Reports indicate that a large-scale cyber espionage campaign has been identified and named Red October (Rocra).
Red October is a cyber espionage campaign that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.
The malicious software embeds itself on the infected system and serves as the attacker's foothold on it. A successful exploit could allow the attacker to install any of the 34 identified Red October modules, which extend the framework with the following capabilities:
- Compile hardware, software, and operating environment of the targeted system
- Compile network-related information, including Windows Network neighborhood share information
- Exploit weak or default passwords and SNMP community strings to compile network device configurations
- Scan the LAN for ports and hosts vulnerable to additional exploits
- Steal sensitive browser, e-mail, and FTP related information including cookies, credentials, and history
- Gather data from locally attached mobile devices, including iPhones, Nokia phones, and Windows Mobile phones
- Access locally attached Windows Mobile devices and install a back door
- Install back doors on targeted devices
- Capture screen shots and record keystrokes
- Execute arbitrary files that are embedded in certain documents
- Access data on removable storage devices, possibly including deleted files
- Access LAN FTP sites and shared disks
- Access e-mail databases from POP/IMAP servers or local Microsoft Outlook storage
- Install Adobe Reader and Microsoft Office DocBackdoor plug-ins
- Execute arbitrary code and commands
- Access targeted systems using Administrator credentials
- Target and compile mail.ru e-mail account information
- Launch additional modules
- Upload gathered intelligence and data to the command and control server
Reports also indicate that Red October targets files and documents with the following extensions:
.acidcsa, .aciddsk, .acidppr, .acidpvr, .acidsca, .acidssa, .cer, .cif, .crt, .csv, .doc, .docx, .eml, .gpg, .hse, .iau, .key, .mdb, .odt, .pdf, .pgp, .rst, .rtf, .sxw, .txt, .vsd, .wab, .xia, .xig, .xio, .xis, .xiu, .xls, .xps.
Red October appears to be designed to execute tasks as assigned by the command and control (C&C) systems. These tasks are delivered to the infected system as portable executable (PE) DLLs that are executed in memory and then cleared, leaving little on disk. The exception is a small number of persistent tasks, which are delivered as PE EXE files and installed locally on the infected system.
Reports also indicate that Red October may be assigning a unique identifier to individual victim systems and may be able to re-initiate control of infected systems via a one-way covert communications channel.
Reports also indicate that Red October uses known vulnerabilities with publicly available exploit code for its targeted attacks. The reports have identified the following known exploits in active use by Red October:
- CVE-2009-3129 (Alert 19322): Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution Vulnerability
- CVE-2010-3333 (Alert 21716): Microsoft Office Rich Text Format Content Processing Buffer Overflow Vulnerability
- CVE-2012-0158 (Alert 25557): Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability
- CVE-2011-3544 (Alert 24470): Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
- CVE-2008-4250 (Alert 16941): Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
To exploit the Office and Java vulnerabilities, the attacker may send the user a malicious file, or a link to one, and use misleading language or instructions to persuade the user to open the file or follow the link. CVE-2008-4250 is different: it is a vulnerability in a network service and can be exploited over the network without user interaction, so it is also usable for lateral movement against unpatched hosts once the attacker is inside the LAN.
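As an added example (this is not part of the advisory and is not Red October code), the following Python script applies two attachment-triage heuristics that follow from the delivery vector described above: it compares each attachment's declared extension against its format signature (for example an RTF or PE payload delivered under a .doc or .pdf name), and it looks for a PE image embedded inside a document container by following the MZ header's e_lfanew field to a PE\0\0 signature. The sample attachments are constructed inline; the magic bytes are standard format signatures, not indicators taken from the advisory.

```python
"""Attachment triage heuristics for document-borne exploit delivery (added example)."""
from __future__ import annotations

import re
import struct

# Standard format signatures (assumption: generic magic bytes, not advisory indicators).
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc/.xls compound file
    b"PK\x03\x04": "zip",                          # .docx/.xlsx/.jar (OOXML and JAR are zips)
    b"{\\rtf": "rtf",                              # Rich Text Format
    b"%PDF": "pdf",
    b"MZ": "pe",                                   # Windows executable
}

# What content we expect behind a given extension. RTF under .doc is deliberately
# not accepted: Word opens it, which is exactly why it is a popular disguise.
EXPECTED = {
    "doc": {"ole2"}, "xls": {"ole2"}, "docx": {"zip"}, "xlsx": {"zip"},
    "rtf": {"rtf"}, "pdf": {"pdf"}, "jar": {"zip"},
}
EXEC_EXTS = {"exe", "scr", "dll", "com", "pif"}


def sniff(data: bytes) -> str:
    """Classify content by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def find_embedded_pe(data: bytes) -> list[int]:
    """Return offsets of PE images inside a blob.

    A candidate is an 'MZ' stub whose e_lfanew field (DWORD at +0x3C) points at a
    'PE\\0\\0' signature; this avoids false hits on the letters MZ in ordinary text.
    """
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break  # too close to the end to hold a DOS header
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew: off + e_lfanew + 4] == b"PE\0\0":
            hits.append(off)
    return hits


def triage(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment (empty list = nothing flagged)."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"extension .{ext} but content is {kind}")
    if kind == "pe":
        findings.append("file is a Windows executable")
    elif find_embedded_pe(data):
        findings.append(f"embedded PE image at offset(s) {find_embedded_pe(data)}")
    if len(parts) >= 3 and ext in EXEC_EXTS:
        findings.append("executable hidden behind a document extension")
    return findings


def build_fake_pe(payload_len: int = 64) -> bytes:
    """Constructed stand-in for an executable: MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * payload_len


# Constructed sample attachments (not real malware).
SAMPLES = {
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64,   # clean legacy Excel header
    "agenda.doc": b"{\\rtf1\\ansi {\\*\\generator test}}",           # RTF disguised as .doc
    "report.docx": b"PK\x03\x04" + b"\0" * 16 + build_fake_pe(),      # zip container with a PE inside
    "invoice.pdf.exe": build_fake_pe(),                               # double extension
}


def run_samples() -> dict[str, list[str]]:
    """Triage every constructed sample and return the findings keyed by filename."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or 'no findings'}")
```

These are triage heuristics, not detections of the specific vulnerabilities above: a decision on a flagged file still needs a real parser (OLE streams for CVE-2009-3129 and CVE-2012-0158 style lures, RTF control words for CVE-2010-3333, JAR contents for the Java applet). Note also that RTF stores embedded objects hex-encoded, so a raw MZ scan will not see a PE inside an .rtf unless the \objdata payload is decoded first.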
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.
Administrators may consider disabling Java and the Java plug-in in web browsers. Instructions for disabling Java in web browsers can be found at the following links:
Administrators may consider uninstalling Java.