SAN DIEGO, CALIFORNIA: Websense security researchers have uncovered new evidence of ongoing, advanced cyber-attacks targeting technology and financial services companies in the Asia-Pacific region.
The recent revelation of a new Internet Explorer 0-day (CVE-2013-3893) focused on attacks against select Japanese companies. New research by the Websense Security Labs reveals several new discoveries, including:
* In the last few days, Websense has intercepted new targeted attacks on Japanese financial firms, using the IE exploit.
* A command and control server (C&C) used in these zero-day attacks has now been documented as part of an attack against a Taiwanese technology company as early as July 1, 2013, predating the first acknowledged IE zero-day attack by six weeks.
* This also indicates the attackers are conducting ongoing campaigns across the region. Commonalities in the series of attacks link these episodes to the Operation DeputyDog and Hidden Lynx attack crew(s).
* The Hidden Lynx hackers-for-hire crew has allegedly committed multiple data-stealing attacks against businesses dating back to 2009. At the moment, they appear to be focused on targeting Asia Pacific companies.
Executive summary
* We have seen the CVE-2013-3893 exploit targeting Japanese firms in the financial industry hosted on a Taiwanese IP address.
* Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command and control server as far back as July 1, 2013. These C&C communications predate the widely-reported first use of this attack infrastructure by more than six weeks, and indicate that the attacks from this threat actor are not limited to Japan.
* Commonalities in C&C infrastructure, domain registrations, exploit techniques and malware link this threat actor to the Operation DeputyDog and Hidden Lynx attack crew.
* This alleged hackers-for-hire crew has committed ongoing attacks against businesses, stealing vital information, allegedly dating back to 2009.
* Our telemetry shows enough variation across these attacks to suggest that different high-profile attack teams may be using the same tool sets.
* Websense has protected our customers from the CVE-2013-3893 exploit observed in the wild using real-time analytics that have been in place for nearly three years.