The recent zero-day exploit targeting a use-after-free vulnerability in Internet Explorer highlights one thing: how important it is to use the least-privilege principle in assigning user profiles.

Imagine if most user accounts are configured to have administrator rights or root access on their endpoint. (This is surprisingly frequent with older OSes, like Windows XP.) A simple social engineering trick can allow a threat actor using this (or a similar) vulnerability to gain the same user rights as the current user. This may include anything from modifying system files, installing a new program, or managing other configuration settings.

Network administrators must make it incredibly hard for threat actors to ever gain administrative rights.  After all, a user profile that is not allowed to install and run downloaded programs on his system is, conversely, less impacted in our example. This will cause some inconvenience for users and administrators, but the tradeoff in increased security is worthwhile. Because of the risks of threat actors gaining elevated rights, Microsoft recently introduced in Windows 8.1 certain measures to prevent this from happening and allows users better control of privileged account.

Jim Gogolinksi’s earlier paper titled Suggestions to Help Companies with the Fight Against Targeted Attacks is a solid and much-needed treatise on why enterprises should take the time to review how their network infrastructures are set up. The paper focuses on five avenues: infrastucture, data, incident response teams, threat intelligence, and performing penetration testing.

According to Gogolinski, a secure infrastructure is largely dependent on three factors: proper and logical segmentation of the network, the ability to log and analyze logs, and secure configuration of user profiles and workstations. The inability to lay the groundwork for security can be fatal to an enterprise. Our latest enterprise primer titled The Enterprise Fights Back: Securing Your Network Infrastructure Against Targeted Attacks talks about the security repercussions in relation to targeted attacks of not finding the time and resources towards this endeavor.

Data exfiltration is the unauthorized transfer of sensitive information from a target’s network to a location which a threat actor controls. Because data routinely moves in and out of networked enterprises, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups.

Figure 1. Targeted Attack Campaign Diagram

Related Costs of Exfiltrated Data

The costs of cyber-espionage to a target organization is only clear after the fact. Risk calculators typically consider the up-front expenses of breach discovery: incident response activities, crisis management, and compliance-related penalties.

Losing competitive advantage in the event that proprietary information is sold to a rival company can threaten the survival of a business enterprise on a broader scale. The “loss” represents not only the research and development expenses to refine a product, but also the sales opportunities and market leadership lost.

Furthermore, as exemplified in the Shadow Network attacks, the attackers were able to lift out documents classified as Secret, Confidential and Restricted. Documents tagged as such, when exposed publicly, may endanger national security. For instance, restricted documents have to do with data involving the design, creation, and use of nuclear materials or weapons.

Varied Means of Exfiltrating Data

While the impact of targeted attacks is noticable, the effort to siphon data from inside an infiltrated network is not.

We recently released a report about a targeted attack campaign that used EvilGrab, where threat actors put in place backdoors that can capture keystrokes, as well as video and audio of the system’s environment, using attached audio microphones and video cameras. These features are part and parcel of any remote access Trojan worth its salt. As with typical data exfiltration activities, these stolen information can then be uploaded to a remote server to be accessed by the threat actor.

One way is to use the built-in file transfer capabilities of remote access Trojans, which are malware that allow a remote user to have full control of a compromised system. Remote access Trojans or other attack tools like them will probably already be in use anyway, because the earlier stage in a targeted attack would require real-time communication and control by the attacker of the compromised system.

Attackers can abuse legitimate Windows features as well. For instance, attackers can abuse WMI (Windows Management Instrumentation) to monitor and capture recently opened files. The attacker can use FTP or HTTP to send the file/s in order to trick the IT admin analyzing network traffic that the communication is legitimate. Alternatively, the attacker can use Tor to mask location and traffic.

Our researchers predict that in the future, attackers may focus on not only stealing data but on modifying data, turning the main theme of targeted attacks from espionage into sabotage. Our recently published primer on Data Exfiltration: How Threat Actors Steal Your Data goes into detail about the kinds of tools and techniques threat actors use in this component of targeted attack campaigns.

The primer is actually the 5th of the series of primers we’ve developed, all discussing the different stages of an APT. To check the others, click the corresponding thumbnail below:

Advanced persistent threats and targeted attacks often use socially engineered email as their point of entry into a target network.* Considering the volume of email traffic that an average business user sends (41) and receives (100) in a single working day and the relative ease by which social engineered emails are crafted and sent, enterprises need to reexamine how they secure this aspect of business communication.

