SEPTEMBER 20, 2013
Your regular source of security updates from TrendLabs℠
In This Issue

Security Spotlight
Joomla! and WordPress, Under Botnet Assault

Security for Home Users
New iPhone 5 Launch Comes with Phishing Mails

Security for Business
Racing Attackers to Your Data

Security for Business

Racing Attackers to Your Data

“Once attackers get into your network, you’ll have to race against time. The longer they’re in, the more footholds and information they can gain and steal.”

Attacks against government infrastructure, such as the distributed denial-of-service (DDoS) attacks on South Korean government Domain Name System (DNS) servers recorded this past quarter, will not end anytime soon.

2Q Targeted Attacks and the EvilGrab Campaign

The second quarter of 2013 saw a spate of targeted attacks on government sites, as seen in campaigns like IXESHE, which targeted East Asian governments; ELISE, which targeted Asia/Pacific governments; and ZEGOST, which targeted Asian governments.

Our 2Q report further illustrates that:

  • The majority (83%) of targeted attack victims were government agencies.
  • Asia was most affected by targeted attacks, particularly Taiwan (62%) and Japan (29%).
  • Australia (32%) topped the list in terms of command-and-control (C&C) server activity worldwide.
  • Attackers mostly used .ZIP (37%) and .RTF (27%) file formats to compromise systems (see the breakdown below).

Figure: Most commonly used file types in targeted attacks

The EvilGrab campaign targeted certain European and Asian government organizations. Activity was mostly seen in China (36%) and Japan (18%), and the attacks typically began with spear-phishing emails carrying malicious Microsoft® Excel®, Word®, and PDF attachments.

The attackers exploited a DLL preloading vulnerability (also known as DLL search-order hijacking: Windows searches the application’s own directory before the system directories, so a planted DLL with the right name is loaded instead of the legitimate one), then used the Windows Shell (explorer.exe) and the fax service to load the main backdoor. The backdoor can grab media samples using the DirectShow Sample Grabber filter and audio samples using the Windows waveform audio (wave) application programming interfaces (APIs). It can also steal victims’ HTTP, Internet Message Access Protocol (IMAP), Internet Explorer®, Tencent QQ, and other credentials.
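One way a defender can hunt for the DLL preloading technique described above is to take a listing of loaded modules per process and flag any DLL that carries a system DLL’s name but was loaded from outside the system directories. The script below is an added illustration, not Trend Micro’s code or an EvilGrab artifact; the module listing, the DLL names, and the paths in it are constructed and hypothetical.

```python
"""Flag DLL preloading (search-order hijacking) from a process module listing.

Added example, not Trend Micro's code.  Input is a list of (process, dll_path)
pairs such as one would export from `tasklist /m` or Process Explorer; the
sample below is constructed, and the DLL names and paths are hypothetical.
"""
from pathlib import PureWindowsPath

# Directories from which Windows system DLLs are legitimately loaded.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",  # side-by-side assemblies live in subdirectories here
)

# DLL names that should only ever be loaded from SYSTEM_DIRS.  A real deployment
# would build this set from a clean reference host rather than hard-code a list.
SYSTEM_DLL_NAMES = {
    "ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll",
    "dbghelp.dll", "cryptsp.dll", "comctl32.dll",
}


def is_system_dir(dll_path: str) -> bool:
    """True if the DLL's directory is one of SYSTEM_DIRS or a subdirectory of one."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def suspicious_loads(modules):
    """Return (process, dll_path, reason) for loads that look like planted DLLs.

    The signature of search-order hijacking is a DLL with a system DLL's name
    resolved from somewhere other than the system directories: the loader
    searched the application directory first and found the planted copy.
    """
    hits = []
    for proc, dll_path in modules:
        name = PureWindowsPath(dll_path).name.lower()
        if name in SYSTEM_DLL_NAMES and not is_system_dir(dll_path):
            hits.append((proc, dll_path,
                         "system DLL name loaded from a non-system directory"))
    return hits


# Constructed module listing (hypothetical processes and paths).
SAMPLE_MODULES = [
    ("explorer.exe", r"C:\Windows\System32\ntdll.dll"),
    ("explorer.exe", r"C:\Users\alice\AppData\Roaming\Update\cryptsp.dll"),
    ("winword.exe", r"C:\Program Files\Microsoft Office\OFFICE14\WWLIB.DLL"),
    ("winword.exe", r"C:\Program Files\Microsoft Office\OFFICE14\dbghelp.dll"),
    ("svchost.exe", r"C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df"
                    r"_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll"),
]

if __name__ == "__main__":
    for proc, path, reason in suspicious_loads(SAMPLE_MODULES):
        print(f"{proc}: {path}  <- {reason}")
```

On the constructed sample this flags the cryptsp.dll copy under a user profile and the dbghelp.dll beside the Office binaries, and leaves the WinSxS side-by-side copy of comctl32.dll alone. Some applications legitimately ship their own copy of a DLL such as dbghelp.dll, so in practice the flagged list should be compared against a baseline taken from a known-clean host, and the hunt narrowed to the loader processes the campaign is known to abuse (here, the shell and the fax service).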

Winning the Compromise Race

Once attackers get into your network, you’ll have to race against time. The longer they’re in, the more footholds and information they can gain and steal. As such, organizations need to make sure to tick these items off their anti-APT checklists:

  • Know how targeted attacks operate, why attackers would target your company, how long their campaigns usually take, and how exactly they get inside a network.
  • Configure your corporate network properly by creating logical segments separated by firewalls and other security controls. Invest in logging and log-analysis tools, and implement whitelisting and centralized management for all user accounts and workstations.
  • Build a response team in case of a breach, covering technical, legal, public relations, and other relevant areas of expertise.
  • Gather raw data and turn it into concrete threat intelligence so you can understand and anticipate the threats most likely to target you.
  • Perform regular penetration tests to identify areas for improvement, identify monitoring gaps, and provide a realistic scenario for security and monitoring teams.
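The log-analysis item on the checklist above is where command-and-control (C&C) activity of the kind reported this quarter tends to surface: a backdoor that checks in on a fixed timer leaves evenly spaced requests to one external host in the proxy log, which ordinary browsing does not. The script below is an added example of that detection, not Trend Micro’s code; the log format, the hosts and the addresses are constructed for the illustration.

```python
"""Detect periodic beaconing to one host from proxy-style log lines.

Added example, not Trend Micro's code.  Each log line is assumed to look like
"<ISO timestamp> <client IP> <method> <URL> <status>"; the sample below is
constructed, and 203.0.113.5 and www.example.com are placeholder hosts.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def parse_line(line):
    """Return (timestamp, client, host) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["src"], urlsplit(m["url"]).hostname


def find_beacons(lines, min_hits=5, max_cv=0.1):
    """Flag (client, host) pairs whose request intervals are nearly constant.

    A check-in on a fixed timer yields gaps with a small coefficient of
    variation (standard deviation / mean); human browsing does not.
    min_hits keeps a handful of coincidental requests from triggering.
    """
    times_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, host = rec
            times_by_pair[(src, host)].append(ts)

    beacons = []
    for (src, host), times in times_by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons.append({"src": src, "host": host, "hits": len(times),
                            "period_s": round(period), "cv": round(cv, 3)})
    return beacons


# Constructed sample: one client beacons to 203.0.113.5 roughly every five
# minutes while also browsing www.example.com at irregular intervals.
SAMPLE_LOG = """\
2013-09-20T09:00:00 10.0.0.15 GET http://203.0.113.5/img/logo.gif 200
2013-09-20T09:00:07 10.0.0.15 GET http://www.example.com/ 200
2013-09-20T09:05:01 10.0.0.15 GET http://203.0.113.5/img/logo.gif 200
2013-09-20T09:09:59 10.0.0.15 GET http://203.0.113.5/img/logo.gif 200
2013-09-20T09:12:40 10.0.0.15 GET http://www.example.com/news 200
2013-09-20T09:15:00 10.0.0.15 GET http://203.0.113.5/img/logo.gif 200
2013-09-20T09:20:02 10.0.0.15 GET http://203.0.113.5/img/logo.gif 200
2013-09-20T09:24:58 10.0.0.15 GET http://203.0.113.5/img/logo.gif 200
2013-09-20T09:31:15 10.0.0.15 GET http://www.example.com/about 200
2013-09-20T09:44:02 10.0.0.15 GET http://www.example.com/ 200
2013-09-20T09:47:31 10.0.0.15 GET http://www.example.com/search?q=x 200
"""

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{b['src']} -> {b['host']}: {b['hits']} hits, ~{b['period_s']}s period, cv={b['cv']}")
```

On the constructed log the 203.0.113.5 traffic is reported as a 300-second beacon while the example.com browsing, with the same number of requests but wildly varying gaps, is not. Malware that adds random jitter to its sleep raises the coefficient of variation, so max_cv has to be tuned against real traffic, and a hit is a lead for the response team to check, not a verdict on its own.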

Copyright ©2013 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.