Attackers used Google and another Internet service to disguise traffic headed to remote servers from compromised computers.

A group of innovative hackers used free services from Google and an Internet infrastructure company to disguise data stolen from corporate and government computers, a security firm reported.

FireEye discovered the campaign, dubbed Poisoned Hurricane, in March while analyzing traffic originating from systems infected with a remote access tool (RAT) the firm called Kaba, a variant of the better-known PlugX.

The compromised computers were discovered in multiple U.S. and Asian Internet infrastructure service providers, a financial institution and an Asian government organization. FireEye did not disclose the names of the victims. The unidentified hackers had used spear-phishing attacks to compromise the systems and then used the malware to steal sensitive information and send it to remote servers, FireEye said.

What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Fremont, Calif.-based Hurricane Electric. In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com and outlook.com.

“It was a novel technique to hide their traffic,” Ned Moran, senior threat intelligence researcher for FireEye, said Thursday.

The attackers’ tactics were clever enough to trick a network administrator into believing the traffic was headed to a legitimate site, Moran said.

The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.

In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the “Police Mutual Aid Association” and with an expired certificate from an organization called “MOCOMSYS INC.”

In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and then redirected the traffic to that location. Google Developers, formerly called Google Code, is the search engine company’s Web site for software development tools, application programming interfaces (APIs) and documentation on working with Google developer products. Developers can also use the site to share code.

With Hurricane Electric, the attackers took advantage of the fact that its domain name servers were configured so that anyone could register for a free account with the company’s hosted DNS service. The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address. In addition, Hurricane did not check whether newly created zones were already registered or owned by other parties, FireEye said.

Google and Hurricane were notified of the malicious use of their services, Moran said. Both companies had removed the attack mechanisms.

“We appreciate FireEye discovering and documenting this unusual attack, so that we could immediately fix our service to eliminate the possibility of this type of abuse in the future,” Mike Leber, a spokesman for Hurricane, said in an email sent to CSOonline.

Moran believed the services were victims of hacker creativity rather than of a flaw.

“These are services offered online that can be used for good or ill,” he said. “A gun can be used to protect and a gun can be used to hurt.”
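The two disguise tricks the article describes leave a measurable gap for a defender: an HTTP request whose Host header names adobe.com or outlook.com but whose TCP destination is an address those domains never resolve to, and a DNS lookup that bypasses the organization’s own resolvers (or returns an answer outside the domain’s known ranges). The script below, an added example rather than code from the article, FireEye or CSOonline, checks both against a per-domain address baseline of the kind a team might build from passive DNS. The log format, the baseline ranges (RFC 5737 documentation blocks), the resolver addresses and the sample lines are all constructed for illustration.

```python
"""Flag forged-Host-header connections and rogue/off-range DNS lookups.

Added example; not from the article, FireEye or CSOonline. The log format,
address ranges (RFC 5737 documentation blocks), resolver addresses and
sample lines are constructed for illustration.
"""
import ipaddress

# Constructed baseline: address ranges each domain has previously been seen
# resolving to (e.g. from passive DNS). Exact-name matching only; a real
# baseline needs refreshing because CDN-hosted domains change ranges.
KNOWN_RANGES = {
    "adobe.com": ["192.0.2.0/24"],
    "update.adobe.com": ["192.0.2.0/24"],
    "outlook.com": ["198.51.100.0/24"],
}

# Constructed: the only resolvers endpoints are expected to query.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_fields(line):
    """Split 'KIND k=v k=v ...' into (kind, {k: v}); values lower-cased."""
    kind, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return kind, {k: v.lower() for k, v in fields.items()}


def in_known_ranges(name, ip):
    """None when there is no baseline for the name, otherwise True/False."""
    ranges = KNOWN_RANGES.get(name)
    if ranges is None:
        return None
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in ranges)


def check_http(fields):
    """Forged Host header: the header names a known domain, but the
    connection goes to an address that domain has never resolved to."""
    if in_known_ranges(fields["host"], fields["dst"]) is False:
        return [("host-mismatch", fields["src"], fields["host"], fields["dst"])]
    return []


def check_dns(fields):
    """Two signals: the query went to a resolver other than the approved
    ones (a hosted DNS service answering for zones its users do not own only
    works if the client asks it directly), and/or the answer for a known
    domain falls outside that domain's baseline."""
    alerts = []
    if fields["resolver"] not in APPROVED_RESOLVERS:
        alerts.append(("rogue-resolver", fields["src"], fields["resolver"], fields["qname"]))
    if in_known_ranges(fields["qname"], fields["answer"]) is False:
        alerts.append(("off-range-answer", fields["src"], fields["qname"], fields["answer"]))
    return alerts


def analyse(lines):
    """Return the list of alert tuples for a batch of log lines."""
    alerts = []
    for line in lines:
        kind, fields = parse_fields(line)
        if kind == "HTTP":
            alerts.extend(check_http(fields))
        elif kind == "DNS":
            alerts.extend(check_dns(fields))
    return alerts


# Constructed sample log: a clean HTTP connection, one with a forged Host
# header, a clean lookup, a lookup sent straight to an outside resolver that
# returns an off-baseline address, and a connection to a host with no baseline.
SAMPLE_LOG = [
    "HTTP src=10.1.2.3 dst=192.0.2.10 host=update.adobe.com",
    "HTTP src=10.1.2.4 dst=203.0.113.7 host=update.adobe.com",
    "DNS src=10.1.2.3 resolver=10.0.0.53 qname=outlook.com answer=198.51.100.5",
    "DNS src=10.1.2.4 resolver=203.0.113.53 qname=adobe.com answer=203.0.113.7",
    "HTTP src=10.1.2.5 dst=203.0.113.9 host=example.net",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

Run stand-alone, the sample log yields one host-mismatch alert and, for the second lookup, both a rogue-resolver and an off-range-answer alert; the example.net connection produces nothing because there is no baseline to compare against. The rogue-resolver check is the cheapest of the three to deploy, since it needs only a list of sanctioned resolvers and egress port 53 logging, while the baseline checks require a maintained passive-DNS source.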