Trends in targeted attacks

Gastone Nencini
Country Leader Trend Micro Italy e Senior Technical Manager Trend Micro Southern Europe TRENDS IN TARGETED ATTACKS
Sommario
Abstract
Gli at ac hi mirati costituiscono una categoria di minac e Targeted at acks constitute a threat category that refers to specifiche da parte di criminali informatici che, at raverso l’in- computer intrusions staged by threat actors that aggressively trusione nel e reti, perseguono obiet ivi e strategie molto preci- pursue and compromise specific targets. Often leveraging social se. Facendo spesso leva su malware e tecniche di social engi- engineering and malware, these at acks seek to maintain a neering, questa tipologia di at ac hi è finalizzata a stabilire e persistent presence within the victim’s network so that the mantenere una presenza persistente nel a rete del 'organizza- at ackers can move lateral y throughout the target’s network zione colpita, con il fine di potersi muovere al suo interno al a and extract sensitive information. These at acks are most com- ricerca di informazioni sensibili. monly aimed at civil society organizations, business enterprises Questo genere di at ac hi ha generalmente come obiet ivo and government/military networks. Given the targeted natu- enti e organismi pubblici, aziende e organizzazioni militari. re of these at acks, the distribution is low; however, the impact Considerata la loro specifica natura, questi at ac hi mirati non on compromised institutions remains high. sono molto dif usi, tut avia il loro impat o sul e organizzazio- As a result, targeted at acks have become a priority ni che ne sono vit ima è molto elevato, con possibili gravi con- seguenze; riuscire quindi a prevenire e contrastare in modo ef i- This paper wil examine the stages of a targeted at ack cace questo tipo di minac e è estremamente importante e prio- from the reconnaissance phase through to the data ex-filtration ritario. Questo articolo esamina le varie fasi di un at ac o phase and wil explore trends in the tools, tactics and proce- mirato: dal a ricognizione preliminare fino al a fase di furto dures used in such at acks. It wil conclude with a high-level dei dati, analizzando in det aglio le tendenze relative ai tool, examination of mitigation strategies that leverage threat intel- al e tat iche e al e procedure utilizzate. Segue un esame appro- ligence and data security in order to provide organizations with fondito del e diverse strategie di risposta, basate sul a ricerca e the information they need to increase their human capacity, to conoscenza del e varie minac e e del e misure di protezione analyze and respond to threats and to customize technical at ualmente disponibili, fornendo così al e imprese e al e orga- solutions in ways that best fit their own defensive posture. nizzazioni tut e le informazioni necessarie per impostare una ef icace strategia di difesa, identificando soluzioni tecniche per- sonalizzate in funzione del e diverse specifiche esigenze. 1. Introduction
Prior to the highly publicized “Aurora” attack on Targeted attacks that exploit vulnerabilities in Google in late 2009, which also affected at least 20 popular software in order to compromise specific other companies, there was little public awareness target sets are becoming increasingly commonplace.
regarding targeted malware attacks1.
These attacks are not automated and indiscriminate However, such attacks have been taking place for nor are they conducted by opportunistic amateurs.
years and continue to affect government, military, These computer intrusions are staged by threat corporate, educational, and civil society networks actors that aggressively pursue and compromise spe- today. While such attacks against the U.S. govern- cific targets. Such attacks are typical y part of broa- ment and related networks are now fairly wel - der campaigns, a series of failed and success com- known, other governments and an increasing num- promises, by specific threat actors and not isolated ber of companies are facing similar threats. Earlier attacks. The objective of the attacks is to obtain sen- this year, the Canadian, South Korean, and French governments have al experienced serious security breaches into sensitive networks2. Recently, the sector, the government and military sector as wel European Commission and the External Action as civil society could be linked to the same threat Service were also compromised and there was a significant breach at the International Monetary In 2009, the New York Times revealed the exi- stence of GhostNet, a cyber-espionage network that The security firm RSA was also recently compro- had compromised over 2000 computers in 103 coun- mised as a result of a targeted malware attack4.
tries15. Among the victims there were high concen- Fol owing the breach at RSA, the data stolen during trations of compromised computers at Ministries of that attack may have aided subsequent attacks against Foreign Affairs, Embassies and Diplomatic missions around the world. The attackers used social y engi- Lockheed Martin5. The trend continues 2011 with neered emails to lure victims into clicking on malwa- compromises at the Oak Ridge National Laboratory re-laden attachments that al owed the attackers to and the Pacific Northwest National Laboratory in gain control over the compromised system. After the the United States6. Such targeted attacks leveraging initial compromise, the attackers would instruct the social engineering have been ongoing since at least compromised computers to download a Trojan, 20027. The first of such campaign to receive signifi- known as gh0st or gh0stRAT, which al owed the cant press coverage occurred in March 2004 and was attackers to take real-time control over the compro- known as Titan Rain8. The attacks were revealed by TIME magazine in 2005 and highlighted the emer- gence of “cyber-espionage” and threat is poses to attackers’ use of gh0stRAT. The attackers were able government and military networks. In 2006, The to maintain persistent control over that compromi- Guardian reported on a series of attacks against sed computers. In fact, the average length of com- British MP’s which leveraged highly targeted emails promised was 145 days; the longest infection span and attempted to instal malware capable of stealing sensitive documents9. The fol owing year Der Spiegel This discovery highlighted the fact that attackers reported on attacks against the German government do not need to be technical y sophisticated or advan- that used malware embedded in popular office files ced. With some functional but less-than-impressive such as Microsoft Word and Excel10. In 2007, the code along with the publicly available gh0stRAT tool New York Times revealed that the Oak Ridge these attackers were able to compromise and main- National Laboratory in the Unites States was com- tain persistent control of embassies around the promised and that the attackers had used targeted world. This research also showed that attackers can phishing emails11. In 2008, BusinessWeek documen- and do make mistakes which al ow researchers to ted the extension of such threats to defense contrac- uncover the hidden components of their operations.
