Almost 2,500 firms breached in ongoing hack attack

Zeus and Waledac unite in global botnet

Criminal hackers have penetrated the networks of almost 2,500 companies and government agencies in a coordinated campaign that began 18 months ago and continues to steal email passwords, login credentials, and other sensitive data to this day, a computer security company said.

The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies, according to research from NetWitness, a Herndon, Virginia-based network forensics firm. Many of the victims are Fortune 500 firms in the financial, energy, and high technology industries.

Company researchers have already reported the attacks to federal authorities and are in the process of notifying individual victims.

"The botnet is still active and still actively being managed by the organized criminal activity behind it," NetWitness CTO Tim Belcher told The Register. "Over the last month, we've seen it retask its (victim) members half a dozen times looking for different types of information."

The revelation comes a month after Google disclosed that its network and those of at least 20 other large companies were penetrated by hackers targeting intellectual property. By contrast, the attack discovered by NetWitness has breached about 2,400 companies, according to a 75-gigabyte cache of data stolen over a four-week period that the company was able to intercept. Because it's a small fraction of the information siphoned during the 18-month attack, the actual number of affected organizations could be much higher.

The finding sheds new light on Zeus, which by most accounts is ranked as the world's No. 2 botnet in terms of infected computers. While the malware was generally believed to focus on the theft of online-banking credentials, NetWitness researchers have observed the trojan stealing passwords used to access corporate networks, source code repositories, and even dossier-level data sets of individuals who used victim machines.

The researchers were also surprised to find the infected machines working hand in hand with malware that is generally considered a rival of Zeus. More than half of the compromised PCs were also infected with Waledac, a bot used primarily to send spam that also carries a backdoor driven by a highly efficient peer-to-peer engine.

While it's not uncommon for PCs to be infected by multiple bots, the researchers speculate that the unusually high degree of overlap means the criminals behind the attacks deliberately used multiple strains, so that their access would survive if one infection were discovered and removed by security personnel.

The mass infections were discovered on January 26, when a NetWitness employee was scanning the network of a customer suspected of having been breached. He soon found a PC on the network that was infected by a bot known as Grum. Curiously, when the compromised machine contacted its command-and-control channel at silence7.cn, it was instructed to download and execute a file related to Zeus.

"It's pretty evident to us that it's a resilience play where they're infecting it with multiple pieces of malware," Belcher said.

By cross-referencing the contact details for silence7.cn, the researchers were able to find evidence that the attacks were probably carried out by the same individuals in Eastern Europe suspected of orchestrating a phishing scheme that spoofed National Security Agency emails in an attempt to steal passwords from US government and military organizations.

The crew used command-and-control servers physically located in Germany and the Netherlands, and most of the domain names were obtained from China-based registrars, most likely because they are slow to respond to reports of abuse, Belcher said.

Belcher declined to name any of the victims breached in the attacks. But according to a report in The Wall Street Journal, the companies included pharmaceutical giant Merck and healthcare provider Cardinal Health. Both companies admitted to being affected but said they had "isolated and contained the problem," the paper said.

Citing unnamed people, The Wall Street Journal report said that Paramount Pictures and Juniper Networks were also infiltrated. It went on to report that the attackers obtained the user name and password of a US soldier's military email account, but a Pentagon spokesman declined to confirm this. In all, NetWitness found evidence that organizations in 196 countries were breached, with the highest concentrations in Egypt, Mexico, Saudi Arabia, Turkey, and the United States.

NetWitness has dubbed it the "kneber botnet" based on part of the Yahoo email address used as a contact for many of the domain names tied to the attacks.
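Both of the attribution steps described above, cross-referencing the registrant contact details for silence7.cn and naming the botnet after an email address shared by many of its domains, come down to pivoting across domains on shared registration and hosting indicators. The following is an added example of that pivot and is not NetWitness's tooling or code from this article. Every record is constructed sample data: the domains other than silence7.cn, the contact addresses, name servers and IP addresses are all hypothetical, and the values shown for silence7.cn are placeholders rather than its actual registration data.

```python
"""Infrastructure pivot over shared WHOIS / hosting indicators.

Added example, not NetWitness code. Starting from a seed domain, walk to
every domain that shares a registrant e-mail, name server or hosting IP
with it, transitively (A shares an e-mail with B, B shares an IP with C),
and record which indicator produced each link so an analyst can audit
the chain. All records are constructed sample data; only silence7.cn is
named in the article, and its indicator values here are hypothetical.
"""
from collections import defaultdict

# Constructed sample records (hypothetical values throughout).
RECORDS = {
    "silence7.cn":              {"email": "kneber@mail.example",
                                 "ns": "ns1.nshost.test", "ip": "198.51.100.7"},
    "c2-alpha.test":            {"email": "kneber@mail.example",
                                 "ns": "ns9.other.test", "ip": "203.0.113.9"},
    "c2-beta.test":             {"email": "someone-else@mail.example",
                                 "ns": "ns9.other.test", "ip": "203.0.113.9"},
    "phish-nsa-lookalike.test": {"email": "privacy@registrar-proxy.test",
                                 "ns": "ns3.nshost.test", "ip": "203.0.113.9"},
    "unrelated-shop.test":      {"email": "owner@shop.test",
                                 "ns": "ns1.bigdns.test", "ip": "192.0.2.50"},
    "unrelated-blog.test":      {"email": "privacy@registrar-proxy.test",
                                 "ns": "ns1.bigdns.test", "ip": "192.0.2.51"},
}

# Indicators that link far too many unrelated domains to mean anything:
# registrar privacy-proxy contacts, big shared-hosting IPs, public DNS providers.
NOISY = {("email", "privacy@registrar-proxy.test")}

# Any single indicator shared by more domains than this is treated as noise too.
MAX_SHARED = 20


def build_index(records):
    """Map each (kind, value) indicator to the set of domains carrying it."""
    index = defaultdict(set)
    for domain, attrs in records.items():
        for kind, value in attrs.items():
            index[(kind, value)].add(domain)
    return index


def pivot(seed, records=RECORDS, noisy=NOISY, max_hops=3):
    """Breadth-first walk from seed over shared indicators.

    Returns {domain: (hops_from_seed, linking_indicator)}; the seed maps
    to (0, None). Noisy indicators and indicators shared by more than
    MAX_SHARED domains are never followed.
    """
    index = build_index(records)
    found = {seed: (0, None)}
    frontier = [seed]
    hops = 0
    while frontier and hops < max_hops:
        hops += 1
        next_frontier = []
        for domain in frontier:
            for key in records[domain].items():
                if key in noisy or len(index[key]) > MAX_SHARED:
                    continue
                for other in index[key]:
                    if other not in found:
                        found[other] = (hops, key)
                        next_frontier.append(other)
        frontier = next_frontier
    return found


def report(seed, records=RECORDS):
    """Human-readable chain for each linked domain."""
    lines = []
    for domain, (hops, key) in sorted(pivot(seed, records).items(),
                                      key=lambda kv: kv[1][0]):
        via = "seed" if key is None else f"shared {key[0]} {key[1]}"
        lines.append(f"{domain:28} hop {hops}  via {via}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("silence7.cn"))
```

With the constructed data, the walk reaches c2-alpha.test through the shared contact address, then c2-beta.test and phish-nsa-lookalike.test through the name server and hosting IP that c2-alpha.test shares with them. unrelated-blog.test is not reached, even though it shares a contact address with the lookalike domain, because that address is a registrar privacy proxy and is listed as noisy; drop the noise list and it joins the cluster at hop three, which is exactly the false linkage that makes unfiltered WHOIS pivots unreliable.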

The findings are the latest to cast doubt on the ability of Fortune 500 companies and government agencies to secure their networks against a rising cast of well-funded hackers sponsored by nation states or organized-crime gangs.

"Many of these organizations, I am aware of their expertise in security, and yet this continues to operate on their internal networks with impunity," Belcher said. "It tells me our approach to net security is failing on a broad scale."
