Perhaps looking for new malware types, attackers from China are apparently going after state and local governments in the United States the old-fashioned way: with malware-laden CDs sent through the mail.
According to reports, the Multi-State Information Sharing and Analysis Center (MS-ISAC), an organization created to help improve the security posture of U.S. governmental agencies--including state, local and tribal governments--issued a non-public alert warning of the scam. Some state governmental agencies reported last month receiving mail from China containing a CD and a letter that seemed to be written by someone with a poor command of English.
The CDs contain Microsoft Word files written in Mandarin, and some of the files contain malicious Visual Basic scripts.
The agencies that have received the mail are the most high-profile targets, including state archive agencies, state historical societies and a state’s cultural affairs department. There's no word whether any of the recipients fell for the scam and inserted a CD into an agency computer.
However, the mailings serve as a reminder that even at a time when hackers continue to evolve their methods for delivering malware and other threats and use more modern avenues such as the web and mobile devices, there is still room for the older techniques that have worked in the past. Researchers with cybersecurity vendor F-Secure noted late last month that four decades after the first piece of spam was sent, email continues to be the most common way cybercriminals spread their malicious web links and malware-laden attachments.
It’s clear why. According to the researchers, spam still works. In the second half of 2017, the click rate on spam was 13.4 percent. That increased in the first half of this year, to 14.2 percent. Attackers also have a good understanding of what works best with spam. The probability of a person opening an email jumps 12 percent if it claims to come from a known individual, and having an error-free subject line improves the success rate of the spam by 4.5 percent, according to F-Secure.
The spam attacks also are getting more sophisticated.
“Rather than just using malicious attachments, the spam we’re seeing often features a URL that directs you to a harmless site, which then redirects you to a site hosting malicious content,” Päivi Tynninen, threat intelligence researcher at F-Secure, said in a statement. “The extra hop is an analysis-evasion method for keeping the malicious content hosted for as long as possible. And when attachments are used, the criminals often attempt to avoid automatic analysis by asking the user to enter a password featured in the body of the email to open the file.”
So it is with CDs, which were a common way of spreading malware not that long ago. One of the highest-profile examples was Stuxnet, which was first downloaded from a CD that was inserted in an Iranian nuclear plant. Even at a time when most PCs and Apple Macs no longer have CD drives, some users are still vulnerable.
“I don’t think this is as common as it used to be, but it still works, and it works well,” Chris Morales, head of security analytics at Vectra, which sells automated threat management solutions, told ITPro Today in an email. “More often an attacker would leverage a USB drive as most new systems do not have CD drives. That form of medium was most likely very specific to the intended audience (a government agency still using legacy systems that support CDs).”
In addition, the “‘persona’ who is most at risk is someone who owns a device with a CD drive,” Morales said. “Apple hasn’t sold a MacBook or an iMac with a CD or DVD drive for well over four years. The same is true for many PC makers, including HP, Dell, Lenovo. This means the people at risk are tech laggards who are using older hardware. Elderly parents and frugal small-business owners jump to mind.”
According to Sanjay Kalra, co-founder and chief product officer at cloud security solutions provider Lacework, the CD attacks show that attackers don’t always use elaborate technology to deliver malware.
“They'll usually take the path that is most likely to collide with a user's lack of awareness and will prey upon misconfigurations,” Kalra told ITPro Today in an email. “People have to operate with a security-first mindset and question the sources of the technology they engage with. Every time they download, upload, or click ‘OK’ they have to think about the potential door they're opening into their own IP and their organization's environment.”
The mail isn’t the only way to receive CDs with malware, according to Joseph Kucic, chief security officer at cybersecurity vendor Cavirin. It’s also important for users to be aware that CDs and USB devices received, for example, at trade shows can be threats, and that there are steps enterprises can take to protect themselves.
“This continues the 1980s sneaker net approach of floppy disks and snail usage of CDs as a distribution source,” Kucic told ITPro Today in an email. “Most organizations no longer provide CD/DVD drives, and most consumer devices exclude them, as well. In addition, organizations disable auto-on/boot features on computers. Following best practices for disabling these devices and/or not allowing the user to have administrator privileges is the best approach for users that will try to load and run those CDs.”
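The hardening Kucic describes (AutoRun off, optical media blocked, no local admin rights) can be audited on a Windows endpoint with the script below. It is an added example, not code from the article or from Cavirin; the registry locations are the documented targets of the "Turn off Autoplay", "Default behavior for AutoRun" and "CD and DVD: Deny read access" Group Policy settings, and the GUID is the Windows CD-ROM device interface class.

```powershell
# Added example: audit whether a Windows host is hardened against malware-laden CDs.
# Run as any user; returns one object per check so results can be collected centrally.
function Test-OpticalMediaHardening {
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    # 53f56308-... is the documented GUID_DEVINTERFACE_CDROM class used by the
    # "Removable Storage Access" policies to restrict CD/DVD drives.
    $cdromPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'

    $checks = @(
        @{ Name = 'AutoRun disabled for all drive types'; Path = $explorerPolicy
           Value = 'NoDriveTypeAutoRun'; Expected = 0xFF },   # 0xFF = every drive type
        @{ Name = 'AutoRun commands in autorun.inf ignored'; Path = $explorerPolicy
           Value = 'NoAutorun'; Expected = 1 },
        @{ Name = 'CD/DVD read access denied by policy'; Path = $cdromPolicy
           Value = 'Deny_Read'; Expected = 1 }
    )

    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        [PSCustomObject]@{
            Check  = $c.Name
            Actual = $actual
            Pass   = ($actual -eq $c.Expected)
        }
    }

    # Physical or virtual optical drives present on the machine (legacy systems only).
    $drives = @(Get-CimInstance -ClassName Win32_CDROMDrive -ErrorAction SilentlyContinue)
    [PSCustomObject]@{
        Check  = 'No optical drives attached'
        Actual = ($drives | ForEach-Object { $_.Drive }) -join ','
        Pass   = ($drives.Count -eq 0)
    }

    # The interactive user should not hold local administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [PSCustomObject]@{
        Check  = 'Current user is not a local administrator'
        Actual = $identity.Name
        Pass   = (-not $isAdmin)
    }
}

Test-OpticalMediaHardening | Format-Table -AutoSize
```

A failed 'AutoRun' check on a host that still has an optical drive is the combination the article's quoted experts warn about; the AutoRun values are normally set through Group Policy rather than edited by hand.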