Spearphishing Compromises Israeli Police

October 31, 2012

TrendMicro has discovered a spearphishing attack that compromised the Israeli police.  The attack forced all police computers to be taken offline.

In a textbook example of effective social engineering, the attackers crafted this email which spoofed the name of a trusted sender (Benny Gantz, the head of the Israel Defense Forces), had text that was a strong call to action (in this case, a subject of immediate interest to Israeli security forces) and delivered an attachment with zero day exploits.

When the recipients opened the email, they were offered the opportunity to download the enticing attachment.  The attachment installed malware of the Xtreme remote access Trojan (RAT) variety. Like all RAT malware, this RAT can be used for cyberespionage and remote command execution.  TrendMicro reports that this is a new and improved RAT:

In addition to the standard features that are common to every RAT, the newest Xtreme RAT version also has the following features:

  • Windows 8 compatibility
  • improved audio and desktop capture capabilities
  • improved Chrome and Firefox password grabbing; it can also grab passwords from Opera and Safari
  • free updates from the developer

Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. Click here to learn more. You can contact us at 408-727-6342,ext 3 or use our online form.


Chasing What’s Already Gone – Cyberwar

October 22, 2012

Cyberwar is upon us.  Last month it was disclosed that the White House Military Office had been attacked.  Thousands of sensitive records have been stolen from the Pentagon.  Major banks have been compromised.

The administration has introduced legislation to address these threats.  Among the provisions of The Cybersecurity Act are data sharing rules.  In his Cyberwar Pearl Harbor speech,  Secretary of Defense Panetta explained data sharing:

Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure and resilient global, digital infrastructure. Particularly those who operate the critical networks that we must help defend.  To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace. We’ve made real progress in sharing information with the private sector.  But very frankly, we need Congress to act to ensure that this sharing is timely and comprehensive.  Companies should be able to share specific threat information with the government, without the prospect of lawsuits hanging over their head.  And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty bound to uphold.

Being unsatisfied with the progress of this legislation in Congress, the administration is now drafting an executive order.

The fundamental assumption of the legislation and the draft executive order is that prompt reporting of threats will be useful.The premise is that as an attack propagates over time, information gathered from early victims can be used to defend and protect subsequent victims. The flaw in this analysis is that highly targeted attacks do not propagate over time. The bad guys are using unique domains and unique malware to infiltrate systems.  FireEye has established that the most common threat profile is to use a single-use throw-away domain:

Microsoft research has demonstrated that unique attacks are the rule:

Ever since criminal malware developers began using client and server polymorphism (the ability for malware to dynamically create different forms of itself to thwart antimalware programs), it has become increasingly difficult to answer the question “How many threat variants are there?” Polymorphism means that there can be as many threat variants as infected computers can produce; that is, the number is only limited by malware’s ability to generate new variations of itself.

Finding the attack on Company A provides little useful information in protecting Company B.  By the time the attack on Company A has been discovered, the bad guy has created a new message, a new domain and new malware to attack Company B.  Sharing the information about the attack on Company A is chasing what’s already gone.  Mary Chapin Carpenter’s, “Chasing What’s Already Gone” is a fine song, but chasing what’s already gone is a poor cybersecurity strategy.

What is common in spearphishing attacks?  While the attack will use a new domain and new malware and even the text of the email will change, the bad guy will masquerade as a trusted sender.  By unmasking the attacker, SP Guard from Iconix provides another layer of defense. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more. You can contact us at 408-727-6342, ext 3 or use our online form.

Cyber Pearl Harbor

October 15, 2012

On October 11, 2012, Leon Panetta, the US Secretary of Defense, spoke about the cyberthreats against the United States. He called cyberthreats a potential cyber Pearl Harbor.  You can read a transcript of his remarks here.   You can see the CBS New Report by clicking the picture:

The Secretary spoke about the recent denial of service attack on financial institutions. He disclosed a previous classified attack on US oil interests:

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco.  Shamoon included a routine called a ‘wiper’, coded to self-execute.  This routine replaced crucial systems files with an image of a burning U.S. flag.  But it also put additional garbage data that overwrote all the real data on the machine.  More than 30,000 computers that it infected were rendered useless and had to be replaced.  It virtually destroyed 30,000 computers.

