Feeds

Almost 2,500 firms breached in ongoing hack attack

Zeus and Waledac unite in global botnet

The Essential Guide to IT Transformation

Criminal hackers have penetrated the networks of almost 2,500 companies and government agencies in a coordinated campaign that began 18 months ago and continues to steal email passwords, login credentials, and other sensitive data to this day, a computer security company said.

The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies, according to research from NetWitness, a Herndon, Virginia-based network forensics firm. Many of the victims are Fortune 500 firms in the financial, energy, and high technology industries.

Company researchers have already reported the attacks to federal authorities and are in the process of notifying individual victims.

"The botnet is still active and still actively being managed by the organized criminal activity behind it," NetWitness CTO Tim Belcher told The Register. "Over the last month, we've seen it retask its (victim) members half a dozen times looking for different types of information."

The revelation comes a month after Google disclosed that its network and those of at least 20 other large companies were penetrated by hackers targeting intellectual property. By contrast, the attack discovered by NetWitness has breached about 2,400 companies, according to a 75-gigabyte cache of data stolen over a four-week period that the company was able to intercept. Because it's a small fraction of the information siphoned during the 18-month attack, the actual number of affected organizations could be much higher.

The finding sheds new light on Zeus, which by most accounts is ranked as the world's No. 2 botnet in terms of infected computers. While the malware was generally believed to focus on the theft of online-banking credentials, NetWitness researchers have observed the trojan stealing passwords used to access corporate networks, source code repositories, and even dossier-level data sets of individuals who used victim machines.

The researchers were also surprised to find the infected machines working hand-in-hand with malware that's generally considered to rival Zeus. More than half of the compromised PCs were also infected by Waledac, a bot primarily used to send spam that contains a backdoor that's driven by a highly efficient peer-to-peer engine.

While it's not uncommon for PCs to be infected by multiple bots, the researchers speculate that the unusually high amount of overlap means the criminals behind the attacks used multiple strains in the event that one infection were to be discovered by security personnel.

The mass infections were discovered on January 26, when a NetWitness employee was performing a scan on a customer's network that had been suspected of being breached. He soon found that a PC on the system was infected by a botnet known as Grum. Curiously, when the compromised machine contacted a command and control channel at silence7.cn, it was instructed to download and execute a file related to Zeus.

"Its pretty evident to us that it's a resilience play where they're infecting it with multiple pieces of malware," Belcher said.

By cross-referencing the contact details for silence7.cn, the researchers were able to find evidence that the attacks were probably carried out by the same individuals in Eastern Europe suspected of orchestrating a phishing scheme that spoofed National Security Agency emails in an attempt to steal passwords from US government and military organizations.

The crew used command-and-control servers physically located in Germany and the Netherlands, and most of the domain names were obtained from China-based registrars, most likely because they are slow to respond to reports of abuse, Belcher said.

Belcher declined to name any of victims breached in the attacks. But according to a report in The Wall Street Journal, the companies included pharmaceutical giant Merck and healthcare provider Cardinal Health. Both companies admitted to being affected but said they had "isolated and contained the problem," the paper said.

Citing unnamed people, The Wall Street Journal report said that Paramount Pictures and Juniper Networks were also infiltrated. It went on to report that the attackers obtained the user name and password of a US soldier's military email account, but a Pentagon spokesman declined to confirm. In all, NetWitness found evidence that organizations in 196 countries were breached, with concentrations highest in Egypt, Mexico, Saudi Arabia, Turkey, and the United States.

NetWitness has dubbed it the "kneber botnet" based on part of the Yahoo email address used as a contact for many of the domain names tied to the attacks.

The findings are the latest to cast doubt on the ability of Fortune 500 companies and government agencies to secure their networks against a rising cast of well-funded hackers sponsored by nation states or organized-crime gangs.

"Many of these organizations I am aware of their expertise in security, and yet this continues to operate on their internal networks with impunity," Belcher said. "It tells me our approach to net security is failing on a broad scale." ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.