An unusual piece of malware targeting mass media agencies in Hong Kong hides its command and control (C&C) channel inside Dropbox accounts. According to FireEye's threat analysis, the campaign appears to be part of a Chinese state-sponsored operation carried out by a group previously tracked as admin@338. Craig Young, security researcher at Tripwire, has the following comments on it.
Craig Young, Security Researcher at Tripwire:
"This is not a threat toward Dropbox users but rather the attackers are relying on Dropbox to help stay under the radar. Many security departments would recognize command and control traffic because the communication is to unexpected places on the Internet, but since Dropbox is so prevalent and communication is encrypted, it is impossible to distinguish the sessions from real Dropbox usage. The idea here is not new and in fact we have learned of various other malware campaigns leveraging cloud services, including one that uses the attacker's Gmail account as a private channel for controlling infected systems.
Proper vulnerability management and endpoint security controls along with user education on phishing are the best techniques to protect against this campaign. The fact that the attackers are successfully using a vulnerability from 2012 is a testament to the fact that the victims are not using up-to-date software."
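The comment above explains why cloud-service C&C is hard to spot by destination alone: the traffic goes to a popular, TLS-protected domain. What a defender can still look at is timing and size. A C&C implant polling a Dropbox account tends to check in at a fixed interval with near-identical request sizes, whereas interactive use is bursty. The following is an added example, not code from the article, FireEye or Tripwire; it runs a simple beaconing check over a constructed proxy log in a hypothetical format (ISO timestamp, source IP, destination host, bytes sent), and the watched domain names are assumptions for illustration.

```python
"""Beaconing triage for cloud-service C&C over constructed proxy log lines.

Added example: flags source hosts whose connections to a watched cloud domain
arrive at a near-constant interval with near-constant request sizes.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical format: ISO timestamp, source IP,
# destination host, bytes sent). Not real traffic. 10.0.0.5 polls every ~5 min
# with ~840-byte requests (beacon-like); 10.0.0.7 is irregular (sync-like).
SAMPLE_LOG = """\
2015-12-01T09:00:00 10.0.0.5 api.dropbox.com 842
2015-12-01T09:05:01 10.0.0.5 api.dropbox.com 839
2015-12-01T09:10:00 10.0.0.5 api.dropbox.com 845
2015-12-01T09:15:02 10.0.0.5 api.dropbox.com 840
2015-12-01T09:20:00 10.0.0.5 api.dropbox.com 843
2015-12-01T09:25:01 10.0.0.5 api.dropbox.com 838
2015-12-01T09:01:13 10.0.0.7 api.dropbox.com 1290
2015-12-01T09:17:44 10.0.0.7 api.dropbox.com 52311
2015-12-01T09:44:09 10.0.0.7 api.dropbox.com 3100
2015-12-01T10:30:55 10.0.0.7 api.dropbox.com 980
2015-12-01T11:02:10 10.0.0.7 api.dropbox.com 2140
2015-12-01T09:03:00 10.0.0.9 www.example.com 500
"""

# Cloud services to watch for C&C abuse. The article's case is Dropbox; these
# host suffixes are an assumption for illustration, not a list from the article.
WATCHED_DOMAINS = ("dropbox.com", "dropboxapi.com")


def _is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_log(text):
    """Group (timestamp, bytes) per source IP for connections to watched domains."""
    per_src = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, nbytes = line.split()
        if _is_watched(host):
            per_src[src].append((datetime.fromisoformat(ts), int(nbytes)))
    return per_src


def beacon_score(events):
    """Return (mean_interval_s, interval_cv, size_cv) for one source's events.

    CV is the coefficient of variation (population stdev / mean). A value near 0
    means the intervals (or sizes) barely change, which is what a polling
    implant looks like. Events are sorted first because log order is not
    guaranteed to be chronological.
    """
    events = sorted(events)
    times = [e[0] for e in events]
    sizes = [e[1] for e in events]
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_int = statistics.mean(intervals)
    int_cv = statistics.pstdev(intervals) / mean_int if mean_int else float("inf")
    mean_sz = statistics.mean(sizes)
    size_cv = statistics.pstdev(sizes) / mean_sz if mean_sz else float("inf")
    return mean_int, int_cv, size_cv


def find_beacons(text, min_events=5, max_interval_cv=0.1, max_size_cv=0.2):
    """Return {src_ip: stats} for sources whose watched-domain traffic looks like a beacon."""
    flagged = {}
    for src, events in parse_log(text).items():
        if len(events) < min_events:
            continue  # too few samples to judge regularity
        mean_int, int_cv, size_cv = beacon_score(events)
        if int_cv <= max_interval_cv and size_cv <= max_size_cv:
            flagged[src] = {
                "events": len(events),
                "mean_interval_s": mean_int,
                "interval_cv": int_cv,
                "size_cv": size_cv,
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_beacons(SAMPLE_LOG).items():
        print(f"{src}: {info['events']} connections every ~{info['mean_interval_s']:.0f}s "
              f"(interval CV {info['interval_cv']:.3f}, size CV {info['size_cv']:.3f})")
```

This is a triage signal, not proof: the legitimate Dropbox client also polls its servers at intervals, so a flagged host should be checked against endpoint telemetry (which process opened the connection, whether the Dropbox client is actually installed) before it is treated as an infection. Thresholds such as `max_interval_cv` are starting points to tune against a baseline of known-good hosts.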
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.