Attackers place Command and Control servers inside enterprise walls
Attackers place Command and Control servers inside enterprise walls | |
---|---|
Botnet | Waledac |
Date | 2012 / 2012-04-30 |
Editor/Conference | Security Week |
Link | http://www.securityweek.com/new-attack-method-puts-command-and-control-servers-inside-enterprise-walls (Archive copy) |
Author | Brian Prince |
Abstract
“Stealthy Attacks Use Trusted Enterprise Systems and Trusted Networks, Making Detection Difficult
Skilled attackers are burrowing their command and control (C&C) servers inside the networks of compromised businesses in order to circumvent security measures, according to a security expert familiar with the innovative new attack method.
The tactic is the latest twist in attempts by botnet operators to launch advanced persistent threats (APTs) that can stay below the radar while compromising corporate resources.
“We’ve been seeing this for the last four or five months,” Tom Kellermann, vice president of cybersecurity at Trend Micro, told SecurityWeek. “I think it’s really significant when you look at incident response techniques and how this can defeat most of those…everyone keeps assuming that nation states are the only ones launching APTs…but in fact we’re seeing tremendous innovation of this technology by criminal crews.”
According to Kellermann, Trend Micro has observed dozens of incidents where these tactics have been used. In many cases, the compromised servers being used for C&C were compromised in previous attacks and hackers were able to maintain access, he said. The technique helps attackers to stay stealthy as they exfiltrate data, as very little C&C traffic is leaving the network.”
Bibtex
@misc{2012BFR999,
  editor = {Security Week},
  author = {Brian Prince},
  title = {Attackers place Command and Control servers inside enterprise walls},
  date = {30},
  month = Apr,
  year = {2012},
  howpublished = {\url{http://www.securityweek.com/new-attack-method-puts-command-and-control-servers-inside-enterprise-walls}},
}