Night Dragon or Red Herring?
TAP into Smart Protection Network
Targeted Attack Prevention is a key component of the Trend Micro Smart Protection Network
In the wake of the recently published report about Night Dragon, Trend Micro wants to assure its customers that they are already protected from the attack.
Following analysis, based on the Smart Protection Network, we know that this incident has not compromised the security of any Trend Micro customer.
The most recent enquiry regarding malicious files and compromised web servers associated with the incident was raised to us back in early January. This was dealt with swiftly; since then we have had no reports or inbound calls regarding possible infections, only inquiries into our protection. Additionally, Smart Protection Network has not registered any notable detections related to the event across email, web or file threats.
Summary of Protection:
1. Compromised web pages directing users to malicious web servers in this attack: Web Reputation blocks the malicious domains and web pages
2. Spear-phishing emails with links to malicious web servers: Web Reputation blocks the emails using Secure Click and blocks access to the malicious web servers
3. Malware infecting machines: File Reputation includes signatures to detect the malicious files associated with this attack
4. Compromised machines communicating with outside servers controlled by hackers: Web Reputation blocks the communication to these servers
Additionally, Deep Security will mitigate the initial attack vectors, namely SQL injection and the dropping of malware/RAT tools onto the web server.
The DPI rules that should be configured and deployed are as follows:
• 1000608 - Generic SQL Injection Prevention (already available)
This rule may require configuration and will block SQL injection attacks.
• 1003025 - Web Server Restrict Executable File Uploads (already available)
This rule blocks all executable file uploads to the web server when deployed.
• 1004596 - Detected Night Dragon Network Communication (Expected availability today)
This emergency security update issues a specific DPI rule to detect network communication between hosts compromised as part of the “Night Dragon” attack and the CnC servers.
Smart Protection Network contains Targeted Attack Prevention technology designed to proactively identify and mitigate events such as this, so that they never become an issue for our customers' networks. Therefore, we do not view Night Dragon as a major threat incident, because our customers are not affected by the event.
Attacks such as this are notable and on the increase. Already in 2009, Raimund Genes predicted that targeted attacks would be on the increase. In recognition of this fact, we had already developed technology able to stop targeted attacks before they become a problem.
Targeted attacks regularly employ spear-phishing as a key component. Trend Micro advises all security specialists to ensure their corporate end users are well versed in this type of attack tool, to help protect themselves effectively.
For detailed technical information regarding Night Dragon, please view our Web Attacks entry http://about-threats.trendmicro.com/RelatedThreats.aspx?language=us&name=REMOSH+Hacktool+Used+in+Targeted+Attack
Opportunities
1. Part of this attack was compromising a customer’s web servers. This is an opportunity to discuss Deep Security as a prevention tool which can block a hacker from attempting to compromise their web servers.
2. Malware infections: Opportunity to discuss File reputation and why faster deployment of updates is needed in the case of a targeted attack.
3. TMS - Threat Discovery and Threat Mitigator will minimize their attack surface and risks associated with a targeted attack.
4. PSP - As targeted attacks become more prevalent on larger organizations, they need a security partner who can support them quickly and effectively to mitigate their risks associated with the attack.
Monday, February 28, 2011
Tuesday, February 1, 2011
ATM skimmers don't even have to be on the ATM
Careful ATM users know enough to give a hasty visual check to the machine before using it and to hide the keyboard while entering their PIN.
Unfortunately, sometimes even that is not enough to prevent the fraudsters, and the worst part of it is that they continually think of new ways of stealing your credit and debit card data.
Brian Krebs has pointed out a type of attack that ATM users can't detect, because there is nothing out of place on the machine, or close enough to it, to make them suspicious. According to him, criminals have devised a very clever tactic - one that is usually employed to steal information from users who prefer to use the ATMs located in the antechamber of a bank or a building lobby.
Access to these machines is usually controlled by a key card lock that allows customers to enter only after they have swiped their ATM card through it.
Regrettably, crooks have devised a way to add a skimmer to these locks, so that when customers swipe their card to enter, it records the card's information. And odds are that customers won't even check to see if there's something suspicious about the lock.
When the customers finally access the ATM, those who don't take particular care to hide the keypad from view with the palm of their hand or another object have their PINs stolen by a zoom-in camera hidden behind a mirror on the wall above the ATM - a mirror they assume is there to let them see whether someone is standing behind them.
An instance of this type of attack was recorded as far back as 2009, when a customer of a bank in California discovered the camera behind the mirror above one of the two ATMs in the bank's lobby. It turned out that the criminals had put an "Out of Order" sign on the other ATM to force customers to use only the one covered by the camera.
Zeljka Zorz, HNS News Editor