Trend Micro Discovers "SafeNet" - a New Targeted Espionage Operation Online

Monday, May 20, 2013

Steve Ragan


Researchers at Trend Micro have discovered a new espionage campaign, called SafeNet, which has reached victims in more than 100 countries since it began. The campaign itself is straightforward, using email as the means of initial access, but it is notable for how long it remained undetected.

While investigating SafeNet, Trend Micro’s Nart Villeneuve wrote in a whitepaper that there were two attack campaigns, each targeting a specific set of organizations. The first campaign snared 243 unique victims in 11 countries. The second campaign logged 11,563 victims in 116 countries.

These numbers are based on the IP data found on the Command and Control (C&C) servers used by the attackers, so the actual victim count may be smaller, Trend Micro noted. Based on that IP data, India, the U.S., China, Pakistan, and the Philippines were the top five victim countries, followed by Russia, Brazil, Romania, and Saudi Arabia.

“While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear,” Villeneuve said in a blog post.

Based on the whitepaper, the data collected points to an attacker located somewhere in Asia: in the logs of both C&C servers, administrator access came most often from China, Hong Kong, and South Korea.

The malware used in the campaign was designed to steal data, but it could be quickly modified to offer additional functionality. The whitepaper supporting the SafeNet research reports that tools were discovered for extracting saved passwords from Internet Explorer and Firefox, as well as Remote Desktop Protocol credentials.

“Ongoing cyber-espionage campaigns have been successfully infiltrating targets worldwide, many of which have been active for years. However, the amount of public exposure, especially of noisier and larger campaigns, has been increasing,” the whitepaper concludes.

“Perhaps due to their success, these campaigns’ operators intensified their operations, causing them to be increasingly visible. But smaller campaigns are beginning to emerge; these use small clusters of C&C servers and new malware as well as attack fewer targets.”

Trend Micro, in the first release of their report, called this campaign SafeNet. Shortly after the research was released, the whitepaper was taken offline, and the campaign was renamed to Safe, which it most certainly isn’t.

As it turns out, it would seem that SafeNet, Inc., a data protection firm in Maryland, took offence to the name given to the espionage campaign. It is unfortunate that Trend Micro had to alter their research and add the disclaimer that “...there is no connection between this attack and SafeNet, Inc. ...”

It isn’t as if a serious practitioner within the world of InfoSec would have assumed the names were related. So the fact that such a warning was required is insulting.

A full copy of the modified report is available here.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.