Attackers place Command and Control servers inside enterprise walls

From Botnets.fr


Botnet: Waledac
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2012 / 2012-04-30
Editor/Conference: Security Week
Link: http://www.securityweek.com/new-attack-method-puts-command-and-control-servers-inside-enterprise-walls (Archive copy)
Author: Brian Prince
Type:

Abstract

Stealthy Attacks Use Trusted Enterprise Systems and Trusted Networks, Making Detection Difficult

Skilled attackers are burrowing their command and control (C&C) servers inside the networks of compromised businesses in order to circumvent security measures, according to a security expert familiar with the innovative new attack method.

The tactic is the latest twist in attempts by botnet operators to launch advanced persistent threats (APTs) that can stay below the radar while compromising corporate resources.

“We’ve been seeing this for the last four or five months,” Tom Kellermann, vice president of cybersecurity at Trend Micro, told SecurityWeek. “I think it’s really significant when you look at incident response techniques and how this can defeat most of those…everyone keeps assuming that nation states are the only ones launching APTs…but in fact we’re seeing tremendous innovation of this technology by criminal crews.”

According to Kellermann, Trend Micro has observed dozens of incidents where these tactics have been used. In many cases, the compromised servers being used for C&C were compromised in previous attacks and hackers were able to maintain access, he said. The technique helps attackers to stay stealthy as they exfiltrate data, as very little C&C traffic is leaving the network.
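The detection consequence of the tactic described above is that egress monitoring sees almost nothing: the implants beacon to a server on the same trusted network, and only the server itself talks to the outside. The script below is an added example (not from the SecurityWeek article or from Trend Micro) of the kind of check a defender would run instead: score internal-to-internal connection pairs for beaconing (many connections at near-constant intervals), flag internal hosts that several internal clients beacon to, and separately total the bytes each internal host sends to external addresses so the suspected C&C host's own outbound transfer stands out. The flow records, hosts, ports and thresholds are constructed for illustration; the record format (timestamp, source, destination, destination port, bytes) is an assumption, not any particular product's export.

```python
"""Beaconing detection over east-west flow records (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# RFC 1918 ranges stand in for "inside the enterprise walls" (assumption).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def build_sample_flows():
    """Constructed sample: two workstations beacon to an internal web server
    roughly every 300 s (small jitter), the same server later pushes a large
    transfer to one external host, and a third workstation uses an internal
    file share at irregular intervals. Format: ts src dst dport bytes."""
    base = 1_700_000_000
    lines = []
    for i in range(10):
        lines.append(f"{base + 300 * i + (i % 3)} 10.0.1.15 10.0.5.20 443 900")
        lines.append(f"{base + 300 * i + 17 - (i % 2)} 10.0.1.42 10.0.5.20 443 880")
    for offset in [0, 5, 66, 75, 315, 348, 1048, 1060, 1148]:
        lines.append(f"{base + offset} 10.0.1.77 10.0.2.9 445 4096")
    lines.append(f"{base + 3100} 10.0.5.20 203.0.113.8 443 52000000")  # staged data leaving
    lines.append(f"{base + 1234} 10.0.1.15 198.51.100.4 443 3000")     # ordinary browsing
    return lines


SAMPLE_FLOWS = build_sample_flows()


def parse_flows(lines):
    """Parse whitespace-separated flow lines into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def beacon_scores(flows, min_conns=6):
    """For each internal->internal (src, dst, dport) with at least min_conns
    connections, return (count, mean_interval, coefficient_of_variation).
    A low CV means the gaps between connections are nearly constant."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if is_internal(src) and is_internal(dst):
            times[(src, dst, dport)].append(ts)
    scores = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        scores[key] = (len(ts_list), m, cv)
    return scores


def suspected_internal_c2(flows, max_cv=0.2, min_sources=2):
    """Internal (host, port) pairs that at least min_sources distinct internal
    clients beacon to with CV <= max_cv. Thresholds are illustrative."""
    by_dst = defaultdict(set)
    for (src, dst, dport), (_, _, cv) in beacon_scores(flows).items():
        if cv <= max_cv:
            by_dst[(dst, dport)].add(src)
    return {k: sorted(v) for k, v in by_dst.items() if len(v) >= min_sources}


def egress_bytes_by_host(flows):
    """Total bytes each internal host sends to non-internal addresses."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (dst, port), sources in suspected_internal_c2(flows).items():
        print(f"beacon target {dst}:{port} <- {', '.join(sources)}")
    for host, total in sorted(egress_bytes_by_host(flows).items(), key=lambda kv: -kv[1]):
        print(f"egress {host}: {total} bytes")
```

On the constructed data the two workstations' intervals have a CV well under 0.01 while the file-share traffic scores above 1, so only 10.0.5.20:443 is reported as a beacon target, and the egress table then shows that same server as the host moving data out. Real deployments need the internal ranges, thresholds and a baseline of legitimate periodic traffic (monitoring agents, NTP, update clients) tuned for the environment, or the check drowns in benign beacons.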

Bibtex

@misc{Prince2012BFR999,
  editor = {Security Week},
  author = {Brian Prince},
  title = {Attackers place Command and Control servers inside enterprise walls},
  day = {30},
  month = apr,
  year = {2012},
  howpublished = {\url{http://www.securityweek.com/new-attack-method-puts-command-and-control-servers-inside-enterprise-walls}},
}