APTs Becoming Privatized; Gaining New Levels of Concealment

Advanced Persistent Threats (APTs) are becoming more sophisticated on two levels: the first involves the technologies themselves; the second involves the "privatization" of their use by criminal elements.

So says Tom Kellerman, vice president of cyber security at Trend Micro, which has released a report on "IXESHE" (pronounced "I-Sushi"), an APT the company has been studying for the past 18 months.

"They have added an eighth stage, a maintenance stage, to the cyber kill chain," said Kellerman. "They've actually moved the command-and-control to within your network so the malware basically goes into a sleep cycle until it is manually activated by the adversary to exfiltrate data at random manual times. That's what's unique about this malware."

Kellerman added that moving command-and-control inside the targeted network is a distinct game-changer in the battle to keep information secure.

"Everyone is looking for external command-and-control, and as this capability moves within the targeted networks, much of the great work that companies have done to thwart botnets will be bypassed through this evolution in the kill chain."

The attackers' deliberate use of compromised machines and dynamic Domain Name System (DNS) services as command-and-control infrastructure lets them conceal their presence: their activity is mixed in with the traffic and data of legitimate users, so it does not stand out as foreign.
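The two concealment techniques above (command-and-control on a compromised host inside the network, and dynamic DNS for the names that point at it) each leave a trace that outbound-only botnet monitoring does not look for. The script below is an added example, not Trend Micro's tooling and not derived from the IXESHE report: it runs two hunts over constructed proxy and DNS log lines in an assumed format. The approved-server inventory and the dynamic-DNS zone list are placeholders a real deployment would replace. Because the implant described above sleeps until it is manually woken at irregular times, the first check deliberately counts internal HTTP contacts to non-server hosts instead of looking for regular beacon intervals, which would miss it.

```python
"""Hunting for command-and-control hidden inside the network.

Added example (not Trend Micro's tooling, not from the IXESHE report). It
runs two checks over constructed log lines:

  1. Internal beaconing: a workstation that repeatedly sends HTTP requests
     to another internal host that is not an approved server. Monitoring
     aimed only at outbound connections never sees this traffic.
  2. Dynamic-DNS lookups: queries for hostnames under dynamic-DNS zones,
     which let an attacker re-point a C2 name at whichever compromised
     machine is currently serving it.

The implant sleeps until manually activated at irregular times, so the first
check counts contacts rather than looking for regular beacon intervals.
"""
import ipaddress
from collections import defaultdict

# Assumed asset inventory: internal hosts that legitimately serve HTTP(S).
APPROVED_INTERNAL_SERVERS = {"10.0.0.5", "10.0.0.6"}

# Placeholder dynamic-DNS zones; a real deployment loads a maintained list.
DYNDNS_ZONES = {"dyn.example.net", "ddns.example.org"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed proxy/flow log: "<epoch> <src_ip> <dst_ip> <dst_port> <method> <host>"
# Note the irregular timestamps on the 10.0.1.77 contacts.
PROXY_LOG = """\
1000 10.0.1.20 10.0.0.5 80 GET intranet.corp
1060 10.0.1.20 10.0.1.77 80 POST 10.0.1.77
1420 10.0.1.20 10.0.1.77 80 POST 10.0.1.77
4800 10.0.1.20 10.0.1.77 80 POST 10.0.1.77
9015 10.0.1.20 10.0.1.77 80 POST 10.0.1.77
1300 10.0.1.21 10.0.0.6 443 GET mail.corp
1360 10.0.1.21 203.0.113.10 443 GET www.example.com
1400 10.0.1.30 10.0.1.31 80 GET 10.0.1.31
"""

# Constructed DNS query log: "<epoch> <src_ip> <qname>"
DNS_LOG = """\
1000 10.0.1.20 intranet.corp
1005 10.0.1.22 updates.example.com
1010 10.0.1.22 host77.dyn.example.net.
1015 10.0.1.23 ddns.example.org
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_internal_beacons(log: str, min_hits: int = 3) -> dict:
    """Return {(src, dst): hit_count} for internal->internal HTTP requests to
    hosts that are not approved servers, once a pair reaches min_hits contacts."""
    counts = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _port, _method, _host = line.split()
        if is_internal(src) and is_internal(dst) \
                and dst not in APPROVED_INTERNAL_SERVERS:
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_hits}


def in_dyndns_zone(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, any configured zone.
    Handles a trailing dot and mixed case in the query name."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DYNDNS_ZONES for i in range(len(labels)))


def find_dyndns_lookups(log: str) -> list:
    """Return [(src, qname), ...] for queries that land in a dynamic-DNS zone."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, qname = line.split()
        if in_dyndns_zone(qname):
            hits.append((src, qname))
    return hits


if __name__ == "__main__":
    for (src, dst), n in find_internal_beacons(PROXY_LOG).items():
        print(f"internal beacon candidate: {src} -> {dst} ({n} contacts)")
    for src, qname in find_dyndns_lookups(DNS_LOG):
        print(f"dynamic-DNS lookup: {src} asked for {qname}")
```

The single contact from 10.0.1.30 to 10.0.1.31 stays below the threshold, which is the trade-off: a low `min_hits` catches a rarely woken implant sooner but generates more triage work on ad-hoc file transfers between workstations. Both hunts need east-west visibility (internal proxy or flow logs and resolver logs), which is exactly the data perimeter-focused botnet monitoring tends not to collect.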

Kellerman added that Trend Micro has products that can identify and resolve IXESHE.

The IXESHE attack uses targeted emails sent to specific individuals that carry malicious attachments, such as PDF files that drop malware executables onto the targeted systems by exploiting vulnerabilities in Adobe Reader, Acrobat and Flash Player. Zero-day exploits have been used on at least two occasions. Compromised machines receive a tag that apparently helps the attackers track when the machine was infected and the nature of the attack; Trend Micro investigators found approximately 40 such tags.
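A mail gateway or analyst can triage PDF attachments of the kind described above before they reach a vulnerable Reader. The script below is an added example, not Trend Micro's product and not based on any actual IXESHE sample: it scans a PDF's name objects for script payloads, embedded or launched content (including /RichMedia, the annotation type used to embed Flash content in a PDF) and automatic triggers, decoding the hex-escape form of names (/J#61vaScript) that exploit kits use to dodge naive string matching. The two sample documents are constructed inline. A trigger such as /OpenAction on its own is common in legitimate documents, so the example reports it as "review" rather than "suspicious".

```python
"""Static triage of PDF e-mail attachments.

Added example (not Trend Micro's tooling). It flags PDF name objects that
exploit documents commonly rely on: script payloads (/JavaScript, /JS),
embedded or launched content (/EmbeddedFile, /Launch, /RichMedia, which is
how Flash content is embedded in a PDF) and automatic triggers (/OpenAction,
/AA). PDF names may be hex-escaped (/J#61vaScript is /JavaScript), so names
are decoded before matching; the number of escaped names is reported too,
because benign producers rarely need that encoding.
"""
import re
from collections import Counter

PAYLOAD_NAMES = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"}
TRIGGER_NAMES = {"/OpenAction", "/AA"}

# A PDF name runs from '/' to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes in a raw name: b'/J#61vaScript' -> '/JavaScript'."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]),
                              raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Return a triage record for one attachment.

    verdict: 'not_pdf', 'clean', 'review' (auto-trigger only) or
             'suspicious' (script or embedded payload present).
    """
    # Readers tolerate leading junk before the header, so look for it within
    # the first 1 KiB instead of requiring the file to start with it.
    if b"%PDF-" not in data[:1024]:
        return {"is_pdf": False, "verdict": "not_pdf", "flags": {},
                "obfuscated_names": 0}

    flags = Counter()
    obfuscated = 0
    for m in _NAME_RE.finditer(data):
        raw = m.group(0)
        if b"#" in raw:
            obfuscated += 1
        name = decode_name(raw)
        if name in PAYLOAD_NAMES or name in TRIGGER_NAMES:
            flags[name] += 1

    if any(n in PAYLOAD_NAMES for n in flags):
        verdict = "suspicious"
    elif flags:
        verdict = "review"
    else:
        verdict = "clean"
    return {"is_pdf": True, "verdict": verdict, "flags": dict(flags),
            "obfuscated_names": obfuscated}


# Constructed samples (not real IXESHE documents).
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
              b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
              b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n"
              b"%%EOF\n")

# Opens JavaScript automatically; the /JavaScript name is hex-escaped.
EXPLOIT_LIKE_PDF = (b"%PDF-1.4\n"
                    b"1 0 obj<</Type/Catalog/OpenAction 3 0 R>>endobj\n"
                    b"3 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n"
                    b"%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("exploit-like", EXPLOIT_LIKE_PDF)):
        print(label, triage_pdf(doc))
```

This is a first-pass filter, not a verdict engine: a payload inside a compressed object stream (/ObjStm with a /FlateDecode filter) is invisible to a raw byte scan, so flagged files should go on to a tool that inflates streams, and anything that decodes to a working exploit for a patched Reader bug still points at the first countermeasure the article lists, patching.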

Initially, the malware steals credentials and attempts to escalate privileges. It then gathers local information to see what systems and networks are within reach. Finally, the adversaries extract in-depth data, the "crown jewels of the organization," as Kellerman describes it.

So far, IXESHE has mostly been aimed at East Asian governments, Taiwanese electronics manufacturers and a German telecommunications provider with operations in East Asia. According to Kellerman, the malware has been seen only sporadically outside that region.

But Kellerman also says the use of APTs is spreading beyond nation-states and gaining ground among industrial spies and criminal groups.

"We're seeing the privatization of APTs," explained Kellerman. "We have a lot of non-state actors using APTs for financial gain or for blackmail. In the latter case, they have to deal less with law enforcement, which makes that option especially compelling. Or, they try to sell the information to other corporations that are wishing to gain competitive intelligence. So if you are a Fortune 1000 organization, you're not just being targeted by nation-states and other corporations, you have these mercenaries-for-hire who are using sophisticated APTs."

Suggested countermeasures include ongoing patch management, endpoint and network security, the use of firewalls, and effective data loss prevention strategies.