tors and other large, private enterprises12. This report A year later, the New York Times again reported revealed the social engineering techniques used to on the existence of another cyber-espionage net- lure potential victims into executing malware al o- work16. The report enumerated a complex and tiered wing the attackers to take ful control of their com- command and control infrastructure. The attackers puters. Final y, the BusinessWeek also revealed that misused a variety of services including Twitter, the same attackers had expanded their target set to Google Groups, Blogspot, Baidu Blogs, blog.com include the civil society sector as wel . In the same and Yahoo! Mail in order to maintain persistent con- year, researchers demonstrated the connection bet- trol over the compromised computers. This top layer ween targeted malware attacks using social enginee- directed compromised computers to accounts on ring and malicious documents13. Several presenta- free web hosting services, and as the free hosting ser- tions at security conferences revealed that attackers vers were disabled, to a stable core of command and were using exploits in popular software packages to control servers. While less than 200 computers were send malicious documents (such as PDFs, DOCs, compromised, almost al in India, the recovered data XLSs and PPTs) using contextual y-relevant, social y included Secret, Confidential and Restricted docu- engineered emails to a variety of targets. Moreover, an analysis of the malware as wel as the command In 2010, the Christian Science Monitor report and control infrastructure revealed that attacks that there were significant breaches in the networks of three major oil companies: Marathon Oil, loosely considered as targeted, involved the use of ExxonMobil, and ConocoPhil ips17. The CSM repor- ZeuS and a wel known cybercrime infrastructure to ted that senior executives were targeted with social y extract documents from U.S. government networks25.
engineered emails that contained malware. In 2011, Moreover, there have been some suggestions that McAfee reported similar attacks against oil compa- threat actors involved in cyber-espionage are directly nies around the world. Companies in the energy and petrochemical industries were also targeted18.
The boundaries between online crime and espio- McAfee released another report, “Shady RAT” that nage appear to be blurring, making issues of attribu- documented intrusion into at least 70 organizations tion increasingly more complex. At a minimum, these developments indicate that attacks that are Trend Micro discovered an ongoing series of tar- often considered to be criminal in nature, such as the geted attacks, known as “LURID,” that have succes- targeting of banking credentials of individuals, also sful y compromised 1465 computers in 61 different pose a threat to those in the government and military countries. The Lurid Downloader attacks appear to sectors. It is wel understood that these attackers aim be another separate but related Enfal network with a to maximize their financial gain from malware geographic focus. Although there is clear evidence attacks. Therefore, these developments may indicate that the Tibetan community is also a target, intere- that there is an emerging market for sensitive infor- stingly the majority of victims of this attack are con- mation as criminal networks seek to monetize such centrated in Russia and other CIS countries. From information and develop their capabilities in this our analysis, we ascertained that numerous embassies and government ministries, including some in Western Europe, have been compromised as wel as 1.1 Targeted Attacks
research institutions and agencies related to the Targeted attacks constitute a threat category that While targeted malware attacks are currently used refers to computer intrusions staged by threat actors to steal data, future attacks could aim to modify data.
that aggressively pursue and compromise specific The emergence of Stuxnet in 2010 revealed that tar- targets. Often leveraging social engineering and mal- geted malware attacks could be used to interfere with ware, these attacks seek to maintain a persistent pre- industrial control systems21. Stuxnet was designed to sence within the victim’s network so that the attac- modify the behaviors of programmable logic con- kers can move lateral y throughout the target’s net- trol ers (PLCs) for specific frequency converter dri- work and extract sensitive information. While infor- ves manufactured by two companies, one in Finland mation may trickle out in the press about a single vic- and the other in Iran22. The target of the attack is tim or a single attack, there are usual y many more.
widely believed to be Iran’s uranium enrichment Moreover, they are often geographical y diverse and capability23 Stuxnet demonstrates that future threats most commonly aimed at civil society organizations, could focus on sabotage, not just espionage.
business enterprises and government/military net- While the distribution of targeted attacks remains works. Given the targeted nature of the attacks, the low, the impact on high profile institution remains distribution is low; however, the impact on compro- high. Most Internet users wil never be victims of mised institutions remains high. As a result, targeted targeted attacks and are much more likely to face a attacks have become a high priority threat.
