Today is one of those days when security news finds its way to the front page of mainstream news. The New York Times announced in a very detailed report that their network had been breached starting about four months ago in an Advanced Persistent Threat (APT) attack. Their story explains that the attackers have been repelled from their network with help from an outside security company.

What makes this story interesting and important reading is the scope of detail it provides around the attack. Because they’re disclosing an attack after it’s been thwarted, the story provides a broad view into the full lifecycle of an APT attack. The report also provides a level of detail that is rare in these situations. Anyone interested in security and protecting against APTs should take some time and read the full New York Times’s story.

One thing that the New York Times does is to call out that they had security products in place and that those failed to prevent the attack. They go so far as to name the vendor. Some have characterized this as “pointing the finger” at the vendor (who has defended themselves publicly). We don’t have detailed specifics around what products were deployed and how they were maintained. But the New York Times’ story and the vendor’s response would seem to imply that the protection regimen was focused on signature-based endpoint-security. Presumably there were other protections like firewalls and possibly intrusion prevention systems (IPS) that also failed to prevent the attack but there is no specific mention of that.

With that information and what we know about the attacks, we can draw some lessons from that around what it takes to adequately defend an environment against APTs.

Read the rest of this entry »

The past few months have been a busy one for Blackhole spam attackers. The last time we discussed Blackhole spam runs, we noted that it had returned from its New Year break and was hitting users again. Previously, we’d reported in September about how a new version of the Blackhole Exploit Kit had been introduced by attackers into the underground. Since September we observed upgrades and new developments in this area, which this post will tackle.

Upgrade to Blackhole Exploit Kit 2.0

Cybercriminals have stopped using the older 1.x version of the Blackhole Exploit Kit entirely and moved to version 2.0 since last September. Most significantly, the URLs no longer have the eight-character-long random strings that were a key part of the 1.x version. These strings made discovering and monitoring websites that were connected to various spam runs easier for researchers.

New vulnerabilities have also been added to the Blackhole Exploit Kit as they have been made “public”. For example, the recent Java zero-day was added to BHEK’s arsenal within days of the vulnerability becoming known to the security industry.

Clearly, these cybercriminals are continuously enhancing this toolkit to evade detection as well as to generate profit from users. Accordingly, Blackhole Exploit Kit was used to distribute known information stealing malware such as ZeuS and Cridex variants.

Increased Usage of Different Infection Chains

One development we have seen is that different browsers are receiving different infection chains, with more distinct differences from browser to browser. For example, there are situations where users running Chrome may receive malicious files, but Firefox and Internet Explorer do not.

Why this is being done remains unclear. It’s possible that this is being done to lower the profile of these threats; this makes sense in combination with the next development. What is clear is that this makes analysis by researchers and security vendors more complicated. It increases the number of test cases that have to be looked at thus increasing the effort that must be dedicated to any individual attack.

Read the rest of this entry »