Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Nitro Malware Targeted Chemical Companies

Symantec finds Trojan launched industrial espionage attacks against chemical compound and advanced material manufacturers.

In the case of the Nitro attacks, Symantec traced the command-and-control servers back to a virtual private server (VPS) located in the United States that was rented for about $32 per month. "However, the system was owned by a 20-something male located in the Hebei region in China," said Chien and O'Gorman. "We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school."

But they were unable to verify whether the person they contacted was actually employed by the school, using an alias, or working for someone else, and said his cover story--using the VPS and its static IP address as a way to access a favorite instant messaging system from within China--would have been technological overkill. "The scenario seems suspicious," they said. "We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform 'hacking for hire.'"

Whoever the Nitro campaign's handler, there are multiple information security lessons to be gleaned from how the attacks were executed, and thus how they can be stopped. "Blocking suspicious attachments, using proactive detection technologies and educating users could all stop this type of attack from succeeding. If you weren't one of the victims, this is a great lesson on what you should be doing to protect against the next attack," said Chester Wisniewski, a senior security advisor at Sophos Canada, in his analysis of Symantec's report.

Notably, he said, the attack proves--once again--that end users shouldn't have administrative-level access rights to their Windows PCs. "Malware cannot access the Windows cache of passwords, which almost always has admin credentials included, if it does not have administrative rights," he said. "Simply restricting permissions would be enough to stunt the spread of an attack like this. Additionally, the behavior of this malware is quite easy for [host intrusion prevention systems] or behavioral antivirus to detect and block. With the multitude of techniques being used by the bad guys, analyzing the behavior of applications is critical."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22382
PUBLISHED: 2021-06-22
Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. A...
CVE-2021-22383
PUBLISHED: 2021-06-22
There is an out-of-bounds read vulnerability in eCNS280_TD V100R005C10 and eSE620X vESS V100R001C10SPC200, V100R001C20SPC200, V200R001C00SPC300. The vulnerability is due to a message-handling function that contains an out-of-bounds read vulnerability. An attacker can exploit this vulnerability by se...
CVE-2021-22342
PUBLISHED: 2021-06-22
There is an information leak vulnerability in Huawei products. A module does not deal with specific input sufficiently. High privilege attackers can exploit this vulnerability by performing some operations. This can lead to information leak. Affected product versions include: IPS Module versions V50...
CVE-2021-22363
PUBLISHED: 2021-06-22
There is a resource management error vulnerability in eCNS280_TD V100R005C10SPC650. An attacker needs to perform specific operations to exploit the vulnerability on the affected device. Due to improper resource management of the function, the vulnerability can be exploited to cause service abnormal ...
CVE-2021-22377
PUBLISHED: 2021-06-22
There is a command injection vulnerability in S12700 V200R019C00SPC500, S2700 V200R019C00SPC500, S5700 V200R019C00SPC500, S6700 V200R019C00SPC500 and S7700 V200R019C00SPC500. A module does not verify specific input sufficiently. Attackers can exploit this vulnerability by sending malicious parameter...