Re: [Dataloss] Windows servers hacked at The Hartford insurance company

[Jeffrey Walton <noloader () gmail com>]

W32.Qakbot spreads by exploiting vulnerabilities when a user visits
certain Web pages. Exploit code hosted at these remote locations
downloads the threat on to the compromised computer. Many of the
infections are aided by users unwittingly clicking on malicious
links... The worm also spreads through network shares by copying
itself to shared folders when instructed to by a remote attacker.
(http://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99)

I wonder if this is a new variant, or if The Harford was not running
AV on their servers or workstations.

On Thu, Apr 7, 2011 at 4:05 AM, security curmudgeon
<jericho () attrition org> wrote:
> ---------- Forwarded message ----------
> From: InfoSec News <alerts () infosecnews org>
>
> http://www.computerworld.com/s/article/9215582/Windows_servers_hacked_at_The_Hartford_insurance_company
>
> By Robert McMillan
> IDG News Service
> April 6, 2011
>
> Hackers have broken into The Hartford insurance company and installed
> password-stealing programs on several of the company's Windows servers.
>
> In a warning letter sent last month to about 300 employees, contractors,
> and a handful of customers, the company said it discovered the infection
> in late February. Several servers were hit, including Citrix servers used
> by employees for remote access to IT systems. A copy of The Hartford's
> letter was posted earlier this week to the website of the Office of the
> New Hampshire Attorney General.
>
> "It was a very small incident," said Debora Raymond, a company
> spokeswoman. The victims were mostly company employees. Less than 10
> customers were affected by the malware, the W32-Qakbot Trojan, she said.
>
> Qakbot has been around for about two years. Once installed it spreads from
> computer to computer in the network, taking steps to cover its tracks as
> it logs sensitive data and opens up back doors for the hackers to access
> the network.
>
> [..]
>
> Despite the presence of keylogging software, the insurance company's
> lawyer, Debra Hampson, said that her company has "no reason to believe
> that any information has been or will be misused." Victims are being given
> two years' free credit monitoring.
>
> [..]
> _______________________________________________
> Dataloss Mailing List (dataloss () datalossdb org)
> Archived at http://seclists.org/dataloss/
> Unsubscribe at http://datalossdb.org/mailing_list
>
> Learn encryption strategies that manage risk and shore up compliance.
> Download Article 1 of CREDANT Technologies' The Essentials Series:
> Endpoint Data Encryption That Actually Works
> http://credant.com/campaigns/realtime2/gap-LP1/
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/