Mitigating “IceFog” – another targeted attack group from China


On Sep. 25th Kaspersky Labs unveiled “IceFog”, a Chinese “for hire” group of cyber attackers. Let’s take a deeper look.

First off, IceFog clearly demonstrates how customized and targeted cyber-attacks have become over the past few years. For example, the IceFog group exploited a vulnerability in the handling of HWP document files, the format used by the Hangul word processor. This distinct word processing application is used mainly in South Korea, Japan and Taiwan, making this targeted attack all the more specific and customized.

Curiously, the attackers have also developed a “Hit&Run” method of operation, which enables them to carry out the assault swiftly against a pre-selected target, basing the operation on intelligence they collected beforehand about the network layout and specific users. This method again exemplifies how targeted these attacks have become – not just regarding the victim, but also regarding the specific information that the attackers seek to obtain.

This method of operation has also allowed the “IceFog” group to get in and out of a network with the information they were after in a very short time, substantially reducing the risk of getting caught. The group has not yet been stopped, however, and is still operating with various versions of their botnet against various targets, proving that the method works.

In fact, today the “IceFog” botnet deploys tools which enable it to collect user passwords and hashes, Internet Explorer saved passwords, and Outlook e-mail accounts and passwords. These credentials enable the attackers to collect sensitive documents, connect to other targets in the network, and execute MSSQL queries directly on servers in the network, allowing them to take hold of the information they are after.

Fortunately, there is an antidote. An effective way to protect passwords and other credentials is to employ CyberArk’s Privileged Session Management (PSM) Suite. PSM prevents sensitive passwords from ever reaching the user endpoint, so malware on that endpoint has no password to collect. With PSM, users access their target machines or accounts through a proxy, where all activity is monitored and limitations can be enforced.

In addition, CyberArk’s Sensitive Information Management (SIM) Suite is a highly relevant solution for protecting sensitive documents against threats such as this. The SIM Suite protects documents by placing them in a highly secure Digital Vault (instead of insecure endpoints and file shares) and granularly limiting access rights to specific users. In addition, all activity in the Vault is monitored and available for auditing, making it possible to discover irregular activity and prevent further damage.
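The two controls described above (a session proxy that keeps the password on the broker side, and a document vault with per-user access rights and an audit trail) can be illustrated with a small model. The following is an added example written for this post, not CyberArk’s product code; the class names, the sample password, the document names and the “more than N distinct documents in a short window” rule for spotting irregular activity are all constructed assumptions.

```python
"""Model of credential brokering plus an audited document vault.
Hypothetical illustration, not CyberArk's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuditEvent:
    user: str
    action: str   # "session", "read" or "denied"
    target: str
    ts: int       # constructed timestamp in seconds


class AuditLog:
    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, user: str, action: str, target: str, ts: int) -> None:
        self.events.append(AuditEvent(user, action, target, ts))


class SessionBroker:
    """Holds privileged passwords; the endpoint only ever receives a handle."""

    def __init__(self, audit: AuditLog) -> None:
        self._secrets: Dict[str, str] = {}               # target -> password
        self._allowed: Dict[str, Set[str]] = defaultdict(set)  # user -> targets
        self._audit = audit
        self._counter = 0

    def store(self, target: str, password: str) -> None:
        self._secrets[target] = password

    def grant(self, user: str, target: str) -> None:
        self._allowed[user].add(target)

    def open_session(self, user: str, target: str, ts: int) -> Tuple[bool, str]:
        if target not in self._allowed[user] or target not in self._secrets:
            self._audit.record(user, "denied", target, ts)
            return False, ""
        # The broker authenticates to the target itself; a real proxy would
        # open the RDP/SSH/SQL connection here using the stored password.
        self._counter += 1
        handle = f"session://{target}/{self._counter}"  # no secret material
        self._audit.record(user, "session", target, ts)
        return True, handle


class DocumentVault:
    """Documents live only here; reads are checked against an ACL and logged."""

    def __init__(self, audit: AuditLog) -> None:
        self._docs: Dict[str, str] = {}
        self._acl: Dict[str, Set[str]] = defaultdict(set)  # doc -> readers
        self._audit = audit

    def put(self, name: str, content: str, readers: Set[str]) -> None:
        self._docs[name] = content
        self._acl[name] = set(readers)

    def read(self, user: str, name: str, ts: int) -> Optional[str]:
        if name not in self._docs or user not in self._acl[name]:
            self._audit.record(user, "denied", name, ts)
            return None
        self._audit.record(user, "read", name, ts)
        return self._docs[name]


def flag_irregular(audit: AuditLog, window: int, max_distinct: int) -> Set[str]:
    """Flag users with any denial, or who read more than max_distinct distinct
    documents within any `window` seconds (a constructed example rule)."""
    flagged: Set[str] = set()
    reads: Dict[str, List[AuditEvent]] = defaultdict(list)
    for ev in audit.events:
        if ev.action == "denied":
            flagged.add(ev.user)
        elif ev.action == "read":
            reads[ev.user].append(ev)
    for user, evs in reads.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            seen = {e.target for e in evs[i:] if e.ts - start.ts <= window}
            if len(seen) > max_distinct:
                flagged.add(user)
                break
    return flagged


def demo() -> Tuple[bool, str, bool, Set[str]]:
    """Constructed scenario: a normal user and one who sweeps the vault."""
    audit = AuditLog()
    broker, vault = SessionBroker(audit), DocumentVault(audit)
    broker.store("sql01", "S3cret!pw")          # constructed sample password
    broker.grant("alice", "sql01")
    ok, handle = broker.open_session("alice", "sql01", ts=0)
    denied, _ = broker.open_session("mallory", "sql01", ts=5)
    docs = ("plan.docx", "budget.xlsx", "roadmap.pptx", "contracts.pdf")
    for name in docs:
        vault.put(name, f"<{name} contents>", readers={"alice", "mallory"})
    vault.read("alice", "plan.docx", ts=10)
    vault.read("alice", "budget.xlsx", ts=3000)
    for i, name in enumerate(docs):             # four documents in four seconds
        vault.read("mallory", name, ts=20 + i)
    return ok, handle, denied, flag_irregular(audit, window=60, max_distinct=3)
```

The point of the model is the data flow: the password is stored and used only inside `SessionBroker`, the caller gets back an opaque handle, and every access (granted or denied) lands in one audit log that a simple rule can review afterwards.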

For more information regarding the “IceFog” attacks, see the informative report published by Kaspersky Labs: “The ‘IceFog’ APT: a tale of a cloak and three daggers”. The study addresses methods of action taken by the attacking group and includes a full attack analysis.