What is the most common digital backdoor that is wide open to our cyber adversaries?  As the Administration recently demonstrated for the U.S. Senate, that backdoor is spearphishing. Spearphishing is a cyberattack in which the adversary sends a highly targeted email to the intended victim in order to deceive the victim into an action (e.g., visit a website, click a link, open an attachment) that compromises the security of the systems. Note that in spearphishing, the point of attack is not the security technology, but the people.  Why are the people targeted instead of the systems? Because targeting people is the easiest and most effective way to enter a secure network. How effective is spearphishing?  Spearphishing has been demonstrated to have an effectiveness rate of up to 75%.

How can a spearphishing attack be prevented?  What is needed is a method to deprive the attacker of his ability to deceive. Spearphishers deceive by masquerading as trusted senders. At Iconix we identify trusted senders. Our identification system fights attackers masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. Click here to learn more. You can contact us at 408-727-6342, ext 3 or use our online form.

Spearphishing – The Scariest Cyberweapon

October 9, 2012

In a blog entry posted today, Patrik Runald of Websense writes, “What is Scaring Businesses the Most? Spear-phishing.”  The post explains the difference between high volume spam email and the social engineering used to create highly targeted emails.

The post describes a spearphishing technique in which the attackers use clever timing of different cyberattack tools to defeat cyber-defenses:

A typical attack of this type would have the bad guy doing the following:

  1. Find a URL that can be easily compromised… but do nothing at that time. Leave it ‘as is’ for now.
  2. Craft an email that will not trigger spam, AV or other security measures based on its content, but include links to the currently ‘safe’ URL. Since they typically pretend to be something legitimate, it is best to simply copy a legitimate message… and only change one link to the ‘safe’ URL.
  3. Send the email over the weekend, or late at night, so email defenses will approve the email and deliver it into the user’s mailbox.
  4. Just before you believe employees will begin accessing email, compromise the URL and install that part of the attack strategy.

Evasion techniques like these help when hackers are going for the big game – spear-phishing employees with access to a specific network or data or whale phishing, the targeting of executives at companies.

Websense suggests a three-part defense against spearphishing:

1. Employee Education
2. Email Sandboxing
3. Real-time analysis and inspection of your web traffic

With these measures, Websense estimates 95%+ effectiveness.  At Iconix we believe that this is good advice, but you need to do more to drive down the 5% gap.  Employee education can be augmented with a tool that makes employees more effective at avoiding deceptive emails.  Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.

Spearphishers Hack White House Nuclear Command Office

October 1, 2012

The Washington Free Beacon reports that a computer system used by the White House Military Office has been hacked by spearphishers.

U.S. officials familiar with reports of the White House hacking incident said it took place earlier this month and involved unidentified hackers, believed to have used computer servers in China, who accessed the computer network used by the White House Military Office (WHMO), the president’s military office in charge of some of the government’s most sensitive communications, including strategic nuclear commands. The office also arranges presidential communications and travel, and inter-government teleconferences involving senior policy and intelligence officials.

An Obama administration national security official said: “This was a spear phishing attack against an unclassified network.”

The White House confirmed the attack to Politico.com.  Politico.com reported that the attack affected an unclassified network, was “isolated” and that there was no evidence that any data had been stolen.

Washington Post Reports on Spearphishing

October 1, 2012

On September 26, 2012, The Washington Post investigations team published an article entitled, “In cyberattacks, hacking humans is highly effective way to access systems.”

The authors prepared a fascinating graphical description of a highly targeted email attack.  The graphic shows how the hacker starts by using data readily available on the internet to gather information about the target.  The attacker than crafts an email that will be enticing to the target.  When the target takes the action requested in the targeted email, malware is installed in the victim’s system.  At this point, the attacker is free to steal data and disrupt systems.

Demonstrating the persistence of the efforts to trick the victims into responding, the Washington Post noted:

The attackers were relentless, launching e-mails on at least 13 days. They also were creative. Attached to the e-mails were documents covering a variety of subjects that might be of interest to the executives: the U.S. debt crisis, Adobe updates, iTunes help and an analysis of the presidential election.

Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.