Almost 2,500 firms breached in ongoing hack attack

Zeus and Waledac unite in global botnet

Criminal hackers have penetrated the networks of almost 2,500 companies and government agencies in a coordinated campaign that began 18 months ago and continues to steal email passwords, login credentials, and other sensitive data to this day, a computer security company said.

The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies, according to research from NetWitness, a Herndon, Virginia-based network forensics firm. Many of the victims are Fortune 500 firms in the financial, energy, and high technology industries.

Company researchers have already reported the attacks to federal authorities and are in the process of notifying individual victims.

"The botnet is still active and still actively being managed by the organized criminal activity behind it," NetWitness CTO Tim Belcher told The Register. "Over the last month, we've seen it retask its (victim) members half a dozen times looking for different types of information."

The revelation comes a month after Google disclosed that its network and those of at least 20 other large companies were penetrated by hackers targeting intellectual property. By contrast, the attack discovered by NetWitness has breached about 2,400 companies, according to a 75-gigabyte cache of data stolen over a four-week period that the company was able to intercept. Because it's a small fraction of the information siphoned during the 18-month attack, the actual number of affected organizations could be much higher.

The finding sheds new light on Zeus, which by most accounts is ranked as the world's No. 2 botnet in terms of infected computers. While the malware was generally believed to focus on the theft of online-banking credentials, NetWitness researchers have observed the trojan stealing passwords used to access corporate networks, source code repositories, and even dossier-level data sets of individuals who used victim machines.

The researchers were also surprised to find the infected machines working hand-in-hand with malware that's generally considered to rival Zeus. More than half of the compromised PCs were also infected by Waledac, a bot primarily used to send spam, which also carries a backdoor driven by a highly efficient peer-to-peer engine.

While it's not uncommon for PCs to be infected by multiple bots, the researchers speculate that the unusually high amount of overlap means the criminals behind the attacks used multiple strains in the event that one infection were to be discovered by security personnel.

The mass infections were discovered on January 26, when a NetWitness employee was performing a scan on a customer's network that had been suspected of being breached. He soon found that a PC on the system was infected by a botnet known as Grum. Curiously, when the compromised machine contacted a command and control channel at silence7.cn, it was instructed to download and execute a file related to Zeus.

"It's pretty evident to us that it's a resilience play where they're infecting it with multiple pieces of malware," Belcher said.

By cross-referencing the contact details for silence7.cn, the researchers were able to find evidence that the attacks were probably carried out by the same individuals in Eastern Europe suspected of orchestrating a phishing scheme that spoofed National Security Agency emails in an attempt to steal passwords from US government and military organizations.

The crew used command-and-control servers physically located in Germany and the Netherlands, and most of the domain names were obtained from China-based registrars, most likely because they are slow to respond to reports of abuse, Belcher said.

Belcher declined to name any of the victims breached in the attacks. But according to a report in The Wall Street Journal, the companies included pharmaceutical giant Merck and healthcare provider Cardinal Health. Both companies admitted to being affected but said they had "isolated and contained the problem," the paper said.

Citing unnamed people, The Wall Street Journal report said that Paramount Pictures and Juniper Networks were also infiltrated. It went on to report that the attackers obtained the user name and password of a US soldier's military email account, but a Pentagon spokesman declined to confirm. In all, NetWitness found evidence that organizations in 196 countries were breached, with concentrations highest in Egypt, Mexico, Saudi Arabia, Turkey, and the United States.

NetWitness has dubbed it the "kneber botnet" based on part of the Yahoo email address used as a contact for many of the domain names tied to the attacks.

The findings are the latest to cast doubt on the ability of Fortune 500 companies and government agencies to secure their networks against a rising cast of well-funded hackers sponsored by nation states or organized-crime gangs.

"Many of these organizations I am aware of their expertise in security, and yet this continues to operate on their internal networks with impunity," Belcher said. "It tells me our approach to net security is failing on a broad scale." ®