
Ongoing Attacks Target Defense, Aerospace Industries

Posted by Soulskill
from the hackers-want-spaceships-with-lasers dept.
Gunkerty Jeb writes "Researchers have identified a strain of malware that's being used in a string of targeted attacks against defense contractors, government agencies and other organizations by leveraging exploits against zero-day vulnerabilities. The attacks may have been going on since 2009 in some form and the emails containing the malicious attachments are specifically targeted at executives and officials in various industries using fake conference invitations. The attack campaign, as many do, appears to be changing frequently, as the attackers use different binaries and change up their patterns for connecting to remote command-and-control servers. The research, done by Seculert and Zscaler, shows that the attackers are patient, taking the time to dig up some information about their potential targets, and are carefully choosing organizations that have high-value intellectual property and assets (PDF)."

  • Looks like we need to step it up a notch.
  • by Shag (3737) on Tuesday January 31, 2012 @04:14PM (#38881203) Homepage

    So, let's see it defend.

    • by alreaud (2529304)
      There is NOTHING that can defend against the failure of the wetware in the system architecture...
    • IMO, it's doing a pretty good job. I worked a while on the IA team, and from my experiences, breaches have been small and severely limited in damage ever since the USB drive debacle a few years ago (backdoor installed on vendor distributed drives from a tech conference caused gigs of classified data to be stolen).

      It takes 6 hours to receive an email through the firewall and filter, but at least there is no spam.
  • I wonder... (Score:4, Interesting)

    by AngryDeuce (2205124) on Tuesday January 31, 2012 @04:16PM (#38881231)
    China? Wouldn't be surprised...
    • by Anonymous Coward

      China runs the pirated infected Windows machines to mask the source of the Russian hackers.

      • If the government sector there is anything like the private sector I'm not surprised. Go look at the list of banned people on punkbuster, it's so bad that when my friends think someone is hacking, we just call them Russian.
  • by Anonymous Coward
    Or so some proclaim. I have to laugh all the times that I see people posting that there is no cold war by china against the west. China is NOT interested in what is best for their citizens. China is not even interested in grabbing Taiwan and simply calling it quits. They are interested in what will put their communist leadership in effective control. Sadly, most republicans and a number of dems are working hand in hand with the communist and handing it over to them.
  • by Nyder (754090) on Tuesday January 31, 2012 @04:28PM (#38881383) Journal

    they reap what they sow.

    You want to make the most profit you can, so you undercut. You leave things out, like good security. You make bad choices, all in the name of profit.

    Well, you can't skimp on computer security, can you?

    • by bkaul01 (619795) on Tuesday January 31, 2012 @04:36PM (#38881495)

      Problem is, these attacks don't primarily rely on bad security for their point of entry, but on fooling users. You can have the most secure network in the world, but if a user clicks a malicious link that uses the latest zero-day exploit on some Adobe product, it doesn't matter. These aren't people finding holes in firewalls or ill-conceived or executed security plans; they're targeting pretty well-constructed, legit-looking attacks at specific individuals. You or I might be able to discern a malicious e-mail, even if it's really well put together, and something like 90% of other educated users can too, but if they get one or two people to click out of a few hundred, that's all it takes sometimes.

      • Problem is, these attacks don't primarily rely on bad security for their point of entry, but on fooling users. You can have the most secure network in the world, but if a user clicks a malicious link that uses the latest zero-day exploit on some Adobe product, it doesn't matter. ....

        The thing is, often there's no need for any Adobe product at all. It's nice to have all the bells and whistles, but you can conduct business with plain ascii text emails, and other simpler, more secure systems. You can also use physical firewalls to prevent data from moving from/to the Internet.

        • by damm0 (14229)
          Uh, No. A smooth and engaging first impression can be a critical moment for a product or sales effort. Also, people feel more comfortable when the people they are talking with "look like them". On the Internet, "look like them" really translates into "my emails look like their emails" or "my documents are written in Word, and so are theirs." This application-generated serif is important! So, no, businesses are not going to switch over to emails in plain ASCII because you happen to think it is more secu
        • tried it, but hackers sent ^G until i had to switch back to sanscrit. (j/k!)

      • If there is a weakness, plan to reduce / remove / detect-&-mitigate it.

        Right now I agree with the GP. They're saving money by farming the responsibility out to the vendor of whatever product they purchase / lease.

      • by Jawnn (445279)

        Problem is, these attacks don't primarily rely on bad security for their point of entry, but on fooling users.

        Incorrect. Given that users will consistently do things that threaten security, giving them access to potential sources of malware is the very definition of "bad security". If those users' systems are "high value", or those users' systems are attached to a network connected to "high value" systems, giving those users access to the wild Internet is stupid.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        True. We need to do more to limit the opportunity for users to open the doors.

        Start with attachments. PDF files should be intercepted and extracted by the mail server, and reprinted to a new PDF file through a PDF engine that is enhanced to strip things like external links, javascript, etc., then replaced with a link so the user will pull the message from the internal secure attachment storage.

        Archive attachments get expanded, recursively, processed, and re-archived.

        All attachments should be checked for
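A defender-side sketch of the attachment gate this comment describes, written as an added example (it is not code from any commenter or from the reported research): archives are expanded recursively in memory, PDFs are screened for active-content name tokens (a coarse stand-in for the "reprint through a PDF engine" step, which needs a real PDF renderer), and executable types and excessive nesting are refused. All sample files and names are constructed.

```python
import io
import zipfile

# Constructed sample attachments (not real files): a minimal PDF carrying a
# JavaScript OpenAction, and a PDF with no active content.
PDF_WITH_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction "
               b"<< /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF")
PDF_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"

# PDF name tokens that mark scripts, launch/URI actions and embedded files.
# A token scan is only a coarse screen; re-rendering through a PDF engine is
# the stronger control. This decides what must not be delivered as-is.
ACTIVE_PDF_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                     b"/Launch", b"/URI", b"/EmbeddedFile")
BLOCKED_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
MAX_DEPTH = 3  # guard against zip-in-zip-in-zip nesting (decompression bombs)

def build_zip(entries):
    """Assemble an in-memory zip from {name: bytes}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def inspect_pdf(data):
    """Return the active-content tokens present in a PDF body."""
    return [t.decode() for t in ACTIVE_PDF_TOKENS if t in data]

def inspect(name, data, depth=0):
    """Recursively inspect one attachment; returns a list of 'path: reason'.
    Archives are expanded in memory and each member is inspected in turn."""
    findings = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in BLOCKED_EXT:
        return [f"{name}: blocked executable type {ext}"]
    if data.startswith(b"%PDF"):
        tokens = inspect_pdf(data)
        if tokens:
            findings.append(f"{name}: active PDF content {tokens}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            return findings + [f"{name}: archive nesting exceeds {MAX_DEPTH} levels"]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    findings += inspect(f"{name}/{info.filename}",
                                        zf.read(info), depth + 1)
    return findings

def should_quarantine(name, data):
    """Gate decision: anything with findings is held for review, not delivered."""
    return bool(inspect(name, data))

if __name__ == "__main__":
    # Constructed "conference invitation": a zip holding a nested zip with a
    # scripted PDF, plus a bare executable.
    sample = build_zip({"inner.zip": build_zip({"invite.pdf": PDF_WITH_JS,
                                                "notes.txt": b"agenda"}),
                        "setup.exe": b"MZ\x90\x00"})
    for line in inspect("conference.zip", sample):
        print(line)
```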

        • by Thing 1 (178996)

          Executives and active content should be stripped.

          Yeah, I know you're an AC and likely won't see it, but: love the typo. :)

      • by koan (80826)

        That's why you don't put your important info on computers that can be accessed over the Internet or access the Internet, you leave them on a secured LAN with no outside access, this also gives the opportunity to charge any person stealing military secrets with espionage and use the death penalty, quite an effective block to this silliness.

        • Well that's the fucked up thing.

          I'm a military contractor. While I'm waiting for a file to download, I'm posting on /. My other monitor has a spec on it right now.

          Nothing I work on with this computer is Classified, FULL STOP. 99% of the documents aren't classified anyway. There's no point and it just makes it harder to work with them.

          If for some reason I want to look at a Classified document, I have to do this:
          1. Request the document.
          2. Get that document request approved and sent to me via a CD with the

          • by koan (80826)

            Which is exactly how it should be done.
            Why should it be convenient for anyone? I wager 5 quatloos that convenience means little to nothing compared to information security.

      • by Reason58 (775044)

        Problem is, these attacks don't primarily rely on bad security for their point of entry, but on fooling users.

        Of course any enterprise level security plan should include user awareness training. The idea that security only applies to machines is not correct, even when it comes to IT.

        • by bkaul01 (619795)
          Of course, but it will never be 100% effective. You can reduce the click-rate from 10% to 1% through training, but there's still that 1% that will be fooled and click it to see what it is.
    • by wmbetts (1306001) on Tuesday January 31, 2012 @05:25PM (#38882121)

      When you're doing a targeted attack with an 0day in something like an ms office product it's pretty simple to get into the network. For example:

      I send a resume to them that's not really a resume it's an 0day in word or adobe. This will get me into HR.
      From HR I then send a list of xyz from a valid and known HR email address that would be of interest to some other manager in another department. I now have an in in HR and the other department. I set up filters on the HR lady's computer so she/he won't see any replies to that email. I then send a "sorry, I didn't mean to send that yet" follow-up to any replies, thus terminating the conversation about said spreadsheet, PDF, or whatever.

      Repeat until you have everything you want. Once you have the systems you want just sit there and monitor everything and you'll have all the designs, source, etc.

      I know it might sound far fetched, but I saw something very similar happen at a maker of guitar pedals. They hacked the email server and then did the above and got repo access to the firmware source code and were gone before anyone knew what happened. As far as I know they never figured out who did it, but it was suggested that it was a foreign company.

      • This. Plus, it becomes even easier with companies scattered all over the globe because you can't check on particular items that look odd. At least not easily or without the impediment of time zones.

  • ...the latest recipient of their "Clicky here purleese," email with the recruitment.xls attachment.

  • by Anonymous Coward on Tuesday January 31, 2012 @04:31PM (#38881415)

    I work for a military-tech company of sorts, and I'm pretty sure I've seen malicious emails like this... sounds pretty familiar with the bogus conference invites. Fortunately, the company seems to have competent IT, and most non-software people have pretty locked-down machines. Also, if you actually click a link in a malicious email, our internal DNS redirects to a page that essentially calls you an idiot for clicking that link, and warns you to be suspicious of certain emails or else IT will come give you a stern talking to.

    Executable attachments simply don't get through, as is common with corporate email. There are better ways to send things anyway.

    Certainly some emails would get through the cracks, but whatever my IT department does to make this work seems pretty effective.

    • targeted at bosses / higher-ups / the type of people who don't want IT in their way and they are the type of people who don't want to be locked down mainly as they have no idea on why they need to be locked down like that.

      • by X0563511 (793323)

        We are seeing Darwin at work, in an unexpected fashion.

        The more idiot bosses/execs that get nailed doing this, the less (theoretically) there will be when all is said and done.

        Let's just have some patience, and for now enjoy the show.

        • The more idiot bosses/execs that get nailed doing this, the less (theoretically) there will be when all is said and done.

          Except, considering the attitudes of pretty much everyone in middle-to-upper management, they will just throw the nearest IT person to the wolves and absolve themselves of any responsibility for their actions.

          Been to that rodeo, rode that bronco, got the t-shirt.

        • by jamstar7 (694492)

          We are seeing Darwin at work, in an unexpected fashion.

          The more idiot bosses/execs that get nailed doing this, the less (theoretically) there will be when all is said and done.

          Great in theory, but that's not quite how the universe works.

          Make an idiot-proof mousetrap and the universe evolves a smarter better class of idiot.

    • by rtb61 (674572)

      The reality is companies should start running networks in parallel. There is no reason that the network that handles email and web browsing should in any way be connected to the internal network. Any data transferred from one network to the other should only be done manually at the computer admin desk, after the data has been scanned and confirmed suitable to leave or be added. It is the simplest way to secure the system and the most reliable. Whilst it might cost a bit more, just one security failure cou

      • by damm0 (14229)
        In some companies, this approach would cost SO much as to effectively bankrupt the company. This approach is not the best. Hackers will get in. You can count on that.
  • by Anonymous Coward

    . . . Going to occur. Meaning, because of crap like this, there will be a greater push for law enforcement types to be on the internet. This does not strike me as a good thing at all. I can see government security freaks pushing against privacy, required internet ID's, and laws against computers and people holding "viruses and other malicious code." As in all other areas, once you give an inch to government control, they will take feet.

  • ... it's time to go back to the basics, like doing spear attacks.
  • by thestudio_bob (894258) on Tuesday January 31, 2012 @04:44PM (#38881581)

    Hmmm.... I don't remember having a conference call with a Nigerian prince. Maybe he wants to buy a lot of defense equipment. Awesome!

  • Maybe I'm from the old school but emails for me are meant to be only text. No html code, no attachment, no file... just plain text from beginning to end. Less risk in the first place. And wtf is wrong with them, opening emails with attachments anyway?
    • by tlhIngan (30335)

      Maybe I'm from the old school but emails for me are meant to be only text. No html code, no attachment, no file... just plain text from beginning to end. Less risk in the first place. And wtf is wrong with them, opening emails with attachments anyway?

      All it takes is the right email. Since this isn't a mass attempt at phishing, it'll take some research.

      First, find out a subcontractor (not hard to do if you read press releases), and a project they're working on.

      Then, you find out someone who would have something

  • That would be the ones that use 12345 or "password" for their authentication.
    Why do such places allow their users to see anything but plain text from outside sources? Since they are vulnerable to these exploits, one has to assume they have a MS infrastructure. Set the Outlook group policy to disable preview and display only the plain text portion of a message.
  • Why isn't all high-value email being run with an outlook client in a locked virtual machine? Say centralized, with a VNC connection and all the anti-malware scrubbing everything and resetting its configuration?

  • Red Chinese (Score:2, Troll)

    by benjfowler (239527)

    It'll be the Chinese. Their get-rich-quick mentality, and the evil Chinese Communist Party's habit of indoctrinating everyone with a bullshit sense of self-righteous grievance that everything is Whitey's fault, gives them license to lie, cheat and steal. Chinese have a "shame" culture (unlike our Western "guilt" culture). There's no shame in lying, cheating, dealing drugs, adulterating food and medicine, stealing, etc in their culture -- only the shame of getting caught.

    Too bad we can't give them a well des

  • DSS are already our cyber detectives [dss.mil] and can bring a great deal of wealth into what to expect with these types of attacks.

    This is their report from last year on what kind of defense contractors are being targeted and why. (PDF Warning 2011-unclassified-trends [dss.mil].) Social engineering has generally always been the weakest link in a good secure system, but can still be deterred with strict security policies. It's not really a matter of if you'll get infected, but a matter of when. I've heard of incidents
  • The Gov't and a lot of corporations run their networks like a home network. Flash, sure you can have that because you might want on YouTube and that is a good use of tax payer funds. Acrobat, yah here you go, never mind there are pdf viewers out there that are more secure. Whitelists and blacklists, nah, our users can sit around and watch porn all day, that is an even better use of taxpayer funds. Word docs and spreadsheets, yah you can send and receive those without worrying. We only scan your email f
    • The Gov't and a lot of corporations run their networks like a home network. Flash, sure you can have that because you might want on YouTube and that is a good use of tax payer funds. Acrobat, yah here you go, never mind there are pdf viewers out there that are more secure. Whitelists and blacklists, nah, our users can sit around and watch porn all day, that is an even better use of taxpayer funds. Word docs and spreadsheets, yah you can send and receive those without worrying. We only scan your email for anything you say regarding our CEO of the company or President of the US, but send and receive those viruses all day long as we have not figured out good perimeter security. Speaking of perimeter security, just email everything you want back and forth that is secure right, or download it to your laptop if you work for the VA.

      Well, I don't know which Gov't agencies you've dealt with, but this is not how it works at military installations. You can have Acrobat and Flash, but you don't get anywhere on the Internet that can do real damage save for Facebook and YouTube. You most certainly won't get to any porn sites. The web is heavily filtered at the AF base I work at.

  • 'Clearly the above patterns are trying to appear as though they are related to Microsoft's "Windows Update" service versus something malicious. A clear, common name for this particular threat did not seem to emerge in the open-source, so we have commonly referred to this threat family as the "MSUpdater" Trojan' link [seculert.com]
  • Has that industry been utilized for ANYthing other than perpetuating distant wars for the profit of a few corporations at great public expense ?
    Which expense, then came out of stuff that reflects directly on people's well being, and the general stability of the society in general, like social security or healthcare ?

    why should people give a fuck ? let corporations defend themselves with the money they sucked away from public funds behind the pretense of defense.

  • Hackers use PDFs to hack into defence contractors network.
    Read the full report in this PDF...
