Report about hacking becomes spear-phishing bait
“It was only a matter of time,” the security company Mandiant said about recent phishing attacks using its report on Chinese hacking as bait.
Mandiant released its report, “APT1: Exposing One of China’s Cyber Espionage Units” on Feb. 18, focusing on the activities of a group that the company says is responsible for a cyber espionage campaign against a broad range of Western companies and governments over the last seven years. The report immediately attracted worldwide attention, not all of it benign. Within two days, two apparently unrelated phishing attacks were identified using the report as bait.
“We are currently tracking the threat actors behind the activity and have no indication that APT1 itself is associated with either variant,” Mandiant wrote in its response. “Mandiant has not been compromised.”
The first attack, reported by Symantec appears to be aimed at Japanese targets with an e-mail attachment titled “Mandiant.pdf.” When opened, the attachment contains the first page of the report, but also delivers malicious code exploiting a vulnerability in Adobe Reader. A patch for the vulnerability was released Feb. 20. The malware communicates with a command and control server hosted in Korea.
The second attack was identified by researcher Brandon Dixon and targets Chinese journalists with an attachment titled “Mandiant_APT2_Report.pdf.” When opened it exploits another Adobe Reader vulnerability. The malicious code connects with a domain associated in earlier attacks against human rights activists.
The attacks are another example of how attacks are being refined to specific targets. Scammers have often targeted viral Internet topics in wide-scale phishing scams, trying to lure people into clicking on malicious links that purportedly related to Steve Jobs’ death, an on-court outburst by tennis star Serena Williams or photos of Osama bin Laden. Now, targeted, spear-phishing attacks are being used to target journalists reporting on a report about hacking.
The advice is old, but bears repeating: Be careful opening attachments. Hashes for the malicious PDF files are available on the report blogs. The hash for the genuine report is available from Mandiant’s download site. If you’d like to read the report, download it yourself. Don’t wait for someone to e-mail it to you.
Posted by William Jackson on Feb 25, 2013 at 9:39 AM