In yesterday’s assessment we reported on Google’s disclosure that it had been the victim of a highly sophisticated targeted attack and that some twenty plus other large companies had also been targeted. No more details appear to have emerged directly from Google at this time.

However, Adobe announced that they had also been victims of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies” but further stated that there was “no evidence to indicate that any sensitive information–including customer, financial, employee or any other sensitive data–has been compromised”. While the Adobe disclosure made no mention of any relationship to the Google attack, Computerworld is now reporting comments from an Adobe representative that the attacks appear to be related.

And yet another report of a targeted attack alleging a “cyber attack directed from within China” has surfaced. In this case, the affected company is a law firm who recently filed a software piracy action against the PRC and seven major computer manufacturers. The media report quotes that attorneys at the firm received “several targeted customized Trojan emails made to appear as if they were sent by other members of the firm”. It is further noted that it has not yet been determined if the attacks were successful but that the matter has been reported to the FBI. There is no suggestion in the media report that this attack is related to the Google or Adobe attacks.

Adobe Investigates Corporate Network Security Issue

http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
http://www.computerworld.com/s/article/9144378/Hackers_used_rigged_PDFs_to_hit_Google_and_Adobe_says_researcher
http://www.businesswire.com/portal/site/pecom/?ndmViewId=news_view&newsId=20100113006774&newsLang=en

The Google and Adobe disclosures have generated intense media coverage and speculation and appear to have significantly piqued the public interest. As a result of the level of interest, we expect to see attempts by criminal entities who have demonstrated an ability to quickly exploit public interest utilizing SEO (Search Engine Optimization) and spam campaigns with headlines and subjects relevant to, or associated with, in this case, the attacks. This in turn brings us to the next subject of today’s assessment.

As many may be aware, Haiti has been tragically devastated by an earthquake. The FBI has issued an alert warning, “Internet users who receive appeals to donate money in the aftermath of Tuesday’s earthquake in Haiti to apply a critical eye and do their due diligence before responding to those requests”. We advise our readers to note the advice in the FBI alert. Again, this is a subject of major public interest and unfortunately, a perfect vehicle for criminal entities to launch SEO and email campaigns. To put this public interest into perspective, CNN report that as of mid-day Wednesday, four of the top ten Twitter topics were on Haiti or earthquake relief and eleven of the top twenty topics on Google Trends (Wednesday afternoon) were Haiti or earthquake related. A CA blog posting (URL below) provides an example of malware from a Haiti related SEO campaign.

And lastly on the subject of SEO, spam, and public interest, it has only been a few days since Google announced the availability of the Nexus One phone. According to a PandaLabs blog posting dated the thirteenth, searching for “buy Nexus One” will provide around 4,000 malicious links. So, we urge readers to exercise caution and make sure anti-virus and security solutions are installed and up-to-date.
http://www.ic3.gov/media/2010/100113.aspx
http://www.cnn.com/2010/TECH/01/13/haiti.internet/index.html
http://community.ca.com/blogs/securityadvisor/archive/2010/01/13/latest-blackhat-seo-on-haiti-earthquake.aspx?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+CS_CASecurityAdvisorResearchBlog+%28CA+Security+Advisor+Research+Blog+%28CS%29%29
http://pandalabs.pandasecurity.com/

Additionally, we would like to draw attention to an integer underflow vulnerability in MIT Kerberos 5.x which could be remotely exploited leading to crashes and heap corruption or, in what is stated as “extraordinarily unlikely conditions”, arbitrary code execution. Affected versions are KDC and application servers in MIT krb5-1.3 and later releases, prior releases did not contain the vulnerable code. We advise users to check the vendor advisory for complete details and apply patches as recommended.
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-004.txt

Advertisements