variety of common threats such as fake security soft- In a typical targeted attack, a target typical y recei- ves a social y engineered message—such as an email SpyEye, Bancos)24. However, the methods used in or instant message—that encourages the target to targeted attacks being adopted by the criminal actors click on a link or open a file. The links and files sent have a much larger target set. For example, exploits by the attacker contain malware that exploits vulne- used in a targeted attack may eventual y find their rabilities in popular software such as Adobe Reader way into exploit packs that are sold in underground (e.g. pdf’s) and Microsoft Office (e.g. doc’s). The forums. Moreover, those in the cybercrime under- payload of these exploits is malware that is silently ground may be increasingly interested in and pos- executed on the target’s computer. This al ows the sibly profiting from the extraction of sensitive infor- attackers to take control of and obtain data from the mation. In fact, a recent series of attacks, that can be The attackers may then move lateral y throughout tion after successful social engineering, that the target’s network and are often able to maintain results in a compromise that delivers control control over compromised computers for extended of the target system to the attackers.
lengths of time. Ultimately, the attackers locate and • Command and Control—communication
ex-filtrate sensitive data from the victim’s network.
These targeted attacks are rarely isolated events. It under the attacker’s control. This could be a is more useful to think of them as campaigns—a server component of a remote access Trojan series of failed and successful attempts to compro- (RAT) or a server that receives “check ins” mise a target over a period of time. Therefore the that notify the attacker of a successful com- specificity of the attacker’s prior knowledge of the promise and al ows the attackers to issue com- victim affects the level of targeting associated with a single attack. As a result, some attacks appear to be less precise, or “noisy,” and are aimed at acquiring • Persistence/Lateral Movement—mecha-
information to be used in a future, more precise nisms that al ow malware to survive a reboot, continued remote access (e.g. through legiti- Such “spearphishing” attacks are “usual y direc- mate VPN credentials and/or additional back- ted toward a group of people with a commonality” doors) and lateral movement throughout the as opposed to a specific target but are useful for gai- network enumerating file systems and seeking ning an initial foothold in a future target of interest29.
When technical information regarding the target’s • Data Ex-filtration—staging and transmitting
preferred antivirus products and specific versions of of sensitive data, often involving encryption, instal ed software is combined with intel igence compression and chunking, to locations under acquired from previous attacks and/or harvested from publicly available information and social net- The threat actors behind targeted malware attacks working platforms, an advanced combination of do not always use zero day vulnerabilities—exploits social engineering and malicious code can be deplo- for vulnerabilities for which there is no patch availa- ble. While some might believe that the threat actors Analyzing the stages of an attack can provide behind targeted malware attacks have mythical capa- insight into the tools, tactics and procedures of the bilities, both in terms of their operational security attackers31. This behavior helps indicate whether an and the exploits and malware tools used, they, in fact, attack can be linked to a broader campaign and helps often use older exploits and simple malware32. The build intel igence that can be used to inform incident objective of these attacks is to obtain sensitive data; response procedures and help mitigate future advan- the malware used in the attacks is just an instrument.
ces by the attacker. While there is considerable over- They wil use whatever is required to gain entry lap, the anatomy of an attack can be segmented into based on reconnaissance. In addition, they wil adjust their tactics in reaction to the defenses of the victim.
• Reconnaissance/Targeting—profiling the
Therefore, an active defense requires a combina- target in order to acquire information concer- tion of technical and human capacity with an empha- ning their defensive posture and deployed sis on data protection. First, technical solutions for software as wel as a contextual understanding defense, monitoring and remediation must be in of roles and responsibilities of key personnel place. While organizations typical y maintain defen- and relevant themes to inform social enginee- ses such as antivirus software, intrusion detection/prevention systems, firewal s and other • Delivery Mechanism—selection of a deli-
security products, monitoring, logging and analysis very mechanism, such as Email or IM, in con- of the outputs of these tools is critical y important33.
junction with social engineering and embed- The ultimate objective behind targeted attacks is the ding malicious code into a delivery vehicle acquisition of sensitive data. Therefore data loss pre- (such as exploit code and malware embeddd vention strategies that focus on identifying and pro- tecting confidential information are critical y impor- • Compromise/Exploit—execution of mali-
tant. Enhanced data protection and visibility across cious code, usual y involving human interac- the enterprise provides the ability control access to sensitive data and to monitor and log successful and functions related to the target. Since malware attacks unsuccessful attempts to access it. Enhanced access are more likely to be successful if they appear to controls and logging capabilities al ow security have originated from someone the target knows, the analysts to locate and investigate anomalies, respond delivery mechanism, usual y an email, is often speci- to incidents and initiate remediation strategies and fical y addressed to the target and appears to have originated from someone within the target’s organi- Building human capacity is an integral compo- zation or someone in target’s social network35. In nent of defense. The threat actors behind targeted extremely targeted cases, attackers may actual y send attacks make considerable effort to improve their email directly from a compromised, but real, email social engineering because they know that exploiting account of someone the target knows and trusts. the human factor is a critical component of a suc- There are a variety of social engineering techni- cessful compromise. As a result, education and trai- ques that are commonly seen in the wild. In order to ning programs are a key. Staff and employees must masquerade as a real person that is known to the tar- be aware of targeted attacks and must be expecting get, attackers wil actual y register email addresses them. In addition, the policies and procedures must with popular webmail services such as Gmail, be in place to both minimize exposure and provide Yahoo! Mail and Hotmail using the names of the tar- clear and consistent processes that al ow staff to get’s col eagues. While there are stil attacks that report suspected attacks. In order to ensure that spoof legitimate business or governmental email reporting and investigation occur, it is important to addresses in order to convey legitimacy, these identify who owns that process and can trigger the attempts may be more easily detected36. The attacke- remediation and damage assessment strategy if a r’s shift to personal email addresses also reflects the fact that employees often check their personal email Information security analysts armed with threat accounts from work and sometimes use these intel igence are a critical component of defense.
