Targeted attacks: what's in store?

2013-02-04

Kurt Baumgartner

Kaspersky Lab
Editor: Helen Martin

Abstract

‘The general level of insight into network infiltration around the globe is becoming more informed.’ Kurt Baumgartner, Kaspersky Lab.


Targeted attacks, determined adversaries, or the APT. Whatever label you use, this is not a new topic, but clearly the general level of insight into the reality of network infiltration around the globe is becoming more informed. There has been at least some level of public discussion about each of the following attacks from the past year: Red October, Madi, miniFlame/SPE, Gauss, Flame, Enfal, Voho, Elderwood, and various Comment Crew attacks. More details are being presented to the public, and this is progress.

The recently reported Red October attack was unprecedented in the breadth and scope of its sustained level of occupation within diplomatic targets, heavily funded research organizations, military interests and more. This was an advanced cyber-espionage campaign that collected geo-political intelligence. The Red October crew poured out a customized toolset to penetrate deeply, blend into their targets and reach beyond. We hadn’t previously seen resurrection modules used by plug-in components entrenched in embassy networks around the world: components prepared to be discovered and then to re-entrench from the victim systems themselves. We hadn’t seen modules customized like these to suck data from individual mobile manufacturers’ devices and retrieve contacts and data. To date, we have not had fully comprehensive information presented in an organized fashion on large-scale, targeted threats. It required months of effort to collect and research the full Red October toolset, and both interesting components and changes in the components over time and per victim continue to be uncovered. For the first time, a full list of indicators based on the OpenIOC format has been released to coincide with the large Red October public release for CERTs, network admins and legitimately interested parties. Perhaps this exhaustive report is helping to move real discussion and action forward in concrete terms that have not been available during previous incidents, which were more likely pushed to generate marketing buzz than for any other purpose.

What else has changed over the past year in relation to targeted attacks? In the US, SEC guidance passed approximately a year ago was supposed to push forward public discussion and investor awareness. Unfortunately, timely, informative breach reports have not materialized. A couple of exceptions come to mind, including Adobe’s, but for the most part, organizations with breached networks (and their contractors with breached networks) seem to continue to hide or ignore the problem. On the technical side, Flash and Reader seem to be on the decline as exploitation targets at victim organizations, having been replaced with Office and Java targets. Defensive technologies and programs have improved, and public discussion around these attacks cannot be ignored at this point.

So what is in store for us this year? Offensive campaigns show no sign of letting up. Attackers will improve their toolsets, and mobile devices will come to light as an initial vector for targeted attack payloads. The demand to access data in the cloud from mobile devices as well as standard workstation/laptop devices will be exploited by the APT. Portions of various cloud implementations will be breached. Overwhelmed and underprepared CERTs across the globe will improve their capabilities, but prolonged absences in some countries (due to national holidays) will continue. Problems within critical infrastructure security will be more widely attacked – and discussed. For better or worse, some victim organizations will attempt to ‘hack back’, and full attribution and active defence will be better used and understood. Potential victims and targeted organizations will be incentivized to share data. Various categories of non-corporate victims will talk more freely about their incidents, especially human rights organizations. The concept of ‘sophistication’ will be replaced within media reports with the concept of ‘efficacy’, and quibbling over the term ‘advanced’ will finally exhaust itself. Whichever way you cut it, there will be an increased level of targeted activity this year.
