SandCat: Kaspersky is exposing the previously identified Uzbekistan hacking group known as SandCat. According to Kaspersky, it has been tracking the group since discovering it in 2018, and because of the group's poor operational security, Kaspersky obtained samples of malware before the group had finished developing it, which led researchers to multiple zero-day vulnerabilities that SandCat had purchased from third parties. SandCat installed Kaspersky anti-virus software on the machines it used to develop its malware, so the anti-virus flagged the unfinished samples and Kaspersky collected them. The group also embedded a screenshot of the developers' machines in a test file, exposing the attack platform while it was still in development. These mistakes inadvertently supplied researchers with four different zero-days. They also affected hacking groups in Saudi Arabia and the UAE. When zero-days or malware are purchased from third-party vendors, there are two options: either pay a premium price for exclusive rights to the zero-day, or pay a lower price for non-exclusive access that other buyers can also obtain. Because these groups purchased the same zero-days, once one group exposed a zero-day it became less valuable for every buyer, since the affected vendor can issue a patch and customers can then patch their systems to remediate the vulnerability. Kaspersky plans to unveil its findings at the Virus Bulletin conference in London.
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is