Recently, we’ve seen a more sharpened focus on targeted attacks as a powerful tool of numerous cyber espionage campaigns affecting high-profile victims, including government organizations such as the White House and US State Department, which were attacked by CozyDuke APT.
The main problem with targeted attacks is that they can be difficult (if not impossible) to detect using a standard set of security solutions such as network and host Intrusion Detection/Prevention Systems because these systems rely on well known attack signatures, which requires a greater number of known infections than we typically see with these particular attacks. What’s more, targeted attacks can stay undetected for long periods while an attacker is building and maintain an espionage network. That is why they are called Advanced Persistent Threats.
Social engineering techniques and 0-day exploits are usually used to bypass intrusion detection scanners and install surveillance software.
Currently, attackers appear to have three main interests:
- Destroying facilities using a cyber weapon. For example, Stuxnet was used to sabotage the Iranian nuclear program by compromising SCADA servers and modifying behaviors of programmable logic controllers (PLCs) to change the rotating frequency of centrifuges for uranium enrichment, effectively taking them out of operation.
- Cyber espionage, mostly to set up surveillance over government and military organizations.
- Gaining financial profit, either by executing a cyber bank robbery (Carbanak APT), or by encrypting data using cryptolockers in order to force an organization into paying a ransom.
The cryptolocker attack can be loosely defined as targeted, because as it may cover a rather large set of targets. Cryptolockers are propagated the same way as regular targeted attacks – through phishing emails and hijacked websites daily visited by employees (otherwise known as a “watering hole attack”).
One example is the recently discovered Linux.Encode.1 targets Web hosting providers, encrypting the “apache2”, “nginx”, “mysql”, and “www” folders on Linux servers. Cryptolockers can be equipped with sophisticated passive and active self-protection methods. For example, the latest versions of TeslaCrypt use API call obfuscation to bypass antivirus protection and terminate monitors and configuration tools that malware analysts and forensics experts can use to diagnose an infection.
Another interesting aspect of these attacks is that clouds can become not only targets, but an actual component of the attack itself. Cloud infrastructure is used by attackers to upload stolen information and download backdoors’ updates. For example, CloudAtlas used the CloudMe public storage and Minidionis/CloudLook – Onedrive. Previously, Dropbox has been used to deliver new versions of malware by the NrgBot/DorkBot botnet.
If you want to learn more on how to protect your cloud against targeted attacks, please attend our OpenStack Summit talk “Using Open Source Security Architecture to Defend against Targeted Attacks” in Austin, TX. We’ll see you there!