Symantec confirms Flash exploits targeted defense companies

November attacks delivered in malicious PDFs attached to messages promising a contract guide for 2012

Security researchers at Symantec today confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses.

"We've seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector," said Joshua Talbot, senior security manager in Symantec's security response group, in an interview Wednesday.

Symantec mined its global network of honeypots and security detectors -- and located email messages with attached malicious PDF documents -- to come to that conclusion.

The inclusion of defense contractors was not unexpected.

Yesterday, when Adobe warned Reader and Acrobat users that hackers were exploiting a "zero-day" bug on Windows PCs, it credited Lockheed Martin's security response team and the Defense Security Information Exchange (DSIE), a group of major defense contractors that share information about computer attacks, with reporting the vulnerability.

The DSIE is composed of companies that are also part of what the federal government calls the "Defense Industrial Base," or DIB. Among the DIB's members are some of the country's largest defense contractors, including Boeing, General Dynamics, Lockheed Martin, Northrup Grumman, Pratt & Whitney and Raytheon.

Symantec found attack emails dated Nov. 1 and Nov. 5, 2011.

It also published an image of a redacted email of the attack's bait -- the promise of a 2012 guide to policies on new contract awards -- that it said was a sample of the pitches that tried to dupe recipients into opening the attached PDF document.

The message's subject heading read, "FY12 XXXXX Contract Guide," and the body simply stated, "FY12 XXXXX contract guide is now available for all contractors of XXXXX. The new guide contains update information of XXXXX policy on contract award process.

Opening the attached attack PDF also executed the malicious code -- likely malformed 3-D graphics data -- hidden in the PDF, compromising the targeted PC and letting the attacker infect the machine with malware.

That malware, Talbot said, was identical to what was used in early 2010 by hackers exploiting a then-unpatched bug in Microsoft's Internet Explorer 6 (IE6) and IE7.

Symantec labeled the malware "Sykipot" last year.

"It's not overly sophisticated," said Talbot. "It's a general-purpose backdoor. One of the interesting things about it is that it does use a form of encryption of the stolen information, which helps the attack hide what information is stolen."

Sykipot encrypts the pilfered data after it has been retrieved from the victimized firm but while it is still stored on the company's network, as well as when it's transmitted to a hacker-controlled server.

Those command-and-control (C&C) servers are still operating, Talbot said.

Because of the similarities -- using Sykipot, which isn't widely in play, and exploiting zero-day vulnerabilities -- Symantec suspects that the same group of hackers who launched the attacks against IE6 and IE7 last year were also responsible for the Reader-based attacks seen last month.

Microsoft patched the IE6 and IE7 vulnerability on March 30, 2010, in an emergency, or "out-of-band," update.

Although Symantec found evidence of only the early-November attacks, Talbot said he wouldn't be surprised if the criminals fired off another information-stealing campaign between now and next week, when Adobe promised to patch the bug in Reader and Acrobat 9.x on Windows, the versions that have been exploited in the wild.

Talbot declined to specify the geographic location of the Sykipot C&C servers, or speculate on the origin of the Reader exploits.

Adobe will patch the Windows versions of Reader and Acrobat 9.x by the end of next week, and has promised to deliver fixes to Reader and Acrobat 9.x to Mac and Unix users, and to Reader and Acrobat 10.x for all platforms, next month.

Symantec has shipped detection signatures for the rogue PDFs to its customers, said Talbot.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags boeingGovernment use of ITsymantecsecurityIT in Governmentgovernmentlockheed martinMalware and Vulnerabilitiesraytheon

More about Adobe SystemsAppleBoeing AustraliaetworkGeneral DynamicsGoogleLockheed MartinMicrosoftRaytheon AustraliaSymantecTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place