Highly specific programs ‘fail to stop cyber attacks’

DUBAI, April 27, 2015

Running niche or highly specific applications, programs, operating systems and configurations did not stop threat actors from mounting effective attacks in 2014, according to a report.

Trend Micro, a global leader in security software, has revealed the nature of the activities that posed the greatest threats in the new report.

The report features targeted attack cases that Trend Micro analysed in 2014, including data on the attack-related command-and-control (C&C) infrastructure it monitored.

KEY INSIGHTS
Attribution remained arduous because, by the very nature of targeted attacks, threat actors made it a point not to leave identifiable traces in target networks. Whoever is behind a campaign, however, all targeted attacks share the same goal: to gather intelligence and exfiltrate confidential data.

•    In 2013, some of the major attackers were from the United States, North Korea, Russia, China, Vietnam, and India. In 2014, some were from Syria, Iran, the United Kingdom, and France.

•    One example of a state-sponsored attack is Operation Pawn Storm. The actors behind it aimed to commit political and economic espionage against military organisations, diplomatic bodies, defence agencies and media outfits in the United States and its allies.

•    Examples of non-state-sponsored attacks include Operation Arid Viper, an ongoing campaign dating from 2013 that targeted Israeli government agencies and military institutions, among others; and "Pitty Tiger", which, according to reports, was used for various pornographic activities.

•    In October 2014, Trend Micro threat researchers uncovered an attack that used GE Intelligent Platforms' CIMPLICITY as an attack vector. CIMPLICITY is an automation platform for device monitoring and control in industrial environments.

•    Apple devices were also specifically targeted in 2014 as a way into target networks and a means of furthering threat actors' espionage goals. Operation Pawn Storm, for instance, used two malicious iOS apps that can steal victims' text messages, contact lists, pictures, geographical location data, audio files and lists of installed apps, all of which are sent to the attackers.

Further refinements in targeted attack methodologies were observed:

•    Open-source and free tools, weaponised for the purpose, were used to speed up cross-platform attacks.

•    Zero-day exploits were paired with diskless (memory-resident) malware to hinder forensic analysis.

•    64-bit malware also figured in targeted attacks. Notable examples include KIVARS, which had ties to the Poison Ivy RAT; HAVEX, a RAT used in a campaign that targeted industrial control systems (ICS); and WIPALL, the notorious malware behind the Sony Pictures hack.

Tried-and-tested and newly discovered zero-day vulnerabilities continued to be exploited in attacks:

•    Attackers continued to exploit CVE-2012-0158, a flaw in Windows Common Controls, despite its having been patched by MS12-027 back in 2012. The actors behind PLEAD and Operation Pawn Storm abused it to infiltrate target networks.

•    The EvilGrab malware also exploited CVE-2012-0158.

The following zero-day exploits were employed in targeted attacks in 2014:

•    Two Taidoor-related zero-day exploit attacks targeting CVE-2014-1761 hit government agencies and an educational institution in Taiwan.

•    A critical Internet Explorer vulnerability (CVE-2014-1776), later addressed by the out-of-band MS14-021 update, gained extra notoriety because it surfaced just after Microsoft had ended support for Windows XP. The attacks prompted the vendor to reverse its stated position and release a patch for XP anyway.

•    News of the Sandworm vulnerability (CVE-2014-4114) prompted Microsoft to release a patch immediately, only for it to emerge a week later that the fix could be bypassed.

•    In October 2014, Microsoft announced the discovery of a new zero-day exploit for CVE-2014-6352, the bypass of that fix, which could be abused with the aid of malicious Microsoft Office files. Attacks seen in the wild used specially crafted PowerPoint presentations.

Government agencies remained the most favoured attack targets in 2014, though the second half of the year also saw a spike in the number of attacks targeting hardware and software companies, consumer electronics manufacturers and healthcare providers.

Cybercriminals adopted techniques more commonly associated with targeted attacks because these proved effective in increasing their financial gain.

The actors behind Predator Pain and Limitless, for instance, went after small and medium-sized businesses (SMBs) instead of individuals, allowing them to earn as much as $75 million in just six months.

Organizations would need to adapt to keep up with the dangers that targeted attacks pose, the report said.

Given the increased volume of targeted attacks, the ease of mounting them and the difficulty of protecting against them, network defenders must understand exactly what a shift in mindset from prevention to detection entails. It means accepting that targeted attacks are already hitting their networks, or eventually will, and that no suite of blacklisting technologies will keep determined threat actors at bay. – TradeArabia News Service