Attacks/Breaches
7/19/2010
05:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SANS Raises Infocon Alert To Yellow In Light Of New Windows 'Shortcut' Attack Threat

Security experts closely monitoring spread of new zero-day threat

A zero-day flaw being used in targeted attacks against organizations worldwide -- most notably on SCADA systems -- has security experts worried that the threat could spread further. Concerns about additional attacks using the so-called "LNK" vulnerability in Windows machines via USB devices and fileshares prompted the SANS Internet Storm Center today to raise its Infocon alert level to "yellow," up from "green," or normal, status.

SANS made the call to go Code Yellow to help raise awareness of the vulnerability, which Microsoft officially revealed on Friday after security researchers in Belarus reported finding new malware samples that could infect a Windows 7 machine via an infected USB drive. "We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation," blogged SANS ISC handler and security consultant Lenny Zeltser today. "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit have not been very effective so far."

The number of machines hit so far is only in the tens of thousands, according to some estimates, but many security experts worry that could change fast.

"This is not something to just shrug off," says Paul Henry, security and forensics analyst for Lumension Security. Henry says the biggest targets for the attack are Microsoft XP SP2 machines, which the software giant stopped patching as of this month.

"You've got a large user base that can't move off of XP SP2, and that creates a perfect situation for the bad guys," Henry says, noting many SCADA apps only run on XP. "Now they've got a wide, open field where they can create malware, with no fear that Microsoft will create a patch for it."

Microsoft late Friday issued a security advisory that points to a flaw in Windows Shell, which was being used along with a family of malware called Stuxnet. Dave Forstrom, Microsoft's director of marketing communications for integrated communications & response, says Microsoft had only seen "limited, targeted attacks" thus far, and that the attacks were most likely to occur via removable USB drives.

While Microsoft as of that posting had spotted most of the attacks in Iran and Indonesia, researchers at ESET today report that the Stuxnet worm going after the LNK flaw is mostly hitting the U.S. now, with 58 percent of all infections, 30 percent in Iran, and more than 4 percent in Russia. "This particular attack targets the industrial supervisory software SCADA. In short, this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does," says Juraj Malcho, head of ESET's Virus Lab, based in Bratislava, Slovakia.

ESET expects other malware to exploit the Windows vulnerability, which has to do with how it processes LNK files.

SANS' yellow alert indicates it's tracking a significant, new threat, and that users should take "immediate specific action" to contain any impact the threat could unleash.

While USB-born malware is nothing new, what makes this attack unique is that even if Windows Autoplay and Autorun are disabled, the Stuxnet worm can still automatically infect a USB drive. The exploit can also spread via SMB fileshares, posing the possibility of further internal infections within a targeted organization, experts say.

A few workarounds are available to defend against the threat. Microsoft suggests disabling icon shortcuts as well as the WebClient service, for instance. SANS suggests disabling autorun for USB contents and locking down SMB shares internally such that it limits who is able to write to the shares. SANS' Zeltser also points to a free tool called Ariad, which is in beta.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.