Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Chinese Hackers Reportedly Using Sykipot Variant to Attack Defense Department Smart Cards

Security firm Alienvault says that a new variant of the Sykipot family of malware is targeting ActivIdentity’s ActivClient, which is used by the U.S. Department of Defense as a secure means of authentication. Aside from the examination of a sample of the malware itself, it’s unknown what, if any, data the spear-phishing campaign used to launch the attack has made off with.

Security firm Alienvault says that a new variant of the Sykipot family of malware is targeting ActivIdentity’s ActivClient, which is used by the U.S. Department of Defense as a secure means of authentication. Aside from the examination of a sample of the malware itself, it’s unknown what, if any, data the spear-phishing campaign used to launch the attack has made off with.

Sykipot Attacks Smart CardsActivClient is a smart card solution, which the DoD uses to comply with GSC-IS 2.1 and the General Services Administration’s BSI. Based on what Alienvault has seen, the latest Sykipot variant was compiled with “the purpose of obtaining information from the defense sector: the same sector that makes extensive use of PC/SC x509 Smartcards for authentication.”

The latest attack starts with a Phishing email, delivered to targeted employees, and leverages a recently patched Adobe vulnerability to install the malicious code itself.

“Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center,” Alienvault explained.

“So, the modus operandi of the attackers is listing the certificates present on the victim’s computer included the smartcards, stealing the PIN using the keylogger module and then use this information to log onto remote resources protected with certificates/smartcards.”

This attack is just the latest method being used to circumvent multi-factor authentication, the researchers note. Once the malware is on the system, it can capture the PIN used by the smart card, bind it to the certificate installed on the client machine, and as long as the card itself is in the reader, the attacker can access the protected resources.

The Adobe vulnerability targeted by the Sykipot malware was patched on January 10. Systems running Adobe Reader X (10.1.1) or lower are impacted by the remote code execution flaw.

ActivIdentity was acquired by HID Global in a deal that was completed in December 2010.

SecutityWeek contacted ActivIdenity to get feedback on the situation. “We are aware of the recent reports that purportedly identified a new attack method that could hijack smart card-based certificates,” Jean-Luc Azou, Senior Product Manager at ActivIdentity told SecurityWeek. “We take these reports very seriously and are working diligently to investigate the potential threat.”

“Our initial assessment is that this potential vulnerability is completely unrelated to ActivIdentity ActivClient software,” Azou added. “Nevertheless, it is possible that unauthorized persons may eventually be able to access company IT networks should personal computers become compromised with malware. We therefore urge our customers to deploy ActivIdentity solutions and adhere to best practice security policies and procedures.”

Written By

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).