Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Targeted Attacks on the Rise

Most attacks target a single user, report says

It's the other end of the threat spectrum: Instead of a massive attack on hundreds of your users, it's one message, sent to a single user, containing a backdoor Trojan -- or worse.

Such narrowly-targeted attacks are becoming more popular than ever, according to a new report issued today by MessageLabs. The messaging security company says it identified 716 emails in 249 targeted attacks last month. The attacks targeted 263 different domains, belonging to 216 different customers.

Most of the email attacks came in the form of malware hidden in a Microsoft Office document. Some 45 percent of the attachments were PowerPoint; 35 percent were MS Word files. Only 15 percent were .exe files, according to MessageLabs.

Nearly 180 of the 249 attacks were sent to a single individual in the company via a single message, MessageLabs said. Fewer than 20 of the attacks identified as "targeted" were sent to more than 10 people in a company.

The number of targeted attacks has grown since 2006, but that may simply reflect the fact that vendors are becoming more adept at identifying them, MessageLabs said. "Previously, they may have been lost in the general noise of one to two million pieces of malware per day," the report states.

There doesn't appear to be any pattern to the types of companies that are targeted for attack, MessageLabs found. Military organizations were among the most targeted, followed by electronics, aviation, and retail. "Target organizations are those with data worth stealing," the report says.

Many of the targeted attacks come from a single gang in Taiwan, MessageLabs says. "One gang has been using the same two attack files since November 2006," the report says. "In the month of March, they used these files 151 times, which makes them one of the highest-profile gangs, accounting for just over 20 percent of all targeted emails."

The Taiwan gang changes its source IP address frequently, making it hard to detect, MessageLabs says. It loads an index.exe file on the victim's machine, usually from an Apache Tomcat/4.1.24 server. The IP address hosting the Web server that dishes out the malware is registered to China United Telecommunications Corp. in Beijing.

Emails from the Taiwan gang are not particularly attractive, generally showing only a string of unreadable characters and carrying attachments. "We are not sure what bugs these files exploit," MessageLabs says. "It may be a PowerPoint record length exploit, but there are several other areas of interest in the files which may be the trigger." Microsoft is currently investigating the exploit, MessageLabs says.

The attachments carry malware, according to MessageLabs. "A cursory investigation of the shellcode implies that the code downloads and executes a file.index.exe," the company says. "This is a back door Trojan which gives the attacker control of the PC." Many antivirus applications do not yet detect the Trojan, according to the messaging security company.

The inability of antivirus applications to recognize the targeted attacks from Taiwan may be a reason why gangs such as the one in Taiwan use the same exploit over and over, MessageLabs says. When such files are detected, attackers are usually forced to change their approach vector, the company notes.

— Tim Wilson, Site Editor, Dark Reading

  • MessageLabs Ltd.
  • Microsoft Corp. (Nasdaq: MSFT) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    Mobile Banking Malware Up 50% in First Half of 2019
    Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
    Active Directory Needs an Update: Here's Why
    Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
    New Attack Campaigns Suggest Emotet Threat Is Far From Over
    Jai Vijayan, Contributing Writer,  1/16/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: I've never actually seen the corporate ladder before.
    Current Issue
    The Year in Security: 2019
    This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
    Flash Poll
    How Enterprises are Attacking the Cybersecurity Problem
    How Enterprises are Attacking the Cybersecurity Problem
    Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-5216
    PUBLISHED: 2020-01-23
    In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
    CVE-2020-5217
    PUBLISHED: 2020-01-23
    In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
    CVE-2020-5223
    PUBLISHED: 2020-01-23
    In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
    CVE-2019-20399
    PUBLISHED: 2020-01-23
    A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
    CVE-2020-7915
    PUBLISHED: 2020-01-22
    An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.