Symantec Uncovers Attacks Targeting Defense, Aerospace Execs

Researchers from Symantec say they have discovered a targeted attack that singled out high-level employees in the defense and aerospace industries.

According to Symantec, the attacks came in the form of spear phishing emails with malicious PDF attached, which were sent to carefully selected individuals including directors and vice presidents at organizations in the aviation, air traffic control, and government and defense contractors sectors. In total, Symantec said it had identified at least 12 different organizations that were targeted in the attack—so far.

The attacker(s) used an outlook report for the aerospace and defense industries that was published in 2012 as the malicious document, and attempted to make it appear as though the publisher of the report was the sender of the email, and were also crafted to look as though they were being forwarded by internal employees or by individuals from within the industries identified, Symantec said.

The malicious PDF attempts to exploit an Adobe Flash Player Vulnerability (CVE-2011-0611), and if successful, it drops additional malware and a clean version of the PDF file to help remain below the radar.

The vulnerability exploited in the attack was actually patched in 2011. This is a prime example that older, unpatched vulnerabilities can be just as dangerous as zero-day vulnerabilities to an organization, and in many cases, even more dangerous.

According to a recent report from security vendor Solutionary, 58 percent of the vulnerabilities targeted by the most popular exploit kits in the fourth quarter of 2012 were more than two years old.

“The fact that cyber criminals are able to penetrate network defenses by targeting aging vulnerabilities and using old techniques demonstrates that many organizations are still playing catch-up when it comes to cyber security,” Rob Kraus, director of research for Solutionary’s Security Engineering Research Team (SERT), said in a statement.

In the attack identified by Symantec, the threat drops a malicious version of the svchost.exe file, which them file then installs a malicious version of ntshrui.dll into the Windows directory.

“The threat leverages a technique known as DLL search order hijacking (the ntshrui.dll file is not protected by KnownDLLs),” Symantec explained in a blog post. “When the svchost.exe file calls the explorer.exe file, it will load the malicious ntshrui.dll file in the Windows folder instead of the legitimate ntshrui.dll file in the Windows system directory.”

Symantec detects both the svchost.exe and ntshrui.dll files as Backdoor.Barkiofork, which has the capabilities including the ability to:

• Enumerate disk drives

• Contact the command-and-control (C&C) server at osamu.update.ikwb.com

• Steal system information

• Download and executes further updates

Symantec advised organizations to ensure proper email security measures are in place, and that patch management is taken seriously.

“It’s vital that organizations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise,” Solutionary’s Kraus said.