Monday, October 1, 2012

Because that's where the money is

Money draws talent, and security is no exception.  Three examples show that the attackers are doing much more surgical targeting of victims.

Maker of "Smart Grid" control software hacked:
The maker of an industrial control system designed to be used with so-called smart grid networks disclosed to customers last week that hackers had breached its network and accessed project files related to a control system used in portions of the electrical grid.

Telvent, which is owned by Schneider Electric, told customers in a letter that on Sept. 10 it learned of the breach into its network. The attackers installed malicious software on the network and also accessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.

According to Telvent, its OASyS DNA system is designed to integrate a utility’s corporate network with the network of control systems that manage the distribution of electricity and to allow legacy systems and applications to communicate with new smart grid technologies.

Telvent calls OASyS “the hub of a real-time telemetry and control network for the utility grid,” and says on its website that the system “plays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.”
Isn't that exactly what the Bad Guys would want to target?  Project files for a deployed SCADA system describe how a particular customer's control network is wired together, which is reconnaissance an attacker would otherwise have to do from the inside.  Note that this software is also used extensively by oil and gas companies, and some water works as well.

Adobe scrambles to revoke stolen cert:
Adobe has revealed an attack that compromised some of its software development servers, resulting in its code signing certificate being used to disguise malware as Adobe software.

The attackers compromised a build server, Adobe says in this statement, which had “access to the Adobe code signing infrastructure”. The build server had been put into service even though “the details of the machine’s configuration were not to Adobe corporate standards”.

The company is now revoking the certificates, which had been used to sign at least pwdump7 v7.1, which extracts password hashes from Windows; libeay32.dll, which works in conjunction with pwdump; and myGeeksmail.dll, which it describes as a malicious ISAPI filter.
If you've ever wondered how your browser recognizes a secure web site (say, PayPal), it uses X.509 certificates, and the same machinery is what lets Windows tell you that a downloaded program was published by Adobe.  The math here is very, very good, but the whole thing rests on the private signing key only ever being used by the Good Guys.  If the Bad Guys get onto a system that can talk to that key - for example, Adobe's build server (the server that compiles their source code into executable software), which had "access to the Adobe code signing infrastructure" - then it's Game Over: whatever they push through it comes out signed by Adobe, indistinguishable from the real thing.  Adobe's statement says the private key itself sat in a hardware security module and was not extracted; the attackers simply used the build server to submit their own files for signing.  The only remedy after the fact is revocation, and because signed code carries a timestamp, Adobe had to pick an effective date (July 10, 2012) and re-sign everything it had legitimately shipped since then.

A build server is exactly the sort of system that the Bad Guys would want to target at a company like Adobe.  They used it to sign their own malware (a password hash dumper and a malicious IIS filter, hardly things Adobe would ship), and a Windows box will happily show "Adobe Systems Incorporated" as the publisher on the install prompt instead of the "Unknown publisher" warning, so presumably some computer users, and more than a few administrators, would have felt comfortable installing it.
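The practical check that follows from this, as an added example and not code from the original post or from Adobe: on Windows, ask for the Authenticode signature and then, separately, rebuild the signer's certificate chain with online revocation checking. The two can disagree, because a signature timestamped before a certificate's revocation date may still report Valid while the certificate itself is now revoked. The file path below is a placeholder; the function name is my own.

```powershell
# Added example (not from the original post or Adobe): verify a binary's Authenticode
# signature and independently check the signing certificate for revocation.
function Test-SignedBinary {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # placeholder: any signed .exe or .dll
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File              = $Path
        SigStatus         = $sig.Status     # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer            = $null
        Thumbprint        = $null
        Timestamped       = $false
        ChainBuilt        = $false
        Revoked           = $false
        RevocationUnknown = $false
        ChainErrors       = @()
    }

    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer      = $cert.Subject
    $result.Thumbprint  = $cert.Thumbprint
    $result.Timestamped = [bool]$sig.TimeStamperCertificate

    # Rebuild the chain ourselves, insisting on a live CRL/OCSP answer for every
    # certificate below the root, and requiring the code-signing EKU (1.3.6.1.5.5.7.3.3).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
    $result.ChainBuilt = $chain.Build($cert)

    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    foreach ($s in $chain.ChainStatus) {
        $result.ChainErrors += "$($s.Status): $($s.StatusInformation.Trim())"
        if ($s.Status -band $flags::Revoked) {
            $result.Revoked = $true
        }
        if (($s.Status -band $flags::RevocationStatusUnknown) -or ($s.Status -band $flags::OfflineRevocation)) {
            # No CRL/OCSP answer: treat as unverified, not as clean.
            $result.RevocationUnknown = $true
        }
    }

    [pscustomobject]$result
}

# Usage: treat anything other than SigStatus = Valid, ChainBuilt = True, Revoked = False
# and RevocationUnknown = False as untrusted.
Test-SignedBinary -Path 'C:\Path\To\binary.exe' | Format-List
```

If SigStatus comes back Valid but Revoked is True, you are looking at exactly the Adobe situation: a signature that was timestamped before the revocation took effect. Whether to trust that depends on your own policy, not on what the dialog box says; and with the machine offline, RevocationUnknown tells you the check never actually happened.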

Espionage Hackers target "watering hole" sites:
Security experts are accustomed to direct attacks, but some of today’s more insidious incursions succeed in a roundabout way — by planting malware at sites deemed most likely to be visited by the targets of interest. New research suggests these so-called “watering hole” tactics recently have been used as stepping stones to conduct espionage attacks against a host of targets across a variety of industries, including the defense, government, academia, financial services, healthcare and utilities sectors.
As defenses have gotten better and it's gotten harder for the Bad Guys to penetrate corporate firewalls, they have looked for softer targets.  Compromising a web server and leaving malware on a site that people of interest are likely to visit means you've shifted from hunting to trapping.  The problem for IT is that they're no longer defending a single firewall but the browsers and plugins of thousands of end users, any one of whom can carry the infection inside.

And since the web site might be using SSL encryption, the malware will stream down through the firewall over an encrypted connection that the perimeter gear can't look inside.  Sweet.

Why are the Bad Guys going to all this trouble?  It's because that's where the money is.  It's been a while since the days of hacking web sites and replacing them with "L4m3rz!!1!  W3 0wnz j00!!!1!!!"  Now it's "show me the money".

3 comments:

drjim said...

It will be real interesting to see where these attacks originated from.

Anonymous said...

I see that the enenmy is prepping for the forthcoming world war.

Anonymous said...

Darn typo's, enemy not enenmy.