Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/18/2010
12:46 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Another Massive Breach Reveals Sorry State Of IT Security

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.

On the heels of the operation Aurora attacks, and constant stories about the Advanced Persistent Threat, another security firm has discovered a botnet that is responsible for stealing sensitive data from more than 2,500 companies over the past 18 months.According to security firm NetWitness, its security analysts discovered a new ZeuS botnet, that it's calling Kneber, during what the company called a routine deployment of its security monitoring system.

In an e-mail, the company said that it found a 75GB cache of data that included 68,000 corporate logon credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, and others. The company described its find as "a vast cache of dossier-level data sets on individuals including complete dumps of entire identities from victim machines." They also found 2,000 SSL certificates.

Last night, the Wall Street Journal reported that two of the companies breached included Merck & Co. and Cardinal Health. They told the paper that the attack was isolated and contained.

More than half of the machines infected with the new Kneber botnet were also infected with separate strains of the Zeus and Waladac botnets. Apparently, one or multiple groups of attackers, are having a Field Day on these systems.

In a report about the attack, published by NetWitness and available on the vendor's site, the company claims that the malicious executable was identified by traditional anti-virus engines less than 10 percent of the time and that botnet communication was missed by intrusion detection systems.

That may explain why this strain of malware was able to infect 74,126 systems in 196 countries during the course of a year and a half, with the top five comprised nations being Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The types of organizations breached included Fortune 500 firms; local, state, and federal government agencies, energy, financial services, ISPs, education, and technology companies.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Once infected with this scourge, the botnet can capture everything the victim types into web forms, and by doing so prior to the SSL session, can sidestep the authentication. The botnet is also capable of capturing cookies, passwords and usernames stored on user systems, grab files off of the infected end-point, and it provides full remote control capabilities on the infected system. Additional malware can be downloaded to the system at the will of the attacker.

Almost all of these infections start with a socially engineered phishing scam to convince people to open an infected file or visit a malicious Web site to download the malware. The files are often injected through a software vulnerability. The vogue vectors recently have been browser flaws, and Adobe PDF files. And that appears to be the case in these attacks, as well.

Typically -- whether discussing ZeuS, Kneber, and similar malware -- once an endpoint is infected, it's only a matter of time before the determined attacker will make their way onto the primary network. Then it's really game over. The attackers will entrench themselves with more malware and uncover more vulnerabilities throughout the network. I'll bet many of the organizations that got deeply infected with this attack focus most of their vulnerability assessments on their external network, and too little on hardening their end-points and internal systems.

They're also relying on their endpoint anti-virus and firewalls too heavily, which can be too easily bypassed through a single bad click by an employee. And that sad fact isn't going to change until the software we all use improves.

We didn't really need a high-profile cyber attack drill this week to tell us that businesses and the government are unprepared against these types of attacks. You only needed to skim the IT news headlines that have been screaming about such problems for a about a decade.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting