Zero day attack barrage in 2014 linked to 'Elderwood' platform

Symantec flagged a platform called Elderwood in 2012 that was used to launch a series of zero day attacks and now it appears to be back. Think of Elderwood as a factory that simplifies exploits and makes them criminal friendly.

Symantec researchers say that a flurry of zero-day attacks in 2014 has been linked to the Elderwood platform, a set of exploits packaged so that they can be used by non-technical crooks.

Elderwood works like a factory: it packages exploits so they are easy for criminals to use. That lowers the bar for the technical skill required to mount an attack and naturally attracts more criminals. Symantec said the exploits are more "consumer friendly."

Elderwood is just another example of how security defenses haven't kept up with the marketplaces, scale, and technologies like the cloud that hackers have deployed.

Symantec flagged Elderwood back in 2012, but the platform has now been used to launch attacks exploiting three zero-day vulnerabilities in the first month of 2014. Symantec noted in a blog post:

Initially, our research suggested that the Elderwood platform was being used by a single attack group. Our latest research leads us to believe that several groups could be using this platform. The evidence suggests that either one distributor is responsible for selling the platform or one major organization developed the exploit set for its in-house attack teams. Either scenario could shed light on how some of the biggest attack groups in action today get such early access to zero-day exploits.

Symantec goes on to speculate about the attackers who use Elderwood, as well as the entity behind it. There could be one parent group with subgroups targeting specific industries such as defense, supply chain, financial services and human rights. It's hard to pin all of the zero-day exploits of 2014 on one group, but Symantec does a nice job of connecting the dots in its post.

Researchers at Symantec continued:

It seems likely that someone is supplying various Internet Explorer and Adobe Flash zero-day exploits to an intermediate organization or directly to the various groups. This alone is a sign of the level of resources available to these attackers.

If the exploits are being purchased from a third-party distributor, the purchasing organization must have substantial financial resources to pay for the exploits. If the exploits are developed in-house, this would indicate that the organization has hired several highly technical individuals to do so.

The bottom line is that enterprises may just need a new mousetrap. The bad guys seem to have the defenses outgunned on many fronts.