It is my hope that this quick blog will clear up some questions that have been asked privately as well as publicly about #OperationSMN, and encourage organizations and enterprises to capture and leverage some of the output of the coalition’s efforts.
What is #OperationSMN?
Operation SMN is the first of what Novetta hopes will be many efforts taken by the cyber security industry to capture, analyze, share, iterate, distribute, then act and report on threats. For this case we chose a single advanced threat group that we have named “Axiom,” whose activity has gone unabated for multiple years and has demonstrated a level of sophistication in both tooling and techniques that has proven to be extremely effective in maintaining long-term persistence. This effort focused on the detection and removal of malware families (tools) used by Axiom, while the methods that we created and used were meant to ensure that, moving forward, the ability to use these tools would be as constricted as possible. We are relying on industry to act on the information shared to provide that effect not only against Axiom, but against other actors who use the same tools. During this operation we did not conduct any sinkholing, domain takedowns, or technical operations against pieces of malware (no p2p botnets to poison). Also, by no means is this operation over; we are still collecting and analyzing data to provide an impact assessment, as well as finishing up full reporting for distribution.
How does a company or individual take advantage of #OperationSMN?
Endpoint protection:
The biggest and simplest thing that an enterprise or individual can do to take advantage of our effort is to download and install this month’s Malicious Software Removal Tool (MSRT) from Microsoft. This will give you the best chance of identifying and removing most of the known tools used by the Axiom threat group. We also highly encourage you to run the MSRT monthly against all Windows machines, as there are a host of other threats that are detected and cleaned by it.
As a participant of #OperationSMN, Cisco/Sourcefire has pushed out the following IDS signatures that will detect the malware families used by Axiom. It is highly encouraged and suggested that people download and deploy these signatures to their IDS platforms as soon as possible.
ClamAV names and Snort Signature IDs detecting Axiom/Group 72 RAT malware:
- Gh0stRat — Win.Trojan.Gh0stRAT, 19484, 27964
- PoisonIVY / DarkMoon — Win.Trojan.DarkMoon, 7816, 7815, 7814, 7813, 12715, 12724
- Hydraq — Win.Trojan.HyDraq, 16368, 21304
- HiKit — Win.Trojan.HiKit, 30948
- Zxshell — Win.Trojan.Zxshell, 32180, 32181
- DeputyDog — Win.Trojan.DeputyDog, 28493, 29459
- Derusbi — Win.Trojan.Derusbi, 20080
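To make the signature list above directly usable on the detection side, here is an added example (not part of Novetta's post or the coalition's tooling) that reads Snort "fast" alert output, keeps only alerts whose generator is 1 (rule-based) and whose SID is one of the Axiom/Group 72 SIDs listed above, tags each with its malware family, and counts hits per internal source host for triage. The SID-to-family mapping is taken verbatim from the list; the alert lines are constructed samples, and the rule message text in them is a placeholder rather than the real Sourcefire rule messages.

```python
import re
from collections import Counter

# Snort signature IDs published in the post, mapped to the Axiom/Group 72
# malware family each one detects. Values come from the list in the post.
AXIOM_SIDS = {
    19484: "Gh0stRat", 27964: "Gh0stRat",
    7816: "PoisonIVY/DarkMoon", 7815: "PoisonIVY/DarkMoon",
    7814: "PoisonIVY/DarkMoon", 7813: "PoisonIVY/DarkMoon",
    12715: "PoisonIVY/DarkMoon", 12724: "PoisonIVY/DarkMoon",
    16368: "Hydraq", 21304: "Hydraq",
    30948: "HiKit",
    32180: "Zxshell", 32181: "Zxshell",
    28493: "DeputyDog", 29459: "DeputyDog",
    20080: "Derusbi",
}

# Snort "fast" alert format: "[gid:sid:rev] msg ... {proto} src:port -> dst:port".
FAST_ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Constructed sample alert lines (not real sensor output); the message text
# is a placeholder, only the gid/sid values are meaningful here.
SAMPLE_ALERTS = [
    "10/16-09:12:03.118271  [**] [1:19484:7] CONSTRUCTED Gh0stRAT alert [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] "
    "{TCP} 10.0.0.15:49310 -> 198.51.100.20:443",
    "10/16-09:12:41.002910  [**] [1:30948:3] CONSTRUCTED HiKit alert [**] "
    "[Priority: 1] {TCP} 10.0.0.15:49322 -> 198.51.100.21:80",
    "10/16-09:13:05.551004  [**] [1:2100498:7] CONSTRUCTED unrelated alert [**] "
    "[Priority: 2] {TCP} 10.0.0.22:50001 -> 203.0.113.9:80",
    "10/16-09:14:17.330020  [**] [129:12:1] CONSTRUCTED preprocessor event [**] "
    "[Priority: 3] {TCP} 10.0.0.22:50002 -> 203.0.113.9:80",
    "10/16-09:15:00.000001  [**] [1:32181:2] CONSTRUCTED ZxShell alert [**] "
    "[Priority: 1] {TCP} 10.0.0.40:51234 -> 192.0.2.33:8080",
    "malformed line that should be skipped",
]


def parse_fast_alert(line):
    """Return the gid/sid/rev and endpoints of one fast-format alert, or None."""
    m = FAST_ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def axiom_hits(lines):
    """Keep only rule alerts (gid 1) whose SID is in the Axiom list, tagged by family."""
    hits = []
    for line in lines:
        alert = parse_fast_alert(line)
        # Preprocessor events use other generator IDs and share the SID space,
        # so the gid check keeps e.g. [129:12:1] from being confused with a rule.
        if alert is None or alert["gid"] != 1:
            continue
        family = AXIOM_SIDS.get(alert["sid"])
        if family is not None:
            hits.append({**alert, "family": family})
    return hits


def summarize_by_host(hits):
    """Count Axiom-family alerts per (source host, family) pair for triage."""
    counts = Counter()
    for hit in hits:
        host = hit["src"].rsplit(":", 1)[0]  # strip the source port
        counts[(host, hit["family"])] += 1
    return counts


if __name__ == "__main__":
    for (host, family), n in sorted(summarize_by_host(axiom_hits(SAMPLE_ALERTS)).items()):
        print(f"{host:<15} {family:<20} {n}")
```

Feeding a real `alert` file (or `snort -A fast` output) into `axiom_hits` in place of `SAMPLE_ALERTS` gives the same per-host summary; the gid filter matters because Snort preprocessors report under their own generator IDs and reuse small SID numbers.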
It should also be noted that the data that this operation collected and produced was distributed to 64 vendors in 22 different countries via Microsoft’s Virus Information Alliance (VIA) program. This was done in an attempt to ensure that the larger security industry has the ability to analyze, develop, and deploy tailored detection and mitigations for their own customer base. We would expect to see solutions appearing within their products and services shortly. If you are a security vendor not in the VIA program, we encourage you to click here for more information on how to get involved with the program.
It is my own personal hope, as well as Novetta’s, that the methods that we have used in Operation SMN are shared, leveraged, and tweaked within industry to continually impact threat actors of all different types. In this first effort we chose a target whose capabilities, resources, techniques, and methods are rather advanced, but the processes used by the coalition can be applied to threats of all shapes and sizes. This new methodology of leveraging Microsoft’s ownership of its ecosystem via their industry programs and capabilities, executing small coordinated iterative analysis and action, followed quickly by wide sharing of raw and finished data to industry for consumption and use is potentially a disruptive new pattern against cyber threats. This pattern could also be leveraged by other ecosystem owners to thwart threats against their own customer bases.
It is my belief that when leveraged in conjunction with the more typical methods used in industry, this newer methodology can have a tremendous impact on the threats – and the actors behind them – that exploit and erode our trust in the technologies we use on a daily basis. In the end, this is just another tool that researchers and industry can use to fight threats that our customers as well as our own organizations face.
A special thanks to Holly Stewart and the team at Microsoft who run the Coordinated Malware Eradication program – without their help this program and effort would not have come to fruition.
I want to again call out those organizations both public and anonymous who have contributed effort, resources, data, and action to make this effort come to fruition.
List of related blog posts by coalition organizations:
- Microsoft: MSRT October 2014 – Hikiti
- F-Secure: One Doesn’t Simply Analyze Moudoor
- Cisco: Threat Spotlight: Group 72