Cyber-Espionage, Duqu Trojan Lead Week's Security News

 
 
By Fahmida Y. Rashid  |  Posted 2011-11-06
 
 
 

Duqu continued to dominate security headlines as researchers analyzed the malware to discover its origins and intended target.

The Indian government, acting on information provided by Symantec researchers, raided a Web hosting company in Mumbai and seized hard drives and other components from a server suspected of being a remote command and control server for the information-stealing Trojan.

Teams of researchers around the world looked for the installation file to figure out how Duqu was being transmitted and to identify potential attack vectors. Hungary's Laboratory of Cryptography and System Security (CrySyS) and Symantec said they had found a malicious Word document booby-trapped to take advantage of a zero-day vulnerability in the Windows kernel.

Microsoft issued an advisory less than 48 hours later, identifying the unknown security flaw and providing a temporary workaround while the company worked on a patch. The issue with the Win32k TrueType font parsing affected every supported version of Windows, including the more secure Windows 7 and Windows Server 2008.

The patch will not be available by November's Patch Tuesday release this week, and Microsoft did not indicate when the Duqu fix would be available.

Symantec researchers, who first publicized Duqu in October, have identified another malware attack. The cyber-espionage campaign, dubbed "Nitro," resulted in unknown attackers stealing data from at least 48 companies, including chemical and defense companies.

Unlike Duqu, it doesn't appear that the gang behind Nitro bothered with any zero-day exploits. The cyber-spies relied on a well-known off-the-shelf Trojan called PoisonIvy to open a backdoor on infected systems. Once the Trojan was on the network, attackers were able to uncover network information and obtain a dump of cached Windows password hashes. Symantec claimed to have traced the servers that received the stolen data to an individual living in China.

Speaking of China, at least one Congressional report has taken off the diplomatic gloves and directly accused China and Russia of spying on the United States using cyber-methods. The Office of the National Counterintelligence Executive wrote in a report to Congress that China is the "world's most active and persistent" perpetrator of economic espionage against the United States.

China, Russia and other countries are using data stolen from cyber-espionage operations to benefit domestic companies and gain competitive advantage, the report said.

The U.S. and European Union conducted its first joint cyber-war exercise, to explore how officials on both sides of the Atlantic would cooperate in the case of a cyber-attack on critical infrastructure. EU officials have conducted several cyber-exercises recently, and the Department of Homeland Security regularly runs simulated attacks with various branches of the military and government agencies.

British authorities also arrested and jailed 13 people in England for participating in a Zeus Trojan cyber-fraud operation that may have bilked victims out of approximately $4.6 million. The gang used Zeus to infect user computers to steal documents and log-in credentials. The gang of 13 was led by two Ukranian men.

In a contest where participants applied social engineering techniques to obtain certain types of information, none of the 14 companies targeted succeeded in keeping the data safe, Social-Engineer.org disclosed in an Oct. 31 report summarizing an exercise conducted at the Defcon conference in early August. Firms targeted included Apple, AT&T, Conagra Foods, Dell, Delta Airlines, IBM, McDonald's, Oracle, Symantec, Sysco Foods, Target, United Airlines, Verizon and Walmart. 


Rocket Fuel