We recently documented an attack that leveraged the publicly available Xtreme RAT on targets in Israel and was widely reported in the media. Our friends at Norman were able to link the attack to a yearlong campaign against both Israeli and Palestinian targets. We have found that the attacks are still on-going and that the target set is broader than previously thought.

We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel. One of the emails was sent to 294 email addresses. While the vast majority of the emails were sent to the Government of Israel at “mfa.gov.il”, “idf.gov.il,” and “mod.gov.il,” a significant amount were also sent to the U.S. Government at “state.gov” email addresses. Other U.S. government targets also included “senate.gov” and “house.gov” email addresses. The email was also sent to “usaid.gov” email addresses.

The target list also included the governments of the UK (fco.gov.uk), Turkey (mfa.gov.tr), Slovenia (gov.si), Macedonia, New Zealand, and Latvia. In addition, the BBC (bbc.co.uk) and the Office of the Quartet Representative (quartetrep.org) were also targeted.

Read the rest of this entry »

News of the ‘unknown’ and underground zero-day in Adobe Reader is all over the Internet. Because of its supposed noteworthy features, including the capability to defeat Adobe’s sandbox feature, users are alarmed – and rightfully so. Fortunately, the situation is not without hope.

With this entry, my aim is to explain to our customers what this exploit means to them and what protective measures can be implemented.

Let us understand the threat situation first. How serious is it? There are claims of a zero-day exploit affecting versions 10 and 11 of Adobe Reader and is reportedly being sold in the underground for USD 30,000 – 50,000. Why so much money? This zero-day bypasses the sandbox protection technology that Adobe introduced in ver. 10. It executes even if JavaScript is disabled in the software. The only interaction it requires is for a user to open a .PDF document and the bug is triggered when the browser is closed.

There is news that this bug is being exploited in specific targeted attacks. There is also news that it will soon be incorporated in the notorious BlackHole Exploit Kit. Once it gets added, there is a chance of widespread exploitation via the exploit kit.

Read the rest of this entry »