The security firm AlienVault reports that it has seen dozens of attacks on US Government-issued SmartCards using a unique variant of Sykipot. Attacks using Sykipot have been around since 2007, but this one differs slightly from the typical variant.
Since passwords have proven easy to guess or brute-force, SmartCards are used as an extra layer of security on top of passwords. This malware strain specifically targets ActivIdentity, which offers a SmartCard-based PKI authentication mechanism known for its compliance with US government specifications. The malware is capable of capturing PINs, allowing access to privileged information.
The attackers use a spear-phishing campaign with a PDF attachment that deposits the Sykipot malware onto recipients' systems. Then, unlike previous strains, the malware uses a keylogger to steal the PINs for the cards. When a card is inserted into the reader, the malware acts as the authenticated user and has access to sensitive information. The malware is controlled by a command-and-control server, receiving commands and updates and moving data as directed.
With ActivIdentity as the target, the attacks are clearly aimed at US defense agencies, but it's still unclear what information, if any, may have been captured or compromised. As usual, there is a link to China…