Prioritizing Security vs Maximizing Online Presence

Threat actors begin their research using "open source" information. Since businesses today cannot survive or compete without an online presence, it becomes very easy for threat actors to obtain information that is useful for an APT campaign. For instance:
  • Company website
  • Articles by the press and media
  • Company employees’ social networking and social media accounts
As threat actors gain more information about the target, they launch social engineering attacks meant to get even more information.

One of the techniques attackers use to further increase their knowledge about the target’s network is the "res://" protocol, a feature present in Internet Explorer (version 4.0 and later).

The attacker need only convince a user to click on a webpage, and information about what software is present on the user's system will be returned. The attacker can then look for an exploit that targets holes in the particular software the user has.

With the knowledge obtained using social engineering and the "res://" protocol, attackers can create attacks that have a higher degree of success.

Point of Entry

Based on APT campaigns our researchers investigated, intrusions into the target network typically begin with an email message that comes with an attachment, such as a PDF or a Microsoft Office file (for example, a Word or Excel document). In the cases of LUCKYCAT and IXESHE, custom-fit email messages were sent to employees. However, this does not mean that threat actors cannot use other delivery mechanisms, such as instant messaging services or email messages with links that lead to exploit pages.

Comparison of the two campaigns (LUCKYCAT and IXESHE):

Industries targeted (varied)
  • LUCKYCAT: Aerospace, energy, engineering, shipping, military research, Tibetan activists
  • IXESHE: Electronics manufacturers, a German telecommunications company, East Asian governments

Point of entry
  • LUCKYCAT: Contextually relevant targeted emails
  • IXESHE: Contextually relevant targeted emails

Exploits used (old, reliable exploits)
  • LUCKYCAT: CVE-2010-3333 (aka the Rich Text Format [RTF] Stack Buffer Overflow Vulnerability) in several instances, as well as Adobe Reader and Flash Player vulnerabilities
  • IXESHE: PDF exploits for CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, and CVE-2011-0611

Studying the entry point details of these two campaigns also reveals that different industries were targeted depending on the intent of the threat actor. Furthermore, the exploits used did not necessarily target new vulnerabilities; instead, they are proof that the threat actors did their research on what their targets were running.

Awareness Programs for Employees: An Important Ingredient

Once a system is compromised, detection is highly difficult, and whatever is detected is easily worked around by attackers. Therefore, as part of an overall security strategy against targeted attacks, organizations should seriously review the effectiveness of user training aimed at preparing employees for social engineering and spear phishing attacks. Actually testing employees' responses to simulated attacks may be more effective than just having users read about them.

According to Trend Micro Threat Researcher Nart Villeneuve, "Those that are trained to expect targeted malware attacks are better positioned to report potential threats and constitute an important source of threat intelligence. Ultimately, education can generate a more security conscious culture within an organization."