Threat intel igence provides information on the Attackers wil often leverage authority relations- tools, tactics and procedures of threat actors.
hips, such as boss-employee, in order to communi- Understanding these processes al ows information cate a sense of importance so that the target wil security analysts to customize defensive strategies to open a malicious attachment. To increase the authen- counter the specific threats an organization faces. As ticity, attackers wil also use classification markings of a result, an organization can integrate threat intel i- the government and intel igence services38.
gence, increased human capacity, and technical solu- In order to help detect social engineering attacks, tions in a customized way that best fits their own messages can be assessed for accuracy, language, spel ing and grammar as wel as relevance to the tar- get. However, attackers are now using techniques such as forwarding legitimate emails, from mailing 2. Trends in Targeted Attacks
lists or from emails acquired from previously succes- sful attacks, along with malicious links and attach- 2.1 Reconnaissance/Targeting
ments. As users grow weary of unknown attach- ments and scan them with anti-malware products, The use of social engineering in targeted malwa- attackers are also now sending two or more attach- re attacks is ubiquitous. Social engineering refers to ments with one social y engineered email with one of techniques that “exploit the human element” by them containing malicious code. If the target manipulating trust34. The objective of social enginee- manual y scans one of the attachments and no mal- ring is to manipulate individuals into revealing sensi- ware is detected, the user may open the other attach- tive information or executing malicious code. In ments, including the malicious one, without having order to increase the efficacy of social engineering, manual y scanned them believing that they are al information gleaned from a variety of public sources including business profiles and social networking Attackers engage in reconnaissance not just to improve the level of social engineering used in an Social engineering attacks typical y leverage cur- attack, but to profile the software used by the target.
rent events, subject areas of interest and business One of the techniques used, in conjunction with social engineering, leverages the “res://” protocol in Typical y, attackers hide executables inside of order to determine the software present in the targe- compressed file formats such as ZIP or RAR.
t’s environment. This information can then be used Sometimes, these archive files are encrypted to avoid in future attacks to identify specific applications in network-based malware scanning and the attackers order to select an appropriate exploit39. The res:// provide the password to decrypt the archive within protocol, which was built into Internet Explorer since version 4.0, can be used to remotely detect spe- Final y, rather than include an attachment with a cific software present on a computer by simply get- social y engineered email, attackers wil simply inclu- ting a user to visit a Web page from a browser40. de links to web pages that contain exploit code.
We have found attacks that have used the res:// Known as “drive by” exploits, these web pages con- protocol to check a target’s environment for file-sha- tain code designed to exploit vulnerabilities in popu- ring programs, web browsers, remote administration lar browsers and browser plug-ins to instal malware tools, email clients, download managers, and media on the target’s computer. Rather than send the target players. In addition, attackers are able to detect secu- to a completely unknown web page, attackers are rity software, including major antivirus products and now compromising legitimate 39 http:// websites personal firewal s, as wel as the PGP encryption that are contextual y relevant to the target and software and Microsoft security updates. They also embedding “iframes” that silently load exploits from check for virtual machine software, such as VMWare, locations under the attackers control43.
which may indicate that they are being investigated While email has been the most common delivery mechanism for targeted attacks, there are increasing The information obtained via social engineering, reports of attempts made using instant messaging whether or not the attack was a success or a failure, and social networking platforms. There have been is incorporated by attackers in future attacks. reports of Facebook messages being used as delivery mechanisms and the New York Times reported that 2.2 Delivery Mechanism
the “Aurora” attack on Google originated with an The delivery mechanism in a targeted attack is typical y an email. However, attackers may also use 2.3 Compromise/Exploit
instant messaging services to entice the target into clicking a malicious link or downloading malware.
In order to instal malware on the target’s compu- The emails are often sent from webmail accounts, ter, attackers wil use malicious code that is designed especial y Gmail, or from spoofed email addresses, to exploit a vulnerability, or “bug,” in a particular such as government email addresses, through com- piece of software. Typical y, attackers are most often promised mail servers41. Often, the email wil contain exploiting flaws in Adobe’s PDF reader, Adobe Flash an attached document, such as a PDF a Word and Microsoft Office. The attack surface among Document, Excel spreadsheet or PowerPoint presen- these software packages is being extended by embed- tation. These attachments contain malicious code ding one file format inside another. For example, a designed to exploit vulnerabilities is specific version recent attack involved embedding a malicious Flash Adobe’s PDF reader or Flash and versions of object inside a Microsoft Excel spreadsheet45. As the vulnerabilities are fixed, or “patched” attackers seek However, attackers stil use executables as attach- new exploits known as zero day exploits. The term ments, or provide links to download them. Recently, “zero day” refers to exploits for which there is no malware has been discovered that uses Unicode cha- patch available from the software vendor. racters to disguise the fact that it is an executable.
