2012年7月29日 星期日

Prepare for the "Advanced Persistent Threat" Warfare

Advanced Persistent Threat (APT) has became a tough security challenge that large organizations and important individuals must be prepared for worst sooner or later. Last year at Defcon 2011, we shared our novel DNA approach in detecting and clustering APT document exploits. We were able to find 8 sizable APT attacker groups from our collections. At that time, it was a pool close to one thousand APT samples. A year later, we expand our study to cover more than a dozen thousand samples. Last week we had shared these interesting results to the attendees of HITCon 2012.
In this talk, we co-speak with Mr. Li (Director of Computer Center, National Police Agency of Taiwan) on the current status of APT cyber operations. Highlights of our findings include:

  • APT happens almost everywhere. Some locations were confirmed as the targets were willing to share with us their stories. Other than that, we studied the content of APT samples, looking for clues of the potential targets. The legitimate content could be in some unique languages, e.g. Traditional Chinese, Simplified Chinese, etc. The exploits might required unique environment to be triggered. We also found some callback destinations tend to be located near the targets. 
  • Taiwan (28.2%) had most APT callbacks or C2 (command & control) servers, followed by United States (17.2%), South Korea (14.4%) and China (10.5%).
  • Document exploits (97.62%) have been an all-time favorite for APT targeted attacks. Among these malicious documents, PDF (39.31%) ranked the most commonly-seen file type, followed by the office family: RTF (22.92%), DOC (17.45%), XLS (10.51%), and PPT (7.43%).
  • In recent years, the popularity of RTF (51.4%), DOC (14.5%), XLS (24.9%) had increased dramatically, surpassing PDF. And very often RTF is being disguised as DOC.
  • We saw a significant rise of password-protected document starting this year 2012. One particular attacker group leverage this trick heavily (65.9%) as it bypassed all antivirus and sandbox.


  • A great amount of exploits could be dig from these APT documents. A 2-year old RTF exploit CVE-2010-3333 is still very popular. In the wild, this exploit is very easy to be triggered successfully. 



  • We identified 33 sizable APT attacker groups around the world. Each node in the graph represents a species (yup, DNA), the color of each species indicate the time it's firstly seen (built). Yellow color means 2012, green is 2011, blue is 2010, orange is 2009, pink/white is 2008, etc. Different species might be linked with one or several edges. Each edge represents there is some similarity of the two nodes. Each cube or rectangular means the nodes inside belong to the same APT family - the same APT attacker group.  


In summary, we found APT cyber operations are happening around the world. They mostly use document exploits and starting this year password-protection trick is added. At least one callback is located near the target for testing network connection, or it's actually the C2 server with smooth bandwidth. After all, we identified 33 notable APT attacker groups, indicating advanced cyber operations typically are conducted in groups, well-organized and highly disciplined.

Finally, we would like to say big thank you to friends in the community and our users who are willing to feedback to us. Security is all about collaborative defense. It's everyone's work.
"If we know both ourselves and our enemy, we can win numerous battles without jeopardy". (The Art of War)

Sincerely,
Jeremy Chiu (Birdman), Benson Wu and Anthony Lai
Xecure Lab

5 則留言:

  1. Even we didn't speak at DEF CON, hopefully, this piece of update could be helpful to APT researchers and industry.

    回覆刪除
  2. Is there any chance it might be possible to get a look at a copy of that APT actor diagram that's blown up large enough to actually see the notations on the individual sample entries?

    回覆刪除
    回覆
    1. The APT actor diagram is for our internal research and even our paying customers do not get a large resolution but an overview abstract one, there are details that we couldn't disclose at this moment. If you do have special need about APT actors, please write us, we might be able to help further. Thank you. benson at xecure-lab.com

      刪除
  3. And when you enter the password for those Office exploits and open/drop the file to disk, what happens to detection rates then? When it actually matters.

    回覆刪除
    回覆
    1. Right now we simply rely on VirusTotal to give us a quick idea on the AV detection rate of this password-protected APT document as we do not have the resources to test all 42 antivirus product against this APT sample in the use case you mentioned. (Gee... Google acquired VirusTotal, would they have the crazy ideas of offering sandbox versions of 42 AV product? :D)

      刪除