Number, diversity of targeted cyberattacks increased in 2011

Published 7 May 2012

The number of vulnerabilities decreased by 20 percent in 2011, but the number of malicious attacks leaped by 81 percent in the same period; targeted attacks have spread to organizations of all sizes and types

The number of vulnerabilities decreased by 20 percent in 2011, but the number of malicious attacks leaped by 81 percent in the same period, according to Symantec Corporation's latest Internet Security Threat Report. The report says targeted attacks have spread to organizations of all sizes and types.

Symantec notes that spam attacks have declined substantially, and concludes that attackers have instead embraced easy-to-use attack toolkits that efficiently exploit existing vulnerabilities. Attackers appear to be moving away from spam and toward existing social networks. The nature of these networks leads users to feel they are not at risk, which makes it easier for attackers to reach new victims. By applying social engineering techniques to the viral environment of social networks, attackers are able to acquire new targets easily.

Targeted attacks, Symantec’s report notes, increased from seventy-seven to eighty-two per day, and the nature of the targets has changed.

In the past, targeted attacks were directed at executives, large corporations, and governments. Now, much smaller entities are targeted as well. Symantec has found that 58 percent of attacks are now launched against non-executives in roles such as human resources, sales, and public relations. These employees may not have access to the information the attacker seeks, but they provide a foothold in the company that can be further exploited.

More than 50 percent of attacks target companies with fewer than 2,500 employees, and nearly 20 percent are directed at companies with fewer than 250 employees. Symantec speculates that these smaller firms are targeted because they may be part of larger corporations’ supply chains or partner ecosystems, and because they are likely to be less well-defended.

Nor are Apple users and networks as immune from attack as they were in the past. The comparatively small number of computers running the Mac OS X operating system once made it less attractive to attackers. The growing number of iPad tablets and Apple computers in use has made Apple products a worthwhile pursuit for attackers.

Kaspersky Labs has issued a release on new malware designed to target Apple devices, which it has confirmed to be an Advanced Persistent Threat.

The new malware, known as Backdoor.OSX.SabPub, was first spotted in the wild in early April of this year. Kaspersky notes the relatively low number of infected machines and concludes that it was used in targeted attacks.

After activation on an infected system, it connects to a remote website for instructions. The command and control server was hosted in the United States, and used a free dynamic DNS service to route the infected computers’ requests.

Subsequent testing has confirmed the original targeted-attack suspicion. Kaspersky engineers set up a fake victim machine, infected with the SabPub malware. Soon after, the engineers noted some unusual activity.

The attackers seized control of the infected system and started analyzing it. They sent commands to view the contents of the root and home folders and even downloaded some of the fake documents stored on the system. This analysis was most likely performed manually rather than by an automated system, behaviour that is unusual in widespread “mass-market” malware. Kaspersky therefore concludes that this backdoor is an example of an Advanced Persistent Threat in active use.
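The distinction Kaspersky draws above, a human operator poking around a decoy machine versus a script beaconing on a timer, is something a defender can score from a command-and-control log. The following is an added example, not code from the article or from Kaspersky: it parses a constructed log in a hypothetical "timestamp direction command" format (SabPub's real protocol is not described on this page), measures how irregular the gaps between commands are and what fraction of commands read or fetch files, and flags the session as likely operator-driven or likely automated. The command verbs and the two thresholds are assumptions chosen for the example, not figures from the report.

```python
from __future__ import annotations

from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs (hypothetical "timestamp direction command" format,
# not SabPub's real protocol). The first mimics the hands-on behaviour the
# article describes, listing directories and then pulling documents from a
# decoy host; the second mimics a scripted beacon.
OPERATOR_SESSION = """\
2012-04-10T09:12:03 C2->host ls /
2012-04-10T09:12:41 C2->host ls /root
2012-04-10T09:13:20 C2->host ls /Users/victim/Documents
2012-04-10T09:15:07 C2->host get /Users/victim/Documents/budget.doc
2012-04-10T09:17:55 C2->host get /Users/victim/Documents/contracts.pdf
"""

BEACON_SESSION = """\
2012-04-10T09:00:00 C2->host ping
2012-04-10T09:05:00 C2->host ping
2012-04-10T09:10:00 C2->host ping
2012-04-10T09:15:00 C2->host ping
2012-04-10T09:20:00 C2->host ping
"""

# Verbs that read the file system or exfiltrate files. Hypothetical names
# chosen for the sample log format above.
RECON_VERBS = {"ls", "dir", "find", "cat", "get", "download"}

# Thresholds are assumptions for this example, not figures from the report.
MIN_TIMING_CV = 0.25    # coefficient of variation of inter-command gaps
MIN_RECON_RATIO = 0.5   # share of commands that explore or fetch files


def parse_log(text: str) -> list[tuple[datetime, str]]:
    """Return (timestamp, command) pairs for commands sent by the C2 server."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, direction, command = line.split(" ", 2)
        if direction == "C2->host":
            events.append((datetime.fromisoformat(stamp), command))
    return events


def assess_session(events: list[tuple[datetime, str]]) -> dict:
    """Score a session: a person types at irregular intervals and explores;
    a scheduled implant beacons on a clock and rarely touches files."""
    if len(events) < 3:
        # Two commands give one gap and no spread to measure.
        return {"verdict": "insufficient-data", "timing_cv": None,
                "recon_ratio": None}

    times = [t for t, _ in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    timing_cv = pstdev(gaps) / avg if avg > 0 else 0.0

    recon = sum(1 for _, cmd in events if cmd.split()[0] in RECON_VERBS)
    recon_ratio = recon / len(events)

    manual = timing_cv >= MIN_TIMING_CV and recon_ratio >= MIN_RECON_RATIO
    return {
        "verdict": "likely-manual" if manual else "likely-automated",
        "timing_cv": round(timing_cv, 4),
        "recon_ratio": round(recon_ratio, 4),
    }


if __name__ == "__main__":
    for name, log in (("operator", OPERATOR_SESSION), ("beacon", BEACON_SESSION)):
        print(name, assess_session(parse_log(log)))
```

On the constructed operator session the gaps between commands vary widely (a coefficient of variation of roughly 0.61) and every command is a listing or a download, so it is flagged as likely manual; the beacon session has zero timing variation and no file access, so it is flagged as likely automated. In practice both signals are heuristics: a disciplined operator can script delays, and some automated implants do enumerate directories, so a verdict like this is a prompt for a human to look at the session, not a conviction.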

The connection between SabPub and another targeted attack aimed at Windows-based machines, known as LuckyCat, points to diverse and widespread criminal activity with a common origin.