While several high profile campaigns, such as the This technique al ows the attackers to make executa- “Aurora” attacks against Google and the recent bles files that end with an “.exe” suffix, appear to end breach of RSA, have leveraged zero day exploits in in “.doc.” In order to take advantage of default order to compromise their targets, many targeted Windows configurations that do not show file exten- attacks do not employ the use of zero day exploits46.
sions, attackers have attempted to trick users into In fact, some older, reliable exploits such as CVE- thinking that executables are simply directories by 2009-3129, CVE-2010-3333, CVE-2010-2883 for making their executable’s icon an image of a folder42.
Adobe PDF Readers and Microsoft Office are stil in use. In addition, attackers may use “drive-by The attackers wil commonly instruct the com- exploits,” such as the zero day exploit for Internet promised computer to download second stage mal- Explorer that was used in “Aurora” (as described in ware, such as a remote access tool/Trojan (RAT) MS10-002), not just malicious documents.
which al ows the attackers to take real time control of Vulnerabilities in popular webmail services have been exploited to compromise email accounts.
Keeping the communication channel between the Personal email is increasingly becoming a target as compromised machine and the command and con- users who check their personal email accounts at trol server open is important to the threat actors work may provide attackers with sensitive informa- behind targeted malware attacks. As network moni- tion that may be related to their company47.
toring software improves and is able to identify mali- Moreover, their personal email account can be used cious and even anomalous traffic, an increasing to stage future targeted attacks. While there was con- amount of obfuscation and stealth is being used to siderable media attention regarding a recent phishing conceal command and control network traffic.
attack on Gmail users, there has been a variety of Increasingly, malware is making use of cloud-based recent attacks on popular Webmail platforms48. In command and control in an attempt to blend in to addition to attacks that exploited Gmail, Hotmail normal network traffic52. These services can be used and Yahoo! Mail users have also been targeted.
as update mechanisms that inform the compromised While the attacks appear to have been separately host of new command and control servers, or they conducted, these have some significant similarities.
can be used as command and control exclusively.
Google also previously revealed that attackers are For example, there are malware samples that use exploiting a vulnerability in the MHTML protocol in webmail accounts as elements of command and con- order to target political activists who use Google’s trol. When malware connects to wel known services services49. Trend Micro researchers in Taiwan revea- such as Gmail or Yahoo! Mail the session is protec- led a phishing attack that exploited a vulnerability in ted by SSL encryption and therefore network moni- Microsoft’s Hotmail service. In fact, rather than clic- toring software wil be unable to determine if the king a malicious link, even the simple act of previe- subsequent traffic is malicious or not. The attackers wing the malicious email message can compromise a use such webmail accounts to send commands to user’s account50. Trend Micro researchers also compromised hosts, update compromised hosts with recently alerted Yahoo! of an attempt to exploit additional malware tools or components, and ex-fil- Yahoo! Mail by stealing users’ cookies in order to trate data from compromised hosts. In addition to gain access to their email accounts51.
webmail services, could-based storage services are Attackers are able to successful y exploit their tar- being used to host additional malware components.
gets because their reconnaissance, along with kno- The use of such services provides the attackers with wledge gained from previous attacks, al ows them to command and control infrastructure that cannot be determine what exploits to deploy. If certain attack vectors are wel secured, attackers wil locate areas of Some threat actors use compromised legitimate sites as command and control servers. This al ows the attackers some element of deception because 2.4 Command and Control
even if the network communication is detected as anomalous, upon further inspection the website wil When malware is executed on the target’s system, be determined to be legitimate. One threat actor it “checks in” with one or more servers under the simply embeds commands within HTML comment control of the attackers. Command and control tags in web pages on compromised, legitimate web mechanisms al ow the threat actors to confirm that sites. The malware simply visits these pages and an attack has succeed, typical y supplies them with extracts and decodes the commands. The use of some information about the target’s computer and custom base64 alphabets and XOR makes decoding network and al ows the attackers to issue commands the command and the network traffic increasingly to the compromised target. The initial malware is difficult. In addition, attackers are making use of sto- often a simple, smal “dropper,” so the attackers wil len or forged SSL certificates in an attempt to make often instruct the compromised computer to down- their network traffic appear to be legitimate.
load components that have additional functionality.
Some threat actors continue to register domains names for their own exclusive use while others rely However, there are other methods used to main- on dynamic DNS services for free sub-domains. The tain persistence that are less wel known. One free sub-domains provided by Dynamic DNS servi- method known as “DLL search order hijacking” ces are often used in conjunction with often off-the- involves placing malicious DLL’s in specific locations shelf RAT’s such as gh0st and poisonivy. While the with specific names so that they are loaded by legiti- threat actors are offline, the domain names wil often mate applications leaving no forensic traces56.
