    Author Archive - Bernadette Irinco (Technical Communications)

    Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates is in mitigating the risks posed by these threats.

    Figure 1. Most commonly exploited vulnerabilities related to targeted attacks


    Our findings (based on cases that we have analyzed) indicate that 80% of targeted attack-related incidents affect government institutions. This is followed by the IT sector (both hardware and software) and the financial services sector (banks). In terms of countries affected, Taiwan and Japan are the two most hit by targeted attacks.

    In addition, we also monitor the locations of various IP addresses that accessed known C&C servers associated with targeted attacks. Our data show that Taiwan, Japan, and the United States were the most targeted countries.

    Figure 2. Countries with the most number of users who accessed C&C servers related to targeted attacks

    Tools of the Trade

    Nearly 60% of malware used in targeted attacks is Trojans or Trojan spyware. These types of malware steal user credentials that provide the gateway for threat actors to exploit other areas of a penetrated network. This is followed by backdoors (22%), employed to establish C&C communications and lead to the next stages of targeted attacks. It is also interesting to note that almost 10% of malware related to targeted attacks runs only on 64-bit platforms.

    Figure 3. Non 64- and 64-bit malware distribution

    Spear phishing is still the most common entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening them and the file attachments therein, which serve as malware carriers. In our 2014 predictions, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks.

    Custom Defense against Targeted Attacks

    Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology to detect, analyze, and respond to attacks that traditional signature-based antivirus and blacklisting cannot handle.

    Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions.

    For more details on the trends in targeted attacks in the second half of 2013, read the full report here.

    To get the latest news on targeted attacks, visit Threat Intelligence Resources – Targeted Attacks.

    Posted in Targeted Attacks | Targeted Attack Trends: A Look At 2H 2013

    This February, Microsoft released 12 security bulletins addressing 57 vulnerabilities. Of these updates, 5 are rated Critical and the rest are rated Important.

    One of the notable advisories for this round is MS13-009, Cumulative Security Update for Internet Explorer (2792100), which covers several vulnerabilities in Internet Explorer. These vulnerabilities, which affect all versions of IE including the latest version, IE 10 on Windows 8 and Windows RT, could lead to remote code execution. The other notable Critical-rated updates are MS13-011 and MS13-012, which affect Microsoft Windows and Microsoft Exchange respectively and could allow an attacker to execute malicious commands on a vulnerable system.

    Users should immediately apply patches, whenever possible, for these vulnerabilities. Trend Micro Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plugin users are protected from any attacks that may leverage these vulnerabilities. For more information on the bulletins and corresponding Trend Micro solutions, visit the Threat Encyclopedia Page.


    Posted in Vulnerabilities | February 2013 Patch Tuesday: 12 Security Bulletins for 57 Vulnerabilities

    Microsoft has recently released a patch to address the zero-day exploit affecting certain versions of Internet Explorer. The exploit was found hosted on the compromised Council on Foreign Relations website. When exploited, this IE vulnerability could allow attackers to execute arbitrary code, compromising the security of affected systems. Note that this vulnerability only affected older versions of Internet Explorer (i.e. 6, 7, and 8); Internet Explorer versions 9 and 10 are not affected. Microsoft had initially provided workarounds until the patch was released yesterday.

    Last week we also received reports of a zero-day exploit affecting Java. The exploit was used by cybercriminal toolkits such as the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). Based on our investigation, the exploit code (detected as JAVA_EXPLOIT.RG) leads to the download of REVETON malware, or police ransomware. In response to this zero-day exploit, a Java software update has been issued. Prior to this release, the U.S. Department of Homeland Security had recommended that users disable Java in their web browsers to protect their systems against attacks leveraging this vulnerability.


    Posted in Vulnerabilities | Microsoft, Oracle Release Security Fixes for Zero-Day Exploits

    A new zero-day exploit in Java has been found in the wild. Currently, this exploit is being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).

    CEK is the creation of the same author responsible for the Blackhole Exploit Kit. It appears to be a high-end version of the more accessible BHEK: zero-day exploits are first incorporated into CEK and only added to BHEK once they have been publicly disclosed. It has been reported that CEK was being used to distribute ransomware, particularly Reveton variants.

    Currently, we detect the exploits as JAVA_EXPLOIT.RG, with the sites that load this exploit code detected as HTML_EXPLOIT.RG. The Reveton payloads are detected as TROJ_REVETON.RG and TROJ_REVETON.RJ.


    Posted in Exploits, Vulnerabilities | Java Zero-Day Exploit In The Wild, Spreading Ransomware

    To jumpstart the new year, both Microsoft and Adobe released their security updates today. Microsoft, in particular, released seven bulletins to address 12 vulnerabilities, while Adobe issued its fix for Adobe Reader and Acrobat.

    Two of the seven bulletins from Microsoft are rated Critical, as they could lead to remote code execution, in which a successful attacker can run malware on vulnerable systems. The remaining five are rated Important; among these, three bulletins could allow an attacker to gain administrator privileges.

    What is noteworthy, however, is the absence of a security update for the unpatched vulnerability in Internet Explorer reported last December. Just before 2012 ended, we blogged about the incident in which the Council on Foreign Relations website was compromised to host a zero-day exploit for a use-after-free vulnerability in IE. To address this issue, Microsoft opted to release a workaround instead.


    Posted in Vulnerabilities | Microsoft, Adobe Start 2013 with Security Updates


    © Copyright 2013 Trend Micro Inc. All rights reserved.