Ongoing Attacks Target Defense, Aerospace Industries

Gunkerty Jeb writes "Researchers have identified a strain of malware that's being used in a string of targeted attacks against defense contractors, government agencies and other organizations by leveraging exploits against zero-day vulnerabilities. The attacks may have been going on since 2009 in some form and the emails containing the malicious attachments are specifically targeted at executives and officials in various industries using fake conference invitations. The attack campaign, as many do, appears to be changing frequently, as the attackers use different binaries and change up their patterns for connecting to remote command-and-control servers. The research, done by Seculert and Zscaler, shows that the attackers are patient, taking the time to dig up some information about their potential targets, and are carefully choosing organizations that have high-value intellectual property and assets (PDF)."

I'd feel bad but...

[Nyder]

they reap what they sow.

You want to make the most profit you can, so you undercut. You leave things out, like good security. You make bad choices, all in the name of profit.

Well, you can't skimp on computer security, can you?

Re:I'd feel bad but...

[bkaul01]

Problem is, these attacks don't primarily rely on bad security for their point of entry, but on fooling users. You can have the most secure network in the world, but if a user clicks a malicious link that uses the latest zero-day exploit on some Adobe product, it doesn't matter. These aren't people finding holes in firewalls or ill-conceived or executed security plans; they're targeting pretty well-constructed, legit-looking attacks at specific individuals. You or I might be able to discern a malicious e-mail, even if it's really well put together, and something like 90% of other educated users can too, but if they get one or two people to click out of a few hundred, that's all it takes sometimes.

Re:I'd feel bad but...

[wmbetts]

When you're doing a targeted attack with an 0day in something like an ms office product it's pretty simple to get into the network. For example:

I send a resume to them that's not really a resume it's an 0day in word or adobe. This will get me into HR.
From HR I then send a list of xyz from a valid and known HR email address that would be of interest to some other manager in another department. I now have an in HR and the other department. I setup filters on the HR ladies computer so she/he won't see any replies to that email. I then send a sorry I didn't mean to send that yet follow up to any replies thus terminating the conversation about said spread sheet, PDF, or what ever.

Repeat until you have everything you want. Once you have the systems you want just sit there and monitor everything and you'll have all the designs, source, etc.

I know it might sound far fetched, but I saw something very similar happen at a maker of guitar peddles. They hacked the email server and then did the above and got repo access to the firmware source code and where gone before anyone knew what happened. As far as I know they never figured out who did it, but it was suggested that it was a foreign company.

More "cyber" law enforcement is. . .

. . . Going to occur. Meaning, because of crap like this, there will be a greater push for law enforcement types to be on the internet. This does not strike me as a good thing at all. I can see government security freaks pushing against privacy, required internet ID's, and laws against computers and people holding "viruses and other malicious code." As in all other areas, once you give an inch to government control, they will take feet.