Forbes.com attacked; coordinated disclosure viewed as a sales pitch

On Tuesday, iSIGHT Partners and Invincea disclosed an attack on Forbes.com, assumed to be the work of actors from China conducting an espionage campaign.

But the way the disclosure was handled, including a sensational news cycle and required registration for actual details, makes it look as if both vendors are using the incident to increase their sales channel.

The attack came from an application used on the Forbes.com landing page, their “Thought of the Day” display. According to iSIGHT and Invincea, someone compromised this application for three days (November 28 until December 1, 2014) and redirected certain users to a secondary website where they were targeted by malware.

The attack itself made use of a zero-day Internet Explorer vulnerability, but the main part of the attack focused on an Adobe Flash vulnerability that was properly patched on December 9 last year.

“Based on our visibility, the campaign was only active on the Forbes.com website for a brief duration – lasting from November 28th through December 1st of 2014. It should be noted that our visibility is limited and there is a possibility of a longer duration of activity,” iSIGHT said in a brief overview of the attack.

“Although the Forbes.com website is one of the most heavily trafficked in the world, we believe the campaign to be highly targeted in nature. We do not believe this to be an operation intent on infecting millions of victims but cannot state with certainty true numbers.”

Shortly after news of the attack hit the public, one of the first things many security experts and business leaders (including some who spoke on background with Salted Hash) wanted were additional technical identifiers used in the attack. This would help them determine not only if they too were victimized, but such information could protect them in the future from similar attacks.

However, this information has been denied to everyone, aside from those who registered for a joint webinar from iSIGHT and Invincea.

Such presentations are viewed in a negative light by decision makers, as they’re often used as sales meetings where the attack (or subject in question) could have been prevented if only the victim had been using a given product or service.

Indeed, the registration form on the iSIGHT and Invincea page has all the qualifiers of sales screening, including title selector for decision makers (managers / executives) or someone who is “interested in learning about Cyber Threat Intelligence.”

“To provide more detail on this campaign, support your organization in determining potential exposure and answer any questions you may have, we invite you to attend a live briefing on the subject by filling in the information on this page,” the webinar’s registration page advertises.

Moreover, the report from Invincea was singled out by those speaking to Salted Hash, because it contains the exact type of promotional context that business leaders fear the promoted webinar will contain:

“The integration of Invincea FreeSpace reporting from the blocked and captured attack with iSIGHT’s threat intelligence platform provided context to the thwarted attacks, giving a full picture to organizations as to who is targeting them, with what kind of attack, and in many cases, why. The collaboration between Invincea and iSIGHT and responsible disclosure with Microsoft demonstrates the power of intelligence integration with advanced threat protection tools in protecting organizations everywhere.”

So why did it take so long for word of this attack to come out?

As it turns out, Microsoft had a hand in that. Because part of the attack centered on a vulnerability in Internet Explorer, disclosure was coordinated (delayed) until Microsoft pushed a patch. They did so on Tuesday as part of their monthly patch cycle.

However, Microsoft has proven their ability to patch quickly in the past, and if iSIGHT is to be believed, then addressing a flaw that’s being used in an espionage campaign shouldn’t take such a long time. But maybe it was a complex issue, so the patch was delayed.

If so, then why the hype? Why make an incident that was resolved months ago into a sensational – China is coming for you – event? Based on the restricted access to information and conversations with business leaders watching this story unfold, sales is the likely answer. What else is there? If anything, that’s certainly the perception.

The indicators of compromise and other technical facts are being controlled and withheld, not to protect an active investigation, but in order to keep them from appearing on blogs and other public places – at least until the webinar takes place.

The control exists, because such information is a commodity and can be sold on its own or traded in exchange for registration information. But is it a fair trade? Not really, because based on the facts, the iSIGHT and Invincea disclosure, coordinated with Microsoft, is a day late and a dollar short.

If there were lessons to learn from Tuesday’s disclosure, they would be that attackers target all aspects of a website, from its add-on apps to its core code; and to always patch third-party software in a timely fashion such as Adobe Flash. A webinar isn’t needed to convey such facts.

Threat intelligence is important these days and organizations know this. But intelligence that comes months after the fact, fueled by speculation and powered by buzzword, does nothing to help anyone.

It leaves people, who shouldn’t have to register to hear about outdated information, sitting in a room just as dark now as it was on November 28.