Symantec confirms Reader exploits targeted defense companies
November attacks delivered in malicious PDFs attached to messages promising a contract guide for 2012
Computerworld - Security researchers at Symantec today confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses.
"We've seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector," said Joshua Talbot, senior security manager in Symantec's security response group, in an interview Wednesday.
Symantec mined its global network of honeypots and security detectors -- and located email messages with attached malicious PDF documents -- to come to that conclusion.
The inclusion of defense contractors was not unexpected.
Yesterday, when Adobe warned Reader and Acrobat users that hackers were exploiting a "zero-day" bug on Windows PCs, it credited Lockheed Martin's security response team and the Defense Security Information Exchange (DSIE), a group of major defense contractors that share information about computer attacks, with reporting the vulnerability.
The DSIE is composed of companies that are also part of what the federal government calls the "Defense Industrial Base," or DIB. Among the DIB's members are some of the country's largest defense contractors, including Boeing, General Dynamics, Lockheed Martin, Northrup Grumman, Pratt & Whitney and Raytheon.
Symantec found attack emails dated Nov. 1 and Nov. 5, 2011.
It also published an image of a redacted email of the attack's bait -- the promise of a 2012 guide to policies on new contract awards -- that it said was a sample of the pitches that tried to dupe recipients into opening the attached PDF document.
The message's subject heading read, "FY12 XXXXX Contract Guide," and the body simply stated, "FY12 XXXXX contract guide is now available for all contractors of XXXXX. The new guide contains update information of XXXXX policy on contract award process.
Opening the attached attack PDF also executed the malicious code -- likely malformed 3-D graphics data -- hidden in the PDF, compromising the targeted PC and letting the attacker infect the machine with malware.
That malware, Talbot said, was identical to what was used in early 2010 by hackers exploiting a then-unpatched bug in Microsoft's Internet Explorer 6 (IE6) and IE7.
Symantec labeled the malware "Sykipot" last year.
"It's not overly sophisticated," said Talbot. "It's a general-purpose backdoor. One of the interesting things about it is that it does use a form of encryption of the stolen information, which helps the attack hide what information is stolen."
Sykipot encrypts the pilfered data after it has been retrieved from the victimized firm but while it is still stored on the company's network, as well as when it's transmitted to a hacker-controlled server.
Those command-and-control (C&C) servers are still operating, Talbot said.
Because of the similarities -- using Sykipot, which isn't widely in play, and exploiting zero-day vulnerabilities -- Symantec suspects that the same group of hackers who launched the attacks against IE6 and IE7 last year were also responsible for the Reader-based attacks seen last month.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts