Last week Miami played host to the Hacker Halted Conference, the 14th in the international series of conferences aimed at raising awareness and providing education on IT security.
One speaker addressed the topic of ‘Zombie Browsers’, an angle of attack that has rocketed in the last year. Hackers gain access to the user’s computer via malicious extensions for Safari, Firefox and Chrome, delivered through web-based drive-by downloads and infected attachments. Once installed, the extension lets the attacker steal data, spy on webcams, hijack sessions, and upload and download files.
Almost 50 new malicious extensions have been found this year, a significant number compared to the mere 10 that were around only a year ago. Despite the technique having been active for over 2 years, many antivirus and IDS (Intrusion Detection System) products are still failing to detect zombie browsers.
A recent attack on a business based in Switzerland revealed exactly how zombie browsers work and how dangerous they are.
The hacker targeted just one employee via an email that redirected to a dynamic exploit-delivery page. The page exploited the vulnerability addressed by MS12-037, for which a patch has since been released; this gave the hacker full access to the victim’s machine. Passwords found within the HTML code on that machine gave access to valuable content on the company’s network, and because the same passwords were reused for other machines and programmes, the attacker managed to access documents and intellectual property stored on the Linux server.
Security on the server itself was in fact good; security on its backup was not. Using the ‘phpMyAdmin 3.4.1 swekey RCE’ exploit, the attacker obtained a remote shell on the backup server, and with a Linux 2.6.x ‘unmounts’ exploit reached a root shell, gaining access to every file and directory on the backup. The attacker sent encrypted information to a compromised host in Malaysia and, using signatures and documents stolen over the course of the two-week-long intrusion, attempted to transfer money to a foreign bank account.
The hack was brought to light only after the firm’s bank flagged the transfer as suspicious. Preventing this type of attack, detecting unusual traffic and understanding the nature of targeted attacks requires a SIEM (Security Information & Event Management) tool.
Experiences like these need to be shared and recognised by businesses in order to detect and prevent similar hacks and to keep up to speed with the hacker world.