1. Due to the very nature of targeted attacks, attribution remained arduous because threat actors made it a point not to leave identifiable traces in target networks. Regardless of who is behind a campaign, however, all targeted attacks aim to gather intelligence and exfiltrate confidential data.
- In 2013, some of the major attackers were from the United States, North Korea, Russia, China, Vietnam, and India. In 2014, some were from Syria, Iran, the United Kingdom, and France.
- One example of a state-sponsored attack is Operation Pawn Storm. The actors behind it aimed to commit political and economic espionage against military organizations, diplomatic bodies, defense agencies, and media outfits in the United States and its allies.
- Examples of non-state-sponsored attacks include Operation Arid Viper, an ongoing attack since 2013 that targeted Israeli government agencies and military institutions, among others; and "Pitty Tiger", which, according to reports, was used for various pornographic activities.
2. Highly specific applications, programs, OSs, and setups did not prevent threat actors from launching effective attacks in 2014.
- In October 2014, our threat researchers uncovered an attack that used GE Intelligent Platforms' CIMPLICITY as an attack vector. CIMPLICITY is an automation platform for device monitoring and control purposes in industrial environments.
- Apple devices were specifically targeted in 2014 as well to get into target networks and further threat actors’ espionage goals. Two iOS apps were, for instance, used in Operation Pawn Storm. These apps can steal victims’ text messages, contact lists, pictures, geographical location data, audio files, and lists of installed apps, which are then sent to attackers.
3. Further refinements in targeted attack methodologies were observed. These observations include the following:
- Open source/free and weaponized tools were used to speed up cross-platform attacks.
- Zero-day exploits were used together with diskless malware to hinder forensic analysis. 64-bit malware also figured in targeted attacks. Notable examples include KIVAR, which had ties to the Poison RAT; HAVEX, a RAT used in a campaign that targeted industrial control systems (ICS); and WIPALL, the notorious malware behind the Sony Pictures hack attack.
4. Tried-and-tested and newly discovered zero-day vulnerabilities continued to be exploited in attacks.
- Attackers continued to exploit CVE-2012-0158, a flaw in Windows Common Controls, despite its having been patched in MS12-027. The actors behind PLEAD and Operation Pawn Storm abused this flaw to infiltrate target networks.
- EvilGrab malware also exploited CVE-2012-0158.
- The following zero-day exploits were employed in targeted attacks in 2014:
  - Two Taidoor-related zero-day exploit attacks targeting CVE-2014-1761 hit government agencies and an educational institution in Taiwan.
  - Critical vulnerabilities already addressed by MS14-021 gained more notoriety when Microsoft ended support for Windows XP. The attack even prompted the vendor to reverse its stance and release a patch.
  - News of the Sandworm vulnerability (CVE-2014-4114) prompted Microsoft to immediately release a patch, only for it to be found a week later that the solution could be bypassed.
  - In October 2014, Microsoft announced the discovery of a new zero-day exploit for CVE-2014-6352 that could be abused with the aid of malicious Office® files. Attacks seen in the wild used specially crafted PowerPoint® presentations.
5. Targeted attacks remained a global problem.
- Top Countries That Communicated with Targeted Attack C&C Servers in 2014:
  - Algeria
  - South Korea
  - United Kingdom
  - United States
- Top Countries Where Targeted Attack C&C Servers Were Hosted in 2014 (note: attackers need not physically reside in the countries listed below to launch attacks, because C&C servers can be accessed remotely):
  - Australia
  - Hong Kong
  - South Korea
  - United States
- Government agencies remained the most favored attack targets in 2014. A spike in the number of attacks targeting hardware/software companies, consumer electronics manufacturers, and health care providers was, however, seen in the second half of the year.
6. Cybercriminals adopted techniques more commonly associated with targeted attacks because these proved effective in increasing their financial gain.
- The actors behind Predator Pain and Limitless, for instance, went after small and medium-sized businesses (SMBs) instead of individuals, allowing them to earn as much as US$75 million in just six months.
7. Organizations would need to adapt to keep up with the dangers that targeted attacks pose.
- Given the increased volume of targeted attacks, the ease of mounting them, and the difficulty of protecting against them, network defenders must understand exactly what a shift in mindset from prevention to detection entails. This means accepting that targeted attacks have hit or will eventually hit their networks, and that no suite of blacklisting technologies alone will keep determined threat actors at bay.
About Trend Micro
Trend Micro Incorporated (TYO: 4704), a global leader in security software, strives to make the world safe for exchanging digital information. Our solutions for consumers provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. Leveraging these solutions, organizations can protect their end users, their evolving data center and cloud resources, and their information threatened by sophisticated targeted attacks.
All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around the globe.
For more information, visit www.trendmicro.com/en_ae/. Or follow our news on Twitter at @trendmicro_mea.