A reason to update? 23 nations, 10 days, one Reader exploit

A week-long campaign used foreign policy, human rights and NATO documents to lure would-be victims into opening a malicious PDF attachment

A malware assault on several governments, exploiting a recently closed Adobe Reader flaw, highlights the importance of applying software updates swiftly -- particularly for government staff, if they're under attack.

According to researchers at Kaspersky Lab, a [[xref:http://www.cso.com.au/article/455015/researchers_discover_new_global_cyber-espionage_campaign/|targeted malware attack on governments and think-tanks]] has netted 59 victims across 23 countries in 10 days with an exploit for a Reader/Acrobat flaw (CVE-2013-0641) that Adobe patched on February 20.

That’s not many victims, but it was a week-long targeted campaign, which used foreign policy, human rights and NATO documents dated between 2005 and 2013 to lure would-be victims into opening a malicious PDF attachment.

The “dropper” for the lightweight, “old school” malware Kaspersky has called MiniDuke was created as recently as the day Adobe released a patch -- seven days after security firm FireEye discovered the original zero-day exploit, which was delivered inside a malicious PDF labelled “Visaform Turkey.pdf”.

The original exploit PDF could have targeted any non-Turkish citizen planning to travel to the country, and there was not much people could do besides hope that security software picked up the threat. But victims of the second campaign aimed at government employees after February 20 at least had a patch.

The command servers Kaspersky researchers analysed were communicating with government networks in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland, as well as a research institute and think tanks in the US.

Separate to the MiniDuke campaign, two days after Adobe released a patch, security researchers at Symantec and Seculert discovered that hackers were bundling the PDF exploit in a fake version of the recent Mandiant report on Chinese hacking. These attacks targeted Chinese journalists and Japanese speakers.

Kaspersky dismissed the malicious Mandiant PDFs as crude “dirty hacks” of the original exploit. “These newer attacks appear to have been created by a 0-day toolkit that was used to build the original “Visaform Turkey.pdf” discovered by FireEye,” the Russian security firm notes (PDF).

It's not known whether the new attacks were by the same group with a new target, or by a new group that had bought the exploit or somehow “captured” it.

On the other hand, originality and elegance may not be necessary for a successful campaign. The “Red October” campaign, which Kaspersky found had hit governments and other organisations in 39 nations, replaced executables in old Chinese-made exploits designed for Office and Java flaws that had long since been patched by Microsoft and Oracle.

The company’s recent research on government attacks shows that targeted attackers are more than willing to reuse older exploits and target flaws for which patches exist. And its advice is pretty much what every security expert already suggests: update Adobe Reader, remove Java if it’s not used, update to the latest version of Windows and Office, and of course, use up-to-date antivirus and scan incoming documents.


Stories by Liam Tung