Staples Still Silent On Severity Of Corporate System Breach


Staples is remaining mum about the extent of a malware infection that crippled its corporate systems last week while investigators contained the attack.

CRN learned last week that the Framingham, Mass.-based office supply retailer was impacted by the ChangeUp worm, a fast-spreading attack designed to spread via network shared drives. Once systems are infected with ChangeUp, the worm contacts a remote server to download additional malware, which can range from banking Trojans to keystroke loggers designed to record keystrokes to steal account credentials.

Staples spokesperson Mark Cautela said last week that he would look into the matter but has not returned repeated requests for information about the attack or whether any customer data was exposed as a result of the incident. Security experts said shared drives are typically isolated from servers containing more sensitive data; however, file shares could contain intellectual property and other information that could be high-value assets to the retailer.

[Related: DoS Attacks Grab Headlines, But Stealthy Threats Are The Real Story]

Symantec is reported to be the firm investigating the infection, identifying it as a variant of ChangeUp. The malware author behind the attacks constantly changes it in an effort to evade detection by antivirus and network security appliances. Symantec and several other security firms warned in November that a new variant was detected spreading in the wild.

Symantec doesn't comment about specific customer incidents, but Kevin Haley, a director at Symantec Security Response, told CRN Monday that a social engineering attack lies at the core of how the malware infection initially infects its victim.

"Every employee sitting at their desk is also a consumer and susceptible to social engineering attacks," Haley said. "While the ultimate malware that gets delivered by ChangeUp might not be a significant risk to enterprises, it is a huge cost in terms of cleanup and productivity."

ChangeUp spreads via removable and mapped drives, making copies of itself and using the Windows AutoRun feature to spread to other computers via removable media. Microsoft issued an update in 2009 restricting the use of AutoRun to CD and DVD drives, but USB devices may have firmware that can bypass the restrictions. Security researchers say organizations can create an application control policy to block AutoRun files.

ChangeUp also was programmed to dynamically generate URLs to download its malware payload, according to a Symantec analysis of the threat. Each copy of the worm modifies itself to evade antivirus detection based on file hashes, the Cupertino, Calif., security firm said.

Most malware attacks stem from a spearphishing email or drive-by attacks targeting a known vulnerability, said Zheng Bu, senior director of security research at Milpitas, Calif.-based FireEye. Bu told CRN that increasing malware sophistication is continuing to weaken signature-based security such as antivirus, which is often relied on by enterprises as the first line of defense.

Organizations need to ensure that client software is updated to reduce some of the risk of an infection, but there will be some delays in rolling out updates at large organizations, Bu said.

"The perception is that if you turned on Windows security update you are fine, but nowadays a lot of third-party apps are the target of malware writers," Bu said. "If you have network security you can apply security mitigations, but it is difficult to upgrade 30,000 endpoints at the same time."

PUBLISHED APRIL 10, 2013