May 21, 2008
In This Issue
Tech Talk

Hannaford Brothers, CEO Subpoenas and the Rise of Targeted Malware

Earlier this year, customers of Hannaford Bros. grocery stores in New England learned that over 4 million of their credit and debit card numbers had been stolen by cyber criminals.

At first glance, this data breach looked all too common. After all, plenty of other companies – from Pfizer to Monster.com to TJX – have weathered similar attacks recently.

But when you dig deeper into the details of this attack, a disturbing trend emerges: Hannaford Bros. was the victim of targeted malware. Unlike most data breaches, which are opportunistic crimes triggered by things like stolen laptops or poorly secured databases, this instance involved malware written specifically to steal information from Hannaford Bros.

Criminals secretly infected servers at every single grocery store with software that intercepted card data at checkout. The information was then sent overseas.

If you think this is an isolated incident, think again. Recently, a new phishing attack has been circulating that targets not a company but a specific type of person: the corporate CEO. The CEO subpoena phishing attack looks like a valid legal document, but if CEOs fall for it, they put their company at risk. A similar attack targeted CEOs in the energy sector last year.

Then there is Trojan.Silentbanker, malware that targets the online banking accounts of approximately 400 banks. This is an especially troubling type of malware, since users believe they are secure during the banking session, having logged into their accounts using various forms of two-factor authentication.

This man-in-the-middle attack, which infects users through corrupted websites, re-routes the victim’s account to the attacker’s site. Since users have no idea that their banking session has been compromised, seeing the same screens they would during an uncompromised session, Trojan.Silentbanker is able to intercept user names, passwords, and other forms of authentication, such as security questions.

Taken together, these targeted attacks raise the question: does this represent the future of malware?

If it does, we need to seriously rethink our approach to security. Research firms such as the Yankee Group have been saying for quite some time that the antivirus/perimeter approach to security is dead, and targeted attacks could very well be the final nail in the AV coffin.

Traditional security works best when hackers employ the “spray-and-pray” approach. When hackers write far-reaching malware that targets anyone and everyone, traditional security is able to counter these attacks through signatures. With a broad Internet presence, traditional AV companies collect as many instances of these types of attacks as they can, gauge their severity, study them and create signatures to stop them.

That method falls flat when it comes to targeted attacks. Since they target small groups of users, many of these attacks evade the early-warning systems that AV vendors rely on. Next, since they infect so few users, the risk isn’t deemed terribly severe, since AV vendors typically rely on infection rates rather than the severity of the attack. Finally, since they don’t believe other users will be infected, AV vendors don’t devote the resources to studying and developing signatures for targeted malware.

What then can you do to protect yourself from this kind of attack? Fortunately, there is hope. The three steps outlined below will help you stave off this new class of malware.

The first step is to evaluate your security posture – and re-evaluate it on an ongoing basis. At eEye, these targeted attacks aren’t a surprise because we’ve seen them before. As part of our Preview service, our security experts study corporate networks, pinpoint vulnerabilities and analyze whatever malware we find – and we’ve found a number of instances of targeted malware.

We’ve also learned that this type of malware is far more powerful and well-engineered than typical malware. Unfortunately, most targeted malware attacks bypass perimeter defenses, so what we have to do is rely on other layers, searching for anomalies. We review IPS logs and look for any unusual activity; we review HTTP proxy logs and try to identify any potentially malicious requests for .exe files and the like; and if everything is behind HTTPS, we occasionally have to review the logs by checking the sites manually.

It’s a cumbersome process, and one usually best outsourced unless you have a big in-house IT staff.

The next step is to rethink your approach to security. Traditional security tries to find what is bad out in the world and stop it. With the rise of targeted malware, one-off malware, and automated hacking tools, this is exactly backward. It’s better to define what is good and acceptable and disallow anything beyond that. Protect yourself by employing security that blocks behaviors rather than specific, known malware variations.

Finally, find a way to correlate all of your security layers and their many alarms and logs. In other words, come up with a security management strategy and adopt powerful security management tools. If your security vendors don’t offer good security management layers, push them to address this or find a vendor that does.

Knowledge is power. Too often, though, the information that leads to knowledge is buried deep in logs and drowned out by false alarms. With centralized, integrated security management and a single point of visibility into your network, you won’t be blindsided by a targeted attack.
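The three steps above (review proxy and IPS logs for anomalies, define what is acceptable rather than what is bad, and correlate the layers) can be sketched in a few dozen lines. The script below is an added example, not eEye's code or the Preview service's tooling: it flags requests for executables from hosts outside an allowlist, folds in IPS alerts, and ranks internal hosts that trip more than one layer to the top. The log formats, hostnames, IP addresses and the allowlist are all constructed for the example.

```python
"""
Added example (not eEye's code): a small triage script that applies the
three steps from the column to constructed log lines.
 1. Review proxy logs for requests for executables (".exe" and similar).
 2. Treat downloads from an allowlist of known-good hosts as acceptable
    and flag everything else, rather than matching known-bad signatures.
 3. Correlate proxy findings with IPS alerts by internal host so that a
    host seen by both layers rises above the noise of either alone.
All hostnames, IPs and log formats below are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: "<time> <client_ip> <method> <url> <status>"
PROXY_LOG = """\
2008-05-20T09:12:01 10.1.4.22 GET http://updates.example-vendor.com/patch.exe 200
2008-05-20T09:13:44 10.1.4.22 GET http://www.example.com/index.html 200
2008-05-20T09:14:10 10.1.4.37 GET http://cdn-files.example.net/photo.jpg 200
2008-05-20T09:15:02 10.1.4.37 GET http://203.0.113.9/svc/update.exe 200
2008-05-20T09:16:30 10.1.4.51 GET http://203.0.113.9/svc/loader.dll 200
"""

# Constructed IPS alert lines: "<time> <src_ip> <dst_ip> <signature>"
IPS_LOG = """\
2008-05-20T09:15:30 10.1.4.37 203.0.113.9 OUTBOUND_CONNECTION_UNCOMMON_PORT
2008-05-20T09:20:11 10.1.4.12 198.51.100.4 PORTSCAN_SUSPECTED
"""

# Step 2: hosts the organisation has decided are acceptable sources of
# executables (an assumption for the example, not a real vendor list).
ALLOWED_EXE_HOSTS = {"updates.example-vendor.com"}

EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|com|pif)$", re.IGNORECASE)
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
IPS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def review_proxy_log(text):
    """Return executable downloads from hosts outside the allowlist."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ts, client, _method, url, _status = m.groups()
        parsed = urlparse(url)
        if not EXECUTABLE_EXT.search(parsed.path):
            continue
        if parsed.hostname in ALLOWED_EXE_HOSTS:
            continue  # known-good source, so acceptable
        findings.append({"time": ts, "host": client, "target": url,
                         "source": "proxy",
                         "reason": "executable from non-allowlisted host"})
    return findings


def review_ips_log(text):
    """Turn IPS alert lines into findings keyed by internal source host."""
    findings = []
    for line in text.splitlines():
        m = IPS_RE.match(line)
        if not m:
            continue
        ts, src, dst, sig = m.groups()
        findings.append({"time": ts, "host": src, "target": dst,
                         "source": "ips", "reason": sig})
    return findings


def correlate(*finding_lists):
    """Group findings by internal host; hosts seen by more layers rank first."""
    by_host = defaultdict(list)
    for findings in finding_lists:
        for f in findings:
            by_host[f["host"]].append(f)
    ranked = sorted(by_host.items(),
                    key=lambda kv: (-len({f["source"] for f in kv[1]}),
                                    -len(kv[1]), kv[0]))
    return [(host, sorted({f["source"] for f in fs}), fs)
            for host, fs in ranked]


if __name__ == "__main__":
    for host, layers, fs in correlate(review_proxy_log(PROXY_LOG),
                                      review_ips_log(IPS_LOG)):
        print(f"{host}: seen by {', '.join(layers)}")
        for f in fs:
            print(f"    [{f['source']}] {f['time']} {f['reason']} "
                  f"({f['target']})")
```

Run as-is it lists 10.1.4.37 first, since it appears in both the proxy findings and the IPS alerts; the single-layer hosts follow. Swapping the constructed allowlist and log lines for a real proxy export and IPS feed is the only change needed to run it over your own data.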

Source: Andre Derek Protas, Director of Research and Preview Services

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

Virus Bulletin Product Review: eEye Digital Security Blink Professional 4.0
"Blink Professional 4.0 Product Review" Full Article

Expert eGuide: Best Practices for Integrated Threat Management
"Networks and endpoint devices are targets for sophisticated, malicious attacks that have the ability to avoid detection by traditional security solutions. What is required for today's threat landscape is the use of a multi-layered integrated threat management system that protects company assets - from the networks and endpoints to the operating systems and applications. Integrated threat management solutions not only offer comprehensive protection for sensitive data, but also help to reduce costs and aid in achieving regulatory compliance." Full Article

eEye Digital Security REM Security Management Appliance 1505
"Put this 1U security appliance in your small business's equipment rack and you may worry about your budget, but not about your security. The eEye Digital Security REM Security Management Appliance 1505 is expensive for small businesses, but it does a very good job of providing integrated vulnerability assessment along with security- and incident-management services." Full Article

View All Media Coverage
"eEye and its security solutions have been covered by numerous press and media associations." Full Article

Reader Q&A

Q: I've been hearing a lot of talk about "packers" being used to hide malware. Is this a serious threat?

A: Packer obfuscation of binaries is a very serious threat. In effect, this allows for an executable to be somewhat 'encrypted' in order to avoid detection by AV companies, but still allows the payload to be executed. AV vendors are focusing their attention on these issues (http://www.datasecurity-event.com/downloads.html), but so are researchers (http://www.racetozero.net/).
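One cheap check defenders use to notice the 'encrypted' executables the answer describes is byte entropy: compressed or encrypted data looks nearly uniformly random, so its Shannon entropy sits close to the maximum of 8 bits per byte, while ordinary code and text sit well below. The script below is an added example, not from the newsletter or eEye; the 7.0 bits/byte threshold, the window size and the sample buffers (plain text standing in for an unpacked section, seeded pseudo-random bytes standing in for a packed one) are all assumptions constructed for the example.

```python
"""
Added example (not from the newsletter or eEye): a Shannon-entropy
heuristic for spotting packed or encrypted executables. A packer
compresses or encrypts the original code, and such data is close to
uniformly random, so its entropy approaches 8 bits per byte. The
threshold and the sample buffers below are constructed assumptions.
"""
import math
import random
from collections import Counter

# Heuristic threshold (assumption): at or above ~7.0 bits/byte a region
# is very likely compressed, encrypted or otherwise packed.
PACKED_THRESHOLD = 7.0
WINDOW = 512  # bytes per window when scanning a buffer region by region


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data, window=WINDOW, threshold=PACKED_THRESHOLD):
    """Return (offset, entropy) for each window at or above the threshold."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            break  # ignore a short tail; its estimate would be unreliable
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def looks_packed(data):
    """True if the whole buffer, or most of its windows, exceed the threshold."""
    regions = high_entropy_regions(data)
    total_windows = max(1, len(data) // WINDOW)
    return (shannon_entropy(data) >= PACKED_THRESHOLD
            or len(regions) * 2 > total_windows)


# Constructed samples: repetitive English text stands in for an unpacked
# section; seeded pseudo-random bytes stand in for a packed/encrypted one.
PLAIN_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 60
_rng = random.Random(2008)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(2048))
# A small plain stub in front of a packed body, the layout a packer leaves.
MIXED_SAMPLE = PLAIN_SAMPLE[:1024] + PACKED_SAMPLE


if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                      ("mixed", MIXED_SAMPLE)):
        print(f"{name:7s} entropy={shannon_entropy(buf):.2f} "
              f"high-entropy windows={len(high_entropy_regions(buf))} "
              f"packed={looks_packed(buf)}")
```

Entropy alone cannot tell a packed binary from one that legitimately embeds compressed resources or certificates, so in practice this is a triage signal that routes a sample for closer inspection rather than a verdict on its own.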

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

eEye Expands Line of Security Management Appliances
Retina 651 Scanner Combats Cyber-Crime; Aids SMB and Large Organizations Full Article

eEye Unveils Retina Web Security Scanner
Partners with NTO on Integrated Threat Management Suite Full Article

eEye Security Solutions Used by Over Half of the Fortune 100
More than 50 of the Fortune 100 Use eEye Digital Security Products & Solutions Full Article

View All Articles and Announcements
eEye and its security solutions have generated a number of newsworthy security advisories and security technology releases that have been covered by the press. Select any of the links below to view more details regarding our most recent articles and announcements. Full Article

Etcetera

Stay Up-to-Date with eEye Research
eEye Research has seen some staggering results from the recent influx of Blink Personal/Neighborhood Watch users. This data gives eEye Research distinct insight into host-based vulnerability and attack trends, which is used to build enhanced protection into Blink. Keep an eye on the eEye Research Portal http://research.eeye.com/ for future projects that have arisen from the mass use of Blink Personal, including Neighborhood Watch reports and attack trends. More

Vulnerability Expert Forums
The monthly Vulnerability Expert Forum focuses on recently announced critical vulnerabilities - from Microsoft and other software vendors. eEye's Internet security experts will describe the actions necessary to protect your systems from the threats that target these vulnerabilities. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.