Different social engineering techniques have been used in past targeted attacks. For instance:

• Attackers send these email via popular webmail accounts
• Attackers send these from previously compromised email accounts
• Attackers use spoofed email addresses that mimic departments or figures of authority

These email often carry exploit attachments that leverage vulnerabilities in popular software in order to compromise the victim’s computer. Upon compromise, the rest of the APT campaign folds out into the network.

Enterprises and especially the security groups that defend the network need to become more aware how simplistic it is for attackers to take advantage of email, seeing as email is the most common form of business communication. TrendLabs developed the primer Are Your Business Communications Secure? and the infographic Covert Arrivals: Targeted Attacks Via Employee Boxes, both of which tackle the dangers of email when it comes to advanced persistent threat campaigns. Click on the thumbnails below to download the materials:

Developing and utilizing external and local threat intelligence is a key enabler in any APT defense strategy. The Threat Intelligence Resources page is a reliable source of the latest in research and analysis on advanced persistent threats for IT, system and network administrators: the enterprise’s network defenders. Visit this page as it will be updated with new content to keep you posted on the latest developments in targeted attacks.

* This is not to say all APTs arrive via email, as there is definitely a wide range of entry points available to threat actors.

Do standard security solutions work against advanced persistent threats (APTs)? Are APTs crafted to extract specific files from an organization? Are data breaches caused by APTs? IT groups today face the challenge of protecting/shielding their networks against APTs—computer intrusions by threat actors that aggressively pursue and compromise targets. To help organizations formulate strategies against APTs, TrendLabs prepared an infographic that illustrates the different stages of intrusion.

By analyzing each stage of an attack, IT groups can gain insight on the tactics and operations of an active attack against their networks. This analysis helps build local threat intelligence—internal threat profiles developed through intimate knowledge and observation of attacks against a specific network. It is key to mitigate future attacks by the same threat actors. The stages our researchers have identified are intelligence gathering, point of entry, command-and-control (C&C) communication, lateral movement, asset/data discovery, and data exfiltration.

Certain realities make dealing with each stage of an APT attack more difficult than dealing with ordinary cybercrimes. For instance, in the asset discovery stage where the attacker is already inside the network enumerating which assets are valuable enough to extract, a data loss prevention (DLP) strategy can prevent access to confidential information. However, according to a survey, while company secrets comprise two-thirds of a company’s information portfolio, only half of security budgets are allocated to protecting these.

More of these realities are highlighted in the infographic, “Connecting the APT Dots.”

We regularly blog about how cybercriminals misuse newsworthy events in order to gain profit for themselves. In the past 24 hours, TrendLabs^SM has tracked multiple FAKEAV attacks that try and trick users searching for help following the recent McAfee update 5958 incident.  This determination by cybercriminals to cause further problems and inconvenience to innocent end users and businesses is, in many respects, not surprising.

We at Trend Micro are keen to help users identify these FAKEAV scams before they can be affected.

In a recent post on how blackhat SEO leads to FAKEAV, “Doorway Pages and Other FAKEAV Stealth Tactics,” advanced threats researcher Norman Ingal described important telltale signs of malicious search results, specifically that their URLs follow this pattern:

This can help users spot malicious results. Ingal further adds that the title of the page (the text that appears in bold heading style in search results lists) is generally the same as the keywords used. The same pattern has appeared time and again in our investigations related to blackhat SEO attacks.

Only this week, the search results to the following keywords were also found to carry redirections leading to rogue antivirus software:

• who got voted off american idol april 21
• dancing with the stars elimination april 2010
• goldman sachs sec filings
• boston marathon results
• april 20th weed day

The following is a demonstration of what our engineers found when they began to track search results leveraging the recent security incident:

These results lead to redirections that end up in now-usual extortion schemes where users are presented with fake infection signals to convince them to pay for software they do not actually need. Trend Micro detects variants and components of these attacks as FAKEAV.

Trend Micro™ Smart Protection Network™ already protects product users from blackhat SEO attacks of this kind by preventing access to malicious sites and domains via the Web reputation service.

Web reputation is a much faster option for blocking new threats than waiting for signatures. With this attack, we could be looking at thousands of new malicious files that have to be processed versus a single domain.

Users should, by now, be aware that trusting results from search engines is no longer as safe as previously thought. The clues we mentioned above can help users weed out legitimate results from suspicious ones.  For users who are concerned about being infected, Trend Micro HouseCall is a free tool that scans for malware infections and other security threats.

Other blackhat SEO attacks in the recent weeks from the Malware Blog include:

• Kids’ Choice Awards Used for FAKEAV
• Moscow Subway Explosions Result in FAKEAV
• Another Earthquake, Another FAKEAV