Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Targeted Attacks on the Rise

Most attacks target a single user, report says

It's the other end of the threat spectrum: Instead of a massive attack on hundreds of your users, it's one message, sent to a single user, containing a backdoor Trojan -- or worse.

Such narrowly-targeted attacks are becoming more popular than ever, according to a new report issued today by MessageLabs. The messaging security company says it identified 716 emails in 249 targeted attacks last month. The attacks targeted 263 different domains, belonging to 216 different customers.

Most of the email attacks came in the form of malware hidden in a Microsoft Office document. Some 45 percent of the attachments were PowerPoint; 35 percent were MS Word files. Only 15 percent were .exe files, according to MessageLabs.

Nearly 180 of the 249 attacks were sent to a single individual in the company via a single message, MessageLabs said. Fewer than 20 of the attacks identified as "targeted" were sent to more than 10 people in a company.

The number of targeted attacks has grown since 2006, but that may simply reflect the fact that vendors are becoming more adept at identifying them, MessageLabs said. "Previously, they may have been lost in the general noise of one to two million pieces of malware per day," the report states.

There doesn't appear to be any pattern to the types of companies that are targeted for attack, MessageLabs found. Military organizations were among the most targeted, followed by electronics, aviation, and retail. "Target organizations are those with data worth stealing," the report says.

Many of the targeted attacks come from a single gang in Taiwan, MessageLabs says. "One gang has been using the same two attack files since November 2006," the report says. "In the month of March, they used these files 151 times, which makes them one of the highest-profile gangs, accounting for just over 20 percent of all targeted emails."

The Taiwan gang changes its source IP address frequently, making it hard to detect, MessageLabs says. It loads an index.exe file on the victim's machine, usually from an Apache Tomcat/4.1.24 server. The IP address hosting the Web server that dishes out the malware is registered to China United Telecommunications Corp. in Beijing.

Emails from the Taiwan gang are not particularly attractive, generally showing only a string of unreadable characters and carrying attachments. "We are not sure what bugs these files exploit," MessageLabs says. "It may be a PowerPoint record length exploit, but there are several other areas of interest in the files which may be the trigger." Microsoft is currently investigating the exploit, MessageLabs says.

The attachments carry malware, according to MessageLabs. "A cursory investigation of the shellcode implies that the code downloads and executes a file.index.exe," the company says. "This is a back door Trojan which gives the attacker control of the PC." Many antivirus applications do not yet detect the Trojan, according to the messaging security company.

The inability of antivirus applications to recognize the targeted attacks from Taiwan may be a reason why gangs such as the one in Taiwan use the same exploit over and over, MessageLabs says. When such files are detected, attackers are usually forced to change their approach vector, the company notes.

— Tim Wilson, Site Editor, Dark Reading

  • MessageLabs Ltd.
  • Microsoft Corp. (Nasdaq: MSFT) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Threaded  |  Newest First  |  Oldest First
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 9/17/2020
    Cybersecurity Bounces Back, but Talent Still Absent
    Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
    Meet the Computer Scientist Who Helped Push for Paper Ballots
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-25789
    PUBLISHED: 2020-09-19
    An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
    CVE-2020-25790
    PUBLISHED: 2020-09-19
    ** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
    CVE-2020-25791
    PUBLISHED: 2020-09-19
    An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
    CVE-2020-25792
    PUBLISHED: 2020-09-19
    An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
    CVE-2020-25793
    PUBLISHED: 2020-09-19
    An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.