news4geeks.net
12 Dec 2011

Espionage network exploiting Adobe Reader flaw

Adobe warned users of its Reader software earlier this week that hackers were using a critical vulnerability in the program to enable "limited, targeted attacks." Today security firm Symantec provided details of the attacks, which appear to have been well-funded efforts aimed at stealing secrets from specific industries and government agencies in the United States and United Kingdom.

The attacks used crafted emails designed to look like personal communications to specific managers or executives at the targeted organization, the company states in its brief analysis. Once the PDF attachment is opened, a Trojan -- dubbed "Sykipot" by Symantec -- infects the system using the vulnerability. Once a system is compromised, it communicates with a network of command-and-control servers hosted on at least a dozen and perhaps more than 50 domains.


"While the back door Trojan itself isn't very sophisticated or well-coded, the attackers are skilled enough to have discovered multiple zero-day vulnerabilities," the security firm states. "Given the long list of command-and-control servers being used for controlling the botnet, the attackers are unlikely to be a single person, but rather a group of people."

In March 2010, the same group used a zero-day flaw in Internet Explorer to further its attacks on targets, Symantec says. While the latest attacks appeared to only target Windows systems, the critical vulnerability in Adobe Reader affects Windows, Mac OS X, and Unix, according to Adobe's advisory. Adobe expects to patch the vulnerability the week of Dec. 12.

The attacks have targeted defense contractors, telecommunications firms, computer-hardware makers, chemical companies, and energy utilities, as well as government agencies, Symantec states. The company would not speculate on who was launching the attacks against the sensitive networks, but found evidence that the attacks have lasted at least two years and perhaps date as far back as 2006.

"These attacks have been long running, persistent, and targeted, leading us to believe that the attackers are well-funded and motivated to acquire specific, high-value information," the company states in its analysis.

While linking such attacks to any particular nation or adversary is difficult, the samples of the Sykipot Trojan analyzed by Symantec contained error messages in Chinese.

(Source: infoworld.com)

 
