
Spearphishing Attack Spoofs Mandiant Report


Written By
Sue Poremba
Feb 22, 2013

Talk about a game of cat and mouse.

Earlier this week, Mandiant released a report that called out the Chinese for hacking into U.S. entities. Last night, I found out that the Mandiant report is now being used as bait in at least two different spearphishing campaigns. According to the Kaspersky Lab ThreatPost:

The first phishing attacks are using a file named “Mandiant_APT2_Report.pdf”, a slight variation of the real report name, which uses the APT1 moniker that the computer security firm applies to the specific crew of Chinese attackers discussed in the document. The other spear-phishing attack is using a document named “Mandiant.pdf” as its bait, and the malware used in that attack calls back to a C&C server based in Korea, also at a dynamic DNS provider.

Both variations appear to exploit a vulnerability in Adobe Reader. The first attack targets an older vulnerability, while the second exploits the newest one, the vulnerability addressed by the latest patch release.

According to Seculert, the first attack appears to be coming from Korea and is targeting Japanese entities. The second attack appears to be a little murkier in its origins and target. In any case, the attacks don’t seem to be originating from the same location or group, but, as the Seculert blog pointed out, it does seem a little odd that the two very similar attacks were released on the same day.

This was an unusually high-profile security report, with a lot of interest. That spearphishing attacks would be developed – and rather quickly – isn’t too surprising. I wouldn’t be shocked to find more instances of spearphishing that use this report. However, I do see this as a growing problem. As cybersecurity becomes more of a focus for the nation, as ordinary people want to learn more about these attacks or companies do more to alert their employees to the dangers of cybersecurity, the bad guys will use these reports and concerns as a way to generate new attacks.


Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
