Botnet that hid for 18 months

Botnet that hid for 18 months(arstechnica.com)

125 points by takiwatanga 4 years ago | 22 comments

mikeyouse 4 years ago |

Interesting -- not targeting defense contractors or governments..

> In this blog post, we introduce UNC3524, a newly discovered suspected espionage threat actor that, to date, heavily targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions. On the surface, their targeting of individuals involved in corporate transactions suggests a financial motivation; however, their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021, as reported in M-Trends 2022, suggests an espionage mandate.

Is there enough money in high finance to support the development of sophisticated tools to rig trading markets?

nyokodo 4 years ago | |

> Is there enough money in high finance to support the development of sophisticated tools to rig trading markets?

Yes, but a well timed economic WMD on countries heavily reliant on efficient capital markets would greatly distract them from interfering in international events.

pigtailgirl 4 years ago | |

insider trading without insider trading - the netflix engineers who got busted by the DoJ last year did well over 3 million USD on just subscriber data - imagine what access to exec inbox would look like -

tomatowurst 4 years ago | | |

but wouldn't it be easy to catch people with lot of near expiry far OTM put options for instance?

Or are these people going on r/wallstreetbets to write long DD upvoted by bots, purchased accounts, awards, under VPN to make their purchases seem organic?

Still wouldn't it be obvious somebody doing that routinely and establishing a pattern of unusually high win rates before earnings?

Sort of like how poker companies catch cheaters, simply by knowing the average win rate to be within a specific distribution, even the slightest deviation or outlier would send its risk management scrutinizing play by play to determine a pattern.

Wouldn't large state actors with web of shell companies be able to obfuscate and get away with impunity? Literally printing money and also weaponizing a foreign financial market.

belter 4 years ago | | |

If you want to do insider trading without penalties get elected to Congress.

"59 members of Congress have violated a law designed to stop insider trading and prevent conflicts-of-interest"

https://www.businessinsider.com/congress-stock-act-violation...

password4321 4 years ago |

Did anyone ever decrypt that portion of Gauss, circa 2012?

That's the most effectively hidden malware code I know of.

https://arstechnica.com/information-technology/2013/03/the-w...

mike_d 4 years ago | |

No. I know a few antivirus companies and security searchers continue to run brute force cracks against it going on 10 years now.

Other modules in Gauss monitored transactions with Lebanese banks, so a logical assumption is it was deployed as part of a terror financing investigation against a very specific set of computers.

nyokodo 4 years ago |

This doesn’t sound like a botnet so much as a (possibly Russian) child of Stuxnet.

kramerger 4 years ago |

Isnt this significantly better than current botnets?

Is there any information about their targets?

PenguinCoder 4 years ago | |

This activity is steps above a normal botnet or threat actor such as standard ransomware operators. Not only living off the land, but taking care to blend in to the device/environment, not just dropping a randomly named blob. They show a narrow focus of targeting, awareness for evasion, and skill at maintaining persistence. This level of sophistication is not normal, for normal incidents.

daniel-cussen 4 years ago | | |

I bet sometimes they kick out bots that are competing for resources. Or at least scan for the other bots and carve it out, otherwise when there's two that's when they both start mining full blast, they each try to cash in the crypto keys on the computer before the other one does, and the user gets around to reinstalling the OS because his computer is unusable.

solarmist 4 years ago | |

It certainly seems like it to me.

r00fus 4 years ago |

Is this what it takes for IoT devices to finally get DMZ'd away from main networks at enterprises?

vlan0 4 years ago | |

You could try that. But I’m unsure how much that would move the needle in this particular case. It’s too easy to slip up when your only defense is a walled garden. And with wireless controllers and load balancers on the list, that’ll be tricky.

But what would likely have helped is a focus on strong controls around identity and access management. Especially in the form of passwordless auth. Would certainly make lateral moves harder.

robotnikman 4 years ago | |

Do other companies seriously not do this? I would think that is a basic security concept at this point. Then again, I've seen worse security practices at companies.