Zero day attack barrage in 2014 linked to 'Elderwood' platform

Summary: Symantec flagged a platform called Elderwood in 2012 that was used to launch a series of zero day attacks and now it appears to be back. Think of Elderwood as a factory that simplifies exploits and makes them criminal friendly.

Symantec researchers say that a flurry of zero-day attacks in 2014 has been linked to the Elderwood platform, a set of exploits packaged so they can be used by non-technical crooks.

Think of Elderwood as a factory that simplifies exploits and makes them criminal friendly. It lowers the bar for the technical skill required to mount an attack and naturally attracts more criminals. Symantec said the exploits are more "consumer friendly."

Elderwood is just another example of how security defenses haven't kept up with the marketplaces, scale, and technologies like the cloud that hackers have deployed.

Symantec flagged Elderwood back in 2012, but the platform has now been used to exploit three zero-day vulnerabilities in the first month of 2014. Symantec noted in a blog post:

Initially, our research suggested that the Elderwood platform was being used by a single attack group. Our latest research leads us to believe that several groups could be using this platform. The evidence suggests that either one distributor is responsible for selling the platform or one major organization developed the exploit set for its in-house attack teams. Either scenario could shed light on how some of the biggest attack groups in action today get such early access to zero-day exploits.

Symantec goes on to speculate on the attackers who use Elderwood as well as the entity behind it. There could be one parent group with subgroups targeting specific industries such as defense, supply chain, financial services and human rights. It's hard to pin the zero day exploits of 2014 all on one group, but Symantec does a nice job of connecting dots in its post.

Researchers at Symantec continued:

It seems likely that someone is supplying various Internet Explorer and Adobe Flash zero-day exploits to an intermediate organization or directly to the various groups. This alone is a sign of the level of resources available to these attackers.

If the exploits are being purchased from a third-party distributor, the purchasing organization must have substantial financial resources to pay for the exploits. If the exploits are developed in-house, this would indicate that the organization has hired several highly technical individuals to do so.

The bottom line is that enterprises may just need a new mousetrap. The bad guys seem to have the defenses outgunned on many fronts.

Talkback

5 comments
  • MS Internet Explorer and Adobe Flash Player zero-days

    What's an enterprise to do?

    I, for one, would like to see Microsoft make Enhanced Security Configuration for Internet Explorer available as an option on Windows client OSs.

    P.S. Nice to see Java (specifically, the Java web browser plug-in) out of the limelight for a change. :)
    Rabid Howler Monkey
    • IE, Flash, Java, Reader

      Between IE, Flash, Adobe Reader, and Java, the amount of potential vulnerabilities is absolutely astounding. Those 4 apps are pretty much standard as "required" for nearly all businesses. I'm not sure if those applications can ever be secured.

      After all the recent Java exploits, we attempted to disable Java, but quickly found way way too many business, banking, governmental sites, etc. still require Java. The platforms for secure viewing, printing, and paid access to information all use Java. What's MUCH worse, is that every single one of those sites requires that they be whitelisted as a trusted site in Java, and frequently IE as well as they don't follow the requirements for signed code, aren't properly coded for Java's current security model, etc. The management nightmare of dealing with that in the 150 organizations we support over 5000 desktops - to give you an idea... Just for Java security exceptions since the rollout of 7u55 our calls have gone from maybe 2 a day to over 200 a day. Hopefully that settles down as the exception lists grow and we work on automatically deploying that exception list to all our managed desktops.

      Add to this that many of the core line of business apps require that security be "dumbed down" in various places such as disabling UAC, business and government sites require disabling protected mode in IE and Adobe, etc. etc.

      I love the calls for people to switch to alternative platforms. As someone with a passion for Linux, using it myself in various capacity since 1993, there is no way we could switch more than perhaps 0.2% of our user-base to it or anything else. The business requirements still require Windows - MS Office, IE, Windows only core line of business applications, etc.

      Worse, their business partners ALSO pretty much dictate that our clients use Windows in one way or another. Good luck telling Bank of America, Aetna, Anthem, Wells Fargo, the US Government and other Fortune 100 companies that they should allllllll change to allow their partners and clients to use open source OS's and technologies.
      NixRocks
  • attacks = attracts?

    "naturally attacks more criminals"
    gfeier
  • Am I the only one that finds this ironic?

    Ed Bott says open source is broken, and Larry Seltzer is calling for a ban on open-source because of 1 flaw, and all this time, for at least 2 years now, there has been an 'IE exploits made easy' store on the Internet.
    anothercanuck