Skip Links

Cyberattack highlights software update problem in large organizations

Attackers targeting government employees working with nuclear weapons understood departments are using outdated versions of Windows,IE

By Antone Gonsalves, CSO
May 07, 2013 09:30 AM ET

CSO - A recent cyberattack targeting U.S. government employees working with nuclear weapons illustrates the vulnerability of large organizations that struggle with deploying protective software upgrades.

[ALSO: Worst data breaches]

The attackers, who compromised a Department of Labor website, exploited a previously unknown vulnerability, called a zero-day flaw, in Internet Explorer 8, commonly found on PCs running Windows XP. Javascript injected in the site redirected visitors using IE8 on XP to a malicious website.

In choosing to go after federal agencies, the attackers understood that many government departments are still using outdated versions of Windows and IE, due to the huge expense of upgrading thousands of people to newer versions. Such migrations involve the difficult task of upgrading many other business applications to support the new OS.

"There's a lot of government agencies, and commercial entities as well, that simply cannot upgrade to these latest versions," Eddie Mitchell, security researcher for Invincea, said Monday. "They have internal applications, HR (human resource) applications, payroll applications and such that were designed explicitly to work with Internet Explorer 8, which is why these organizations are still vulnerable."

Researchers agree that the command-and-control (C&C) servers in the latest attack, discovered last week, have attributes similar to those used in previous assaults originating from China.

FireEye reported that the host name of the C&C servers in the latest attack included the phrase "microsoftUpdate," which was also used in attacks over the last six months against the Council on Foreign Relations website and news sites in China visited by Chinese dissidents.

[Also see: Army Corps database on dams compromised]

"I'm not going to be surprised if they are originating from the same group," Zheng Bu, senior director of research for FireEye, said.

FireEye and Invincea have not identified the culprits, but AlienVault reported that the malware is using the same protocol to communicate with the C&C servers as the one used by a Chinese hacking group called Deep Panda. The group is known to attack a variety of U.S. entities, including the high-tech and defense industries and state and federal government agencies.

The pages compromised on the Labor Department site contained information that listed nuclear-related illnesses linked to Department of Energy facilities where employees are developing atomic weapons. Visitors were redirected to the malicious website unknowingly, since there was no obvious change in the browser.

That's accomplished through the use of JavaScript and HTML inline frames. Called iFrames, the technology is embedded in pages to link to malicious sites. IFrames were the most commonly used exploit in Web-based attacks in the second half of last year, according to Microsoft's latest Security Intelligence Report

Makers of popular exploit kits available in the criminal underground, such as Blackhole and Cool, are expected to incorporate the latest zero-day vulnerability soon, Mitchell said.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News