One of our 2014 security predictions is that cyber criminals will more frequently leverage targeted attack methodologies. Some of these tactics include using spear phishing attacks, as well as well-known vulnerabilities that have been used successfully in targeted attacks.
Let’s see why cybercriminals are taking a closer look at these techniques, and how this can affect their actions in the near future.
In underground forums, we have seen more interest in learning how to create exploits using vulnerabilities seen in targeted attacks. The individuals who express interest are involved in creating RATs (remote access Trojans) which are used in criminal operations.
Figure 1. Post showing interest in vulnerability
There are similar levels of interest in information related to PDF exploits and vulnerabilities. Again, these are commonly seen in targeted attacks.
Figure 2. Post showing interest in vulnerability
Some of the vulnerabilities that criminals have shown interest in include:
- CVE-2010-3333 (Microsoft Office)
- CVE-2012-0158 (Microsoft Office)
- CVE-2013-0640 (Adobe Acrobat/Reader)
- CVE-2013-3906 (Microsoft Office and Windows)
New attack methods
We cannot be 100% sure about why cybercriminals have adapted these methods. However, we can say that cybercriminals will start looking into attack methods, commonly seen in targeted attacks, which may make the following possible:
- Attacking the weakest link in the chain – humans – is relatively successful. If attackers are selecting targets with relatively little IT experience, they are more likely to open an attachment that appears to come from their bosses, for instance.
- The attackers know that many systems aren’t patched. Many vulnerabilities in existence today that targeted attackers attempt exploitation on work because the systems they target aren’t patched. This makes the exploit relatively successful when utilized against unpatched systems.
- Easy access to builders and other tools make carrying out attacks easier. Even a layman or script kiddie can create malicious PDF or DOCX files, which can then be used in spear phishing attacks.
- A cybercriminal can more precisely target individuals with access to information they want. For example, if they want to gain access to personal information of a company’s employees, they would target HR personnel directly.
- These improvements can be implemented easily and at relatively little cost. Chaining together exploit documents and infostealers like the Citadel banking Trojan is fairly simple; similarly, an infrastructure similar to that used in targeted attacks can be cheaply added. They both improve the effectivity of these attacks.
In this post, we looked at the big picture as to why criminal actors are now using methods associated with targeted attacks. In a later post, we will look into an example of how a cybercriminal used these methods, and explore how he was able to gain access to his target.
In this post, we probed into why criminal actors are now using methods associated with targeted attacks. This is part of Trend Micro’s predictions for 2014, in which we present an expert’s view of the current threat landscape and how it will likely change in the near future. To know more about these, you may read Blurring Boundaries: Trend Micro Security Predictions for 2014 and Beyond.