
Targeted Attacks on the Rise

Most attacks target a single user, report says

It's the other end of the threat spectrum: Instead of a massive attack on hundreds of your users, it's one message, sent to a single user, containing a backdoor Trojan -- or worse.

Such narrowly targeted attacks are becoming more popular than ever, according to a new report issued today by MessageLabs. The messaging security company says it identified 716 emails in 249 targeted attacks last month. The attacks targeted 263 different domains belonging to 216 different customers.

Most of the email attacks came in the form of malware hidden in a Microsoft Office document. Some 45 percent of the attachments were PowerPoint; 35 percent were MS Word files. Only 15 percent were .exe files, according to MessageLabs.

Nearly 180 of the 249 attacks were sent to a single individual in the company via a single message, MessageLabs said. Fewer than 20 of the attacks identified as "targeted" were sent to more than 10 people in a company.

The number of targeted attacks has grown since 2006, but that may simply reflect the fact that vendors are becoming more adept at identifying them, MessageLabs said. "Previously, they may have been lost in the general noise of one to two million pieces of malware per day," the report states.

There doesn't appear to be any pattern to the types of companies that are targeted for attack, MessageLabs found. Military organizations were among the most targeted, followed by electronics, aviation, and retail. "Target organizations are those with data worth stealing," the report says.

Many of the targeted attacks come from a single gang in Taiwan, MessageLabs says. "One gang has been using the same two attack files since November 2006," the report says. "In the month of March, they used these files 151 times, which makes them one of the highest-profile gangs, accounting for just over 20 percent of all targeted emails."

The Taiwan gang changes its source IP address frequently, making it hard to detect, MessageLabs says. It loads an index.exe file on the victim's machine, usually from an Apache Tomcat/4.1.24 server. The IP address hosting the Web server that dishes out the malware is registered to China United Telecommunications Corp. in Beijing.

Emails from the Taiwan gang are not particularly convincing as lures: the message body generally consists of nothing but a string of unreadable characters, with the malicious files attached. "We are not sure what bugs these files exploit," MessageLabs says. "It may be a PowerPoint record length exploit, but there are several other areas of interest in the files which may be the trigger." Microsoft is currently investigating the exploit, MessageLabs says.

The attachments carry malware, according to MessageLabs. "A cursory investigation of the shellcode implies that the code downloads and executes a file, index.exe," the company says. "This is a back door Trojan which gives the attacker control of the PC." Many antivirus applications do not yet detect the Trojan, according to the messaging security company.

The failure of antivirus applications to recognize these attacks may be one reason why the Taiwan gang, and groups like it, use the same exploit over and over, MessageLabs says. Once such files are detected, attackers are usually forced to change their approach, the company notes.
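The two traits the report stresses above, one message to a single recipient and the same attack file reused across many customers for months, can be combined into a cross-customer detection heuristic. The following is an added illustration, not code from the article or from MessageLabs; the gateway log format, field names and sample lines are constructed.

```python
"""Flag attachments that are reused, one recipient at a time, across many
recipient domains: the low-volume, high-reuse pattern of targeted attacks.
Assumed log format (constructed, not a real product's): one message per line,
space-separated: timestamp sender recipient filename attachment_hash rcpt_count."""
from collections import defaultdict

# Constructed sample gateway log. ppt-h1 is one file sent to a single user at
# three unrelated customers; ppt-h3 is a bulk newsletter (same file, 400 rcpts).
SAMPLE_LOG = """\
2007-03-02T08:11:05Z a1@example.net ceo@alpha-aero.example brief.ppt ppt-h1 1
2007-03-02T09:40:21Z b7@example.org cfo@beta-defence.example brief.ppt ppt-h1 1
2007-03-03T10:02:44Z c3@example.net hr@gamma-retail.example notes.doc doc-h2 1
2007-03-04T11:15:09Z d9@example.org it@delta-chips.example brief.ppt ppt-h1 1
2007-03-05T12:30:00Z news@vendor.example all@alpha-aero.example promo.ppt ppt-h3 400
2007-03-05T12:30:00Z news@vendor.example all@beta-defence.example promo.ppt ppt-h3 400
2007-03-05T12:30:00Z news@vendor.example all@gamma-retail.example promo.ppt ppt-h3 400
2007-03-06T13:00:00Z e2@example.net pr@alpha-aero.example agenda.doc doc-h4 1
"""


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, fname, fhash, nrcpt = line.split()
        records.append({
            "ts": ts, "sender": sender, "rcpt": rcpt,
            "rcpt_domain": rcpt.split("@", 1)[1].lower(),
            "fname": fname, "fhash": fhash, "nrcpt": int(nrcpt),
        })
    return records


def find_reused_attachments(records, min_domains=3, max_recipients=1):
    """Return {attachment_hash: sorted recipient domains} for every attachment
    seen in at least min_domains distinct recipient domains where no message
    carrying it had more than max_recipients recipients. Bulk mailings share
    a hash across domains too, but fail the recipient-count test."""
    domains = defaultdict(set)   # hash -> recipient domains seen
    widest = defaultdict(int)    # hash -> largest recipient count observed
    for r in records:
        domains[r["fhash"]].add(r["rcpt_domain"])
        widest[r["fhash"]] = max(widest[r["fhash"]], r["nrcpt"])
    return {h: sorted(d) for h, d in domains.items()
            if len(d) >= min_domains and widest[h] <= max_recipients}


if __name__ == "__main__":
    for h, doms in find_reused_attachments(parse_log(SAMPLE_LOG)).items():
        print(f"{h}: single-recipient reuse across {len(doms)} domains: {doms}")
```

A mail-security vendor or a large organisation with many mail domains is the natural place to run this, since a single company sees only one instance of the reuse.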

— Tim Wilson, Site Editor, Dark Reading
