    Author Archive - Jim Gogolinski (Senior Threat Researcher)

    Recent events – both in the United States and in Japan – have forced IT administrators everywhere to reevaluate the possibility of insider threats. Because of their very nature, it can be difficult to handle these problems, particularly because the mindset needed to handle them can vary.

    The insider threat can be broken down into three issues: why people within an organization become threats, what damage they can do, and how they can be prevented.

    Why do people become insider threats?

    It can be difficult to understand the motivation of people who are insider threats: they act against an organization that they are (or were) a part of and indirectly act against their own interests.

    One model we can use to examine motives is espionage. If not quite as severe, the basic question is similar. The motives of would-be spies are frequently described using the acronym MICE:

    • M – Money
    • I – Ideology
    • C – Coercion
    • E – Ego

    Frequently, more than one of these motives is in play. Depending on what the motivation is, the nature of the attack may also differ: for example, an insider interested primarily in monetary gain might prefer to set up a quiet way to steal (and sell) confidential or proprietary information. Someone else driven by a sense of personal grievance might carry out a series of attacks like defacing the company’s website or, worse, conducting information theft; in either case, these would be more “demonstrative” attacks meant to highlight that something did happen.

    What is obvious is that trying to determine what drives somebody to become a “threat” to their own organization is a complex, multi-faceted question with no single answer.

    However, employee discontent is a powerful incentive towards becoming an insider threat. Examples of this include pay cuts, layoffs, or other events that can cause otherwise placid employees to become disgruntled. If an organization is slow to remove access, former employees can still pose an “insider threat” if they still have access to the network.

    Employee discontent is just one of the possible motives behind an insider attack. Another would be ego: an employee who may not have received the response he believes he deserves (be it blame or praise) may lash out. Other insider attacks are deliberate and premeditated; these are performed by employees who join companies specifically to gather insider information.

    Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

    • Military agencies, embassies, and defense contractors in the US and its allies
    • Opposition politicians and dissidents of the Russian government
    • International media
    • The national security department of a US ally

    The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages.

    A Closer Look at SEDNIT

    Our investigation into Pawn Storm has shown that the attackers have done their homework. Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.


    Figure 1. Phases 1 and 2 in an Operation Pawn Storm attack

    The spear-phishing emails sent in Pawn Storm attacks can be aimed at very specific targets. In one example, a spear-phishing email was sent to only 3 employees of the legal department of a billion-dollar multinational firm. The e-mail addresses of the recipients are not advertised anywhere online. The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive on the part of the attackers. Luckily, nobody clicked on the link in the spear-phishing e-mail, and Trend Micro was able to warn the company at an early stage, thus preventing any further damage.

    This attack, however, is just one of the many attacks launched, and there will surely be more. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns. In June 2014 they compromised government websites in Poland, and in September 2014 the website of the Power Exchange in Poland, by inserting a malicious iframe pointing to an exploit server at yovtube[dot]co and defenceiq[dot]us. The exploit server was, however, very selective in infecting victims with SEDNIT, so that SEDNIT malware only got installed on selected systems.
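    As an added illustration (not part of the original post), the following Python scans a page's HTML for iframes that point at the exploit-server domains named above or that have been made invisible, which is how an injected redirector of this kind typically hides. The sample HTML is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The defanged exploit-server domains from the post, refanged for matching.
KNOWN_BAD_HOSTS = {"yovtube.co", "defenceiq.us"}

# Constructed sample page (not a real compromised site): a normal embedded
# widget, an injected zero-size iframe to a known exploit host, and a
# visibility-hidden iframe to an unknown host.
SAMPLE_HTML = """
<html><body>
<h1>Power Exchange</h1>
<iframe src="https://www.example.org/widget" width="300" height="200"></iframe>
<iframe src="http://yovtube.co/view.php?id=7" width="0" height="0" style="display:none"></iframe>
<iframe src="//cdn.example.net/ad" style="visibility:hidden;width:1px;height:1px"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def _is_hidden(attrs):
    """True if the iframe is sized to nothing or hidden via inline CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    css_hidden = any(marker in style for marker in (
        "display:none", "visibility:hidden", "width:0", "height:0",
        "width:1px", "height:1px"))
    return tiny or css_hidden

def scan_for_injected_iframes(html):
    """Return (src, reasons) for each iframe that points at a known exploit
    host or is invisible; an empty list means nothing suspicious was found."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
            reasons.append("known exploit host")
        if _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in scan_for_injected_iframes(SAMPLE_HTML):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```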

    Another technique used by the Pawn Storm attackers is a very clever phishing attack that specifically targets Outlook Web Access users. We will discuss that part in another entry that we will release soon. In the meantime, check the full details of our research in our paper: Operation Pawn Storm.

    Posted in Malware, Targeted Attacks | Operation Pawn Storm: The Red in SEDNIT

    The year so far has been a particularly stressful one for enterprise IT staff. Early in the year, concerns over data breaches and point-of-sale (POS) malware gave retailers something to worry about.

    The long-simmering headache of Windows XP migration came to a head when support for the venerable OS ended in April. That would normally have been the security headline of the month, but a vulnerability in OpenSSL known as Heartbleed reared its less than welcome head.

    All in all, then, IT security personnel can be excused if they’re tired and just a bit weary of patching holes as they happen. Hopefully, these teams are able to properly recuperate from these rather stressful times, as the importance of trained and empowered security personnel cannot be overstated.

    While the role of technical solutions gets more attention (and, frequently, funding), these solutions are worthless without trained personnel that know how to use them. Dealing with today’s attack environment is not just about using more sophisticated tools; it is also about trained IT security people making decisions, with the best information provided by their tools as well as threat intelligence at their disposal.

    Unfortunately in many organizations, these teams get the short shrift and are viewed as nothing more than a cost center. This sounds good until a major breach or other security failure happens – which ends up costing an organization far more.

    So how exactly can organizations take care of their information security personnel? Here are four areas where organizations can help.

    Give them the tools they need – and let them experiment, too. 

    First of all, the information security teams must have the resources they need. This can include hardware, software, and headcount. Teams should be able to do their job without having to worry that they don’t have the resources to do it. Yes, this can be expensive, but so are attacks and data breaches.

    In addition, organizations should let teams have some leeway to experiment. If they want to try new tools, or use new methods to gather or analyze threat information – let them experiment. These ideas don’t have to be production quality right out of the gate, all that’s needed is a proof of concept to check if the idea will work.

    Let them learn and make mistakes.

    New threats and problems are always emerging. As we just saw in rather lurid detail this year, things we thought were secure sometimes aren’t. Learning has to be a key part of a team’s goals in order to stay in front of the threats encountered in day-to-day usage.

    Information about threats is not always precise; things that appear to be threats may turn out to be completely harmless, and the reverse is also true. Mistakes happen; trying to reduce them is obviously desirable, but it shouldn’t turn your security team into an overcautious group that is afraid of pointing out an obvious attack.

    Ensure data is freely accessible

    This ties in with our first point. If an organization really wants its teams to experiment, it should ensure that its logs and databases are in easily accessible and open formats. All files being archived should be stored as plain text, such as comma-separated values (CSV), rather than in a proprietary binary format. Plain text can be easily processed by many viewers and scripting languages.

    Why is this important? It allows searches to be performed in a relatively quick and efficient manner, which gives an organization’s security professionals the best possible access to potential threat information. Depending on the information an organization logs and archives, it also offers intriguing possibilities for data correlation. The threat intelligence available to an organization’s defenders may improve as a result.
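    As an added example (not part of the original post), the following Python shows the kind of correlation that plain-text CSV archives make easy, applied to the earlier point about former employees retaining access: an HR departures export is joined against a VPN authentication log to flag any login attempt after a user's termination date. Both CSV inputs and the column names are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed HR export: users who have left and their last day.
HR_DEPARTURES_CSV = """\
username,termination_date
jdoe,2015-07-31
asmith,2015-08-03
"""

# Constructed VPN authentication log in plain CSV (RFC 5737 test addresses).
VPN_AUTH_CSV = """\
timestamp,username,src_ip,result
2015-07-30T09:12:44,jdoe,198.51.100.7,success
2015-08-01T22:05:10,jdoe,198.51.100.7,success
2015-08-02T08:30:01,bwong,203.0.113.9,success
2015-08-04T01:14:59,asmith,203.0.113.22,failure
2015-08-05T03:40:12,asmith,203.0.113.22,success
"""

def load_departures(csv_text):
    """Map username -> termination date (a datetime.date) from the HR export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["username"]: datetime.strptime(row["termination_date"], "%Y-%m-%d").date()
            for row in reader}

def find_post_termination_logins(vpn_csv_text, departures):
    """Return (username, timestamp, src_ip, result) for every authentication
    attempt, successful or not, by a departed user on a day after their
    termination date. Failed attempts are kept: they still show that the
    account was not disabled. Rows for current staff are ignored."""
    hits = []
    for row in csv.DictReader(io.StringIO(vpn_csv_text)):
        term = departures.get(row["username"])
        if term is None:
            continue
        when = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S")
        if when.date() > term:
            hits.append((row["username"], row["timestamp"], row["src_ip"], row["result"]))
    return hits

if __name__ == "__main__":
    departed = load_departures(HR_DEPARTURES_CSV)
    for hit in find_post_termination_logins(VPN_AUTH_CSV, departed):
        print("access after termination:", hit)
```

    The same join works unchanged against a file-share or badge-reader log as long as it is archived as CSV with a username column.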

    Listen to them.

    In many organizations the security professionals are not listened to, either by other IT staff or by upper management. That is a mistake, as security professionals know what they’re talking about and can provide helpful insights if asked. It’s true for any profession, but in the security field it is of particular importance that its practitioners be engaged and considered by the rest of the organization.

    All in all, the lesson is simple: the foundation of any organization’s security posture is the individuals actually putting that posture into force on the ground. To ensure the success of any policies, the individuals implementing them must receive the proper support and resources necessary to do their job.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    Are you an information security professional? Let us know what you think in the comments.

    Posted in Targeted Attacks | The First Line of Defense: IT Personnel

    There are various reasons why targeted attacks can happen to almost any company. One of the biggest reasons is theft of a company’s proprietary information. There are many types of confidential data that could be valuable. Intellectual property is often the first thing that comes to mind. There are also other, less obvious items of value that can be acquired: for example, financial information, employee and customer personal information, and information related to pending sales, financial deals, and legal actions. However, companies can also be targeted for reasons having nothing to do with their products or information.

    Targeted Attacks Serve as Launch Pads

    Attackers may target a company so that they may use the newly compromised infrastructure as a launching ground for attacks against other organizations. In certain cases, the attackers may want to use the victim’s e-mail accounts to gain some legitimacy in a spear-phishing campaign.

    Another reason for targeting may be who the company’s networks are connected to. A small vendor may supply parts to a larger integrator and this may require them to have access to the integrator’s networks. It may be easier and/or stealthier for the attacker to come in through the vendor’s network rather than try and gain a foothold in the integrator’s networks.

    Additionally, a company may be targeted for the sole purpose of being used as a stepping stone or hop point to help obscure the path between the attacker and his target.

    What Can Be Done to Deal with Targeted Attacks?

    Unfortunately, time and the odds are on the side of the attacker. No matter how good a company’s defenses are, it takes just one configuration mistake or a single user to open a malicious file or visit an infected watering hole for the company to become infected. Once an attacker is inside a network, the goal must be to detect and contain them as quickly as possible. At that point, a full forensic investigation can be conducted to see where the attackers have been and what damage they have done.

    So, is there anything that companies can do to deal with targeted attacks? The answer is yes.

    This process can be very time consuming, but there are two areas a company can address ahead of time to help minimize the damage, as well as make the investigation as quick and successful as possible. The first area involves changes to infrastructure – proper logging policies, network segmentation, tightening user security policies, and protecting critical data. The second area involves personnel. Companies should have their own threat intelligence group as well as a forensic team that is already trained and operational.

    To help improve security posture, penetration testing can be a great help to companies. There is a lot to be learned from these tests, regardless of whether they are required or not. At the very least, network testing should be done, but if possible allow social-engineering and physical security tests as well. Once completed, the penetration test can be used as a training tool for the forensic team and provide lessons learned to the company regarding overall security issues.

    Security as an Investment

    There is a cost associated with these preparations, but they will be dwarfed by the cost of a single extensive targeted attack investigation. In addition to the actual amount to run the investigation, there are the harder to characterize costs including possible loss of contracts, investor confidence, or lawsuits. It is simply too expensive for companies to ignore the risks of being the victim of a targeted attack.

    More details on how organizations can take steps to minimize the risks of being victimized by targeted attacks are in the report I put together titled Suggestions to Help Companies with the Fight Against Targeted Attacks. We have other resources that discuss targeted attacks in the Threat Intelligence Resource on Targeted Attacks portion of our website.

    I hope you will find these tips useful in keeping your network secure.

    Posted in Targeted Attacks | Can Companies Fight Against Targeted Attacks?

    One particular aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get victims at various Fortune 500 companies to give up bits of information. These are the sort of social engineering attacks that give security professionals at large enterprises nightmares.

    These same professionals may be in charge of programs meant to train employees on how to avoid social engineering attacks, but many of these programs are not as effective as they can and should be. What are some of the things that organizations can do to improve these programs?

    • Give these programs a good name. This may sound trivial, but there’s a reason to do this. “Catchy” names may well become the butt of jokes, but it keeps training programs – and their lessons – in the minds of users.
    • Put users on the other side of the attack – teach them basic social engineering. There’s no better way of understanding how social engineering works than teaching how to do it. By putting employees in the role of the attacker, they can understand how to spot an attack and that any data is valuable to a social engineer – not just what would normally be considered “sensitive.”
    • Don’t forget the value of “no”. A very effective tactic used by social engineers is veiled threats that if the target doesn’t do what they are asked, their boss will hear about it and be angry. This can be dealt with culturally: let employees (and managers) know that there will never be a penalty for saying “no” and verifying with whoever’s in charge. Call/mailbacks (via information in company address books) should be part and parcel of company procedure.

    Part of a good social engineering training program is “social” penetration testing – i.e., having someone play the role of an attacker and trying to socially engineer employees. However, some organizations try to reduce costs and rely on automated tests alone. This can be a problem – obviously “fake” tests will annoy employees and make them more vulnerable to real attacks. Organizations have to ensure that any tests carried out are as realistic as possible, to realistically and accurately measure the ability to resist social engineering.

    Both testing and training have to be a continuous and never-ending process. Social engineering attacks, as with all attacks, only become stronger over time. Employees join and leave the company, or change their roles. A truly effective training program has to keep all of these in mind in order to protect an organization for the long haul.

    Posted in Social | How Can Social Engineering Training Work Effectively?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice