As frequently targeted, high-value companies continue fortifying their defenses, FireEye researchers claim that attackers are increasingly setting their sights on the affiliated but not-as-well-protected third-party organizations that do business with them.

By aiming phishing email campaigns at softer targets, attackers believe they can compromise the networks of more relevant organizations in a roundabout way without having to defeat their sophisticated security systems.

The FireEye Malware and Intelligence Lab illustrated this assertion in their analysis of an attack targeting a Taiwanese tech firm that frequently works with the government and the financial services industry in that country. The attackers reportedly wanted to compromise both the Taiwanese Government and financial services organizations. Rather than launch a direct attack, they crafted an email purportedly coming from the Taiwanese Ministry of Finance in an attempt to phish employees at the unnamed tech firm and compromise it.

Once an attacker infiltrates the tech firm, he can leverage the access the higher-value targets have granted to the tech firm in order to piggyback his way onto the more valuable Taiwanese Government and financial services networks.

The attack itself evades pattern-based malware detection by hiding its payload in an encrypted, password-protected Word document, which content scanners cannot inspect. In this way, the attackers don’t need to develop their own zero-day exploit; they can rely on the victims to open the document and execute the malware themselves.

It may seem ineffective for an attacker to password-protect his malware payload, but as Ronghwa Chong, senior malware and forensic engineer at FireEye, explained to Threatpost via email, a password-protected, encrypted Word document promises to be interesting, and the password in this case was easily guessable, so a number of users made the mistake of opening the malicious document.
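The defensive counterpart to the trick described above is to notice that an attachment is opaque before it reaches a user. The following mail-gateway triage check is an added example, not code from FireEye or Threatpost; it labels an Office attachment by container type and encryption state (a password-protected .docx is saved as an OLE2 wrapper with UTF-16LE stream names "EncryptionInfo" and "EncryptedPackage", while a plain .docx is a ZIP package) and applies a constructed hold policy to anything a scanner cannot see inside. The sample documents are constructed in-line for testing; legacy encrypted .doc files are only labelled by container, not detected.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc, and the wrapper a
# password-protected .docx is saved in) and of a ZIP archive (plain .docx).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
# OLE directory entries store stream names as UTF-16LE; an encrypted OOXML
# file carries "EncryptionInfo" and "EncryptedPackage" streams.
ENCRYPTED_STREAMS = [s.encode("utf-16-le") for s in ("EncryptedPackage", "EncryptionInfo")]
OOXML_EXTS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}


def classify_office_attachment(filename: str, data: bytes) -> str:
    """Label an attachment by container and encryption state (heuristic, constructed here)."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        if any(s in data for s in ENCRYPTED_STREAMS):
            return "encrypted-ooxml"           # password-protected Office 2007+ file
        if ext in OOXML_EXTS:
            return "ole-with-ooxml-extension"  # extension says ZIP, bytes say OLE
        return "ole-legacy"                    # .doc/.xls; FIB encryption flag not checked
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return "zip-encrypted"     # ZIP-level password, contents opaque
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml-plain"       # scannable OOXML package
        except zipfile.BadZipFile:
            return "corrupt-zip"
        return "zip-other"
    return "unknown"


def needs_sandbox_or_quarantine(label: str) -> bool:
    """Constructed policy: hold anything a content scanner cannot look inside."""
    return label in {"encrypted-ooxml", "zip-encrypted", "ole-with-ooxml-extension", "corrupt-zip"}


def build_plain_docx() -> bytes:
    """Constructed minimal OOXML package for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_fake_encrypted_docx() -> bytes:
    """Constructed OLE header plus the UTF-16LE stream name an encrypted file contains."""
    return OLE_MAGIC + b"\x00" * 504 + "EncryptedPackage".encode("utf-16-le")
```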

In his analysis, Chong claims a number of tell-tale signs indicate that this particular attack emanates from China. You can read more about the technical aspects of the attack in Chong’s write-up on the FireEye Malware and Intelligence Lab blog.

Categories: SMB Security, Vulnerabilities, Web Security

Comments (2)

  1. Anonymous

    People will always open emails, in big and in small companies, in the government and in private sector. Keeping OS and software up-to-date is not practical, there will always be someone whose Java isn’t updated, or still uses SP2 for some reason.

  2. Anonymous

    Thus the adage “security in-depth”.

    There will always be someone with a bigger gun, more allies and more resources. There is no silver bullet so it’s the job of the security teams to patch the known holes (especially the obvious ones), and make the attackers’ jobs much more difficult.

    As for OS and software updates, I personally think this comes down to the company having a proper policy in place and enforcing it with proper guidelines, operations, solutions and user training. For example, a mobile user’s laptop AV signature may have lagged behind by a few days (he was traveling) but a capable gateway malware solution or IPS should be able to sieve out the majority of threats from his emails or even originating from his laptop.

    Just my 2-cents.
