Much has been reported about the recent discovery of a cyber-espionage campaign launched by a group known as the “Sandworm Team.” At the very heart of this incident was a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.
In our analysis, the vulnerability may allow attackers to execute other malware through a flaw in the OLE package manager in Microsoft Windows and Windows Server. Early reports shared that the vulnerability was being exploited in targeted attacks against several organizations and industry sectors. Analysis by Trend Micro researchers revealed that the attacks had ties to SCADA-centric targets. Furthermore, this vulnerability was soon used in yet another attack that employed a new evasion technique in the form of malicious files embedded in .PPSX files.
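Because .PPSX files are OOXML zip containers, a defender can triage them for embedded OLE objects before they reach a user. The script below is an added example, not code from the original entry or from Trend Micro: it lists every OLE-object relationship in a presentation and whether it points inside the package or to an external target, using a constructed minimal sample rather than a real Office document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OPC relationship namespace and the OLE object relationship type
# used by Office for embedded objects (ppt/embeddings/oleObject*.bin).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")


def find_ole_objects(pptx_bytes):
    """Return (rels part, target, mode) for each OLE-object relationship.

    mode is 'Internal' for an embedded part or 'External' when the slide
    references an object outside the package. Legitimate decks can embed
    OLE objects too (charts, spreadsheets), so treat hits as triage
    signals to inspect, not as a verdict on their own.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL:
                    mode = rel.get("TargetMode", "Internal")
                    hits.append((name, rel.get("Target"), mode))
    return hits


def build_sample_ppsx():
    """Constructed sample: a minimal zip with one slide relationship that
    embeds an OLE object. It is not a valid Office file, only enough
    structure to exercise the scanner offline."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId2" Type="{OLE_REL}" '
            'Target="../embeddings/oleObject1.bin"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for part, target, mode in find_ole_objects(build_sample_ppsx()):
        print(f"{part}: OLE object -> {target} ({mode})")
```

Run it against a real .ppsx by reading the file into bytes and passing them to find_ole_objects; any External hit deserves a closer look.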
Sometimes Old, Sometimes New
Zero-day exploits aren’t the only exploits used in the targeted attack landscape. In the first half of 2014, we saw that attackers still heavily target older vulnerabilities. One prime example would be CVE-2012-0158, a vulnerability related to Windows Common Controls. Despite the existence of a patch since early 2012, this vulnerability has proven to be an integral tool in targeted attacks, including that of the PLEAD campaign.
Of course, this doesn’t mean that zero-day vulnerabilities didn’t make an impact in 2014 so far. A targeted attack exploiting a Windows zero-day vulnerability was found to have targeted several embassies. The bug was patched a couple of days afterwards, which was notable as this occurred prior to the end of support for Windows XP, an affected platform. Another zero-day vulnerability also figured heavily in the attacks conducted by the threat actors behind the Taidoor campaign. Discovered in the latter portion of March, a patch for this zero-day was made available in the April Patch Tuesday.
Vulnerabilities are almost always patched by vendors, especially if the vulnerability is considered critical. But despite the existence of patches, not all users and organizations apply them or apply them immediately. One reason would be that applying the patch might disrupt operations. Or there might be a significant delay in applying the patches as the patches first need to be tested before being applied to corporate environments.
In this sense, attackers go for older vulnerabilities for their “reliability.” These are the tried-and-tested vulnerabilities that can still be found in targeted networks and organizations. And since these vulnerabilities have been around for years, it is easier for attackers to craft malware or a threat that reliably exploits the bug.
On the other hand, newer vulnerabilities can give attackers the upper hand. Zero-day exploits can catch all parties, including security vendors, off guard. With vendors scrambling to create the necessary security measures and corresponding patch, zero-day exploits can use this “window of insecurity” to attack and affect even the most secured environments. In that sense, zero-day vulnerabilities can be considered more effective and even riskier.
Payoff in the Targets
Zero-days can be even more effective if the affected platform or application is outdated or has reached its end of support. With no patches made available, the window of “insecurity” initially exploited by zero-days becomes a permanent one.
That was initially the case for an Internet Explorer vulnerability that was being exploited in targeted attacks. The vulnerability (CVE-2014-1776) garnered much attention as it was initially reported that Microsoft would not be releasing a patch for Windows XP. However, a patch was soon made available for the platform.
Countermeasures and Mitigations
Addressing targeted attacks requires not only the right set of tools but also the right mindset. In our entry, “Common Misconceptions IT Admins Have on Targeted Attacks,” we enumerated several misconceptions that might greatly affect the security of a network. Included there is the misconception that targeted attacks always involve zero-day vulnerabilities. As we have seen, attackers do not limit themselves to zero-day vulnerabilities. In fact, older vulnerabilities are more favored than zero-days. This stresses the importance of applying all security patches once they are available.
Addressing zero-days can be more difficult but not impossible. Tactics like virtual patching can help mitigate threats in the presence of zero-days and unsupported systems. Honeypots (which can attract attackers) can flag attacks at earlier stages. Technologies like heuristic scanning and sandbox protection can help identify suspicious files and execute them in a protected environment without compromising the network. Organizations should also look into employee education. Email lures are often the first stage in targeted attacks; if employees are trained to flag suspicious emails, network defense can improve greatly.
Trend Micro Deep Security protects users from zero-day vulnerabilities mentioned in this entry via the following rules:
- 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065)
- 1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
- 1006045 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776) – 1
- 1005989 – Identified Malicious C&C Server SSL Certificate (For CVE-2014-1761)
- 1005990 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761)
- 1006000 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761) – 1
With additional insight from Ziv Chang