resolve to localhost or invalid IP addresses, and when Once inside the system, attackers wil move late- they come online the domains wil resolve to the IPs ral y throughout the network. They typical y down- of the threat actors. Third-party locations can be load remoteaccess-Trojans (RATs) or tools that al ow them to execute shel commands in real time on the Trend Micro uncovered a campaign of targeted compromised host. In addition, they may seek to attacks that have successful y compromised defense escalate their privileges to that of an administrator industry companies in Japan, Israel, India and the using techniques such as “pass the hash” and seek USA. The second stage of the attacks involved two out key targets such as mail servers57. The attackers components one of which contained custom DLLs often download and use tools to “bruteforce” attack created for specific targets and the other a RAT database servers, extract email from Exchange ser- known as “MFC Hunter.” This RAT contains three vers and attempt to acquire legitimate access, such as components, the malware that is instal ed on the vic- VPN credentials, so that they may maintain access to tim’s computer, the client through which the attacker the network even if their malware is discovered. As controls the victim’s computer and a “hub” which the attackers move throughout the target’s network acts as an intermediary disguising the true location of they explore and col ect information that can be used the attacker53. Joe Stewart was able to track the use in future attacks or information that can be prepared of a similar hub known as “htran” through error messages that disclosed the attackers’ true loca- 2.6 Data Ex-filtration
In addition to redundancy, the attackers also seek to obfuscate their malicious network traffic by leve- The primary objective of the threat actors behind raging intermediaries and attempts to blend in with targeted attacks is the transmission of sensitive data legitimate traffic. As a result, threat actors are able to to locations under the attacker’s control. In order to leverage a variety of strategies to maintain communi- accomplish this objective, the attackers wil col ect cations between compromised hosts and their com- the desired data and compress it and then split the compressed file into chuncks that can be transmitted to locations under the attacker’s control. A variety of 2.5 Persistence/Lateral Movement
transmission methods are used such as FTP and HTTP however, attackers are now making use of Once inside the target’s network, the threat actors more secure methods such as ex-filtrating data using engaging in targeted malware attacks seek to accom- plish two objectives. First, they seek to maintain per- With some attacks, data ex-filtration wil occur sistent access to the targets network and second they quite quickly. Often, the malware wil send directory seek to move lateral y throughout the network loca- and file listings to the command and control server.
ting data of interest for ex-filtration. In order to The attacker may then request specific files or direc- maintain persistence, the initial malware payload wil tories to be uploaded. Threat actors that rely on have some method to ensure that it is restarted after RATs may use the built-in file transfer functionality a reboot of the compromised computer. In many cases, the persistence mechanism wil consist of sim- In cases where the attackers have an established ple methods such as adding the malware executable presence, data, such as the contents of mail servers, to the windows “startup” folder, modifying the Run wil be col ected and moved to a staging area for ex- keys in the Windows Registry or instal ing an appli- filtration59. The attackers wil typical y use compres- cation as a Windows Service. The security form sion tools, such as Rar, to package the data for ex-fil- Mandiant found that 97% of the targeted malware tration. The attacker wil then return from time to they analyzed used these simple mechanisms55.
3. Detection and Mitigation
within an organization that can be processed for anomalous behaviors that could indicate a The precise nature of targeted attacks increases the difficulty of defense. With significant reconnais- • Integrity Checks—In order to maintain per-
sance, and possibly information gained from pre- sistence, malware wil make modifications to viously successful incursions into the target’s net- the file system and registry. Monitoring such work, the threat actors behind targeted attacks are changes can indicate the presence of malware.
able to customize their attacks to increase the proba- • Empowering the human analyst—Humans
bility of success. For example, they can ensure that are best positioned to identify anomalous the malware they send to their targets exploits speci- fic software on the targets computer and they can aggregated logs from across the network. This modify the malware so that it is not detected by the security solutions deployed in the target’s environ- custom alerts based on the local and external ment. Therefore, defenses against targeted attacks need to focus on detection and mitigation and not Security solutions that protect at the endpoint simply on prevention. Moreover, it is important to and network levels are important, but the technical recognize that the ultimate objective of target end solutions deployed against targeted malware attacks attacks is the acquisition of sensitive data; therefore, need to empower analysts with both the tools and defensive strategies need to include the discovery the threat intel igence required to identify and miti- and classification of sensitive data and take into gate targeted attacks. Security analysts with access to account the context in which the data is being used.
real-time views of the security posture of their orga- Once identified, appropriate access controls can be nization are better positioned to detect, analyze and remediate targeted attacks. In order to do so, they The ability to develop and act on threat intel i- require visibility across the network through the use gence underpins any defensive strategy. Threat intel- of monitoring and logging tools. Most of the hosts ligence refers to indicators that can be used to iden- within a network, whether they are workstations, ser- tify the tools, tactics and procedures of threat actors vers or appliances, create logs and event data that, engaging in targeted attacks. This information can once aggregated, can be used to detect anomalous include the domain names and IP addresses used by behavior indicative of a targeted attack.
attackers to send spear phishing emails or to host Education and training programs combined with their command and control servers. It can refer to explicit policies and procedures that provide avenues the presence of certain files or registry modifications for reporting and a clear understanding of roles and on compromised computers. Threat intel igence not responsibilities is an essential component of defen- only refers to such malware artifacts, but also to se. While traditional training methods are important, behavioral characteristics such as the preferred tools simulations and exercises using real spear phishing and movement patterns of threat actors after the attempts can be used to engage and educate61. Those that are trained to expect targeted malware attacks While organizations wil benefit significantly are better positioned to report potential threats and from threat intel igence derived from external sour- constitute an important source of threat intel igence.
