Spammers aren’t the only ones who have figured out that social networks like Twitter and Facebook are good for business. Sophisticated hackers conducting targeted attacks are also using the networks as a tool to manage malware installations on victims’ networks, according to a new report from Mandiant.
Mandiant’s latest “M-Trends” report, released on Thursday, says that the company has observed an increasing number of so-called “Advanced Persistent Threats” hijacking legitimate social networks and Web-based services, including Facebook, Google Chat and MSN, as command-and-control channels for malware installations. The revelation is part of a larger trend in which sophisticated attacks on commercial entities outstripped attacks on the networks of government agencies and defense industry players, Mandiant reported.
The use of social networks for command and control by malware used in targeted attacks mirrors a similar development in the mass-market malware world. Social networks and Web-based services, such as IM, are being used to send instructions to malicious programs installed on victim networks. Mandiant consultants observed a downloader program that used Facebook’s messaging feature for command and control, Trojan horse programs that parsed command-and-control instructions from HTML comments on compromised Web pages, and a Trojan that used MSN and Google Chat for command and control.
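The HTML-comment channel described above is easy to overlook because comments never render. As an added example (not code from the article or from Mandiant), the script below shows a defender’s triage heuristic for that channel: it parses a page, collects every comment, and flags comments that carry a long, high-entropy base64-looking token, decoding the token when it is valid base64 of printable text. The sample page, the placeholder URL inside it (`example.invalid`), the 24-character minimum and the 4.0-bit entropy threshold are all constructed assumptions for the demonstration.

```python
import base64
import math
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary CMS comment and one comment carrying a
# long base64-looking token of the kind a trojan could parse for instructions.
# The token decodes to a placeholder URL on the reserved "invalid" TLD.
SAMPLE_HTML = """<html><head><title>Press releases</title></head>
<body>
<!-- nav rendered by cms v2 -->
<p>Welcome to our site.</p>
<!-- c2: aHR0cDovL2V4YW1wbGUuaW52YWxpZC91cGRhdGUucGhwP2lkPTQyJmNtZD1zbGVlcA== -->
</body></html>"""

# Constructed clean page used as a control.
BENIGN_HTML = "<html><body><!-- build 2011-01-27 --><p>ok</p></body></html>"

# A run of at least 24 base64-alphabet characters, optionally padded (assumed cutoff).
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


class CommentCollector(HTMLParser):
    """Collects the text of every HTML comment seen during parsing."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def shannon_entropy(s):
    """Bits per character; encoded blobs score well above ordinary comment text."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_decode(token):
    """Return the decoded text if the token is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def suspicious_comments(html, min_entropy=4.0):
    """Return (comment, token, decoded) for comments holding high-entropy base64 blobs."""
    parser = CommentCollector()
    parser.feed(html)
    hits = []
    for comment in parser.comments:
        for token in BASE64_TOKEN.findall(comment):
            if shannon_entropy(token) >= min_entropy:
                hits.append((comment, token, try_decode(token)))
    return hits


if __name__ == "__main__":
    for comment, token, decoded in suspicious_comments(SAMPLE_HTML):
        print("suspicious comment:", comment)
        print("  token:", token)
        print("  decodes to:", decoded)
```

Run against a page fetched through the proxy, the script prints the flagged comment and its decoded content for an analyst to judge; it is a triage aid, not a verdict, since legitimate pages also embed encoded data in comments. Raising `min_entropy` or the token length reduces noise at the cost of missing shorter instructions.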
Stealing data is still the top objective in attacks by advanced persistent threats (sometimes referred to as adaptive persistent adversaries). In other trends, Mandiant has observed sophisticated attackers focusing on legitimate PKI (public key infrastructure) encryption credentials as part of their canvassing of victim networks. PKI credentials can be used by attackers to create legitimate-seeming remote VPN connections into victim networks, or to decrypt and snoop on SSL-encrypted traffic in and out of victim organizations, Mandiant said.
Even hardware-based PKI, such as that used in so-called smart card deployments like the U.S. Department of Defense’s Common Access Card, is subject to attack. Mandiant said it has seen evidence of attackers canvassing networks for vulnerable systems that have smart card readers attached, then installing keylogger software to capture the password associated with a given smart card. In some cases, attackers were able to use compromised hosts as “smart card proxies” by detecting when a smart card was inserted into the reader on the system, then using that second factor, together with the stolen password, to initiate malicious sessions with restricted resources on the network.
Mandiant said that targeted e-mail “spear phishing” campaigns were still the weapon of choice for establishing a foothold on victim networks. Spear phishing campaigns using infected ZIP, PDF, Word and Excel files were common. Furthermore, the majority of intrusions observed at over 120 organizations started with e-mail campaigns, with attackers sending wide-spectrum targeted e-mail campaigns in the hope of snaring just a handful of users. Those compromised hosts can then provide access to victim networks for months or years to come, Mandiant said.
The company recommends that organizations deploy more systems that can detect compromises, including host- and network-based IDS and more thorough event logging. Companies that fear they have been the victim of a targeted attack should also respond deliberately, rather than reacting quickly to end the infection and secure compromised accounts. Understanding the full dimensions of a malicious attack makes recovery easier, while a hasty response can allow some compromised assets to go undetected, Mandiant said.