New malware variant hijacks US Defense Dept.'s smart cards
A new variant of an "old" malware appears to be targeting the United States Department of Defense by hijacking the smart cards used in its computer systems.
Researchers at security firm AlienVault said the variant of the Sykipot malware may have been compiled in March 2011 and had been used in several attacks.
"It should come as no surprise, then, that we recently discovered a variant of Sykipot with some new, interesting features that allow it to effectively hijack DOD [Department of Defense] and Windows smart cards. This variant, which appears to have been compiled in March 2011, has been seen in dozens of attack samples from the past year," AlienVault said in a blog post.
The Sykipot malware had been around since 2007 and used for "spear phishing" campaigns against targets mainly in the US, AlienVault noted.
It said these attacks originate from servers in China with what appears to be the purpose of obtaining information from the defense sector, which extensively uses PC/SC x509 smart cards for authentication.
"Smart cards have a long history of usage in the Defense Sector, for both physical and information access management, and historically have merely forced attackers to route around the smartcard authentication system through other, more vulnerable attack vectors," it said.
AlienVault said the latest attacks use a spear phishing campaign to fool their targets into opening a PDF attachment, which drops the Sykipot malware onto their machines.
In the latest attack, the attackers exploited a zero-day vulnerability in Adobe software.
"(But) unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center," it said.
The latest malware also has two more modules that can list all the certificates stored in the Windows key store.
"So, the modus operandi of the attackers is listing the certificates present on the victim's computer, including the smartcards, stealing the PIN using the keylogger module and then using this information to log onto remote resources protected with certificates/smartcards," AlienVault said.
Also, AlienVault said the attackers showed they are implementing different techniques to bypass two-factor authentication with smartcard/PIN to access protected resources on the victim's network.
"By capturing the PIN for the smartcard and binding the certificate, malware can silently use the card to authenticate to secure resources, so long as the card remains physically present in the card reader," it said.
"While trojans that have targeted smartcards are not new, there is obvious significance to the targeting of a particular smartcard system in wide deployment by the US DOD and other government agencies, particularly given the nature of the information the attackers seem to be targeting for exfiltration," it added.
Implications
AlienVault said that as defenses get better, attackers will continue to change their tactics to adapt.
In this case, it said the attackers will hijack the very systems designed to provide more security, if necessary.
But it noted an interesting by-product of this malware's need to have the card physically present: attackers can only leverage it for authentication to target systems while the user is physically present at the workstation, which makes the unauthorized activity that much harder to distinguish from legitimate usage.
"Although smart cards are designed to provide a two factor system of ‘chip and pin’, again we see that true two-factor authentication is not possible without a physical component that is not accessible digitally," it added. — LBG, GMA News