ces, it is important that an organization begin to Ultimately, education can generate a more security develop local threat intel igence based on its own conscious culture within an organization. unique circumstances. The ability to detect suspi- Final y, the primary objective of targeted attacks cious behaviors indicative of targeted attacks wil is access to sensitive dat Today, sensitive information depend on how effectively this threat intel igence is is not only stored in databases but in the cloud and leveraged. The core components of a defensive stra- is accessible through a variety of methods including tegy based on leveraging local and external threat mobile devices. While securing the network layer remains an important component of any defensive • Enhanced Visibility—Logs from endpoints,
strategy, it is also critical y important to specifical y servers and network monitoring are an impor- protect data as wel . Identifying and classifying sensi- tant and often underused resource that can be tive data al ows the introduction of access controls and enhanced monitoring and logging technologies that can alert defenders of attempts to access or ex-filtration. The impact of successful attacks can be severe and any data obtained by the attackers can be used in future, more precise attacks. However, defen- sive strategies can be dramatical y improved by 5. Conclusion
understanding how targeted attacks work as wel as trends in the tools, tactics and procedures of the per- Targeted attacks remain a high priority threat that petrators. Since such attacks focus on the acquisition is difficult to defend. These attacks leverage social of sensitive data, strategies that focus on protecting engineering and malware that exploits vulnerabilities the data itself, wherever it resides, are extremely in popular software to slip past traditional defenses. important components of defense. By effectively While such attacks are often seen as isolated using threat intel igence derived from external and events, they are better conceptualized as campaigns, internal sources combined with context-aware data or a series of failed and successful intrusions. Once protection and security tools that empower and inside the network, the attackers are able to move inform human analysts, organizations are better lateral y in order to target sensitive information for positioned to detect and mitigate targeted attacks.
BIOGRAFIA
Gastone Nencini vanta una carriera significativa nel settore IT, iniziata oltre 25 anni fa con un’esperienza come programmatore presso Elsi Informatica e proseguita in Genesys come Technical Manager. Nel 1998 Nencini approda in Trend Micro Italy dove viene nominato Senior Sales Engineer per il Centro e Sud Italia, per passare successivamente a un ruolo di maggiore responsabilità e prestigio, diventando prima Technical Manager South Europe (Italia, Francia, Spagna e Portogal o) per poi focalizzarsi sul mercato Italiano e assumere l’incarico di Senior Technical Manager Italy, coordinando un team di persone Pre Sales e Nel 2012 Nencini diventa Senior Technical Manager Southern Europe e, nel 2013 anche Country leader di Durante questi anni in Trend Micro, Gastone Nencini ha gestito e supervisionato una serie di importanti progetti di sicurezza per i maggiori clienti, fra cui, a livel o italiano, si possono citare: Telecom, Fiat, Poste, Vodafone, Ferrari, Banca Nazionale del Lavoro, Banca Intesa San Paolo.
Nencini ha, inoltre, introdotto servizi innovativi di assistenza e supporto per i clienti Enterprise e per il 1) For the attacks on Google, see http://googleblog.blogspot.com/2010/01/new-approach-to-china.html 2) For the compromises in Canada, South Korea and France, see www.cbc.ca/news/technology/story/2011/02/17/cyber-attacks- www.computerworld.com/s/article/9213741/French_gov_t_gives_more_details_of_hack_150_PCs_compromised, Http://english.yonhapnews.co.kr/national/2011/03/07/86/0301000000AEN20110307002200315F.html 3) http://euobserver.com/9/32049, www.bbc.co.uk/news/technology-13748488 4) www.rsa.com/node.aspx?id=3872010/01/new-approach-to-china.html, www.comodo.com/Comodo-Fraud-Incident-2011-03- 5) www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/, www.nytimes.com/2011/06/04/technology/04security.html 6) www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/, www.reuters.com/article/2011/07/06/us-energylab-hackers 7) Diplomatic cables leaked by WikiLeaks reveal that the U.S. government suffered ongoing intrusions by one particular threat actor http://cablesearch.org/cable/view.php?id=08STATE116943. The fol owing overview of targeted attacks build off initial research www.threatchaos.com/home-mainmenu-1/16-blog/571-strategic-industries-should-go-on-high-alert 8) www.time.com/time/printout/0,8816,1098961,00.html 9) www.guardian.co.uk/politics/2006/jan/19/technology.security 10) www.spiegel.de/international/world/0,1518,502169,00.html 11) www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html?ref=technology 12) www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm 13) http://events.ccc.de/congress/2007/Fahrplan/attachments/1008_Crouching_Powerpoint_Hidden_Trojan_24C3.pdf, http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf, http://isc.sans.edu/diary.html?stor- 