The alarm was raised after the company concerned received a phone call from a stranger, which prompted an email to Krebs asking whether the problem was a real one.
“So do you think this is legit, or is the guy trying to scare us?” the IT director asked in an email to KrebsOnSecurity.com, agreeing to discuss the incident if he and his company were not named. “He has sent me the logs for the connections to the infected server. I checked the firewall and am not seeing any active connections.”
The call, wrote Krebs in his latest security blog, was legit, and a follow-up investigation by the hedge fund revealed that at least 15 PCs within its network were compromised and were sending proprietary information to the attackers.
The stranger who notified the hedge fund was CyberESI, which apparently knew about the incident because it was monitoring several hacked, legitimate servers that the attackers were using to siphon data from multiple victims.
According to the KrebsonSecurity newswire, the stranger – Bojaxhi – said the hedge fund notification was one of several he made that week to Fortune 500 companies that also had been hacked and were communicating with the same compromised servers.
“The hedge fund incident illustrates the complexities of defending against and detecting targeted attacks, even when victims are alerted to the problem by an outside party”, said the researcher, adding that Joe Drissel, founder and CEO of CyberESI, said too many companies think of cyberattacks as automated threats that can be blocked with the proper mix of hardware and software.
“So many firms are stuck in a paradigm of drive-bys, not targeted attacks,” Drissel told Krebs, adding that there seems to be a real disconnect with what’s really happening on a daily basis.
“We’re trying to fight an asymmetrical war in a symmetrical way, sort of like we’re British soldiers [in the Revolutionary War], all walking in line and they’re picking us off one by one. By the time we turn around and aim, they’re already gone”, he explained.
Now here's the bad news, Infosecurity notes: none of the first three trojans installed on the hedge fund’s computers was initially detected by any of the 42 anti-virus products bundled into the scanning tools at Virustotal.com.
Drissel, meanwhile, told Krebs that the companies his firm notifies sometimes mistakenly think it is involved in the attack, or that the call is somehow a joke.
“One guy laughed and said, ‘Thank you for watching out for our company,’ but he didn’t call us back,” Drissel said of a conversation with a victim earlier this year, declining to name the victim.
“We watched [the attackers] exfiltrate weapons systems data for the Defense Department out of their systems, and ended up having to text the same guy a file stolen off their servers. Fifteen minutes later, we got a call back from him, and they unplugged their entire corporate network”, he said.
These APTs – advanced persistent threat attacks – almost always involve social engineering, said Krebs, adding that the attackers can trick people into infecting their own systems by disguising a malware-laden email attachment as something relevant to the recipient. In many ways, he added, it is the 'persistence' aspect of APT that makes it such a potent threat.
“It is one thing for an APT victim organization to disrupt the flow of information from its own networks to the control networks run by the attackers. But is it anyone’s job to disrupt the infrastructure used to attack multiple corporations simultaneously?”, asked the security researcher.
“Does it even make sense for an organization with specific skill sets attuned to APT attacks to do this?”, he added.