Tuesday, September 23, 2014

ALERT: Citadel Adapted for Espionage

IBM's Trusteer, which develops anti-fraud software used by a number of banks, warns that it's discovered a Citadel variant that's been tweaked for espionage purposes, and which is being used to target a number of organizations, including an unnamed chemical manufacturer.

"While the use of advanced malware that was originally built for financial theft as a generic advanced persistent threat tool is not new, this is the first time we've seen Citadel used to target nonfinancial organizations," says Dana Tamir, director of enterprise security at IBM's Trusteer, in a blog post. Trusteer has declined to name the victims - or confirm whether it could tell if the campaign was related to industrial espionage or nation-state spying. It says only that the victims include "one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials." Trusteer says it directly notified all of the fewer than 10 victims it identified.

Based on Trusteer's analysis, tweaking Citadel to spy on non-banking businesses didn't take much customization. "According to an analysis of the configuration file used in this attack, the Citadel malware was instructed to look for user access to certain URL addresses of Internet-connected systems, such as webmail, of the targeted companies," Tamir says. "Once the browser accesses such a URL, the malware is instructed to grab all the information submitted by the user."

Because this type of "form grabbing" attack is happening in the browser, it allows the malware to grab the data being submitted - including usernames and passwords for corporate webmail accounts - before it gets encrypted. But Trusteer says it's not clear if the attackers directly targeted the petrochemical and other firms, or if they just happened to retrieve the valid credentials from PCs infected with the malware, as part of more widespread financial cybercrime activities.
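The practical question for a defender reading the two paragraphs above is whether the URL list in a recovered configuration names any of their own webmail or portal addresses. The script below is an added example written for this post, not code from Trusteer or from the article; it assumes the configuration has already been extracted and reduced to one wildcard URL mask per line (a simplified, constructed format, not Citadel's real one), and all hostnames in it are made-up samples. It turns each mask into an anchored regular expression and reports which of an organization's own URLs a form grabber carrying that list would capture.

```python
"""Check an organization's own URLs against wildcard URL masks taken from a
form-grabber configuration.

Assumed (not from the article): masks use '*' as the only wildcard, one per
line, with '#' comment lines. Everything below is a constructed sample.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: masks as they might appear after config extraction.
SAMPLE_CONFIG = """
# target masks (constructed sample, simplified format)
https://mail.example-petrochem.test/owa/*
*://webmail.example-supplier.test/*
https://*.example-bank.test/login*
"""

# Constructed sample: URLs the organization's users actually sign in to.
ORG_WEBMAIL_URLS = [
    "https://mail.example-petrochem.test/owa/auth/logon.aspx",
    "http://webmail.example-supplier.test/",
    "https://www.example-bank.test/login",
    "https://mail.example-petrochem.test/ecp/",
    "https://intranet.example-petrochem.test/owa/",
]


def parse_masks(config_text):
    """Return the non-empty, non-comment mask lines of the config text."""
    masks = []
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            masks.append(line)
    return masks


def mask_to_regex(mask):
    """Translate a '*' wildcard mask into an anchored, case-insensitive regex.

    Every literal segment is escaped, so dots and slashes in the mask only
    match themselves; '*' becomes '.*', and '^'/'$' prevent partial matches.
    """
    parts = [re.escape(part) for part in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def find_targeted_urls(config_text, urls):
    """Return (url, mask) pairs for every URL that at least one mask matches."""
    compiled = [(mask, mask_to_regex(mask)) for mask in parse_masks(config_text)]
    hits = []
    for url in urls:
        for mask, regex in compiled:
            if regex.match(url):
                hits.append((url, mask))
    return hits


def targeted_hosts(hits):
    """Distinct hostnames that appear in the matched URLs, sorted."""
    return sorted({urlsplit(url).hostname for url, _ in hits})


if __name__ == "__main__":
    matches = find_targeted_urls(SAMPLE_CONFIG, ORG_WEBMAIL_URLS)
    for url, mask in matches:
        print(f"TARGETED  {url}\n    by mask {mask}")
    print("hosts to prioritise for credential resets:", targeted_hosts(matches))
```

On the constructed sample, the OWA logon page, the supplier's webmail and the bank login URL are flagged; the ECP path and the intranet host are not, because the masks are anchored and their literal segments are escaped. Hostnames that come back from `targeted_hosts` are the ones whose credentials should be treated as exposed on any infected PC, since the capture happens in the browser before TLS encryption.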

To protect against cyberthreats, consider hiring SLC Security Services LLC to perform a complete and full security audit of your network. "If we don't find a vulnerability, you don't pay us!" guarantee.
