    TrendLabs Security Intelligence Blog

    Archive for May 23rd, 2014




    When we said as part of our 2014 predictions that there would be one major data breach per month, we actually hoped we’d be wrong. Unfortunately, so far, we’ve been proven right: the latest victim of a massive data breach is the well-known auction site eBay.

    To recap, earlier this week eBay disclosed in a blog post that they had suffered a breach that compromised a database containing “encrypted passwords and other non-financial data”. While they said there was no evidence of unauthorized activity or access to financial information, as a best practice they asked all users to change their passwords.

    The scale of the attack is difficult to overstate. In a separate FAQ, eBay stated that all 145 million of its users would be affected. By any standard, this is one of the largest data breaches (by number of affected users) of all time.

    The breached information included the following details of users:

    • Name
    • Encrypted password
    • Email address
    • Physical address
    • Phone number
    • Date of birth

    There’s really only one thing that end users of eBay can do: change their passwords. If you’re an eBay user and you haven’t changed your password yet – open a new tab and do it right away. If you have difficulty remembering a password, use a password manager. (We’ve previously given out tips on password security.)

    System administrators may look at this incident and ask: how do I make sure this doesn’t happen to me? After all, if a large, presumably well-funded organization like eBay can be attacked and breached, what chance does a smaller company with fewer resources have?

    We have created a special report on data breaches, which looks at the overall data breach threat. Looking at this specific incident, some things stand out that other organizations can learn from. First of all, let’s remember how the attack started: with compromised employee credentials. It is quite likely that these were compromised via some form of spear-phishing. We had earlier discussed the entry points of targeted attacks.

    Both technical and non-technical measures can improve a network’s defenses at this stage. For example, internal use of two-factor authentication lessens the risk that any single compromised password is enough to get in. Training staff to recognize and avoid spear-phishing attempts is also worthwhile.

    As for the data itself, all organizations should make wider (and correct) use of encryption. The kinds of information that people consider sensitive, like the fields compromised in this breach, are not always stored in an encrypted form.

    Just as importantly, the encryption has to be used correctly. Best practices have to be followed throughout the entire process: which algorithms are used, how the encryption is carried out, how keys are generated and stored, and so on. For stored passwords in particular, the right tool is not reversible encryption at all but a salted, deliberately slow one-way hash, so that a stolen database still costs the attacker a separate brute-force effort per account. Cryptography is hard even when everything is done right; done wrong, it offers little protection at all.
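    The following is an added example (not code from this post, and not eBay’s implementation) of what “correct use” looks like for the one item on the list above that is most often mishandled, the password. Each password gets a random per-user salt and a deliberately slow PBKDF2 derivation, the check runs in constant time, and the record carries its own cost so it can be upgraded later. The record format and the iteration count are assumptions for the example.

```python
# Added example: salted, slow password hashing with PBKDF2-HMAC-SHA256.
# Not from the TrendLabs post; record format and iteration count are assumed.
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed cost; raise it until one check takes ~100 ms on your hardware
SALT_BYTES = 16        # 128-bit random salt per stored password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh salt per user means two users with the same password get different
    records, and an attacker cannot precompute one table for the whole database.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower cost than current policy;
    call hash_password again on the next successful login to upgrade it."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("valid:", verify_password("correct horse battery staple", rec))
    print("wrong:", verify_password("Correct horse battery staple", rec))
```

    Note the two properties that reversible “encrypted passwords” lack: there is no key whose theft unlocks every account at once, and each guess costs the attacker the full derivation.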

    There’s no single solution that can remedy all potential security problems. That, however, is the point of a layered security solution: there are various ways that an attack can enter a network, and various ways that it can be detected as well. A properly designed custom defense solution will provide the best opportunity to detect and mitigate these threats.

     
    Posted in Data, Hacked Sites



    In the recent 2H-2013 Targeted Attack Roundup Report we noted that we have been seeing several targeted attack campaigns in Taiwan.

    We are currently monitoring a campaign that specifically targets government and administrative agencies in Taiwan. We are naming this campaign PLEAD after the letters of the backdoor commands issued by the related malware.

    The point of entry for this campaign is email. The threat actors use the right-to-left override (RTLO) technique to fool the recipient into believing that the unpacked file’s extension is harmless, i.e., that the file is not an executable.

    In some cases related to the PLEAD campaign, the RTLO technique was implemented correctly, as seen in a case targeting a particular ministry in Taiwan, purporting to be reference materials for a technical consultant conference:

    Figure 1. Email sent to Taiwanese government agency

    When the .7z attachment is unpacked, the recipient sees two files: what appears to be a PowerPoint document and a Microsoft Word file. The RTLO technique takes advantage of a Unicode control character (U+202E, RIGHT-TO-LEFT OVERRIDE) that exists to support languages written right to left: everything after it is displayed in reverse order. The first file’s actual name ends in the letters of “ppt” reversed followed by “.scr”; with the override character inserted just before that run, the file manager displays the name as if it ended in .PPT, even though the file is in fact a screen saver (.SCR) file, which Windows runs as an ordinary executable.

    The threat actor included an additional decoy document, the second file in Figure 2, a .DOC file whose only function is to add to the believability of the email.

    Figure 2. Unpacked attachment shows RTLO trick at work with the .SCR file

    To further convince the victim that the .SCR file is a .PPT file, the .SCR file drops the following .PPT, which serves only as a decoy.

    Figure 3. The .SCR drops this .PPT file as decoy

    The RTLO trick in the above case was successful, but in other cases it was not, as in this spear-phishing email belonging to the same campaign. This time the email pretends to contain statistical data about Taiwanese business enterprises:

    Figure 4. Second email sample, this time sent to a different Taiwanese government agency

    Figure 5. Unpacked attachment reveals that the file is an executable
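    To make the trick concrete, and to show the check a mail gateway or archive scanner would apply, here is an added example (not code from this post or from the PLEAD malware). It builds a filename in the style of Figure 2, shows the name a file manager renders versus the extension the operating system actually uses, and flags any archive entry that carries a bidirectional control character or whose displayed extension disagrees with the real one. The archive listing and the list of executable extensions are constructed for the example; the rendering function is a simplification of the Unicode bidi algorithm that is sufficient for this trick.

```python
# Added example: reproduce and detect the RTLO (U+202E) filename trick.
# Not from the TrendLabs post; sample listing and extension list are constructed.
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# Unicode bidirectional control characters; none of them belongs in a filename.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

# Extensions Windows executes on double-click (assumed list; extend to taste).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def make_rtlo_name(prefix: str, real_ext: str, shown_ext: str) -> str:
    """Build an attacker-style name: prefix + RLO + reversed(shown_ext letters) + real_ext.

    make_rtlo_name("slides", ".scr", ".ppt") is stored as "slides" + RLO + "tpp.scr";
    a bidi-aware file manager draws the run after the RLO right-to-left, so the
    user sees "slidesrcs.ppt" while the OS still sees a .scr file.
    """
    return prefix + RLO + shown_ext.lstrip(".")[::-1] + real_ext


def rendered_name(name: str) -> str:
    """Approximate what the user sees: the run after an RLO is displayed reversed.
    (Simplified bidi handling: one override, no terminating PDF.)"""
    i = name.find(RLO)
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def strip_bidi_controls(name: str) -> str:
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """Extension the OS actually uses: taken from the raw name with controls removed."""
    return os.path.splitext(strip_bidi_controls(name))[1].lower()


def displayed_extension(name: str) -> str:
    """Extension the user believes they see."""
    return os.path.splitext(rendered_name(name))[1].lower()


def inspect_filename(name: str) -> dict:
    """Flag a name carrying bidi controls, or whose displayed and real extensions differ."""
    has_control = any(ch in BIDI_CONTROLS for ch in name)
    real, shown = real_extension(name), displayed_extension(name)
    return {
        "name": name,
        "has_bidi_control": has_control,
        "real_ext": real,
        "displayed_ext": shown,
        "executable": real in EXECUTABLE_EXTS,
        "suspicious": has_control or real != shown,
    }


def scan_listing(names):
    """Return inspection records for every suspicious entry in an archive listing."""
    return [rec for rec in map(inspect_filename, names) if rec["suspicious"]]


# Constructed listing modelled on Figure 2: a disguised .SCR beside a decoy .DOC.
SAMPLE_ARCHIVE_LISTING = [
    make_rtlo_name("conference_slides", ".scr", ".ppt"),
    "reference_materials.doc",
]

if __name__ == "__main__":
    for rec in scan_listing(SAMPLE_ARCHIVE_LISTING):
        print(f"shown as {rendered_name(rec['name'])!r}, really {rec['real_ext']}, "
              f"executable={rec['executable']}")
```

    The practical rule this encodes is simple: decide the file type from the raw name with all bidirectional controls removed, never from what a display layer renders, and treat the presence of such a control character in a filename as a block-worthy signal on its own.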

    We also observed an exploit for CVE-2012-0158, a vulnerability in the Windows common controls (MSCOMCTL.OCX) that Microsoft patched in MS12-027 back in April 2012. It allows an attacker to execute arbitrary code when a specially crafted document is opened, and it remains one of the vulnerabilities most commonly used in targeted attacks.

    Figure 6. Third sample email uses exploit

    The payloads in the PLEAD campaign are usually backdoors that first decrypt their code and then inject themselves into another process. Installation differs from one sample to the next, but the related backdoors typically collect the following information from the victim’s computer:

    • User name
    • Computer name
    • Host name
    • Current Malware Process ID

    This is a common way for threat actors to keep track of individual victims while monitoring their operations. Once a connection has been established with the remote servers, the backdoor executes commands such as:

    • Check installed software/proxy setting
    • List drives
    • Get file
    • Delete file
    • Remote shell

    These commands are typical of reconnaissance activity.

    We are still conducting research about the related C&Cs and malware tools in the PLEAD campaign and will be providing technical details about the breadth of this campaign. It appears that the attacks related to this campaign have been around since 2012.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice