How Targeted Attacks Changed in 2014

2014 was a year in which we saw further refinements in targeted attack methodologies. As more organizations upgraded to newer versions of Windows, we saw the increased use of 64-bit malware in several campaigns. Examples of 64-bit malware include HAVEX, a remote access Trojan (RAT) used in a campaign that targeted industrial control systems (ICS), and WIPALL, the notorious malware behind the Sony Pictures hack.

The move to newer versions of Windows also led to the abuse of legitimate tools/features in attacks. An example is Windows PowerShell®, a feature in versions for Windows 7 and higher that allows system administrators to access other features without the use of graphical user interfaces (GUIs). PowerShell commands were abused to download malicious files and bypass execution policies, which allowed the downloaded files to be executed.

A document exploit template, detected as TROJ_MDROP.TRX, was found in several targeted attacks. This exploit was most likely sold and distributed underground because of its use in several campaigns. Threat actors could simply modify the exploit template to fit their intended payload.

Based on our data, .RTF and .DOC files were the two most frequently used email attachments, most likely because Microsoft Word® is used in any organization.

Figure 1. Most frequently used email attachment file types in targeted attacks in 2014

Old and New Vulnerabilities in Attacks

Several zero-day exploits were used in targeted attacks in 2014. For example, two Taidoor-related zero-day exploit attacks targeting CVE-2014-1761 hit government agencies and an educational institution in Taiwan, with a window of exposure of 15 days. Exploiting new vulnerabilities has been proven to be more effective because security vendors have yet to create patches. Zero-day exploits can catch vendors and victims alike unawares.

The use of new vulnerabilities doesn’t mean that threat actors have done away with older ones. In fact, targeting old vulnerabilities also proved reliable because attackers can just use tried-and-tested exploits that may be easily bought.

Despite being patched via MS12-027, CVE-2012-0158 remained a favored vulnerability for attackers. Additionally, it was the most exploited vulnerability used by targeted attacks in the first half of 2014. Two notable campaigns, PLEAD and Operation Pawn Storm, abused this vulnerability to infiltrate target networks.

A Global Problem

Government agencies remained the most favored attack targets in 2014. In the second half of the year, we saw a spike in the number of attacks that targeted hardware/software companies, consumer electronics manufacturers, and health care providers.

We also determined the global distribution of targets accessing C&C servers. As shown in the heat map below, the United States, Russia, and China were no longer the only favored targets. Other targets included Taiwan, South Korea, France, and Germany.

Figure 2. Top countries that communicated with targeted attack C&C servers in 2014 (click the image to enlarge)

Keeping Up with Threats

Given the increased volume of targeted attacks, ease of mounting them, and difficulty to protect against them, network defenders must be able to adapt a shift in mindset from prevention to detection. This means accepting that targeted attacks will eventually hit their networks; without an assurance that a suite of blacklisting technologies will be able to keep determined threat actors at bay.

Building threat intelligence is crucial in the fight against targeted attacks. Knowledge of the tools, tactics, and procedures that threat actors use based on external reports and internal historical and current monitoring can help create a strong database of indicators of compromise (IoCs) that can serve as basis for action. But organizations shouldn’t limit themselves to simply knowledge of the attacks. Establishing and empowering incident response teams and training employees, partners, and vendors on social engineering and computer security can also help mitigate the risks involved with targeted attacks.

For full details on our findings, you may read our Targeted Attack Trends: 2014 Annual Report.