Risk
2/18/2010
12:46 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Another Massive Breach Reveals Sorry State Of IT Security

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.According to security firm NetWitness, its security analysts discovered a new ZeuS botnet, that it's calling Kneber, during what the company called a routine deployment of its security monitoring system.

In an e-mail, the company said that it found a 75GB cache of data that included 68,000 corporate logon credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, and others. The company described its find as "a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines." They also found 2,000 SSL certificates.

Last night, the Wall Street Journal reported that two of the companies breached included Merck & Co. and Cardinal Health. They told the paper that the attack was isolated and contained.

More than half of the machines infected with the new Kneber botnet were also infected with separate strains of the Zeus and Waladac botnets. Apparently, one or multiple groups of attackers, are having a Field Day on these systems.

In a report about the attack, published by NetWitness and available on the vendor's site, the company claims that the malicious executable was identified by traditional anti-virus engines less than 10 percent of the time and that botnet communication was missed by intrusion detection systems.

That may explain why this strain of malware was able to infect 74,126 systems in 196 countries during the course of a year and a half, with the top five comprised nations being Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The types of organizations breached included Fortune 500 firms; local, state, and federal government agencies, energy, financial services, ISPs, education, and technology companies.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Almost all of these infections start with a socially engineered phishing scam to convince people to open an infected file or visit a malicious Web site to download the malware. The files are often injected through a software vulnerability. The vogue vectors recently have been browser flaws, and Adobe PDF files. And that appears to be the case in these attacks, as well.

Typically -- whether discussing ZeuS, Kneber, and similar malware -- once an endpoint is infected, it's only a matter of time before the determined attacker will make their way onto the primary network. Then it's really game over. The attackers will entrench themselves with more malware and uncover more vulnerabilities throughout the network. I'll bet many of the organizations that got deeply infected with this attack focus most of their vulnerability assessments on their external network, and too little on hardening their end-points and internal systems.

They're also relying on their endpoint anti-virus and firewalls too heavily, which can be too easily bypassed through a single bad click by an employee. And that sad fact isn't going to change until the software we all use improves.

We didn't really need a high-profile cyber attack drill this week to tell us that businesses and the government are unprepared against these types of attacks. You only needed to skim the IT news headlines that have been screaming about such problems for a about a decade.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.