Risk
2/18/2010
12:46 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Another Massive Breach Reveals Sorry State Of IT Security

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.According to security firm NetWitness, its security analysts discovered a new ZeuS botnet, that it's calling Kneber, during what the company called a routine deployment of its security monitoring system.

In an e-mail, the company said that it found a 75GB cache of data that included 68,000 corporate logon credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, and others. The company described its find as "a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines." They also found 2,000 SSL certificates.

Last night, the Wall Street Journal reported that two of the companies breached included Merck & Co. and Cardinal Health. They told the paper that the attack was isolated and contained.

More than half of the machines infected with the new Kneber botnet were also infected with separate strains of the Zeus and Waladac botnets. Apparently, one or multiple groups of attackers, are having a Field Day on these systems.

In a report about the attack, published by NetWitness and available on the vendor's site, the company claims that the malicious executable was identified by traditional anti-virus engines less than 10 percent of the time and that botnet communication was missed by intrusion detection systems.

That may explain why this strain of malware was able to infect 74,126 systems in 196 countries during the course of a year and a half, with the top five comprised nations being Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The types of organizations breached included Fortune 500 firms; local, state, and federal government agencies, energy, financial services, ISPs, education, and technology companies.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Almost all of these infections start with a socially engineered phishing scam to convince people to open an infected file or visit a malicious Web site to download the malware. The files are often injected through a software vulnerability. The vogue vectors recently have been browser flaws, and Adobe PDF files. And that appears to be the case in these attacks, as well.

Typically -- whether discussing ZeuS, Kneber, and similar malware -- once an endpoint is infected, it's only a matter of time before the determined attacker will make their way onto the primary network. Then it's really game over. The attackers will entrench themselves with more malware and uncover more vulnerabilities throughout the network. I'll bet many of the organizations that got deeply infected with this attack focus most of their vulnerability assessments on their external network, and too little on hardening their end-points and internal systems.

They're also relying on their endpoint anti-virus and firewalls too heavily, which can be too easily bypassed through a single bad click by an employee. And that sad fact isn't going to change until the software we all use improves.

We didn't really need a high-profile cyber attack drill this week to tell us that businesses and the government are unprepared against these types of attacks. You only needed to skim the IT news headlines that have been screaming about such problems for a about a decade.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.