Feeds

Adobe exploit bears fingerprints of hack on Google

New in-the-wild attacks unearthed

Choosing a cloud hosting partner with confidence

Recent attacks that exploit an unpatched vulnerability in Adobe's near-ubiquitous Reader application bear the hallmarks of the people who breached Google and dozens of other large companies earlier this year, researchers from Symantec said.

The booby-trapped PDF files are attached to emails that request interviews and offer expert commentary on matters involving North Korea and China, according to Symantec's Karthik Selvaraj. They began circulating as early as September 1 and contain similarities to emails that contained the Hydraq trojan that was used to penetrate Google, Adobe Systems and at least 32 other companies. Parallels include wording in the email, multiple variants of the PDF, and the same geographic region of one of the people responsible.

“If the above emails look familiar, it is because their style is very similar to the emails used in Hydraq (Aurora) attacks,” Selvaraj wrote here. “In addition, the use of a zero-day within a PDF, and how the executable is dropped on the system, all match the Hydraq method of operation. Furthermore, we have seen a large number of detections of unique versions of the PDF – not yet seen elsewhere in the wild – coming from a single computer in Shandong Province of China, which is how far back investigators were able to trace the Hydraq attacks.”

Adobe disclosed the zero-day vulnerability last week and warned that it was being actively exploited on the internet to attack users of its Reader application. In addition to bypassing protections built in to more recent versions of Microsoft Windows, the sophisticated exploit also used a stolen digital certificate belonging to Missouri-based Vantage Credit Union, evidently in an attempt to allay suspicions of prospective victims.

Adobe's security team has yet to say when it expects to release a patch. In the meantime, users who don't want to use an alternate PDF application can employ Microsoft's Enhanced Mitigation Experience Toolkit, or EMET, to block attacks. The tool, which was updated earlier this month, will insulate a Reader module that's targeted in the exploit, Adobe said.

Microsoft provides instructions and screenshots here. ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.