Global Botnet Attack Hits Enterprise, Government PCs
Operating undetected for about a year, the criminals behind the cyberattack had control of more than 74,000 computers.
Over 74,000 personal, corporate and government computers at over 2,500 organizations around the world have been found to be zombies in the newly discovered "Kneber botnet."
Late last month, NetWitness, a computer security company headed by former DHS cybersecurity director Amit Yoran, discovered over 75 GB of stolen data as part of its routine enterprise analytics activities. The company says that the data turned out to be the product of a botnet of over 74,000 computers, that the malware used to create the botnet was recognized by less than 10% of antivirus software, and that the botnet's network communication was not recognized by existing intrusion detection systems.
The cache of data represents a month of botnet data collection and the botnet is estimated to have been operating for about a year. The stolen data includes about 68,000 corporate logins to e-mail accounts, online banking accounts, Facebook, Hotmail, Yahoo accounts and other social networking sites. It also includes almost 2,000 SSL certificate files, which are used for activities like online banking or connecting to a VPN.
Merck, Cardinal Health, Paramount Pictures and Juniper Networks are among the companies believed to have been affected, according to a report in The Wall Street Journal.
Yoran suggests that this botnet makes Operation Aurora, the cyber attack directed at Google and 33 other companies last December, look insignificant. "While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet," he said in a statement. "These large-scale compromises of enterprise networks have reached epidemic levels. Cyber criminal elements, like the Kneber crew, quietly and diligently target and compromise thousands of government and commercial organizations across the globe."
NetWitness says that the Kneber botnet was assembled using a variant of the Zeus Trojan, malware that's widely known for stealing banking credentials. But the compromised PCs -- all running Windows, mainly XP or Vista -- also show signs of a secondary infection with Waledac, a peer-to-peer spamming botnet. While this is not unusual, NetWitness believes that the data it has analyzed indicates that the two criminal gangs behind these two malware families are cooperating.
The company says that it cannot be certain as to how or by whom this stolen data will be used. Much of the computer and domain infrastructure used to spread the botnet resides in China, though those operating the botnet are believed to be in Eastern Europe.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.