Microsoft Zero-Day Attacks Tied To Group Responsible For Bit9 Breach

In new research published this weekend, the security firm said it detected an attack campaign called 'Operation DeputyDog" that began in August and is targeting organizations in Japan. The group behind the campaign is using the same command and control infrastructure used in the attack on Bit9, FireEye said. Other clues tie the group to the Bit9 breach, including callbacks to the remote server from the rootkit dropped on Bit9's systems, according to the researchers.

"While these attackers have demonstrated previously unknown zero-day exploits and a robust set of malware payloads ... it is still possible for network defense professionals to develop a rich set of indicators that can be used to detect their attacks," the researchers wrote in their analysis of the attack campaign.

[Related: In Wake Of Data Breach, Bit9's New CSO Is Shoring Up Security Defenses ]

Microsoft rushed out a temporary fix Sept. 17 to address the Internet Explorer zero-day vulnerability being exploited by the attackers, as reports quickly began to emerge that attacks had been detected in Japan. The software maker said its engineers are working on a permanent security fix to address the coding error.

Waltham, Mass.-based Bit9 in February revealed that attackers had breached its systems and stole digital code-signing certificates to attack at least three of its customers. At the time, the stolen certificates could be used to whitelist malware, enabling it to run unimpeded. The security firm said it revoked the certificates and updated its software following the breach.

In a recent interview with CRN, newly hired Bit9 CSO Nick Levay said the company is undergoing a number of infrastructure improvements to better protect its sensitive systems, including additional security staff and bolstered incident response procedures.

Investigators pinpointed the start of the Bit9 breach as a SQL injection attack, a common Web-based hacking technique that targets the back-end system that services company websites. Once they gained access, the attackers established a foothold and inserted the Hikit rootkit, which uses a virtual network adapter to covertly monitor incoming packets and communicate with the command and control server, according to Mandiant, which provided analysis of Hikit.

The FireEye researchers said they noticed a unique fingerprint used in the attacks. "Operation DeputyDog" refers to artifacts left by the software tool used to create the malware, the firm said. The malware was hosted on a server in Hong Kong. Once a system is infected, the malware contacts a host in South Korea where a secondary payload is located, FireEye said.

PUBLISHED SEPT. 23, 2013