A targeted attack responsible for the U.S. Chamber of Commerce breach exploited serious weaknesses in the lobbying group's security defenses, according to security experts, and was likely a staging ground for attacks on Chamber member organizations.
Investigators haven't determined how attackers infiltrated the U.S. Chamber of Commerce, but once in, the attackers stealthily targeted approximately four people involved in the Chamber's Asian policy affairs, according to a report in the Washington Post. Experts said that while it's unclear whether spear phishing attacks were involved, they have become the modus operandi of many of the most sophisticated attacks, enabling cybercriminals to gain the initial foothold in an organization's systems.
"Years ago we used to say people got in through server vulnerabilities, but if we look back at this year of Microsoft vulnerabilities, we see a high majority of them we would classify as client-side bugs," said Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle. "Many of these attacks require the user to take some action, but they're taking advantage of a piece of software that is otherwise silent but the user has activated it."
The organization learned of the attack from the FBI, and an independent team of forensics investigators said the Chamber's systems were compromised between November 2009 and May 2010, though investigators said the attackers may have had network access for more than a year.
The Chamber has 450 employees and is the country's largest lobbying organization on behalf of businesses. The attack is believed to have been carried out by malicious hackers in China. The forensics team uncovered evidence that as many as 50 Chamber members were compromised. Backdoors on compromised systems connected to command-and-control servers, where it's believed that well-funded cybercriminals pored through stolen email messages for financial documents and other sensitive data. Data stolen, according to the Post report, included trade-policy documents, meeting notes, trip reports and schedules.
"Despite the trade information they gleaned off of emails, a very likely motivation behind the attack is to get to the members," said Harry Sverdlove, CTO of Waltham, Mass.-based application whitelisting vendor Bit9 Inc. "If the attackers can send Chamber members a spear phishing message from a legitimate Chamber email address, then they've got the potential to realize access to the systems of bigger U.S. corporations."
The attackers used techniques that were strikingly similar to those used in previous high-profile data breaches believed to have ties to nation-states. The RSA SecurID breach and the Operation Aurora attacks that targeted Google and other U.S. corporations last year started with spear phishing attacks on relatively benign employees. Additionally, attackers this year targeted oil and other energy companies in a campaign dubbed the Night Dragon attacks. Once the attackers gain a foothold, they regularly use stolen credentials to access systems containing more critical data, bypassing many security technologies.
"We've learned with RSA that with spear phishing, even very sophisticated users should be breached," said Pete Lindstrom, research director at Pennsylvania-based security research firm Spire Security. "When we speak about targeted attacks, the cybercriminal organization is sometimes going after a selected form of information, and intellectual property is increasingly becoming a favorite target of attackers."
The U.S. Chamber of Commerce told the Post that it has since beefed up the security of its systems, adding monitoring technology and enforcing stricter security policies for staff who travel to Asia.
Lindstrom said many organizations rely on endpoint security software, primarily signature-based email filtering and antivirus technology, to weed out malicious attachments. Organizations with a lower risk tolerance will also deploy intrusion detection and prevention systems to watch for malicious network traffic.
Unified threat management systems or next-generation firewalls may also alert on suspicious traffic trying to send sensitive data to remote locations, he said. Data leakage prevention also attempts to address the problem. Whitelisting, which blocks users from installing many programs on their systems, is valuable but can also cause false positives, Lindstrom said.
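The whitelisting trade-off Lindstrom describes, both the benefit (an unapproved binary never runs) and the false positive (a legitimate program that was updated no longer matches its approved hash), can be seen in a small hash-based allowlist. The following is an added illustration written for this article, not code from Bit9 or any product mentioned here; the file paths and the byte strings standing in for executables are constructed samples.

```python
"""Hash-based application allowlist with a review queue for misses.

Added example for this article. The 'binaries' below are constructed
byte strings, and the paths are made up; nothing here is real software.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist identity of a program."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


@dataclass
class Allowlist:
    """Maps an install path to the single approved SHA-256 for that path."""
    approved: dict[str, str] = field(default_factory=dict)
    # Blocked executions an administrator should look at: the list is where
    # both real blocks and false positives end up, which is the cost of the
    # control.
    review_queue: list[tuple[str, str, str]] = field(default_factory=list)

    def approve(self, path: str, content: bytes) -> None:
        self.approved[path] = sha256_hex(content)

    def check(self, path: str, content: bytes) -> Verdict:
        """Decide whether `content` at `path` may execute.

        Default-deny: anything not explicitly approved is blocked, and a
        hash that differs from the approved one is blocked even though it
        may simply be a vendor update (the false-positive case).
        """
        digest = sha256_hex(content)
        expected = self.approved.get(path)
        if expected is None:
            verdict = Verdict(False, "unknown program: path not on allowlist")
        elif digest != expected:
            verdict = Verdict(False, "hash mismatch: file changed since approval")
        else:
            verdict = Verdict(True, "approved")
        if not verdict.allowed:
            self.review_queue.append((path, digest[:12], verdict.reason))
        return verdict


# Constructed stand-ins for executables (labels only, not real code).
MAIL_CLIENT_V1 = b"mail-client build 1.0 (constructed sample)"
MAIL_CLIENT_V2 = b"mail-client build 1.1 (constructed sample, vendor update)"
DROPPED_BINARY = b"unexpected attachment payload (constructed sample)"

MAIL_PATH = "C:/Program Files/MailClient/mail.exe"
DROP_PATH = "C:/Users/analyst/AppData/Local/Temp/update.exe"


def run_scenario() -> dict[str, bool]:
    """Exercise the three cases the article's discussion implies."""
    allowlist = Allowlist()
    allowlist.approve(MAIL_PATH, MAIL_CLIENT_V1)

    return {
        # Approved program, unchanged: runs.
        "approved_program": allowlist.check(MAIL_PATH, MAIL_CLIENT_V1).allowed,
        # Unknown binary dropped into a temp directory: blocked.
        "dropped_binary": allowlist.check(DROP_PATH, DROPPED_BINARY).allowed,
        # Same legitimate program after a vendor update: blocked too, which
        # is the false positive an administrator has to re-approve.
        "updated_program": allowlist.check(MAIL_PATH, MAIL_CLIENT_V2).allowed,
        # Both blocks landed in the review queue.
        "two_items_queued": len(allowlist.review_queue) == 2,
    }


if __name__ == "__main__":
    for case, allowed in run_scenario().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The point of the review queue is that the control does not distinguish between the dropped binary and the legitimate update; both are simply "not what was approved." Keeping the false positive visible, rather than silently failing, is what lets an administrator re-approve the update quickly while still treating the unknown binary as a potential incident.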
"You should develop context and understand who your adversary may well be," Lindstrom said. "There are plenty of other ways to skin this cat and stop the unwanted outcome, including user awareness training."