Targeted Attacks – Is There a Solution?

By Nofar Gueta | August 21, 2012

Much has changed since information security was only a remote concern, handled by the IT guy at the office. Nowadays, it’s everybody’s problem. This change of reality created a new terminology that helps us understand the threats, and more importantly, create solutions for them.

One of these new terms, a really popular one, is “APT” – Advanced Persistent Threat.

First used by the U.S. Air Force to describe a Chinese threat, APT has been quite controversial. Our contact with customers continually teaches us that the use of this term is very diverse: some classify even random, traditional attacks as APTs, while others sometimes don’t even realize they are under a targeted attack. In order to understand how Cyvera accomplishes its goal — preventing APTs — we first need to explain Cyvera’s point of view concerning that term.

Over the years, we have come to realize that in the game of targeted attacks the rules are less than strict. The term “targeted attacks” can be used for relatively generic attacks exploiting not-so-generic vulnerabilities, attacks using contemporary high-profile events such as the Dalai Lama’s birthday, or attacks adjusted specifically to the victim.

Reviewing high profile APTs in 2012 shows that whether the threat was directed towards a governmental, financial or private sector, the motivation remained the same: getting file X from computer Y, or getting Z’s infrastructure damaged. If the attackers are after you, they will do whatever it takes to get to you, including getting to know your personal interests, mapping weaknesses on your network, and even gaining access to the companies supplying your security technology and various other vendors you interact with.

There are many ways in which an attacker might be able to gain access to a company’s network in order to deliver his/her malicious code (also known as the payload – the eventual effect of the malware). These ways, referred to as the attack vectors, usually combine technological exploitation with human deception. Common examples include infected email attachments sent to one of the company’s employees, an infected disk-on-key “forgotten” at the office, false pop-up windows, and bogus security updates. Inevitably, the eventual goal of the attack entails some sort of program installation by the payload. Usually, following a successful exploitation of the machine, a Trojan horse programmed to collect specific information from the company’s network is installed.

Using the aforementioned methods, attackers frequently manage to generate a substantial effect on the targeted victim. Scenarios like exposing intellectual property assets, publishing classified information, performing complete deletion of data, or even hardware destruction are certainly not unprecedented. Targeted organizations rarely manage to overcome such scenarios and experience difficulties handling financial loss and damaged reputation. On the bright side, over the last few years, organizations are becoming increasingly aware of these threats.

That awareness brings us to the formation of the magic circle: as security awareness increases, the attacker faces new challenges. This situation triggers the development of even more creative solutions, from both sides of the field. This process explains the large variety of APTs and targeted attacks, with each scenario having its own nuances.

As attacks constantly evolve, the security community is forced to handle both known and unknown threats. Recently, we have been witnessing the growing usage of technology that aims to detect and prevent tomorrow’s threats, today. Examples of such technologies include heuristic analysis, abnormal behavior identification, and pattern matching. These technologies, which work well for known threats, are much less relevant when facing unknown targeted attacks by rivals that adapt their infiltration strategy according to the known defenses on-site.

If we employ only these technologies, and consider the continuously increasing number of targeted attacks, we are left with a question: is preventing the unknown beyond our reach? Let’s try to answer that.

Much research was conducted, reviewing the different factors of targeted attacks at organizations. Some organizations still believe that they are “too small” or “not that interesting”, although almost 40 percent of all targeted attacks are aimed at small companies.

Let us assume, for the sake of argument, that security awareness is not part of the equation, and that even a company with all its systems fully patched and its anti-viruses meticulously updated still remains exposed to targeted attacks. This exposure can have many causes: excellent use of social engineering, taking advantage of an unknown vulnerability, and so on.

At the same time, there are some aspects we find recurring in virtually all attacks. For example, exploitation is one of the most predominant attack vectors in APTs. Exploitation is a term frequently used, and often misunderstood. Performing exploitation basically means taking advantage of a vulnerability inherent in the exploitable mechanism. An exploit is a malicious piece of code written to leverage a specific vulnerability. Exploits are usually spread in the form of exploit kits, and can be used by either high-level (operators) or low-level (developers) attackers.

Each exploit uses one or more exploitation techniques, and usually more than one technique is needed for a single exploit. Unlike vulnerabilities and exploit kits, there are only so many exploitation techniques an attacker can use. New exploitation techniques are discovered infrequently, and even then they mostly take years to deploy.

At Cyvera, we have been performing thorough research concerning these exploitation techniques, and managed to develop exploit mitigation modules that cover every known exploitation technique, new emerging techniques, and a number of techniques known only to us. Our ability to prevent the actual exploitation techniques allows us to stop threats without relying on their behavior, signature, and other characteristics traditionally used to detect threats. In that respect, our product, Cyvera TRAPS, efficiently protects our clients from zero-day attacks.

Looking back at the major attacks in 2012 shows us that when it comes to information security there are no guarantees. No network is truly isolated and no organization can be completely threat-resistant. All the recent inspected cases made us, here at Cyvera, believe that only a proactive approach, together with best-of-breed technology, gives an effective answer to today’s and tomorrow’s targeted attacks.

Here are some of the noticeable targeted remote-attacks since the beginning of 2012:

1. Ongoing Targeted Attack Campaign Going After Defense, Aerospace Industries (Threatpost, January 13)

Target: defense contractors, government agencies, and other organizations.

Duration: since 2009.

Summary: Emails containing malicious attachments were sent to executives and officials in various industries using fake conference invitations. The phishing emails included a malicious PDF attachment with a fake invitation to some relevant conference. The malicious PDF exploited a vulnerability in Adobe Reader that was first shown to be used in September 2010 as part of an ongoing phishing campaign. Although the vulnerability is now patched by Adobe, many of these attacks occurred before the vulnerability was exposed to the public.


2. New Unusual Targeted Attack Exploiting MS-Office in the Wild (Symantec, February 9)

Target: defense contractors, government agencies, and other organizations.

Duration: since 2009.

File: Trojan.Activehijack

Summary: The exploitation vector used in this attack was a Word document containing a specially crafted ActiveX control. Upon opening the Word document, the ActiveX control loads and executes fputlsat.dll. It is important to note that this is also the name of a legitimate .dll file used for the Microsoft Office FrontPage Client Utility Library. However, a malicious .dll with the same file name was attached to an email containing the crafted Word document, and so the attacker’s .dll was the one to get executed via DLL hijacking. On successful exploitation, malware was dropped onto the system, the malicious .dll was deleted, and a malicious Thumbs.db was created instead.
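
The hijack above works because the library is resolved from the document’s own directory before the legitimate install location. The following added example (not code from the original post or from Cyvera) models that resolution order on a constructed temporary directory layout and flags a DLL planted beside an attachment whose name collides with a known Office library; the allow-list of names is a constructed placeholder apart from fputlsat.dll, which is the name from the incident.

```python
import os
import tempfile

# Constructed allow-list of DLL names that should only exist under the Office or
# Windows install directories. fputlsat.dll is taken from the incident above; the
# second name is a placeholder standing in for the rest of a real list.
KNOWN_INSTALL_DLLS = {"fputlsat.dll", "placeholder-office-helper.dll"}

def resolve_dll(name, search_dirs):
    """Return the first path under search_dirs holding `name`. The caller passes
    the directories in the order the loader consults them; putting the
    document's directory first is exactly the condition that lets a planted
    copy win over the legitimate one. Returns None when nothing matches."""
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def find_planted_dlls(attachment_dir, known_names=KNOWN_INSTALL_DLLS):
    """Flag files in attachment_dir whose name collides with a library that has
    no business living next to a mail attachment."""
    flagged = [os.path.join(attachment_dir, entry)
               for entry in os.listdir(attachment_dir)
               if entry.lower() in known_names]
    return sorted(flagged)

def demo():
    """Constructed scenario: a Downloads folder with a Word document and a
    same-named fputlsat.dll beside it, plus a fake install directory holding the
    legitimate copy. Both DLL files are placeholders, not real PE images."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "Downloads")
    install_dir = os.path.join(root, "OfficeInstall")
    os.makedirs(downloads)
    os.makedirs(install_dir)
    for directory in (downloads, install_dir):
        with open(os.path.join(directory, "fputlsat.dll"), "wb") as fh:
            fh.write(b"MZ placeholder, not executable")
    with open(os.path.join(downloads, "invitation.doc"), "wb") as fh:
        fh.write(b"constructed document body")
    loaded = resolve_dll("fputlsat.dll", [downloads, install_dir])
    planted = [os.path.basename(p) for p in find_planted_dlls(downloads)]
    return {"loaded_from_downloads": loaded.startswith(downloads),
            "planted": planted}

if __name__ == "__main__":
    print(demo())
```

The same check, run over a mail gateway’s quarantine folder, gives a cheap signal for this specific hijack pattern regardless of the DLL’s signature.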


3. Targeted Attacks Against Tibetan Organizations (AlienVault Labs, March 13)

Target: Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet.

Vulnerability: CVE-2010-3333.

Malware: variant of Gh0st Remote Administration Tool (RAT).

Summary: The attackers launched a spear phishing campaign, with emails relating to the Kalachakra Initiation (a Tibetan religious festival). The emails contained a malicious Office file that exploited a known vulnerability in Microsoft Office. The dropped malware was a variant of Gh0st RAT, which enabled the attackers to have full control over the compromised machine. Quoting Jamie Blasco: “Gh0st RAT was a primary tool used in the Nitro attacks last year and the variant we uncovered in these attacks seem to come from the same actors. It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.”


4. Nissan Motor Information Systems were Hacked (DailyTech, April 20)

Target: Nissan global information systems network.

Damage: Some user IDs and hashed passwords were transmitted. No customer, employee or program data had been compromised.

Summary: On April 13, 2012 Nissan Motor’s security team detected an intrusion into the company’s global information systems network. The Japanese automaker said that malware had stolen employees’ usernames and encrypted passwords and was transmitting them to an outside server. The company’s security team tried to track the transmission, but said it didn’t give much indication of who was behind the attack. American officials and security researchers pointed the finger at China, due to the widespread computer attacks on companies in Japan and India in the previous months by a Chinese hacker group.

5. Major Cyber-Attack Aimed at Natural Gas Pipeline Companies (CS MONITOR, May 5)

Vulnerability: CVE-2010-2883 (affects older versions of Adobe Reader and Acrobat).

Malware: Sykipot.

Summary: In March 2012, multiple indications helped ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) identify targeted attempts and intrusions into multiple natural gas pipeline sector organizations. The attack was described as a sophisticated “spear phishing” attack, with the attackers utilizing both public and private information on their targets and using personalized malicious emails with attachments, so the victims suspected nothing. Analysis of the malware and the artifacts associated with these cyber attacks identified that they all belonged to a single campaign.


6. State Government Facility (ICS-CERT, February)

Target: Energy Management System (EMS) of a state government facility.

Summary: In January, a cyber intrusion into a building Energy Management System (EMS) used to control heating and cooling for a state government facility was identified by ICS-CERT. ICS-CERT contacted the facility’s personnel, informed them of the compromise, and advised them to disconnect the EMS from the internet. The employees reported that, indeed, the measured temperature was not normal.


7. UK Ministry of Defense breach (The Guardian, May 3)

Target: Ministry of Defense’s top secret computer systems.

Summary: Major General Jonathan Shaw, the British military’s Head of Cyber Security, told reporters that the Ministry of Defense (MOD) had been attacked by hackers. He admitted that the hackers had managed to hack into some of the Ministry of Defense’s top secret computer systems. According to Shaw, the number of serious incidents was “quite small”, but he conceded it was likely that some attacks had gone undetected. Shaw refused to provide any more details about the nature of the attack, or about who was behind it.


8. Several Targeted Attacks Exploiting Adobe Flash Player (AlienVault Labs, May 6)

Vulnerability: CVE-2012-0779.

Summary: An infected Word document attachment containing a reference to a Flash file was sent to the victims. This Flash file exploits the CVE-2012-0779 vulnerability, triggering the execution of a shellcode that looks for the payload within the original Word document. The payload then gets decoded, dropped onto the system, and finally executed. Most of the malicious Flash files had low AV detection rates at the time of analysis, so it was very important to apply the vendor’s patch.
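
Because the Flash files in this campaign evaded most AV signatures, a structural check for Flash embedded in a Word document is a useful complement to patching. The added example below (not code from the original post, AlienVault or Cyvera) scans a document for the three SWF header signatures, walking the zip members of an OOXML file and treating a legacy binary document as one flat byte string; the sample docx it builds is constructed inline and carries only a fake SWF header, no Flash bytecode.

```python
import io
import re
import zipfile

# Every SWF file starts with one of three signatures followed by a version
# byte and a 32-bit little-endian length: FWS (uncompressed), CWS (zlib),
# ZWS (LZMA). Restricting the version byte to a plausible range keeps the
# heuristic from firing on the letters "CWS" inside ordinary text.
SWF_MAGIC = re.compile(rb"(FWS|CWS|ZWS)(?P<ver>[\x01-\x40])")

def find_swf_blobs(data):
    """Return (offset, signature, version) for every SWF header in data."""
    return [(m.start(), m.group(1).decode("ascii"), m.group("ver")[0])
            for m in SWF_MAGIC.finditer(data)]

def scan_office_file(blob):
    """Scan a document for embedded Flash. An OOXML (.docx) file is a zip, so
    each member is scanned by name; anything else (e.g. a binary .doc) is
    scanned as a raw byte string and reported under the "<raw>" label."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            for member in archive.namelist():
                for off, sig, ver in find_swf_blobs(archive.read(member)):
                    findings.append((member, off, sig, ver))
    else:
        for off, sig, ver in find_swf_blobs(blob):
            findings.append(("<raw>", off, sig, ver))
    return findings

def build_sample_docx():
    """Constructed sample: a minimal docx whose embeddings part holds a fake
    CWS header (version 10) after 16 bytes of padding. No real Flash content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/embeddings/oleObject1.bin",
                         b"\x00" * 16 + b"CWS\x0a" + b"\x00" * 8)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_office_file(build_sample_docx()):
        print("embedded SWF in %s at offset %d (%s v%d)" % hit)
```

A hit is not proof of malice (legitimate presentations embed Flash too), but any SWF inside a mailed Word attachment deserves a closer look, particularly when the Flash runtime on the receiving hosts is unpatched.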


9. London Olympics 2012 (F-secure, May 28)

Vulnerability: CVE-2010-2883.

Summary: The exploit was mounted on top of a PDF file containing a copy of the London 2012 Olympic schedule. That PDF was shown to the victim while the attack took place, making it much less suspicious. Following a successful exploitation, the payload tried to contact a site registered to “student travel” in Baotoushi, China.


10. Targeted Attacks Against Aerospace Industry Use Sykipot Malware (Network World, July 4)

Vulnerability: CVE-2011-0611, CVE-2012-1889.

Malware: Sykipot.

Summary: The rogue emails contained links to compromised websites that exploited a 2011 Flash Player vulnerability and a vulnerability in Microsoft XML Core Services (MSXML) that was unpatched at that time. Successful exploitation of the vulnerability was followed by installation of the malware.