Welcome Guest. | Log In | Register | Membership Benefits
  • |   Email this page E-mail
  • |  Print Print
  • |   Bookmark and Share

Sykipot Malware Now Steals Smart-Card Credentials

New variant of malware used by advanced persistent threat (APT) actors out of China challenges DoD, other organizations’ two-factor authentication

Jan 12, 2012 | 02:49 PM | 

By Kelly Jackson Higgins
Dark Reading
An infamous family of malware used in cyberespionage attacks out of China can now hijack a user’s smart-card credentials.

Researchers at AlienVault have discovered a new variant of the Sykipot malware family that steals smart-card credentials of Department of Defense (DoD) and other users. Sykipot has been in action since around 2007 for launching targeted attacks via spear-phishing emails to the DoD community. And that community employs PC/SC x509 smart cards for multifactor authentication of its users.

The new Sykipot variant appears to have been in the wild for months: Researcher Jaime Blasco found that it was first compiled in March 2011, and since then it has been spotted in dozens of attack samples. Blasco says he has no information on whether the attackers were successful in pilfering DoD or other smart-card credentials, but his lab has proved that it works, so it’s likely to have been used in some hacks.

“We have tested the malware and, in fact, it is working,” Blasco says. “It’s likely they got inside protected systems and gained access using this malware.”

AlienVault researchers believe one group of attackers is and has been behind the malware. “We believe it’s the same group of attackers. They have been using the same techniques, even sharing some parts of the code in other attacks,” Blasco says. “It’s related to another one we reported a month ago.”

Blasco is referring to a targeted attack campaign with Sykipot that exploited a zero-day Adobe Reader flaw to send malicious PDF files that included information lures about drone spy plans, such as the Boeing joint unmanned combat air system X-45 and the Boeing X-37 orbital vehicle.

Symantec researchers in early December said the PDF zero-day attack was part of a larger, longer-term targeted attack campaign aimed mainly at stealing intellectual property from the U.S. and U.K. industries and government agencies -- including defense contractors, telecommunications firms, computer hardware companies, chemical companies, and energy companies.

The attacks first came to light when Adobe alerted users that its Adobe Reader and Acrobat were under attack via a previously unknown flaw in the software that lets an attacker crash the app and wrest control of the victim's machine.

"The goal of Sykipot attackers is to obtain sensitive documents to high level executives within a variety of target organizations, of which the vast majority have been defense related. Considering the long-running campaign history of the attackers and their previous use of zero-day exploits, future versions of Sykipot that are delivered using another zero day are likely," Symantec warned in a blog post last month.

The Sykipot attackers typically send spear-phishing emails to employees who might have access to sensitive information. In the newest variant, the malware employs a keylogger to steal PINs for the smart cards. Once a user scans his card into the card reader, the malware poses as the authenticated user and hijacks the information.

Blasco says this is the first malware his team has seen that steals smart-card credentials.

[Security consultants and the feds are tracking a dozen groups responsible for advanced threats -- all out of China. See Dastardly Dozen: A Few APT Groups Carry Out Most Attacks.]

The attackers list the certificates on the victim’s machine (including the smart card’s) and then grab the PIN via the keylogger. They then use those credentials to log into machines that are accessible via the smart cards. In another clue that the attackers are targeting DoD users, the researchers discovered a software module that handles ActivIdentity’s ActivClient -- a smart-card-based authentication client used in the DoD’s Common Access Card (CAC) system.

This gives the attackers carte blanche into any secured systems, while the CAC or other smart card is in the reader. “This is similar to what Mandiant described on the 2011 M-Trends report as a 'Smart Card Proxy.' While trojans that have targeted smartcards are not new, there is obvious significance to the targeting of a particular smartcard system in wide deployment by the US DoD and other government agencies, particularly given the nature of the information the attackers seem to be targeting for exfiltration,” AlienVault wrote it a blog post today that provides technical details on the attack.

So how can the DoD and other organizations protect their smart-card users from this attack? “One way is to add another layer of authentication,” such as a one-time password, Blasco says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Authentication Reports

report Will Smartcards Live Up to Their Name?
Recent compromises of smartcard data have exacerbated concerns about the technology?s privacy, security and standards (or lack thereof). Yet the promise of smartcards is too compelling to ignore. New technologies and applications prompt us to take a fresh look.

report Get The Best Of Biometrics
As data volume and sensitivity grow, companies cannot rely on password- and token-based authentication. Biometrics can be used to provide strong access control, but you must weigh added complexity and costs against assurance that users are who they say they are.

report Proof of Identity: How to Choose Multifactor Authentication
User names and passwords are no longer sufficient authentication. In a time when so much business depends on the Internet, security requirements and regulatory mandates are putting pressure on business to adopt strong, multifactor authentication methods. In this Tech Center report, we explain how to weigh cost vs. risk to select the Web authentication method for your high-risk applications.

Other reports from the Authentication Tech Center:

Related Content

Effective and Painless Multi-factor Authentication
When the information age was young, authentication was simple-assign the user a password. Today, user populations have expanded and users access numerous distinct systems with each system requiring credentials. That said, it is no surprise that users have reverted to tactics that invalidate the security strength of passwords. Yet, the use of passwords as the only means to certify a user's identity still remains prevalent among SMBs. There is a new, multi-factor authentication approach that strengthens identity authentication and does not introduce extra cost, user inconvenience, and administrative. This white paper describes why multi-factor authentication is rising in importance and reviews the pros and cons of different multi-factor authentication approaches.

Man-in-the-Browser Attacks Explained
Cybercriminals are using more advanced methods to target online users. One of the fastest growing threats today is the man-in-the-browser (MITB) Trojan attack - an attack designed to intercept data as it passes over a secure communication between a user and an online application. Propagation of man-in-the-browser attacks is being helped by spear phishing attacks, the popularity of social networking sites, and the increase in drive-by downloads. In the last year, there has been an exponential increase in the number of these attacks against financial institutions. This white paper introduces the MITB attack, explains the infection rate, features and functionality of the attack and provides advice on how financial institutions can mitigate the threat.

How to: Select the Best Authentication Solution for Your Business
With the number of new and emerging security products being denoted by analysts as the "silver bullet" solution, it is critical to recognize that there are many authentication choices available on the market. The Authentication Decision Tree is a comprehensive tool that helps organizations understand, evaluate and select the most appropriate authentication solution to meet the needs of their users and their business. This white paper provides an overview of the Authentication Decision Tree, examines the five factors critical to selecting an authentication solution, and offers a clear guide to selecting the right solution that effectively balances risk, cost and end user convenience.

Strong Authentication for SMBs
Small and mid-sized businesses authenticate their end-users primarily with passwords, in spite of the fact that passwords are less secure, inconvenient and more expensive then stronger forms of authentication. This white paper reveals recent research conducted by Aberdeen on the drivers, inhibitors and technology adoption trends among SMBs. Find out what authentication solutions are well-designed to address the needs of SMBs.

How to Make the Case for Strong Authentication
With today's threat landscape and the increased value placed on the information created and stored, systems that rely on static passwords for security are left vulnerable and at high risk of being breached. This paper examines the need for strong authentication and explores the return on investment in order to help organizations make an informed decision when contemplating their strategic move toward more effective security.