$140 Billion Spearphishing Attack

April 24, 2013

Yesterday, April 23, the Twitter account of the AP wire service was compromised.  The perpetrators sent out a fake tweet from the real AP account saying that the President had been injured in a bombing at the White House.  There was no bombing.

[Image: Jay Carney confirms the President is fine]

This is the tweet that cost $140 billion in lost stock market value.

[Image: the fake AP tweet]

How could this have happened?  It happened because a spearphishing email tricked an employee of AP into giving up the credentials to AP’s Twitter account.  With the credentials in hand, the attackers were free to use the Twitter account for their own purposes.

As Jim Romenesko reported, AP staff were warned that they were under attack by a spearphishing email.  But that warning came too late.  Warnings always happen after the attack starts because, in the absence of time travel, an attack-specific warning cannot be issued before the attack is discovered.  Had AP been using SP Guard from Iconix, employees would have been able to easily determine that the email that pretended to be from a colleague was fake.

To learn more, you can contact us at 408-727-6342, ext. 3 or use our online form.


Drone Sector Under Spearphishing Attack

April 22, 2013

On April 17, 2013, FireEye reported on a series of spearphishing attacks against government agencies and aerospace, defense, and telecommunications companies in India and the United States.

The attachments that installed the malware varied considerably.  Some were blank, some were unreadable, some purported to contain contact data for a U.S. serviceman.  And some of the attachments were infected copies of an Indian researcher’s report on the Pakistani drone program.

[Image: the Indian researcher’s report on Pakistani drones]

FireEye reports on the various techniques that the attackers used to avoid detection.  FireEye identified these evasion methods:

  1. The file specifies fake properties, pretending to be from Google or Microsoft.
  2. The file is large, which is atypical of malware.  The large size also discourages detailed analysis.
  3. The file generates random data so that each copy has a unique hash, defeating hash-based detection.
  4. The malware uses programming tricks to evade detection by dynamic malware analysis systems.

Employees’ email decisions compromise security.  IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3 or use our online form.


APT – Going for Cybergold

April 12, 2013

Yesterday (April 11, 2013), Kaspersky Labs announced the results of an investigation, begun in autumn 2011, into malware targeting the gaming industry. Kaspersky has identified the attackers as the Winnti organization. Kaspersky observed:

It’s tempting to assume that Advanced Persistent Threats (APTs) primarily target high-level institutions: government agencies, ministries, the military, political organizations, power stations, chemical plants, critical infrastructure networks and so on. In this context it seems unlikely that a commercial company would be at risk unless it was operating on the scale of Google, Adobe or The New York Times, which was recently targeted by a cyberattack, and this perception is reinforced by the publicity that attacks on corporations and government organizations usually receive. However, any company with data that can be effectively monetized is at risk from APTs. This is exactly what we encountered here: it was not a governmental, political, military, or industrial organization but gaming companies that were targeted.

The target of the attack: gaming cyber gold, among other things.

As Kaspersky describes in detail in its 95-page report, in the Winnti attacks the attackers used all manner of highly tuned malware uniquely created to exploit the systems and engineering processes of each victim.  The exploits that were used against Victim A were different from the exploits used against Victim B.  In a particularly evil twist, the attackers stole victims’ digital signing certificates and then signed new malicious code with the certificates of previous victims, so that the malware appeared to come from a legitimate company.  This is consistent with our observation that, contrary to the assumptions of the Department of Homeland Security and the President of the United States, knowing the details of the attack on one entity is of little value in protecting other victims.  We discuss the inherent weakness in the information sharing model here.

The Winnti attacks also reiterate the infiltration method: highly targeted spearphishing emails.  Using their advanced forensic tools and skills, Kaspersky identified some of the attack emails.  In this example, the attackers replaced the real sending address with a spoofed internal “From” address, so the message appeared to come from inside the victim’s own company.  In the inbox, the victim saw this:

[Image: the spearphishing email as it appeared in the inbox list view]

Could there be a more enticing item in the inbox?  Of course, the victim opened this clever piece of social engineering. And this is what they saw:

[Image: the targeted email as opened by the victim]

The attachment purported to have the specifics of the pay and benefits adjustments.  Regrettably, the attachment could not be recovered; however, all of the circumstances make it clear that the malware which compromised the victim was delivered by this clever piece of deception.

Your personnel will receive deceptive emails.  Your security hangs in the balance when an employee decides to click a link or open an attachment.  Telling employees to avoid suspicious emails is good advice.  The attackers know this same guidance; that is why cyberattackers use social engineering to craft emails that are not suspicious. IT must intervene in the email processing decision.  That is the role of SP Guard.  Using SP Guard, IT can determine a list of trusted senders and provide this information to staff at the moment the person is deciding to click or pass.  In the SP Guard environment, staff can, for example, easily distinguish a trusted HR email from a spoofed HR email.
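One way mail infrastructure can back a trusted-senders list against the spoofed internal “From” trick described above, as an added example that is not SP Guard or Iconix code: compare the claimed From address with the envelope sender and the submitting host, which the attacker does not control. The domain, addresses and sample headers are constructed.

```python
"""Flag messages whose From header claims an in-house address but whose
envelope sender (Return-Path) or first Received hop is external.
Added example, not SP Guard code; domain and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                                # assumed corporate domain
TRUSTED_SENDERS = {"hr@example.com", "payroll@example.com"}    # assumed IT-maintained list

# Constructed samples: a genuine HR notice and a spoof that copies its From line.
GENUINE = """Return-Path: <hr@example.com>
Received: from mail.example.com (mail.example.com [10.1.2.3]) by mx.example.com
From: HR Department <hr@example.com>
Subject: Benefits enrollment reminder

Please review the attached schedule.
"""
SPOOFED = """Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (unknown [203.0.113.7]) by mx.example.com
From: HR Department <hr@example.com>
Subject: Pay and benefits adjustment

See attached for your new compensation details.
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def first_hop_host(msg):
    """Host that handed the message to our MX (the top Received header is newest)."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", received[0]) if received else None
    return m.group(1).lower() if m else ""

def classify(raw):
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    hop = first_hop_host(msg)
    if domain_of(from_addr) != INTERNAL_DOMAIN:
        return "external"
    # An internal From line must be backed by an internal envelope sender
    # and an internal submitting host; otherwise the header was forged.
    if domain_of(envelope) != INTERNAL_DOMAIN or not hop.endswith("." + INTERNAL_DOMAIN):
        return "spoofed-internal"
    return "trusted" if from_addr in TRUSTED_SENDERS else "internal"
```

The verdict is what a mail gateway would surface to the user at decision time; an "internal" address that is not on the trusted list still deserves a visible warning rather than silent delivery.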

You can contact us at 408-727-6342, ext. 3 or use our online form.


Smarter Malware

April 5, 2013

After a spearphishing email deceives a recipient into introducing malware into a network, diverse protective strategies kick into action. These defensive strategies monitor activity and flag unusual activities. The goal of the attacker is to “stay below the radar” and avoid detection.

FireEye has discovered malware that hides behind legitimate activity to evade detection. FireEye reports that, unsurprisingly, this malware is introduced as an attachment to a spearphishing email. After the malware, dubbed “Trojan.APT.BaneChant”, is installed, it engages in a multi-tiered defensive strategy to evade detection.  FireEye summarized the malware’s detection evasion strategies:

1. Evade sandboxes by detecting human behavior (multiple mouse clicks);
2. Evade network binary extraction technology by performing multi-byte XOR encryption on the executable file;
3. Socially engineer the user into thinking that the malware is legitimate;
4. Avoid forensics and incident response by using fileless malicious code; and
5. Prevent automated domain blacklisting by using redirection via URL shortening and Dynamic DNS services.

This smarter malware reiterates the cleverness and adaptability of our cyber adversaries. As defenses get better, the attackers will modify their attacks to overcome the new defenses, or even hijack the defenses and use the compromised defenses to support the attack.

In the face of smarter malware, the need to stop the attack while it is merely an unwanted, but deceitful, email becomes more urgent. Your personnel will receive malicious emails.  Your security hangs in the balance when an employee decides to click a link or open an attachment.  Telling employees to avoid suspicious emails is good advice.  The attackers know this same guidance; that is why cyberattackers use social engineering to craft emails that are not suspicious. IT must intervene in the email processing decision.  That is the role of SP Guard.  Using SP Guard, IT can determine a list of trusted senders and provide this information to staff at the moment the person is deciding to click or pass.  In the SP Guard environment, staff can, for example, easily distinguish a trusted HR email from a spoofed HR email.

You can contact us at 408-727-6342, ext. 3 or use our online form.