security issues.

More information on the evolving threat environment is available on the FireEye blog at http://www.fireeye.com/blog/.

About FireEye Labs

FireEye Labs is the threat research and analysis division of FireEye, Inc. This team of more than 40 security experts continuously monitors and analyzes threats detected by more than 1 million virtual machines deployed by more than 1,300 customers. The resulting threat intelligence is anonymized and distributed throughout the FireEye customer community via the FireEye Dynamic Threat Intelligence™ (DTI) cloud to provide rapid protection from emerging attacks. FireEye Labs also researches newly discovered vulnerabilities and emerging zero-day attacks and delivers early warning alerts to customers in targeted industries through the Oculus service.

About FireEye, Inc.

The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 1,300 customers across more than 40 countries, including over 100 of the Fortune 500.

Media Contact

Bill Bode

Highwire PR

FireEye@highwirepr.com

415-963-4174 x49

# # # 

© 2013 FireEye, Inc. All rights reserved. FireEye, FireEye Multi-Vector Virtual Execution, and FireEye Dynamic Threat Intelligence are registered trademarks or trademarks of FireEye, Inc. in the United States and other countries. Android is a trademark of Google Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.