Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/18/2010
12:46 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Another Massive Breach Reveals Sorry State Of IT Security

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.According to security firm NetWitness, its security analysts discovered a new ZeuS botnet, that it's calling Kneber, during what the company called a routine deployment of its security monitoring system.

In an e-mail, the company said that it found a 75GB cache of data that included 68,000 corporate logon credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, and others. The company described its find as "a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines." They also found 2,000 SSL certificates.

Last night, the Wall Street Journal reported that two of the companies breached included Merck & Co. and Cardinal Health. They told the paper that the attack was isolated and contained.

More than half of the machines infected with the new Kneber botnet were also infected with separate strains of the Zeus and Waladac botnets. Apparently, one or multiple groups of attackers, are having a Field Day on these systems.

In a report about the attack, published by NetWitness and available on the vendor's site, the company claims that the malicious executable was identified by traditional anti-virus engines less than 10 percent of the time and that botnet communication was missed by intrusion detection systems.

That may explain why this strain of malware was able to infect 74,126 systems in 196 countries during the course of a year and a half, with the top five comprised nations being Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The types of organizations breached included Fortune 500 firms; local, state, and federal government agencies, energy, financial services, ISPs, education, and technology companies.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Almost all of these infections start with a socially engineered phishing scam to convince people to open an infected file or visit a malicious Web site to download the malware. The files are often injected through a software vulnerability. The vogue vectors recently have been browser flaws, and Adobe PDF files. And that appears to be the case in these attacks, as well.

Typically -- whether discussing ZeuS, Kneber, and similar malware -- once an endpoint is infected, it's only a matter of time before the determined attacker will make their way onto the primary network. Then it's really game over. The attackers will entrench themselves with more malware and uncover more vulnerabilities throughout the network. I'll bet many of the organizations that got deeply infected with this attack focus most of their vulnerability assessments on their external network, and too little on hardening their end-points and internal systems.

They're also relying on their endpoint anti-virus and firewalls too heavily, which can be too easily bypassed through a single bad click by an employee. And that sad fact isn't going to change until the software we all use improves.

We didn't really need a high-profile cyber attack drill this week to tell us that businesses and the government are unprepared against these types of attacks. You only needed to skim the IT news headlines that have been screaming about such problems for a about a decade.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20902
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
CVE-2019-20903
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.