Malware alert: Red October is back as Cloud Atlas/Inception

Red-locksRed October/Cloud Atlas/Inception may sound like a mediocre weekend in a provincial cinema, but is in fact an “extremely sophisticated” new malware framework that has been targeting institutions around the world via a Swedish Cloud service provider.

Researchers from Blue Coat Labs reported the discovery of the multi-layered malware last week, naming it “Inception” after the 2010 Christopher Nolan film of the same name. According to Blue Coat, Inception’s targets have included: “Executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials.”

Ars Technica, meanwhile, reports that Kaspersky was undertaking investigations of its own. Kaspersky called the malware “Cloud Atlas”, declaring it an update of the Red October cyber espionage operation that targeted embassies worldwide in 2012.

Whatever you call it, it’s a considerable threat.

According to Kaspersky, the top five targeted countries are Russia, Kazakhstan, Belarus, India and the Czech Republic. Blue Coat reports that other affected countries include Romania, Venezuela, Mozambique, Paraguay and Turkey – and SC Magazine reports that it is likely that Inception/Cloud Atlas is also targeting organisations in the UK.

Discovery

Microsoft published information about an RTF (Rich Text Format) vulnerability (CVE-2014-1761) in March, which was already being exploited. Two other RTF vulnerabilities were already known to be exploited (CVE-2010-3333 and CVE-2012-0158), so Blue Coat researchers “followed the usage” of this new vulnerability “with interest”, eventually identifying “a malware espionage operation that used both the CVE-2014-1761 and CVE-2012-0158 vulnerabilities to trigger execution of the malicious payload, and which leveraged a Swedish cloud service, CloudME, as the backbone of its entire visible infrastructure.”

Blue Coat explained further: “Command & Control traffic on the Windows platform is performed indirectly via a Swedish cloud service provider using the WebDAV protocol. This hides the identity of the attacker and may bypass many current detection mechanisms. The attackers have added another layer of indirection to mask their identity by leveraging a proxy network composed of routers, most of which are based in South Korea, for their command and control communication. It is believed that the attackers were able to compromise these devices based on poor configurations or default credentials.”

Mobile devices running iOS, BlackBerryOS or Android are all thought to be at risk – and the threat is unlikely to go away. As Kaspersky warns: “when a major cyber-espionage operation is exposed, the attackers are unlikely to completely shut down everything. They simply go offline for some time, completely reshuffle their tools and return with rejuvenated forces.”

Remediation

Inception spreads via phishing. If you’re concerned about your employees’ susceptibility to phishing attacks, you’d do well to consider IT Governance’s Employee Phishing Vulnerability Assessment. It will identify potential vulnerabilities among your employees and provide recommendations to improve your security, enabling you to have a broad understanding of how you are at risk, and what you need to do to address these risks.

DailySentinel-blog