The targeted attack responsible for the U.S. Chamber of Commerce breach exploited serious weaknesses in the lobbying group's security defenses, according to security experts, and may have been a staging ground for attacks on Chamber member organizations.
Investigators haven't determined how attackers infiltrated the U.S. Chamber of Commerce, but once in, the attackers stealthily targeted approximately four people involved in the Chamber's Asian policy affairs, according to a report in the Washington Post. Experts said that while it's unclear whether spear phishing attacks were involved, they have become the modus operandi of many of the most sophisticated attacks, enabling cybercriminals to gain an initial foothold in an organization's systems.
"Years ago we used to say people got in through server vulnerabilities, but if we look back at this year of Microsoft vulnerabilities, we see a high majority of them we would classify as client-side bugs," said Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle. "Many of these attacks require the user to take some action, but they're taking advantage of a piece of software that is otherwise silent but the user has activated it."
The organization learned of the attack from the FBI, and an independent team of forensics investigators said the Chamber's systems were compromised between November 2009 and May of 2010, though investigators said the attackers may have had network access for more than a year.
The Chamber has 450 employees and is the country's largest lobbying organization on behalf of businesses. The attack is believed to have been carried out by malicious hackers in China. The forensics team uncovered evidence that as many as 50 Chamber members were compromised. Backdoors on compromised systems connected to command-and-control servers, where it's believed that well-funded cybercriminals pored through stolen email messages for financial documents and other sensitive data. Data stolen, according to the Post report, included trade-policy documents, meeting notes, trip reports and schedules.
"Despite the trade information they gleaned off of emails, a very likely motivation behind the attack is to get to the members," said Harry Sverdlove, CTO of Waltham, Mass.-based application whitelisting vendor Bit9 Inc. "If the attackers can send Chamber members a spear phishing message from a legitimate Chamber email address, then they have the potential to gain access to the systems of larger U.S. corporations."
The attackers used techniques strikingly similar to those used in previous high-profile data breaches believed to have ties to nation-states. The RSA SecurID breach and the Operation Aurora attacks that targeted Google and other U.S. corporations last year started with spear phishing attacks on relatively benign employees. Additionally, attackers this year targeted oil and other energy companies in a campaign dubbed the Night Dragon attacks. Once the attackers gain a foothold, they frequently use stolen credentials to access systems containing more critical data, bypassing many security technologies.
"We've learned with RSA that with spear phishing, even very sophisticated users could be breached," said Pete Lindstrom, research director at Pennsylvania-based security research firm Spire Security. "When we point out targeted attacks, the cybercriminal organization is sometimes going after a particular sort of information, and intellectual property is increasingly becoming a favorite target of attackers."
The U.S. Chamber of Commerce told the Post that it has since beefed up the security of its systems, adding monitoring technology and enforcing stricter security policies for workers who travel to Asia.
Lindstrom said many organizations rely on endpoint security software, primarily signature-based email filtering and antivirus technology, to weed out malicious attachments. Organizations with a lower risk tolerance will deploy intrusion detection and prevention systems to watch for malicious network traffic.
Unified threat management systems or next-generation firewalls could also alert on suspicious traffic trying to send sensitive data to remote locations, he said. Data leakage prevention also attempts to deal with the problem. Whitelisting, which blocks users from installing many programs on their systems, is effective, but could also bring about false positives, Lindstrom said.
"You want to develop context and understand who your adversary probably is," Lindstrom said. "There are loads of alternative ways to skin this cat and forestall the unwanted outcome, including user awareness training."