Websense uncovers cybercrime campaign that has infiltrated hundreds of organisations

Researchers from Websense Security Labs have uncovered an extensive cybercrime campaign which utilises the Mevade malware botnets and has infected hundreds of organisations.

The attacks, which appear to be originating from Russia and Ukraine, are primarily targeting government and business services, along with the manufacturing and transportation industries, in the US, UK, Canada, and India (see map of attacks above).

The investigation found the malware to have infiltrated thousands of computers across the world. The malware is being used for a variety of actions including redirecting network traffic and click fraud, as well as search result hijacking.

The firm has also found that Mevade has a reverse proxy capability similar to the Shylock malware, which indicates "a very flexible dropper that is well suited to rerouting network traffic, targeted theft of information, and facilitating lateral movement through target networks by creating a network-level backdoor".

As for suspects, Websense says the heavy use of attack infrastructure located in Ukraine and Russia, along with the Mevade malware, suggests the group may be a well-financed cyber-crime gang operating out of Kharkov, Ukraine and Russia.

Business services are the biggest target identified by Websense, with 87 attacks carried out by the gang. Manufacturing has suffered 32 attacks, governments 28, transportation 27 and healthcare 23.

Speaking to ITProPortal about the finding, Jason Hill, Websense's lead security researcher, said: "Widespread cybercrime campaigns like this one, which impact a variety of industries dispensed all over the world, highlight how malware remains at the heart of most data theft cyber threats.

"To defend against these complex targeted persistent attacks (TPA), defenses must not only have multiple layers, properly deployed and integrated across web, email, social and mobile vectors, but also threat monitoring to give businesses the visibility required to protect their critical data."