Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/3/2008
07:24 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

The Steady Rise Of Targeted Trojan Attacks

Look before you click may be a good idea for a new IT security public awareness campaign. Consider the reports coming out of South Korea that North Korean spyware made it's way onto the computer of a S. Korean army Colonel. There's no reason why this can't happen to you.

Look before you click may be a good idea for a new IT security public awareness campaign. Consider the reports coming out of South Korea that North Korean spyware made it's way onto the computer of a S. Korean army Colonel. There's no reason why this can't happen to you.Here's the news from The Chosun IIbo:

A North Korean spyware e-mail was reportedly transmitted to the computer of a colonel at a field army command via China in early August. The e-mail contained a typical program designed automatically to steal stored files if the recipient opens it. It has not been confirmed whether military secrets were leaked as a result of the hacking attempt, but their scale could be devastating given that the recipient is in charge of the South Korean military's central nervous system -- Command, Control, Communication, Computer & Information (C4I).

Now, imagine if that happened to your company, only it's not military secrets, but corporate secrets, preannounced earnings reports, or the financial information of customers. It could happen, and it only requires a single employee clicking the wrong link, or inserting the wrong USB drive.

These types of attacks aren't anything new. In mid-2005, the U.K.'s Centre for the Protection of National Infrastructure (CPNI) warned that Trojan-horse attacks were targeting certain U.K. companies and government agencies.

This is from a SecurityFocus news story at the time:

This week, security company Symantec sorted through low-volume e-mail threats submitted to its response team for analysis and found several that had targeted U.S. government agencies or had been submitted to Symantec from government sources in the United States. (Symantec is the parent company of SecurityFocus.)

"This appears to be a very specific virus writer targeting government agencies and, not as (other articles) suggested, targeting only U.K. government agencies," said Dave Cowings, senior business intelligence manager for Symantec.

More recently, InformationWeek covered a warning from the SANS Internet Storm Center explaining that executives were being targeted with phishing e-mails that used fake subpoenas as bait. Click on the link and you're sent to a Web site crafted to push a Trojan to the system of the victim:

The SANS Internet Storm Center on Monday warned that CEOs of some companies are being targeted with a phishing attack involving fake federal subpoenas sent via e-mail.

"We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case," said John Bambenek, a security researcher at the University of Illinois at Urbana-Champaign and Internet Storm Center handler, in an online post. "It then asks them to click a link and download the case history and associated information. One problem: It's totally bogus."

These types of targeted attacks are, when it comes to security, the new black. Gone, for the most part, are the days of high-impact worms. It's about getting a foothold into your organization, and that can be done via a phishing attack, or from a bogus e-mail that looks to come from someone you know, to a fake profile on a social networking or microblogging site designed to do nothing more than infiltrate a targeted company, agency, or person of interest.

One of the best defenses against these types of attacks isn't anti-malware, content filtering, or IDS -- it's a workforce made aware of the dangers.

How do you fight targeted attacks aimed at your company? Let me know. And consider following my security (and other) observations throughout the day on Twitter.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.