Threat Actors Targeting APAC Region Continue to Enhance Attack Tactics whilst Exploiting Old Vulnerabilities

Trend Micro’s 1H 2014 Targeted Attack Trends Report finds that threat actors are still largely able to avoid detection by refining their targeted attack methods

Trend Micro Incorporated (TYO: 4704; TSE: 4704), has released its H1 2014 Targeted Attack Trends Report for the Asia Pacific (APAC) region. The report has found that threat actors targeting the region are continually refining their targeted attack tactics, which allows them to remain undetected. At the same time, old vulnerabilities resulting from unpatched software and applications are being exploited to the fullest. With Trend Micro’s 2015 security predictions further predicting targeted attack campaigns in APAC to increase in size and scale, 2015 may very well become the year where targeted attacks come of age.

According to the report, spear-phishing emails are still the most common infection vector for infiltrating networks, with almost 80% of the targeted attack malware arriving via email. Typically sent to employees in target organizations, spear-phishing emails convince recipients to either click a malicious link or download and execute a malicious file. Some of the most common email attachments used to deliver payloads include Microsoft Office documents (57%) and RAR files (19%), as they commonly change hands in any organization. Another method used to infiltrate target networks is compromising the websites an organization’s employees commonly visit. When their target employees visit these compromised sites, their systems get infected.
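The attachment figures above translate directly into a mail-gateway triage policy: Office documents and archives are routed to a sandbox, executables and disguised executables are blocked, and everything else passes. The script below is an added example written for this page, not code from the report or from any Trend Micro product; the classification tables, the magic-byte signatures it checks, and the sample spear-phishing message it builds are all constructed here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed classification tables for this example. The report names Office
# documents and RAR archives as the most common payload carriers; executables
# and script types are added because they should not arrive by mail unsolicited.
OFFICE = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm", ".rtf"}
ARCHIVE = {".rar", ".zip", ".7z"}
EXECUTABLE = {".exe", ".scr", ".pif", ".cpl", ".js", ".vbs", ".hta", ".bat", ".cmd"}

# File signatures used to check that content matches the claimed extension.
# OOXML (.docx/.xlsx/.pptx) is a ZIP container, so it shares the "PK" signature.
MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0": "ole",   # legacy .doc/.xls/.ppt (OLE compound file)
    b"MZ": "pe",                  # Windows executable
    b"%PDF": "pdf",
}
EXPECTED_KIND = {
    ".rar": "rar", ".zip": "zip",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".docm": "zip", ".xlsm": "zip", ".pptm": "zip",
    ".doc": "ole", ".xls": "ole", ".ppt": "ole",
    ".pdf": "pdf", ".exe": "pe", ".scr": "pe",
}
# Innocent-looking inner extensions used in double-extension lures (photo.jpg.exe).
LURE_EXTENSIONS = {".jpg", ".png", ".pdf", ".doc", ".txt"}


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Assign a verdict (allow / sandbox / block) to one attachment."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    verdict, reasons = "allow", []

    if ext in EXECUTABLE or kind == "pe":
        verdict = "block"
        reasons.append("executable content")
    if len(parts) > 2 and "." + parts[-2] in LURE_EXTENSIONS:
        verdict = "block"
        reasons.append("double extension")
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        verdict = "block"
        reasons.append(f"content ({kind}) does not match extension {ext}")

    if verdict != "block":
        if ext in OFFICE:
            verdict, reasons = "sandbox", ["Office document"]
        elif ext in ARCHIVE:
            verdict, reasons = "sandbox", ["archive"]
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def triage_message(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and classify every attachment it carries."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.append(classify(name, part.get_payload(decode=True) or b""))
    return results


def build_sample_message() -> bytes:
    """Constructed spear-phishing-style message with four attachments (not real samples)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.test"
    msg["To"] = "executive@example.test"
    msg["Subject"] = "Updated tax guidance - please review"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 32, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="tax_guidance.docx")
    msg.add_attachment(b"Rar!\x1a\x07\x00" + b"\x00" * 32, maintype="application",
                       subtype="x-rar-compressed", filename="forms.rar")
    msg.add_attachment(b"MZ" + b"\x00" * 32, maintype="image", subtype="jpeg",
                       filename="scan.jpg.exe")
    msg.add_attachment("plain notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

The magic-byte check matters more than the extension list: a file named `report.pdf` whose bytes begin with a ZIP or MZ signature is blocked even though `.pdf` is not on any deny list, which is the kind of mismatch a sender relying on a plausible filename hopes the gateway will not notice.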

Zero-day as well as tried-and-tested exploits both figured in the targeted attack landscape. Old exploits kept working because some IT administrators in the region forwent applying security fixes to their networks for fear of disrupting critical business operations. For example, a zero-day vulnerability in Windows XP, which reached end of life in April 2014, was exploited in a targeted attack against embassies earlier this year. Threat actors favored Microsoft Office (53%) and Adobe Reader (46%) as the most common software vulnerability exploitation targets.

Most of the malware used in targeted attacks was Trojans or Trojan spyware (53%), followed by backdoors (46%). Backdoors typically aid in establishing C&C communications and executing remote commands, while Trojans and Trojan spyware aid in downloading the final payload and exfiltrating data.

Some of the notable campaigns for 1H 2014 included:

  • Siesta – a campaign which was so named due to its final payload’s ability to receive sleep commands, which allowed it to stay dormant for various periods of time and in turn evade detection. Threat actors behind the campaign sent emails containing legitimate-looking links to chosen executives in specific organizations using fake email addresses of supposed colleagues
  • ESILE – a campaign targeting APAC government institutions, ESILE was delivered via spear-phishing emails sporting varying social engineering lures that had to do with health care and taxes, among others. The emails contained a seemingly harmless document that, when opened, actually executes a malicious file in the background

Other APAC targeted attack campaigns that were still actively running in 1H 2014 include IXESHE, PLEAD, ANTIFULAI, and Taidoor.

“The efficacy of targeted attacks this year so far indicates that organizations still struggle to understand targeted attacks. One possible misconception is that targeted attacks are one-time efforts, whilst in reality they are well-planned and can be launched several times until they successfully compromise intended network targets,” said Dhanya Thakkar, Managing Director, APAC, Trend Micro. “To fight back, organizations today need a custom defense strategy, which uses advanced threat detection technologies and shared intelligence to detect, analyze, and respond to attacks that are invisible to standard security products.”