Risk

2/18/2010
12:46 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Another Massive Breach Reveals Sorry State Of IT Security

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.According to security firm NetWitness, its security analysts discovered a new ZeuS botnet, that it's calling Kneber, during what the company called a routine deployment of its security monitoring system.

In an e-mail, the company said that it found a 75GB cache of data that included 68,000 corporate logon credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, and others. The company described its find as "a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines." They also found 2,000 SSL certificates.

Last night, the Wall Street Journal reported that two of the companies breached included Merck & Co. and Cardinal Health. They told the paper that the attack was isolated and contained.

More than half of the machines infected with the new Kneber botnet were also infected with separate strains of the Zeus and Waladac botnets. Apparently, one or multiple groups of attackers, are having a Field Day on these systems.

In a report about the attack, published by NetWitness and available on the vendor's site, the company claims that the malicious executable was identified by traditional anti-virus engines less than 10 percent of the time and that botnet communication was missed by intrusion detection systems.

That may explain why this strain of malware was able to infect 74,126 systems in 196 countries during the course of a year and a half, with the top five comprised nations being Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The types of organizations breached included Fortune 500 firms; local, state, and federal government agencies, energy, financial services, ISPs, education, and technology companies.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Almost all of these infections start with a socially engineered phishing scam to convince people to open an infected file or visit a malicious Web site to download the malware. The files are often injected through a software vulnerability. The vogue vectors recently have been browser flaws, and Adobe PDF files. And that appears to be the case in these attacks, as well.

Typically -- whether discussing ZeuS, Kneber, and similar malware -- once an endpoint is infected, it's only a matter of time before the determined attacker will make their way onto the primary network. Then it's really game over. The attackers will entrench themselves with more malware and uncover more vulnerabilities throughout the network. I'll bet many of the organizations that got deeply infected with this attack focus most of their vulnerability assessments on their external network, and too little on hardening their end-points and internal systems.

They're also relying on their endpoint anti-virus and firewalls too heavily, which can be too easily bypassed through a single bad click by an employee. And that sad fact isn't going to change until the software we all use improves.

We didn't really need a high-profile cyber attack drill this week to tell us that businesses and the government are unprepared against these types of attacks. You only needed to skim the IT news headlines that have been screaming about such problems for a about a decade.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Security's #1 Problem: Economic Incentives
Dimitri Stiliadis, CEO of Aporeto,  9/25/2017
SMBs Paid $301 Million to Ransomware Attackers
Dark Reading Staff 9/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.