Darkhotel Deploys Zero-Day From Hacking Team

Uploaded on 2015-08-31 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

The Darkhotel cyberespionage crew keeps adding to its bag of tricks: New evidence from Kaspersky Lab shows that the group seems to have latched on to some of the zero-day vulnerabilities exposed by the Hacking Team data dump last month.

Known best for breaking into Wi-Fi networks in luxury hotels to target very high profile corporate and government executives, the team has long depended on zero-day and half-day vulnerabilities to strike its targets.

According to Kaspersky, Darkhotel has gone through half a dozen or more zero-days targeting Adobe Flash Player in the past year, investing considerable funds to beef up a quiver meant to hit the proverbial bulls eyes. But it isn't above striking when opportunities like the breach of Hacking Team present themselves. “Darkhotel has returned with yet another Adobe Flash Player exploit hosted on a compromised website, and this time it appears to have been driven by the Hacking Team leak," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "The group has previously delivered a different Flash exploit on the same website, which we reported as a zero-day to Adobe in January 2014. Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally."

The Korean group initially focused 90 percent of its efforts targeting victim organizations in Japan, Taiwan, China, Russia, and Hong Kong. But over the past year it has expanded its geographical reach to North Korea and South Korea, Russia, Bangladesh, Thailand, India, Mozambique, and Germany.

Darkhotel depends on dogged persistence on the social engineering front. For example, if a Darkhotel spear phisher is sending out a fake schedule file with malicious payloads, he'll send one in February with a naming convention that uses the current date, and then send another one in May with the same naming convention and a new one to match the date.

Additionally, the group has leaned on stolen certificates on an ongoing basis. Kaspersky says it believes the crew maintains a stockpile of these stolen certs in order to use them in their downloaders and backdoors to evade detection. "Darkhotel now tends to hide its code behind layers of encryption. It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates. In previous attacks it would simply have taken advantage of a long list of weakly implemented, broken certificates," according to Kaspersky. "Not only are its obfuscation techniques becoming stronger, but its anti-detection technology list is growing. "

Dark Reading

 

 

 

« Seamless Technology Is a Gift for Cybercriminals
Hacking For Cause: Growing Cyber Security Trend »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Information Risk Management (IRM)

Information Risk Management (IRM)

IRM is an international consultancy dedicated to helping organisations solve key business issues. We provide strategic cyber security advice across a wide range of sectors.

Markel International

Markel International

Markel International is an international insurance company which looks after the commercial insurance needs of businesses. Specialist services include Cyber Risk insurance.

SISA

SISA

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive and corrective cybersecurity solutions.

Zanasi & Partners

Zanasi & Partners

Zanasi & Partners is a security research and advisory company active in the EU and MENA areas. Services focus on technology solutions.

TechCERT

TechCERT

TechCERT is Sri Lanka’s first and largest Computer Emergency Readiness Team (CERT).

LATRO Services

LATRO Services

LATRO Services is a complete solution provider to discover, locate, and eliminate telecom fraud.

CybeReady

CybeReady

CybeReady’s Autonomous Platform offers continuous adaptive training to all employees and guarantees significant reduction in organizational risk of phishing attacks.

Lightship Security

Lightship Security

Lightship Security is an accredited Common Criteria and FIPS 140-2 IT security testing laboratory that specializes in test conformance automation solutions and IT product security certifications.

Baxter Clewis Consulting

Baxter Clewis Consulting

Baxter Clewis are cyber security and compliance experts. We provide Security Consulting, IT Assurance, and Technical Security services.

Qohash

Qohash

With a focus on data security, Qohash supports security, compliance and optimization use cases enhancing your risk management process.

TekSynap

TekSynap

TekSynap is a full spectrum Information Technology services provider to federal government agencies.

AB Handshake

AB Handshake

AB Handshake offers a game-changing solution for telecom service providers that eliminates fraud on inbound and outbound voice traffic.

MoogleLabs

MoogleLabs

MoogleLabs leverage AI/ML, Blockchain, DevOps, and Data Science to come up with the best solutions for diverse businesses.

Ibento Global

Ibento Global

Ibento organises the CyberX series of cybersecurity conferences.

Persistent Systems

Persistent Systems

Persistent Systems are a trusted Digital Engineering and Enterprise Modernization partner, combining deep technical expertise and industry experience to help our clients.

Cybercentry

Cybercentry

Cybercentry is a specialist information security, data protection and cyber security consultancy.