Video Screencast Help
Partners Community Blog

Recent Hydraq cyberattack - What you need to know

Created: 21 Jan 2010
GRH's picture
0 0 Votes
Login to vote

A zero-day vulnerability recently identified in Microsoft Internet Explorer was used as an entry point for a coordinated set of cyber attacks that has been carried out on dozens of large enterprises. Please be advised that Symantec is working to keep our partners and customers informed of these cyberattacks known as Hydraq (also known as Aurora, Google Attacks, and the Microsoft IE Vulnerability (advisory number 979352)). The malware behind most of these attacks, "Trojan.Hydraq" appears to have been part of a sophisticated attack pattern designed to steal large amounts of intellectual property. Your customers may have become aware of this event from the heavy media coverage about the attacks on Google.
 
The underlying vulnerabilities used in this attack are now widely known and likely to be exploited by other cybercriminals even though the Command and Control infrastructure behind this coordinated attack has been taken down.

It is important that all computer users take action to prevent themselves from future attacks. Symantec partners and their customers with current antivirus definitions and IPS signatures are already protected.

Symantec partners are encouraged to visit our Hydraq Threat Outbreak page <http://www.symantec.com/outbreak/index.jsp?id=trojan-hydraq&tabId=3>  and the Symantec Security Response blog <http://www.symantec.com/business/security_response/weblog/index.jsp> . These are the best resources for you and your customers.  

To stay abreast of the latest security threats and receive timely information on risks, vulnerabilities and virus definitions, we encourage our partners to follow the Symantec Channel account on Twitter <http://www.twitter.com/symantecchannel> , as well as sign up for threat alerts via RSS feeds <https://partnernet.symantec.com/Partnercontent/News/ThreatAlerts.jsp> .

We encourage you to reach out to your customers and reassure them that these threats are currently under control and continue to monitor the Hydraq Threat Outbreak page <http://www.symantec.com/outbreak/index.jsp?id=trojan-hydraq&tabId=3>  for the latest information.

FAQ’s

Q. Are Symantec customers protected?
A. Symantec customers with current antivirus definitions and IPS signatures are already protected against attacks that leverage this vulnerability. In particular, Symantec endpoint products provide the following protection:

IPS Protection:
For the Client Intrusion Prevention System (IPS) capability within Symantec Endpoint Protection and Symantec Client Security, Symantec has released the following signatures:
·        To block the IE zero-day exploit
 HTTP MSIE Memory Corruption Code Exec (23599) <http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23599>  – January 16, 2010

·        To block the Adobe Acrobat, Reader and Flash vulnerability
HTTP Acrobat PDF Suspicious File Download 4 <http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23412>  - July 17, 2009

Antivirus Protection:
For all in-field antivirus products, Symantec has released or updated the following AV signatures associated with the malware known to have played a role in this attack:
·        Trojan.Pidief.G <http://www.symantec.com/security_response/writeup.jsp?docid=2009-072209-2512-99> - July 2, 2009

Q. Are customers who use Internet Explorer 6 still vulnerable?
A. Our data shows that many corporate customers are still using versions of IE 6. Customers who are still using IE6 are vulnerable to the newly disclosed Microsoft IE vulnerability and will continue to be vulnerable until they take the following actions:
·        Follow the Microsoft recommended actions to increase their security posture

·        Patch their IE with the soon-to-be released patch from Microsoft (Microsoft announced it will release an out-of-band patch on Jan. 21)

·        Have an IPS deployed and active in their environment

Q. Why is using an Intrusion Prevention System (IPS) important?
A. If your customer is not using a Symantec IPS product, they may continue to be vulnerable to the IE exploit unless they have taken explicit remedial measures as recommended by Microsoft. Although they will have antivirus protection against the known pieces of malware in this attack, they are likely still vulnerably to future attacks. This should be an opportunity to explain to your customer the value of having a Symantec IPS product deployed on their endpoint machines. An IPS will protect them against all future attempts to exploit the known vulnerabilities.

Q. Which other Symantec products are relevant in the defense against these targeted attacks?
·        Symantec Protection Suite

·        Symantec Security Information Manager

·        DeepSight Early Warning Services

·        Symantec Managed Security Services

·        Symantec Critical Systems Protection

·        Altiris Total Management Suite

·        Symantec Hosted Services

·        Symantec Data Loss Prevention

For more information on these products and how they protect customers, please visit the Hydraq Threat Outbreak page <http://www.symantec.com/outbreak/index.jsp?id=trojan-hydraq&tabId=3> .

Q. My customer wants a lot more information about this. What do I do?
A. We are producing collateral and events for detailed briefings on these matters. We will soon deliver a PowerPoint presentation deck for one-on-one overviews with affected and/or vulnerable enterprises. Also, we are planning a larger event around Hydraq to give customers focused attention on this critical matter. Please stay tuned.

Q. My customer believes they have been targeted as part of this attack. What do I do?
As you would with any other incident or outbreak at a customer, please engage Symantec Support to help any customers who have been impacte