[ISN] New Targeted Attack Campaign Against Defense Contractors Under Way

From: InfoSec News <alerts_at_private>
Date: Mon, 25 Jul 2011 01:47:44 -0500 (CDT)
http://www.darkreading.com/security/attacks-breaches/231002455/new-targeted-attack-campaign-against-defense-contractors-underway.html

By Kelly Jackson Higgins
Dark Reading
July 22, 2011

The U.S. Defense industry once again is under siege by cyberspies in an 
attack that provides a link to a rigged spreadsheet containing a real 
list of high-level defense industry executives who attended a recent 
Intelligence Advanced Research Projects Activity (IARPA) event.

A Defense contractor friend of Anup Ghosh, CEO of Invincea, sent him a 
copy of a targeted yet suspicious email with the attachment he had 
received unsolicited. "He said he has been a nonstop target of a lot of 
spear-phishing attempts, but this one was very compelling because it was 
purported to have names of attendees to a recent IARPA meeting," Ghosh 
says. It appears that the attackers sent the same email and malicious 
attachment to the other 163 event attendees, he says.

The embedded URL -- which appears to be a subdomain of a domain that 
redirects to the legitimate research project website -- provides a ZIP 
archive to the attendee roster, which includes the names of directors, 
presidents, and CEOs of major Defense and intelligence companies.

"Unzipped, you see an XLS-looking file, but it's actually an 
executable," Ghosh says. "It extracts another custom program that's an 
HTTP client. This client beacons out to a server. You wouldn't notice it 
even if you were looking at your system process table: It looks like 
standard browser activity."

[...]
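
The lure Ghosh describes above, a ZIP whose member looks like an XLS file but is an executable, can be caught by checking each member's content instead of its name. The Python below is an added example, not part of the Dark Reading article; the function names, the document-extension list, and the name tricks it classifies (double extension, padded spaces, right-to-left override) are assumptions, since the article does not say how the file was made to look like a spreadsheet.

```python
import io
import os
import struct
import zipfile

DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".ppt", ".pptx"}
RTLO = "\u202e"  # right-to-left override: makes "slx.exe" render as "exe.xls"

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_name(filename: str) -> str:
    """Describe how a PE member's name presents itself to the user."""
    stem, ext = os.path.splitext(filename.lower())
    inner = os.path.splitext(stem.rstrip())[1]  # rstrip handles "a.xls     .exe"
    if RTLO in filename:
        return "rtlo-in-name"
    if ext in DOC_EXTS:
        return "document-extension"
    if inner in DOC_EXTS:
        return "double-extension"
    return "plain-executable"  # may still carry a spreadsheet icon

def scan_zip(zip_bytes: bytes, head: int = 4096) -> dict:
    """Map each PE member of the archive to its name classification."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                if is_pe(fh.read(head)):
                    findings[info.filename] = classify_name(info.filename)
    return findings

def build_sample_zip() -> bytes:
    """Constructed test archive; the 'PE' is a 68-byte header stub, not a program."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attendees.xls", stub)
        zf.writestr("attendees.xls      .exe", stub)
        zf.writestr("real.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64)
    return buf.getvalue()

if __name__ == "__main__":
    for name, kind in scan_zip(build_sample_zip()).items():
        print(f"{kind:20} {name!r}")
```

Any PE member in an unsolicited archive is worth quarantining; the classification only records which disguise the name used.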


Received on Sun Jul 24 2011 - 23:47:44 PDT
