Last time, I talked about how attackers are at an advantage when it comes to targeted attacks, and how it is important that we accept that fact in order to deal with attacks properly. Here comes the hard part: knowing that attackers have a great level of control, what do we do now?

Remember that even though we’ve come to accept that attackers have greater control, does not mean that we don’t have any of it. We do, and it is important to take note of that because using that control is highly critical in dealing with targeted attacks.

Control the Perimeter

Of course, any form of control can only be truly successful if founded on an awareness of what we truly own. Acquiring a firm grasp of what and who gets access to the network and the level of access that is provided may come at the expense of what most employees see as convenient, but considering the dangers of targeted attacks, it is important to put security first.

Part of identifying the network is also having a deep understanding of it, specifically the operations, processes, events, and behavior we consider normal. Knowledge of what is truly normal and what is not will help identify anomalies better and faster.

Once the network is defined, it is critical to have a means to monitor the network, which means having visibility and control of everything that goes in and out of it. A good example of a technology that can help network administrators do this is DNS Response Policy Zone. DNS RPZ provides a scalable means to manage connections to and from the network. If complemented with a domain name blacklist, it would create a network environment that is significantly safer.

Deploy Inside-Out Protection

Traditional defenses focus on hardening firewalls and keeping bad components out through blacklisting. Now, while this “outside-in” strategy would be effective for dealing with fairly straightforward attacks, it would be utterly unreliable against targeted attacks. Traditional defenses are made for attacks where the form and source are easily recognizable, which is not the case for targeted attacks.

Figure 1. Traditional defense

Read the rest of this entry »

Last week, Trend Micro found malware samples that had been signed with digital certificates belonging to two software companies that develop specialized software. Since the two digital certificates are used by developers making very specialized products, this can increase the chances that this attack will succeed.

We have identified several samples that were signed with these compromised certificates, which we detect as TROJ_KRYPT.SMMV or TSPY_KRYPTIK.NO. We do not know if the same author was responsible for both attacks, although they do share similarities.

Both attacks used Java exploits to get onto the affected systems, which we detect as JAVA_EXPLOIT.SO and JAVA_EXPLOIT.EOJ. It’s worth noting that the exploits used here rely on vulnerabilities from early 2012, so a patched Java install would have helped protect users.

In addition, they also used a similar packaging tool. This allows different types of malware to be launched into the memory of infected system without actually dropping the physical malware file. In addition, it makes it possible to re-use old malware code, since the packaging tool will produce an entirely different file from any original (detecting) malicious code, evading detection.

Read the rest of this entry »

Over the course of the past few weeks, we’ve talked a lot Advanced Persistent Threats (APT), and how such threats require a different class of protection in order to be managed effectively.

There can be no doubt that APT attacks are a real threat. Such threats are unpredictable in nature, could lead to devastating consequences, and could affect just about any organization. The recent work from ISACA on the 2012 Advanced Persistent Threat (APT) Awareness Study shows 63% of security professionals said they were or could be a target for APT attacks. That alone says that people in the know are taking this threat seriously.

But that survey also showed that fewer than 10% of those surveyed understood that these threats are significantly different from traditional threats. Awareness of the problem is a good start. But there’s work to be done to increase awareness around solutions.

As part of our ongoing work to help educate people about threats as well as solutions, we’ve partnered with Forrester Research on a new study: Mitigating Targeted Attacks Requires an Integrated Solution. This study surveyed 350 IT enterprise security decision-makers in the US, UK, France, and Germany, asking them about their technology expectations for targeted threat detection and response. It outlines some of the effective steps organizations are taking to protect themselves from APT attacks. In addition, it also highlights some areas of caution too: most notably that a number of organizations are still focusing resources in the wrong direction to protect against APT attacks.

Read the rest of this entry »

In the course of our threat research, we’ve encountered different types of social engineering lures that aim to trigger different emotions such as fear and happiness. These lures are often effective, as we’ve seen happen in several incidents in the past. However, they are also easily recognizable as they often use a common theme, be it a recent event or an ongoing season.

There are also other techniques that use different, more sober approach. These techniques do not aim to trigger alarm, but instead to try to avoid it. They try to blend into their intended victims’ normal behavior or use their interests in order to get the them into schemes. And though these techniques are far less alarming in terms of the message they bring, they are harder to detect, and often more sinister.

An example of this is the watering hole technique, which was used recently in an attack that ended up affecting companies such as Facebook and Apple. Choosing to use a mobile developer forum as the watering hole, the lure was almost passive — it did not need any means to get the victims to visit the site. The site was strategically chosen because visiting it was already known to be a part of the victim’s normal routine.

Earlier this week, we also saw reports of an attack wherein the name of the report recently released by Mandiant is being used as the lure. The message in related to the attack comes as a recommendation from the sender to read the article, along with a PDF file which supposedly is the report itself (of course in reality the file is malicious — a PDF exploit we detect as TROJ_PIDIEF.EVF). We were also alerted of news regarding another threat using the Mandiant report, which supposedly targeted journalists. Detected as TROJ_PIDIEF.EVE, this malware drops the non-malicious .PDF file, Mandiant_APT2_Report.pdf and a backdoor detected as BKDR_POISON.EVE.

Figure 1. Screenshot of the dropped .PDF file

Figure 2. TROJ_PIDIEF.EVE drops this non-malicious .PDF file

Read the rest of this entry »

Based on the number of phishing sites we observed in 2012, it appears that cybercriminals have discovered a new target in mobile devices.

For 2012, we found 4,000 phishing URLs designed for mobile Web. Though this number represents less than 1% of all the phishing URLs gathered that year, this highlights that mobile devices (smartphones, tablets and the likes) are valid platforms to launch phishing attacks.

Cybercriminals use phishing sites, which are spoofed versions of legitimate sites, to trick users into disclosing sensitive information like usernames, passwords, and even account details.

What’s more worrisome is the kind of websites these phishing attacks spoof. In 2012, 75% of mobile phishing URLs were rogue versions of well-known banking or financial sites. Once users are tricked into divulging their login credentials to these sites, cybercriminals can use these stolen data to initiate unauthorized transactions and purchases via the victim’s account.

A portion of these phishing sites were designed to spoof social networking sites (2%) and online shopping sites (4%). This small number for phishing sites for social media may be due to users preference for social media apps. Because users are unlikely to visit social networking sites by Web mobile, launching phishing equivalent of these pages may not be an effective way to target users.

These numbers are consistent with our top 10 most phished entities, in which majority are banking or credit card websites.

Figure 1. Mobile phishing URLs by industry

Read the rest of this entry »