Elderwood Platform is still providing Zero-Day exploits

Experts at Symantec have discovered that behind the Elderwood Platform there is a still active group which is providing Zero-Day exploit used recently.

Do you remember the Elderwood  project? It was September 2012 when Symantec security firm published an analysis that demonstrate the link between a series of cyber attacks against more than 30 companies and the cyber espionage campaign conducted on Google three years before, so-called Operation Aurora.

The sophisticated attacks originated in China and hit dozens of organizations, including Adobe Systems and Juniper Networks. Later rumors revealed that other companies were targeted, including Morgan Stanley, Northrop Grumman and Yahoo.

Aurora attack is one of the most complex operation due to the capability of attackers who used several 0-day exploits included one related the popular IE Explorer.

According the security firm Symantec the hackers behind Op Aurora had the knowledge of various  0-day vulnerabilities too, and at least four of them were used in the attacks against different industries in 2012 op Elderwood.

Today further investigations made by Symantec into an exploit kit known as “Elderwood” demonstrate that the attackers using it may be more diverse and well funded than has been believed.

“Initially, our research suggested that the Elderwood platform was being used by a single attack group. Our latest research leads us to believe that several groups could be using this platform. The evidence suggests that either one distributor is responsible for selling the platform or one major organization developed the exploit set for its in-house attack teams. Either scenario could shed light on how some of the biggest attack groups in action today get such early access to zero-day exploits.” reports a blog post from Symantec.

Symantec experts suspect that several hacking groups are using Elderwood platform, probably its developer is still active and is selling the platform or Elderwood hackers are developing exploits for their own in-house teams.

“he attack groups are separate entities with their own agendas. These groups all have contact with a single zero-day exploit supplier which delivers the exploits to the groups at the same time. The supplier may give certain groups preferential treatment, offering zero-day exploits to some attack groups a few days before others.,” Symantec wrote.

Symantec identified a sub-group called “Hidden Lynx” who targets mainly defense industry and Japanese users, Vidgrab” is targeting Uyghur dissidents in the western China region, “Icefog” hit manufacturing firms, while “Sakurel” focused on aerospace companies.

Early 2014, the Elderwood exploit kit contained three zero-day vulnerabilities, one for Flash (CVE-2014-0502) and two for Internet Explorer (CVE-2014-0322 and CVE-2014-0324) and Flash exploit and CVE-2014-0322 were hosted on the same server, and used by all four groups demonstrating the link between the groups and the platform.

“Whether Elderwood’s creator is a third-party supplier or a major organization equipping its own teams, the various groups using ‘Elderwood’ zero-day exploits are well resourced and motivated. They present a serious threat to potential targets.” concludes Symantec.

Pierluigi Paganini

(Security Affairs –  Elderwood, zero-day)