Nation-State Attacks Drop in Latest Google Analysis

nation-state attacks google 2019

Phishing and zero-days continue to be a core part of the APT arsenal.

Google has registered a significant drop in government-backed cyberattacks against its properties and the people who use its products.

Google sends out warnings if it detects that an account is a target of government-backed phishing or malware attempts. For 2019, the internet giant sent almost 40,000 warnings – which, while a large number, is still a nearly 25 percent drop from the year before.

Nation-State Trends

In terms of trends amongst the warnings, the analysis showed that main targets included, perhaps unsurprisingly, geopolitical rivals, government officials, journalists, dissidents and activists.

In 2019, about 20 percent of accounts that received a warning were targeted multiple times by attackers. Google also uncovered that phishing and zero-day exploits continue to be APT weapons of choice.

On the former front, Google researchers saw a growing trend emerge towards impersonating news outlets and journalists, especially when it comes to attackers from Iran and North Korea.

“For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation,” explained Toni Gidwani, security engineering manager at the company’s Threat Analysis Group (TAG), writing in an overview of nation-state trends, published last week. “In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign-policy expert before sending a malicious attachment in a follow up email.”

On the zero-day front, TAG discovered bugs affecting Android, Chrome, iOS, Internet Explorer and Windows over the course of last year, including CVE-2020-0674. This is a memory-corruption vulnerability disclosed in late January, a critical flaw for most Internet Explorer versions, allowing remote code-execution and complete takeover.

Other notable bugs included CVE-2018-8653, CVE-2019-0676, CVE-2019-1367 and CVE-2019-1429 in Internet Explorer; CVE-2019-5786 in Chrome; and CVE-2019-0808 in Windows Kernel.

Zero-Day Details

Three bugs (CVE-2018-8653, CVE-2019-1367 and CVE-2020-0674) are vulnerabilities inside jscript.dll, Gidwani said. “Therefore all exploits enabled IE8 rendering and used JScript.Compact as JS engine. In most Internet Explorer exploits, attackers abused the Enumerator object in order to gain remote code execution.”

Meanwhile, CVE-2019-0676 “enables attackers to reveal presence or non-presence of files on the victim’s computer; this information was later used to decide whether or not a second stage exploit should be delivered,” according to the writeup.

And, “the attack vector for CVE-2019-1367 was rather atypical as the exploit was delivered from an Office document abusing the online video embedding feature to load an external URL conducting the exploitation.”

In one campaign, a single APT was seen using five zero-day exploits, delivered using watering-hole attacks, links to malicious websites and inemail attachments in targeted spear-phishing campaigns.

“Finding this many zero-day exploits from the same actor in a relatively short time frame is rare,” said Gidwani. “The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.”

Nonetheless, he said that it’s encouraging to see the decline in attacks.

“One reason for this decline is that our new protections are working,” said Gidwani. “Attackers’ efforts have been slowed down and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt.”

Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles

Discussion

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.