Article: Securo-boffins uncover new GLOBAL cyber-espionage operation

Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers. Infosec researchers have uncovered SafeNet in as many as 100 countries. SafeNet …

COMMENTS


Street address

From the white paper:

"The email address was used to register a domain name for a personal blog about software development with a Beijing street address."

Tad careless perhaps or a piece of deliberate misdirection?


Trend Micro didn't name the attack SafeNet.

If you read the original blog, Trend Micro state that the reference to SafeNet is within the attack itself. They actually point out that the reputable firm SafeNet Inc is unrelated.

(Written by Reg staff)

Re: Trend Micro didn't name the attack SafeNet.

You are indeed correct and we've updated the bootnote to make that clear.


Info Sec - wat iz it?

I have an advanced degree and can't be bothered with info sec. Isn't that the nerdy student's job?


Re: Info Sec - wat iz it?

While you are busy applying the hard-acquired knowledge of your MBA, unknown operatives from many places of the world are playing tag on your machine (if they aren't chatting with each other), like a particularly functional version of a UN assembly.


cache poisoning

Well, whilst the malware does sometimes install itself into a directory called "safenet" (see copied text below), I think it's a bit naughty to seize upon this for a name; it's a form of cache poisoning, despite the grovelling disclaimer. An internal name whilst it was being researched, fine, but someone should have pulled it out of the publication and kept the normal academic respect. Can you imagine if they had reason to call it MSword, or iTune?

The malware creators used the term "safenet" as a decoy and this should not be perpetuated.

Here is what it does:

"If User Account Control (UAC) is active, SafeExt.dll will be injected into explorer.exe. Otherwise, the file is copied to %Program Files%\Internet Explorer\SafeNet\ and registered as a Browser Helper Object (BHO)."

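The quoted install behaviour (a DLL dropped under the Internet Explorer "SafeNet" directory and registered as a BHO) is something a defender can inventory from the registry. The following PowerShell is an added example, not code from the paper, Trend Micro or the commenter; it assumes a Windows host and uses the standard BHO registration keys and CLSID InprocServer32 entries, and the directory name is taken from the quoted text above.

```powershell
# Added example: list every registered Browser Helper Object with the DLL it
# loads, and flag any whose DLL sits under "...\Internet Explorer\SafeNet\" or is
# named SafeExt.dll (the location and file name quoted from the paper above).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Both Program Files roots, so 32-bit installs on 64-bit Windows are covered too.
$suspectDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Internet Explorer\SafeNet' }

function Resolve-ClsidServer {
    param([string]$Clsid)
    # The BHO key name is a CLSID; the DLL path lives in that CLSID's InprocServer32 default value.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID') {
        $p = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $p) { return (Get-ItemProperty -Path $p).'(default)' }
    }
    return $null
}

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid  = $entry.PSChildName
            $server = Resolve-ClsidServer -Clsid $clsid
            $inSuspectDir = $false
            foreach ($d in $suspectDirs) {
                if ($server -and $server -like "$d*") { $inSuspectDir = $true }
            }
            [pscustomobject]@{
                CLSID   = $clsid
                Dll     = $server
                Suspect = $inSuspectDir -or ($server -like '*\SafeExt.dll')
            }
        }
    }
}

# Run from an elevated prompt so both registry views are readable.
Get-BhoInventory | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A "Suspect" hit is a lead, not a verdict: confirm the DLL's hash and publisher before acting, and remember the UAC-active branch in the quoted text injects into explorer.exe without registering a BHO at all, so an empty inventory does not clear the host.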

Re: cache poisoning

sorry, that was bollocks.

I just read the paper properly, the researchers call it "the Safe campaign" and do not mention safenet except as a directory name. The disclaimer is simply to apologise for having to use the word, the report has to mention where the thing installs itself.


Vulnerability fixed last year.

So probably wide open on quite a lot of large groups of PCs.

Like the people on that list for example.


Re: Vulnerability fixed last year.

When I was doing information assurance for the US DoD, if I didn't have every system on the installation patched within 10 days of a patch being approved by DISA, I had to explain to a rather irritated General why the systems weren't patched and vulnerable.

Fortunately, that was a vanishingly rare occurrence. More often, I had false positives in the vulnerability scanner, which I addressed directly with the vendor.

Fortunately, most of those false positives plagued all installations and the vendor fixed their test for those vulnerabilities in a matter of a few days.

I did somewhat disappoint that General once though.

Me: No, sir, that's not going to happen here.

Gen: Erm, excuse me? Why not?

Me: I have no budget to implement that many additional card readers and my client organizations also don't have the budget to purchase those additional card readers. Hence, we are unable to implement that at this time.

Gen: So, you need card readers?

Me: Yes, sir.

Two days later, I had a box with double the number of card readers required and two USB hard drives (which were forbidden at the time on the network, due to a Chinese government attack that was quite expensive and successful). I was instructed to get those *@&! drives off of the base.

They're my portable storage now. :)


Re: Vulnerability fixed last year.

"When I was doing information assurance for the US DoD, if I didn't have every system on the installation patched within 10 days of a patch being approved by DISA, I had to explain to a rather irritated General why the systems weren't patched and vulnerable."

It sounds like you ran a tight ship.

The trouble is what sort of operation does everyone else run?

Unless your network is completely disconnected from other sites and other organizations you're as vulnerable as the least secure of those entities. They might be substantially more lax.

It's a dreadful old cliché, but network security is everyone's business.


Re: Vulnerability fixed last year.

"The trouble is what sort of operation does everyone else run? Unless your network is completely disconnected from other sites and other organizations you're as vulnerable as the least secure of those entities."

I'll give you a hint: if you throw in laptops and allow people to work from home, you will be lucky to achieve 90% compliance within 1 month. As for physically disconnecting networks from the rest of the world, even that isn't enough. I am sure everyone has heard of Stuxnet and how it made it past an air gap. Also, mention the word "spillage" to IA types in the US and watch their reaction; it's great fun. The greatest vulnerability cannot be patched: people.
