Defense Industry Primary Target In Latest Adobe Exploit
Symantec said Friday that the critical vulnerability is being targeted by a skillful group of individuals who are well organized and persistent. Since at least March 2010, the group has targeted mostly defense contractors, government departments and telecommunications, computer, chemical and energy companies.
Adobe warned Tuesday of the flaw in its Acrobat and Reader products for reading and editing PDF files, saying the defect could be used by a hacker to commandeer a personal computer. The company plans to release a patch next week.
The cyber-criminals trying to take advantage of the weakness use a well-known family of malware that Symantec calls Sykipot. The attackers aim the malicious code at so-called zero-day vulnerabilities, meaning flaws that have not yet been disclosed to security experts or software makers, or at common business applications, hoping the user has not kept up with the latest security patches.
On Dec. 1, Symantec recorded a spike in the number of recipients of e-mails carrying Sykipot malware aimed at Reader and Acrobat. The attackers sent the messages mostly to high-ranking executives, including C-level officers, vice presidents and directors, Symantec said. These executives are most likely to have design, manufacturing or strategic planning documents on their computers, as well as information that could be used to mount attacks against lower-level employees and computer systems holding sensitive data.
Another example of the attackers' skill is how they would initially send commands to gather system and network information to determine whether the compromised computer held the desired data. If so, commands customized to that system were then issued to exfiltrate the information.
Symantec believes the attackers were also involved in a March 2010 attack on a zero-day vulnerability in Microsoft Internet Explorer. The more than 30 command-and-control servers used in the attacks since then indicate a group of well-funded cyber-criminals.
Symantec does not believe the attacks are politically motivated. Instead, the hackers are most likely working for a government or private entity.
While Symantec doesn't know who is behind the attacks, the company is certain the group has had some success in stealing information. "They've been persistent across two years, and I'm sure nobody would conduct a campaign over two years if they weren't seeing any success," Vikram Thakur, principal security response manager for Symantec, said.