It has been a rough few months for the National Security Agency, and specifically for its director, Gen. Keith Alexander. The leaks of details of NSA surveillance programs by former contractor Edward Snowden have taken over the news cycle this summer and put the agency’s business out in the open. Then, when Alexander spoke at Black Hat last month, he was heckled and booed as he defended the NSA’s programs. Now, there’s a petition, on the White House’s own Web site, to have Alexander removed from his position.
The petition is on the We the People section of the White House site, which allows citizens to create petitions to address a specific issue. If a petition receives enough support, it will be reviewed by the White House. The petition to remove Alexander was posted Aug. 20 and seeks to have him removed from his position as director of the NSA because the agency “has lost its way under his leadership”. Citing the recent stories in the Washington Post about the agency’s alleged collection of data on Americans, the petition is seeking 100,000 signatures.
“As the Washington Post reports, General Alexander’s NSA is an agency which flagrantly disregards privacy rules and oversteps its legal authority on a regular basis,” the petition says.
“Historically, directors of the agency have been replaced on average every 4 years. Alexander has held his post for an unprecedented 8 years. We believe this has contributed to the lack of objectivity and custodial oversight. The agency has lost its way under his leadership, and it is time for a change.”
Alexander has been under fire from all directions in recent months as the leaks from Snowden have mounted and questions about the NSA’s surveillance programs have followed. In June, Alexander was called before the Senate Appropriations Committee to face tough questions about his agency’s activities and whether they were illegal or unconstitutional.
“I do think what we’re doing does protect Americans’ civil liberties and privacy,” Alexander said during the hearing. “To date, we have not been able to explain it because it’s been classified. How can we explain it and still keep the nation secure? That’s the issue in front of us.”
In addition to running the NSA, Alexander also is in charge of the U.S. Cyber Command, the military unit tasked with defensive and offensive security operations.
The Poison Ivy remote access Trojan may be old, but it is not losing favor with nation states, which continue to make it the centerpiece of targeted attacks.
Three groups of hackers, reportedly all with ties to China and possibly related in terms of their funding and training, are currently managing campaigns using the RAT to steal data from organizations and monitor individuals’ activities.
Researchers at FireEye said the three campaigns target different industries yet share some of the same builder tools, employ passwords written in the same semantic pattern, and use phishing emails in their campaigns that are written in English using a Chinese language keyboard.
So much for the notion of targeted, persistent attacks requiring zero-day malware.
“There is a noticeable infrastructure built around using this tool; it’s clear they’ve trained a number of people to use and operate it,” said Darien Kindlund, manager of threat intelligence at FireEye. “It’s effective and there’s no need to change their tactics, which is why they’re still using it.”
Kindlund said, however, that enterprise security managers and operations teams can become complacent about Poison Ivy, dismissing it as a crimeware tool and overlooking its capacity to infect many machines as the operators move laterally in search of further vulnerable hosts or the data they are after.
“What’s easy for these threat actors is they’re using easy-to-use tools that are point-and-click and it becomes easy to blend in with crimeware groups, easy to blend into the noise and discount their presence when a defender identifies a Poison Ivy infection,” Kindlund said. “They might remediate a single infected machine rather than think it’s one of 50 compromises and a large-scale infection. That gives the adversary more time to change tactics and move laterally to other systems, making it harder to detect.”
Another reason Poison Ivy still finds favor with attackers is that, unlike Gh0stRAT or Dark Comet, it’s difficult to detect when Poison Ivy beacons out to its command and control infrastructure in order to receive more instructions.
“Compared to Gh0stRAT, which uses zlib compression to obfuscate communication out, if a network operator sees that traffic beaconing out, it’s easy to decode that traffic to figure out what walked out the door,” Kindlund said. “Poison Ivy uses Camellia encryption, which makes it more difficult to figure out what walked out the door.”
The three current campaigns follow familiar patterns. The first, named admin@338 for the password used by the attacker, targets international financial firms that specialize in the analysis of global or country-specific economic policies. It uses malicious email attachments to infect endpoints with Poison Ivy, which then downloads additional malware to steal intelligence, either to monetize insider information through a market play or for geopolitical reasons, Kindlund said.
The second attack, named th3bug for its password, spiked last year, FireEye said. It focuses on higher education, international health care and high-tech firms in order to steal intellectual property or research that a university team has yet to publish. Most of these are watering hole attacks: a regional website frequented by the targets is compromised, and exploit code injected into the site redirects visitors’ machines to a Poison Ivy payload.
The third attack, dubbed menuPass, has been the most active of the three and dates back to 2009, spiking last year. It targets the defense industry and international government agencies trying to steal military intelligence. Spear phishing campaigns include attachments infected with Poison Ivy that are meant to look like a purchase order or price quote that would be fairly specific to the victim, Kindlund said.
“They’ve done their homework and looked at the trust relationships of the target—who does this defense contractor do business with—and spoof an email from that partner and send an email through that channel,” Kindlund said. “These three groups have ties back to China; they all use a separate command and control infrastructure, but all three have a backend presence in that country.”
Meanwhile, the company is releasing a free tool based on the open source ChopShop kit developed by MITRE Corp. The module is Poison Ivy specific, similar to other modules built for Gh0stRAT, and will allow a security or network operations person to decode Poison Ivy traffic.
Poison Ivy image via uwdigitalcollections’ Flickr photostream, Creative Commons