
Attacks/Breaches

3/25/2010 12:04 PM
Report: Most Targeted Attacks Originate From China

While the largest share of targeted email attacks arrives from U.S. email servers, the machines that actually originated the emails reside mostly in China and Romania.

Most targeted attacks originate in China, even though the largest share of the malicious emails aimed at corporations is relayed through email servers in the U.S., according to a new report released today.

Symantec MessageLabs found that the location of the offending email server is only part of the equation. "When we looked at the IP addresses from which the messages were being sent, it revealed that the U.S. appeared to be responsible for more than one-third of those attacks," says Paul Wood, senior analyst with MessageLabs Intelligence. But on closer inspection of the email headers, MessageLabs found 28.2 percent were from China, 21.1 percent were from Romania, and 13.8 percent were from the U.S.

"These are either from individuals in China or computers in China that are under control of someone else [as bots]," Wood says. "The Chinese are certainly in the same boat as the rest of us in malware and bot [infections]."

Targeted attacks such as those that recently hit Google, Adobe, Intel, and other U.S. companies have drawn attention to the threat of industrial espionage and theft of intellectual property from organizations.

Whether this data reflects any activity related to those attacks, also known as Operation Aurora, is unclear. "We were just looking at malware samples we blocked and identified as malicious. There's not necessarily a connection there at all" with Operation Aurora, Wood says. "That's not something I can say 'yes' or 'no' to."

While 36.6 percent of the targeted emails came from mail servers in the U.S., 17.8 percent came from China and 16.5 percent from Romania. Wood says the U.S. figure is so high because a large share of the messages were sent through Webmail services hosted in the U.S.
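The distinction Wood draws, between the server that hands a message to the recipient's gateway and the host the Received chain says it started from, can be read from any message's headers. The following is an added example, not code from the report or from MessageLabs: the message, host names and addresses are constructed, and OUR_IPS is an assumed list of the recipient's own gateway addresses.

```python
import email
import re
from email import policy

IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
FROM_CLAUSE = re.compile(r'\bfrom\b(.*?)\bby\b', re.IGNORECASE | re.DOTALL)

# Constructed sample (not from the report): a message handed to the target's MX by a
# webmail provider, whose own Received line names a different host as the sender.
SAMPLE_MESSAGE = b"""\
Received: from mx1.example-corp.test (mx1.example-corp.test [203.0.113.10])
\tby inbound.example-corp.test with ESMTP id abc123; Thu, 25 Mar 2010 09:00:00 +0000
Received: from mail.webmail-provider.test (mail.webmail-provider.test [192.0.2.25])
\tby mx1.example-corp.test with ESMTPS; Thu, 25 Mar 2010 08:59:58 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.webmail-provider.test with HTTP; Thu, 25 Mar 2010 08:59:50 +0000
From: "Trade Policy Desk" <policy@webmail-provider.test>
To: director@example-corp.test
Subject: Q2 foreign trade briefing

See attached.
"""

# Assumed: gateways we operate ourselves. Received lines they wrote are the only
# ones whose contents we can vouch for.
OUR_IPS = frozenset({'203.0.113.10'})


def received_hops(raw: bytes) -> list:
    """Return the IP named in the 'from' clause of each Received header, newest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all('Received', []):
        text = ' '.join(str(value).split())          # unfold continuation lines
        m = FROM_CLAUSE.search(text)
        ip = IPV4.search(m.group(1) if m else text)
        hops.append(ip.group(0) if ip else None)
    return hops


def trace_sender(raw: bytes, our_ips=OUR_IPS) -> dict:
    """Separate the server that delivered the mail from the origin its headers claim."""
    hops = received_hops(raw)
    # First hop not written about one of our own machines: the peer that connected to us.
    delivering = next((ip for ip in hops if ip and ip not in our_ips), None)
    # The oldest Received line was written by the sender's provider, or by the sender
    # itself, so it locates the origin only as far as that writer is honest.
    return {
        'delivering_ip': delivering,
        'claimed_origin_ip': hops[-1] if hops else None,
        'hop_ips': hops,
    }


if __name__ == '__main__':
    print(trace_sender(SAMPLE_MESSAGE))
```

The delivering IP is what a gateway sees on the wire and is hard to fake; everything below the lines your own servers wrote was supplied by the other side, so the claimed origin is evidence for attribution, not proof of it.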

The top five categories of targeted recipients were directors, senior officials, vice presidents, managers, and executive directors, the report found. People with responsibilities for foreign trade and defense policy, in Asian countries and elsewhere, were also targeted, according to the report.

.DOC and .XLS files were the most common attachment types in the malicious emails, each accounting for 15.4 percent of the files, followed by .ZIP (11.2 percent), .PDF (10.7 percent), and .EXE (6.7 percent). Wood says .EXE attachments typically arouse suspicion, and 15 percent of the .EXE attachments MessageLabs found in email were malicious. And although .DOC files are the type most often seen in malicious emails, he says, they are not necessarily the most dangerous: most of them are benign documents sent along with the message.

The most dangerous attachment type was a password-protected (encrypted) .RAR archive, a proprietary compressed format that is comparatively rare in business email. "If they're not encrypted, they are less likely to be malicious," Wood says. "The encrypted ones were malicious 96.8 percent" of the time, he says.
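Triaging attachments the way these figures suggest, by extension and, for a .rar, by whether it is password-protected, does not require extracting anything: in the RAR 4.x format both the per-file encryption flag and the encrypted-headers flag sit in the clear in the block headers. This is an added example, not code from the report or from MessageLabs; the message and the RAR byte stream are constructed inside the block, the header CRCs are left at zero and not checked, and RAR5 archives are only recognised, not parsed.

```python
import os
import struct
from email.message import EmailMessage

RAR4_MARKER = b'Rar!\x1a\x07\x00'
RAR5_MARKER = b'Rar!\x1a\x07\x01\x00'
LONG_BLOCK   = 0x8000  # any block: a 4-byte ADD_SIZE (packed data length) follows the 7-byte header
MHD_PASSWORD = 0x0080  # archive header (type 0x73): every later block header is encrypted
LHD_PASSWORD = 0x0004  # file header (type 0x74): this file's data is encrypted
LHD_LARGE    = 0x0100  # file header: 64-bit sizes, 8 extra bytes before the file name
LHD_SALT     = 0x0400  # file header: 8-byte salt follows the file name


def rar_encryption_status(data: bytes) -> dict:
    """Walk RAR 4.x block headers and report what is encrypted, without extracting anything."""
    if data.startswith(RAR5_MARKER):          # RAR5 uses a different header layout; not parsed here
        return {'format': 'rar5', 'encrypted_headers': None, 'files': []}
    if not data.startswith(RAR4_MARKER):
        return {'format': None, 'encrypted_headers': None, 'files': []}
    encrypted_headers, files, pos = False, [], 0
    while pos + 7 <= len(data):                # the marker itself parses as a 7-byte block (type 0x72)
        _crc, head_type, head_flags, head_size = struct.unpack_from('<HBHH', data, pos)
        add_size = 0
        if (head_flags & LONG_BLOCK) and pos + 11 <= len(data):
            add_size = struct.unpack_from('<I', data, pos + 7)[0]
        if head_type == 0x73 and (head_flags & MHD_PASSWORD):
            encrypted_headers = True           # nothing after this block is readable
            break
        if head_type == 0x74 and pos + 32 <= len(data):
            name_size = struct.unpack_from('<H', data, pos + 26)[0]
            name_off = pos + 32 + (8 if head_flags & LHD_LARGE else 0)
            name = data[name_off:name_off + name_size].decode('latin-1', 'replace')
            files.append({'name': name, 'encrypted': bool(head_flags & LHD_PASSWORD)})
        if head_type == 0x7b or head_size < 7:  # end-of-archive block, or a malformed header
            break
        pos += head_size + add_size
    return {'format': 'rar4', 'encrypted_headers': encrypted_headers, 'files': files}


def rar4_sample(encrypted: bool) -> bytes:
    """Constructed RAR 4.x skeleton: marker, archive header, one file header, dummy data, end block."""
    name, packed = b'invoice.doc', b'\x00' * 16
    flags = LONG_BLOCK | ((LHD_PASSWORD | LHD_SALT) if encrypted else 0)
    head_size = 32 + len(name) + (8 if encrypted else 0)
    file_hdr = struct.pack('<HBHH', 0, 0x74, flags, head_size)
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
    file_hdr += struct.pack('<IIBIIBBHI', len(packed), 4096, 2, 0, 0, 29, 0x30, len(name), 0x20)
    file_hdr += name + (b'\x11' * 8 if encrypted else b'')
    archive_hdr = struct.pack('<HBHH', 0, 0x73, 0, 13) + b'\x00' * 6
    end_block = struct.pack('<HBHH', 0, 0x7b, 0x4000, 7)
    return RAR4_MARKER + archive_hdr + file_hdr + packed + end_block


def build_sample_message() -> EmailMessage:
    """Constructed sample mail: a decoy .doc (just an OLE2 magic number) and an encrypted .rar."""
    msg = EmailMessage()
    msg['From'] = 'policy@webmail-provider.test'
    msg['To'] = 'director@example-corp.test'
    msg['Subject'] = 'Defense policy briefing'
    msg.set_content('Please review the attached documents.')
    msg.add_attachment(b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\x00' * 24,
                       maintype='application', subtype='msword', filename='briefing.doc')
    msg.add_attachment(rar4_sample(encrypted=True),
                       maintype='application', subtype='x-rar-compressed', filename='archive.rar')
    return msg


def triage_attachments(msg: EmailMessage) -> list:
    """Record each attachment's extension; for a .rar, whether any part of it is encrypted."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        ext = os.path.splitext(name)[1].lower()
        entry = {'name': name, 'ext': ext, 'rar_encrypted': None}
        if ext == '.rar':
            status = rar_encryption_status(part.get_payload(decode=True))
            if status['format'] == 'rar4':
                entry['rar_encrypted'] = status['encrypted_headers'] or any(
                    f['encrypted'] for f in status['files'])
        results.append(entry)
    return results


if __name__ == '__main__':
    for entry in triage_attachments(build_sample_message()):
        print(entry)
```

Checking the flag rather than attempting extraction matters in a gateway: a password-protected archive cannot be scanned for content, so the encryption state itself is the signal to act on, and it is available before any decompression code touches attacker-supplied data.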

The MessageLabs Intelligence March 2010 report also found that 77 percent of the spam sent by the Rustock botnet this month was delivered over TLS-encrypted connections, and that spam sent over TLS made up about 20 percent of all spam in March. TLS only encrypts the SMTP session between two mail servers; it says nothing about who the sender is or what the message carries, so a filter that treats TLS delivery as a mark of legitimacy gains nothing against this traffic.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
