
India Tops the List of Spam Sending Nations followed by Indonesia in Q1 2012

PCQ Bureau

This quarter saw a significant shift in the way the security industry approaches targeted attacks and advanced persistent threats (APTs), which are now viewed more as long-term, ongoing campaigns than as the typical “smash-and-grab” incidents favored by cybercriminals in the past, according to the Trend Micro Q1 2012 Security Roundup Report. Q1's visible events (Linsanity, Whitney Houston's death, and sociopolitical upheavals around the world) gave cybercriminals new social-engineering campaign material, equipping them to penetrate and/or infect users and networks in order to access victims' data. The report also noted that cybercriminals who launch APTs will often keep track of the different attacks within a campaign in order to determine which individual attack compromised a specific victim's network. The Luckycat campaign, in particular, attacked a diverse set of targets using a variety of malware, some of which has been linked to other cyber-espionage campaigns. The new social networking site Pinterest gained not just popularity but also notoriety: site users were lured into “re-pinning” a Starbucks logo to get supposed gift cards but instead got malware. This quarter's top spam-sending countries were India (20 percent), Indonesia (13 percent), South Korea (12 percent), and Russia (10 percent).


Apple surpassed Oracle, Google and Microsoft in reported vulnerabilities, with a total of 91. Trailing Apple were Oracle (78 vulnerabilities), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27) and Apache (24). Apart from posting the highest number of reported vulnerabilities, Apple also issued a record-breaking number of patches in March; Trend Micro noted in particular a record number of patches to the Safari browser during the period. A year earlier, March was also a mammoth month for patches, with Apple addressing 93 vulnerabilities, a third of them characterized as "critical," in its Leopard and Snow Leopard operating systems. Trend Micro's quarterly security roundup also reported 5,000 new malicious Android apps during the period. "With the increased use of smartphones for Internet access and the huge Android user base, the increase in attacks targeting the platform is thus not surprising," the report said. In recent days, Apple security received a black eye with the outbreak of the Flashback Trojan, which at its height infected more than 600,000 computers. Despite some innovative efforts by Apple to eradicate Flashback, recent tallies estimate that 140,000 Macs remain infected with the malware. Meanwhile, black hats have started moving away from their initial vehicle for delivering Flashback (a vulnerability in Java for the Mac) and have begun booby-trapping Microsoft Word documents to spread the Trojan.

Amit Nath, Country Manager, India and SAARC, Trend Micro, said: “The number of targeted attacks has dramatically increased. Unlike largely indiscriminate attacks that focus on stealing credit card and banking information associated with cybercrime, targeted attacks noticeably differ and are better characterized as ‘cyber espionage.’ Highly targeted attacks are computer intrusions threat actors stage in order to aggressively pursue and compromise specific targets, often leveraging social engineering, in order to maintain persistent presence within the victim's network so they can move laterally and extract sensitive information.” He further added: “In a typical targeted attack, a target receives a contextually relevant email that encourages a potential victim to click a link or open a file. The links and files the attackers send contain malicious code that exploits vulnerabilities in popular software.”

The exploit's payload is malware that is silently executed on the target's computer. This exploitation allows the attackers to take control of and obtain data from the compromised computer. In other cases, the attackers send disguised executable files, usually compressed in archives, that also compromise the target's computer if opened. The malware connects back to command-and-control (C&C) servers under the attackers' control, from which they can command the compromised computer to download additional malware and tools that allow them to move laterally throughout the target's network. These attacks are not isolated “smash-and-grab” incidents but part of consistent campaigns that aim to establish a covert presence in a target's network so that information can be extracted as needed. Targeted attacks are rarely isolated events; in fact, they are constant. It is more useful to think of them as campaigns: a series of failed and successful attempts to compromise a target's network over a certain period of time. The attackers often keep track of the different attacks within a campaign in order to determine which individual attack compromised a specific victim's network. As the attackers learn more about their targets from open-source research (relying on publicly available information) as well as from previous attacks, the specificity of the attacks may sharply increase.


Targeted attacks have been extremely successful, making the scope of the problem truly global. They have affected governments, militaries, defense industries, high-technology companies, intergovernmental organizations, nongovernmental organizations (NGOs), media organizations, academic institutions, and activists worldwide. Targeted attacks are not isolated smash-and-grab incidents; they are part of consistent campaigns that aim to establish a persistent, covert presence in a target's network so that information can be extracted as needed. Targeted attacks may not be easy to understand, but careful monitoring allows researchers to leverage the mistakes attackers make to get a glimpse inside their operations. Moreover, cyber-espionage campaigns can be tracked over time using a combination of technical indicators (such as the malware and infrastructure used) and contextual indicators (such as the targets and lures).

In the course of our research, we discovered that the Luckycat campaign had a much more diverse target set than previously thought. Not only did the attackers target military research institutions in India, as earlier disclosed by Symantec, they also targeted sensitive entities in Japan and India as well as Tibetan activists. They used a diversity of infrastructure as well, ranging from throw-away free-hosting sites to dedicated VPSs. We also found that the Luckycat campaign can be linked to other campaigns: the people behind it used or provided infrastructure for other campaigns that have also been linked to past targeted attacks such as the ShadowNet campaign. Understanding the attack tools, techniques, and infrastructure used in the Luckycat campaign, as well as how an individual incident is related to a broader campaign, provides the context necessary for us to assess its impact and come up with defensive strategies in order to protect our customers.
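The two paragraphs above describe campaign tracking from the defender's side: separate intrusion attempts are linked into one campaign through the technical indicators they share (C&C hosts, malware samples), and per target the sequence of failed and successful attempts is reconstructed. The following is an added illustration of that bookkeeping, not code from Trend Micro or the report; the incident records, host names and hashes are constructed sample data, not indicators from the Luckycat research.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    ident: str
    date: str                 # ISO date, so string order is time order
    target: str               # victim organisation (contextual indicator)
    lure: str                 # social-engineering theme (contextual indicator)
    c2_hosts: frozenset       # C&C hosts contacted (technical indicator)
    sample_hashes: frozenset  # malware sample hashes (technical indicator)
    compromised: bool         # did this attempt succeed?

def link_campaigns(incidents):
    """Group incidents into campaigns: two attempts belong together when they
    share a C&C host or sample hash, directly or through a chain of other
    attempts. Implemented as union-find keyed on shared indicators."""
    parent = {i.ident: i.ident for i in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    first_user = {}  # indicator -> first incident that used it
    for inc in incidents:
        for ind in inc.c2_hosts | inc.sample_hashes:
            if ind in first_user:
                parent[find(inc.ident)] = find(first_user[ind])
            else:
                first_user[ind] = inc.ident
    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc.ident)].append(inc.ident)
    return sorted(sorted(g) for g in groups.values())

def first_compromise_by_target(incidents):
    """Per target: the attempt ids in time order and the id of the first one
    that succeeded (None if every attempt against that target failed)."""
    result = {}
    for inc in sorted(incidents, key=lambda i: i.date):
        ids, first = result.get(inc.target, ([], None))
        ids.append(inc.ident)
        if first is None and inc.compromised:
            first = inc.ident
        result[inc.target] = (ids, first)
    return result

# Constructed sample incidents (hypothetical hosts, hashes and targets).
SAMPLE_INCIDENTS = [
    Incident("I1", "2012-01-05", "ResearchOrgA", "conference invite", frozenset({"c2-alpha.example"}), frozenset({"HASH_1"}), False),
    Incident("I2", "2012-01-20", "ResearchOrgA", "budget document", frozenset({"c2-beta.example"}), frozenset({"HASH_1"}), True),
    Incident("I3", "2012-02-02", "ActivistGroupB", "event news", frozenset({"c2-beta.example"}), frozenset({"HASH_2"}), True),
    Incident("I4", "2012-02-15", "VendorC", "invoice", frozenset({"c2-gamma.example"}), frozenset({"HASH_3"}), False),
    Incident("I5", "2012-03-01", "VendorC", "invoice", frozenset({"c2-gamma.example"}), frozenset({"HASH_4"}), True),
]

if __name__ == "__main__":
    print("campaigns:", link_campaigns(SAMPLE_INCIDENTS))
    print("per target:", first_compromise_by_target(SAMPLE_INCIDENTS))
```

I1 and I3 never share an indicator directly, yet both land in one campaign because I2 shares a sample with I1 and a C&C host with I3; that transitive linking is what exposes shared infrastructure between otherwise separate-looking intrusions.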

Trends in Targeted Attacks

Targeted attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. These attacks are neither automated and indiscriminate nor conducted by opportunistic amateurs. They are computer intrusions staged by threat actors who aggressively pursue and compromise specific targets. Such attacks are typically part of broader campaigns, a series of failed and successful compromises by specific threat actors, rather than isolated attacks. The objective of the attacks is to obtain sensitive data. Targeted attacks remain a high-priority threat that is difficult to defend against: they leverage social engineering and malware that exploits vulnerabilities in popular software to slip past traditional defenses. While such attacks are often seen as isolated events, they are better conceptualized as campaigns, or a series of failed and successful intrusions. Once inside the network, the attackers are able to move laterally in order to target sensitive information for exfiltration. The impact of successful attacks can be severe, and any data obtained by the attackers can be used in future, more precise attacks. However, defensive strategies can be dramatically improved by understanding how targeted attacks work as well as trends in the tools, tactics and procedures of the perpetrators. Since such attacks focus on the acquisition of sensitive data, strategies that focus on protecting the data itself, wherever it resides, are extremely important components of defense. By effectively using threat intelligence derived from external and internal sources, combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks.
