Feeds

Almost 2,500 firms breached in ongoing hack attack

Zeus and Waledac unite in global botnet

Top 5 reasons to deploy VMware with Tegile

Criminal hackers have penetrated the networks of almost 2,500 companies and government agencies in a coordinated campaign that began 18 months ago and continues to steal email passwords, login credentials, and other sensitive data to this day, a computer security company said.

The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies, according to research from NetWitness, a Herndon, Virginia-based network forensics firm. Many of the victims are Fortune 500 firms in the financial, energy, and high technology industries.

Company researchers have already reported the attacks to federal authorities and are in the process of notifying individual victims.

"The botnet is still active and still actively being managed by the organized criminal activity behind it," NetWitness CTO Tim Belcher told The Register. "Over the last month, we've seen it retask its (victim) members half a dozen times looking for different types of information."

The revelation comes a month after Google disclosed that its network and those of at least 20 other large companies were penetrated by hackers targeting intellectual property. By contrast, the attack discovered by NetWitness has breached about 2,400 companies, according to a 75-gigabyte cache of data stolen over a four-week period that the company was able to intercept. Because it's a small fraction of the information siphoned during the 18-month attack, the actual number of affected organizations could be much higher.

The finding sheds new light on Zeus, which by most accounts is ranked as the world's No. 2 botnet in terms of infected computers. While the malware was generally believed to focus on the theft of online-banking credentials, NetWitness researchers have observed the trojan stealing passwords used to access corporate networks, source code repositories, and even dossier-level data sets of individuals who used victim machines.

The researchers were also surprised to find the infected machines working hand-in-hand with malware that's generally considered to rival Zeus. More than half of the compromised PCs were also infected by Waledac, a bot primarily used to send spam that contains a backdoor that's driven by a highly efficient peer-to-peer engine.

While it's not uncommon for PCs to be infected by multiple bots, the researchers speculate that the unusually high amount of overlap means the criminals behind the attacks used multiple strains in the event that one infection were to be discovered by security personnel.

The mass infections were discovered on January 26, when a NetWitness employee was performing a scan on a customer's network that had been suspected of being breached. He soon found that a PC on the system was infected by a botnet known as Grum. Curiously, when the compromised machine contacted a command and control channel at silence7.cn, it was instructed to download and execute a file related to Zeus.

"Its pretty evident to us that it's a resilience play where they're infecting it with multiple pieces of malware," Belcher said.

By cross-referencing the contact details for silence7.cn, the researchers were able to find evidence that the attacks were probably carried out by the same individuals in Eastern Europe suspected of orchestrating a phishing scheme that spoofed National Security Agency emails in an attempt to steal passwords from US government and military organizations.

The crew used command-and-control servers physically located in Germany and the Netherlands, and most of the domain names were obtained from China-based registrars, most likely because they are slow to respond to reports of abuse, Belcher said.

Belcher declined to name any of victims breached in the attacks. But according to a report in The Wall Street Journal, the companies included pharmaceutical giant Merck and healthcare provider Cardinal Health. Both companies admitted to being affected but said they had "isolated and contained the problem," the paper said.

Citing unnamed people, The Wall Street Journal report said that Paramount Pictures and Juniper Networks were also infiltrated. It went on to report that the attackers obtained the user name and password of a US soldier's military email account, but a Pentagon spokesman declined to confirm. In all, NetWitness found evidence that organizations in 196 countries were breached, with concentrations highest in Egypt, Mexico, Saudi Arabia, Turkey, and the United States.

NetWitness has dubbed it the "kneber botnet" based on part of the Yahoo email address used as a contact for many of the domain names tied to the attacks.

The findings are the latest to cast doubt on the ability of Fortune 500 companies and government agencies to secure their networks against a rising cast of well-funded hackers sponsored by nation states or organized-crime gangs.

"Many of these organizations I am aware of their expertise in security, and yet this continues to operate on their internal networks with impunity," Belcher said. "It tells me our approach to net security is failing on a broad scale." ®

Internet Security Threat Report 2014

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.