The Mask Raises Network Security Worries in an Age of Cyberwarfare
The Careto malware, a.k.a. The Mask, could have been a Duqu-like cyberweapon – but more sophisticated.
What if your network was compromised for the past five years and you didn't know?
That seems to have been the situation for many victims of one of the greatest security threat to have been recently discovered.
On February 11, Kaspersky Labs announced its discovery of a particularly insidious piece of malware dubbed "The Mask" – also known as "Careto" (Spanish for "mask" or "ugly face"), the name given by the attackers to one of the two primary backdoor implants used on target machines. Kaspersky has detected at least 380 unique victims of the attack across at least 31 countries, concentrated among energy companies, government offices, private equity firms, research institutions, and political activists. Kaspersky further concedes that many more victims could remain undetected.
Kaspersky reports that The Mask has been active for at least five years, until January of this year. This means that, for years, major public and private sector organizations have had their networks and data deeply compromised and not known about it.
Some samples of The Mask were found to have been compiled even before then, in 2007. Disturbingly, this is the same year as the origins of major cyberweapons like Stuxnet and Duqu. What's more, Kaspersky reports that The Mask is a more sophisticated piece of malware than Duqu because of the former's capacity for flexibility and customization.
Working through a highly complex combination of modules and plug-ins, The Mask would secretly gather and steal data from all manner of systems and networks – including remote and virtualized ones – while monitoring all file operations. It would then hide its tracks in highly sophisticated ways, including replacing real system libraries, entirely wiping log files (as opposed to simple deletion), and blocking the IP addresses of renowned computer research entities (including Kaspersky) from its command and control servers.
For these reasons, and because of the unique and sophisticated way this malware would work from a network infrastructure management perspective, security experts hypothesize that The Mask was created or sponsored by a nation-state, similar to Kaspersky's conclusions about the Stuxnet worm.
"The attack is designed to handle all possible cases and potential victim types," Kaspersky reports. Kaspersky has uncovered versions of The Mask that affect Windows, Mac OSX, and Linux. Kaspersky also reports that there are mobile versions of The Mask, including one known to attack Nokia devices. While Kaspersky has not been able to obtain a sample to 100% confirm, the computer security firm believes that versions of The Mask affect both iOS and Android devices. The Mask also works through a variety of browsers, including Internet Explorer, Firefox, Chrome, Safari, and even Opera.
"Depending on the operating system, browser and installed plugins," Kaspersky notes, "the user is redirected to different subdirectories, which contain specific exploits for the user’s configuration that are most likely to work."
Among these exploits are plugin modules that attack anti-malware products (including those by Kaspersky), intercept network traffic, obtain PGP keys, steal email messages, intercept and record Skype conversations, gather a list of available WiFi networks, and provide other network functions to facilitate other modules. One module even creates a framework for extending the reach of The Mask with new plugins.
The Mask also has the ability to profile its targets. Its modules would automatically determine details of its victims' systems and software and then customize attacks using that information. It can even figure out if it is targeting a remote desktop portal or a virtualized environment.
"The installer module can detect if it is being executed in a VMware or Microsoft Virtual PC virtual machine," reports Kaspersky.
Network administrators and information security officers should find these revelations particularly disturbing. The fact that something so flexible, complex, and sophisticated could compromise so much information across so many platforms and go undetected for several years is bad enough. The fact that it is probable that this is the work of a nation-state or nation-state-sponsored group is yet more disconcerting. As cyber warfare ramps up, so must cyber defenses. The logical consequence may be greater government oversight (some may prefer the more uncharitable characterization "intrusion") over private sector systems, particularly in essential industries like energy, banking, and transportation.
For now, basic security measures are still the best protection against these kinds of attacks. Use up-to-date antimalware and firewall software. Don't open suspicious attachments or click suspicious links. Use air gaps where practicable, and when transferring files across the air gap, use media with small storage space filled with random files to prevent malware from storing itself on your USB stick or CD and leaping the air gap.
In the present case, The Mask appears to have been focused primarily on obtaining information. Still, such information – especially considering the sheer volume of system information accessible to those behind The Mask – could be used to develop and enable outright destructive Stuxnet-like attacks in the future. Therefore, those who were compromised should not consider themselves out of the woods yet. New security measures, perhaps right down to a complete network infrastructure overhaul, may be necessary to avoid serious system disruptions down the line.
And then there is the even bigger question: If something as sophisticated as The Mask went undetected in the wild this long, then what else is still out there?
Photo courtesy of Shutterstock.
Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.