Sunday, July 29, 2012

Prepare for the "Advanced Persistent Threat" Warfare

Advanced Persistent Threat (APT) has become a tough security challenge that large organizations and important individuals must, sooner or later, be prepared for at its worst. Last year at Defcon 2011, we shared our novel DNA approach to detecting and clustering APT document exploits. We were able to find 8 sizable APT attacker groups in our collection, which at that time was a pool of close to one thousand APT samples. A year later, we have expanded our study to cover more than a dozen thousand samples. Last week we shared these interesting results with the attendees of HITCon 2012.
In this talk we co-presented with Mr. Li (Director of the Computer Center, National Police Agency of Taiwan) on the current status of APT cyber operations. Highlights of our findings include:

  • APT happens almost everywhere. Some locations were confirmed because the targets were willing to share their stories with us. Beyond that, we studied the content of the APT samples, looking for clues to the potential targets: the legitimate decoy content may be in a specific language (e.g. Traditional Chinese or Simplified Chinese), and the exploits may require a specific environment to be triggered. We also found that some callback destinations tend to be located near the targets.
  • Taiwan (28.2%) had the most APT callbacks or C2 (command & control) servers, followed by the United States (17.2%), South Korea (14.4%) and China (10.5%).
  • Document exploits (97.62%) have been an all-time favorite for APT targeted attacks. Among these malicious documents, PDF (39.31%) was the most commonly seen file type, followed by the Office family: RTF (22.92%), DOC (17.45%), XLS (10.51%) and PPT (7.43%).
  • In recent years, the popularity of RTF (51.4%), DOC (14.5%) and XLS (24.9%) has increased dramatically, surpassing PDF. Very often, RTF is disguised as DOC.
  • We saw a significant rise in password-protected documents starting this year, 2012. One particular attacker group leverages this trick heavily (65.9%), as it bypassed all antivirus and sandbox products.
  • A great number of exploits can be dug out of these APT documents. A two-year-old RTF exploit, CVE-2010-3333, is still very popular; in the wild, this exploit is very easy to trigger successfully.
  • We identified 33 sizable APT attacker groups around the world. In the graph, each node represents a species (yes, DNA), and the color of each node indicates the time that species was first seen (built): yellow means 2012, green 2011, blue 2010, orange 2009, pink/white 2008, and so on. Different species may be linked by one or several edges, each edge representing some similarity between the two nodes. Each box (cube or rectangle) means the nodes inside it belong to the same APT family, that is, the same APT attacker group.


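Two of the findings above, RTF disguised as DOC and password-protected documents slipping past scanners, can be caught with a cheap pre-filter before any sandbox sees the file. The example below is added here and is not Xecure Lab's code: it compares the container a file actually carries (well-known magic bytes for RTF, PDF, OLE2 and ZIP/OOXML) with what its extension promises, and flags PDFs whose trailer declares an /Encrypt entry. The sample files are a few constructed bytes each, and the /Encrypt search is a heuristic rather than a full PDF parse.

```python
# Added example: extension/content mismatch and password-protection triage.
# Magic-byte signatures are standard format facts; everything else is assumed.
SIGNATURES = {
    "rtf": b"{\\rtf",                              # Rich Text Format header
    "pdf": b"%PDF-",                               # PDF header
    "ole2": bytes.fromhex("D0CF11E0A1B11AE1"),     # legacy .doc/.xls/.ppt container
    "zip": b"PK\x03\x04",                          # OOXML (.docx/.xlsx/.pptx) container
}

# Container a given extension is expected to carry.
EXPECTED = {
    "rtf": "rtf", "pdf": "pdf",
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
}

# Constructed samples (not real APT files): a few bytes of each container.
SAMPLES = {
    "quarterly_report.doc": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0 hello}",
    "invoice.pdf": (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
                    b"trailer\n<</Root 1 0 R/Encrypt 5 0 R>>\n%%EOF"),
    "memo.docx": b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml",
    "budget.xls": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 24,
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the file's leading bytes."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    # Word is lenient and opens RTF even with leading junk, so also look for
    # the RTF header anywhere in the first kilobyte before giving up.
    if b"{\\rtf" in data[:1024]:
        return "rtf"
    return "unknown"


def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: a PDF whose trailer names an /Encrypt dictionary needs a key to open."""
    return b"/Encrypt" in data


def assess(filename: str, data: bytes) -> dict:
    """Compare extension against content and collect triage findings."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    findings = []
    if expected is not None and actual != "unknown" and actual != expected:
        findings.append(f"extension .{ext} but content is {actual}")
    if actual == "pdf" and pdf_is_encrypted(data):
        findings.append("PDF is password-protected (/Encrypt present)")
    return {"file": filename, "ext": ext, "content": actual, "findings": findings}


def triage(samples: dict) -> list:
    """Return the names of files that deserve a closer look, sorted."""
    return sorted(name for name, data in samples.items() if assess(name, data)["findings"])


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess(name, data))
    print("suspicious:", triage(SAMPLES))
```

A mismatch is not proof of malice, and an encrypted PDF may be a legitimate invoice; the value of the check is that both conditions are exactly the ones the findings above associate with evading automated scanning, so they are a good reason to route the file to manual review or to a sandbox that is fed the password from the e-mail body.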
In summary, we found that APT cyber operations are happening around the world. They mostly use document exploits, and starting this year the password-protection trick has been added. At least one callback is located near the target, either for testing network connectivity or because it is actually the C2 server with good bandwidth. In all, we identified 33 notable APT attacker groups, indicating that advanced cyber operations are typically conducted in groups that are well organized and highly disciplined.
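The species graph described in the findings above (nodes coloured by first-seen year, edges for similarity, boxes for families) can be reconstructed from any per-sample feature set. The example below is added here and is not Xecure Lab's DNA method: the post does not publish its features or its similarity threshold, so the trait names, the Jaccard measure and the 0.5 cut-off are all assumptions. Nodes that reach the threshold get an edge, and each family is then the connected component that an edge chain ties together.

```python
from itertools import combinations

# Constructed sample (assumed trait names): year first seen, set of traits.
SPECIES = {
    "s1": (2010, {"cve-2010-3333", "rtf-as-doc", "zh-tw-decoy", "cb:tw"}),
    "s2": (2011, {"cve-2010-3333", "rtf-as-doc", "zh-tw-decoy", "cb:kr"}),
    "s3": (2012, {"cve-2010-3333", "rtf-as-doc", "password", "cb:tw"}),
    "s4": (2009, {"pdf-js", "en-decoy", "cb:us"}),
    "s5": (2011, {"pdf-js", "en-decoy", "cb:us", "password"}),
    "s6": (2012, {"xls-shellcode", "zh-cn-decoy", "cb:cn"}),
}

# Colour legend from the post's graph description.
YEAR_COLOUR = {2008: "pink/white", 2009: "orange", 2010: "blue",
               2011: "green", 2012: "yellow"}


def jaccard(a: set, b: set) -> float:
    """Assumed similarity measure: shared traits divided by all traits."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def build_edges(species: dict, threshold: float = 0.5) -> list:
    """Link two species when their similarity reaches the (assumed) threshold."""
    edges = []
    for u, v in combinations(sorted(species), 2):
        sim = jaccard(species[u][1], species[v][1])
        if sim >= threshold:
            edges.append((u, v, round(sim, 3)))
    return edges


def families(species: dict, edges: list) -> list:
    """Group nodes into families (the boxes in the graph) as connected components."""
    parent = {n: n for n in species}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for u, v, _ in edges:
        parent[find(u)] = find(v)
    groups = {}
    for n in species:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


def describe(species: dict) -> list:
    """One line per family, listing its members with their year colour."""
    lines = []
    for i, fam in enumerate(families(species, build_edges(species)), 1):
        members = ", ".join(f"{n} ({YEAR_COLOUR.get(species[n][0], 'grey')})" for n in fam)
        lines.append(f"family {i}: {members}")
    return lines


if __name__ == "__main__":
    for e in build_edges(SPECIES):
        print("edge", e)
    for line in describe(SPECIES):
        print(line)
```

With these sample traits, s1 links to both s2 and s3 although s2 and s3 are not similar enough to each other, which is exactly why families are drawn as components rather than as cliques: a group that changes one trait per campaign (a new callback region, a newly adopted password trick) still chains back to its older species.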

Finally, we would like to say a big thank you to friends in the community and to our users who are willing to give us feedback. Security is all about collaborative defense. It's everyone's work.
"If we know both ourselves and our enemy, we can win numerous battles without jeopardy". (The Art of War)

Sincerely,
Jeremy Chiu (Birdman), Benson Wu and Anthony Lai
Xecure Lab