14) http://isc.sans.org/presentations/SANSFIRE2008-Is_Troy_Burning_Vanhorenbeeck.pdf 15) www.nytimes.com/2009/03/29/technology/29spy.html, www.nartv.org/mirror/ghostnet.pdf 16) www.nytimes.com/2010/04/06/science/06cyber.html, www.nartv.org/mirror/shadows-in-the-cloud.pdf 17) www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved 18) www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf 19) www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf 20) http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/12802_trend_micro_lurid_whitepaper.pdf 21) http://threatinfo.trendmicro.com/vinfo/web_attacks/Stuxnet%20Malware%20Targeting%20SCADA%20Systems.html 22) www.symantec.com/connect/blogs/stuxnet-breakthrough 23) http://threatpost.com/en_us/blogs/report-iran-resorts-rip-and-replace-kil -stuxnet-072211 http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/wp04_cybercrime_1003017us.pdf Zeus: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf FAKEAV: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/unmasking_fakeav_ _ 25) www.nartv.org/mirror/kneber_spearphishing_crimeware.pdf, www.nartv.org/2010/08/27/crime-or-espionage/ www.nartv.org/2010/09/09/crime-or-espionage-part-2/, http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov- 26) www.theregister.co.uk/2011/09/13/apt_botnet_symbiosis/print.html, http://krebsonsecurity.com/2011/01/ready-for-cyber- 27) www.krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/ 28) http://blog.trendmicro.com/how-sophisticated-are-targeted-malware-attacks/ 29) www.cisco.com/en/US/prod/col ateral/vpndevc/ps10128/ps10339/ps10354/targeted_attacks.pdf 30) http://blog.trendmicro.com/highly-targeted-attacks-and-the-weakest-links/ 31) http://computer-forensics.sans.org/blog/2009/10/14/security-intel igence-attacking-the-kil -chain/, http://computer-forensics.sans.org/blog/2010/06/21/security-intel igence-knowing-enemy and www.rsa.com/innovation/docs/SBIC_RPT_0711.pdf 32) http://news4geeks.net/2011/08/04/researcher-fol ows-rsa-hacking-trail-to-china/ 33) http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/datalossprevention/wp02_dlp-compliance-solu- 34) http://portal.acm.org/citation.cfm?id=1067721.1067728&col =ACM&dl=ACM 35) www.nartv.org/mirror/shadows-in-the-cloud.pdf and http://portal.acm.org/citation.cfm?id=1290958.1290968&col =GUIDE&dl=GUIDE&CFID=74760848&CFTOKEN=96817982 36) For example, the information contained in the email headers can be processed for anomalies, and information such as origina- ting IP address and the route an email took to get to its destination can indicate that an email did not originate from the sender it 37) www.computerworld.com/s/article/print/9015092/White_House_use_of_outside_e_mail_raises_red_flags?taxonomyName=I+ www.computerworld.com/s/article/print/9114934/Update_Hackers_claim_to_break_into_Palin_s_Yahoo_Mail_account?taxonomy 38) www.nartv.org/2010/09/09/crime-or-espionage-part-2/ 39) http://blog.trendmicro.com/how-sophisticated-are-targeted-malware-attacks/ 40) http://xs-sniper.com/blog/2007/07/20/more-uri-stuff-ies-resouce-uri/ 41) http://contagiodump.blogspot.com/2011/04/contagio-data-spear-phish-email-senders.html 42) www.nartv.org/2010/03/07/malware-attacks-on-solid-oak-after-dispute-with-greendam/ and www.f-secure.com/weblog/archives/00001675.html 43) www.nartv.org/2010/07/29/human-rights-and-malware-attacks/ 44) www.nytimes.com/2010/04/20/technology/20google.html and http://blogs.aljazeera.net/asia/2011/03/23/china-and-google- 45) http://contagiodump.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html 46) For example, of the 251 targeted malware attacks received by contagiodump.blogspot.com, only 10 were zeroday.
47) http://blog.trendmicro.com/targeted-attack-exposes-risk-of-checking-personal-webmail-at-work/ 48) http://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html and http://blog.trendmicro.com/targeted- attacks-on-popular-web-mailservices-signal-future-attacks/ http://contagiodump.blogspot.com/2011/08/targeted-attacks-against- 49) http://googleonlinesecurity.blogspot.com/2011/03/mhtml-vulnerability-under-active.html 50) http://blog.trendmicro.com/trend-micro-researchers-identify-vulnerability-in-hotmail 51) http://blog.trendmicro.com/targeted-attacks-on-popular-web-mail-services-signal-future-attacks/ 52) www.nartv.org/2010/10/22/command-and-control-in-the-cloud/ and http://blog.zeltser.com/post/7010401548/bots-command-and-control-via-social-media 53) http://blog.trendmicro.com/japan-us-defense-industries-among-targeted-entities-in-latest-attack/ 54) www.secureworks.com/research/threats/htran/ 55) www.mandiant.com/products/services/m-trends/ 56) http://blog.mandiant.com/archives/1207 57) www.mandiant.com/products/services/m-trends/ 58) www.nartv.org/mirror/shadows-in-the-cloud.pdf 59) www.mandiant.com/products/services/m-trends/ 60) http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/datalossprevention/esg_outside-in_approach.pdf 61) www.rsa.com/innovation/docs/SBIC_RPT_0711.pdf 62) http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/leakproof/wp01_leakproof_dlp_100105us.pdf

Source: http://www.isticom.it/documenti/rivista/rivista2013/2013_13_135-146_trends_in_targeted_attacks.pdf