Light Dark
May 2, 2017 By Mark Samuels 2 min read

Organizations across a range of industries are being targeted in a sophisticated campaign that uses malware to put critical information at risk. The National Cybersecurity and Communications Integration Center (NCCIC) said its preliminary research suggested attackers are using stolen administrative credentials and certificates to try and gain access to data. Its evidence indicated attackers are also placing sophisticated malware implants on critical systems.

What Does the Campaign Look Like?

The campaign, which uses multiple malware initiatives, has been running since at least May 2016. In the NCCIC alert, the organization said its initial analysis suggested victims come from multiple sectors, including IT, energy, health care, communications and critical manufacturing. NCCIC classified the threat level as “medium,” and stated it could impact foreign relations, civil liberties, public health or safety, economic security, national security or public confidence.

With the attack, cybercriminals could gain full access to networks and data in a way that appears legitimate to existing monitoring tools. Credential compromises among IT service providers could also be used to access customer environments.

What Malware Techniques Are Attackers Using?

The NCCIC said implant attackers are using REDLEAVES malware, which is a remote administration Trojan (RAT) that uses thread generation during its execution. The implant contains some functions typical of RATs, including system enumeration.

Attackers are also using PLUGX, which is a sophisticated RAT that has been operating since about 2012. PLUGX allows remote users to perform malicious actions against a system, including setting connections, modifying files, logging off the current user and terminating processes, CRN explained.

NCCIC investigations into the campaign continue. In the meantime, the group has released indicators of compromise (IoCs) so organizations can check their networks and systems for potential areas of concern. It will update the advisory alert as more information becomes available.

How to React

Business leaders should focus on a layered approach. Experts recognized that threat actors can morph or change their zero-day malware, meaning conventional antivirus tools are often viewed as incomplete security solutions.

NCCIC noted there is no single defensive technique that will completely avert the risk of malicious activity. The good news is that properly implemented programs will at least make it more difficult for an adversary to gain access to a network.

The NCCIC’s recommendations to help form a secure program are based on investigations and client interactions, and it suggested several best practice techniques, including:

  • Implement a vulnerability assessment and remediation program.
  • Encrypt all sensitive data in transit and at rest.
  • Create an insider threat program.
  • Assign additional personnel to review logging and alerting data.
  • Complete an independent security audit.
  • Create an information sharing program.
  • Maintain network and system documentation to aid timely incident response.

IT decision-makers should also focus on a defense-in-depth approach, where multiple techniques are used to increase the likelihood of detection and decrease the likelihood of compromise. Security professionals should check their systems and networks for potential compromises and look to build such a layered approach.

 |  |  |  |  | 
Mark Samuels
Tech Journalist

More from

April 25, 2024

NIST’s role in the global tech race against AI

4 min read - Last year, the United States Secretary of Commerce announced that the National Institute of Standards and Technology (NIST) has been put in charge of launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology.However, recent budget cuts at NIST, along with a lack of strategy implementation, have called into question the agency’s ability to lead this critical effort. Ultimately, the success…

April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature