Old vs. new vulnerabilities in targeted attacks

Much has been reported about the recent discovery of a cyber-espionage campaign launched by a group known as the “Sandworm Team.” At the very heart of this incident is a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.
In our analysis, the vulnerability may allow attackers to execute additional malware through a flaw in the OLE package manager in Microsoft Windows and Windows Server. Early reports shared that the vulnerability was being exploited in targeted attacks against several organizations and industry sectors. Analysis by Trend Micro researchers revealed that the attacks had ties to SCADA-centric targets. Furthermore, this vulnerability was soon used in yet another attack that employed a new evasion technique in the form of malicious files embedded in .PPSX files.
Vulnerabilities are almost always patched by vendors, especially if the vulnerability is considered critical. But despite the existence of patches, not all users and organizations apply them or apply them immediately. One reason would be that applying the patch might disrupt operations. Or there might be a significant delay in applying the patches as the patches first need to be tested before being applied to corporate environments.
Addressing targeted attacks requires not only the right set of tools but also the right mindset. In our entry, “Common Misconceptions IT Admins Have on Targeted Attacks,” we enumerated several misconceptions that might greatly affect the security of a network. Included there is the misconception that targeted attacks always involve zero-day vulnerabilities. As we have seen, attackers do not limit themselves to zero-day vulnerabilities. In fact, older vulnerabilities are favored over zero-days. This stresses the importance of applying all security patches as soon as they are available.
Addressing zero-days can be more difficult but not impossible. Tactics like virtual patching can help mitigate threats in the presence of zero-days and unsupported systems. Honeypots (which can attract attackers) can flag attacks at the earlier stages. Technologies like heuristic scanning and sandbox protection can help identify suspicious files and execute said files in a protected environment without compromising the network. Organizations should also look into employee education. Email lures are often the first stage in targeted attacks; if employees are trained to flag suspicious emails, network defense can improve greatly.
Trend Micro Deep Security protects users from zero-day vulnerabilities mentioned in this blog post.
All the best,

Frederick
Technical Lead Nordics
https://www.linkedin.com/profile/view?id=203862061

Frederick Wennmark - Trend Micro

New EU Data protection directive: Serious business impact

Recent research on data breach incidents in Europe found that some 645 million personal records were lost from 2005 to 2014. However, despite the din of media coverage discussing data breaches and personal privacy, it was also found that over a third (36%) of European citizens aren’t even aware of the EU Data Protection Regulation.

The new data protection laws integrate the “right to be forgotten,” which was strengthened by a positive ruling during the second quarter of 2014. This allows users to request that search engines remove search results related to them. In addition, businesses will be required to explicitly ask for consent when processing data, instead of just assuming that the user agrees to it. Breaches will stop being secret to customers, as the new regulation dictates that a notification must be made within 24 hours after a breach has happened.

Businesses can be fined up to 5% of their annual turnover if they are in violation of the proposed regulations.
An interesting calculation of what 5% of annual turnover amounts to:
Statoil: 40 billion EUR
IKEA: 1,5 billion EUR
Maersk: 2,5 billion EUR
H&M: 700 million EUR

This is business critical. 


http://www.trendmicro.com/vinfo/us/security/news/online-privacy/a-visual-guide-to-the-eu-data-protection-law


Russian hackers infect via PowerPoint

Problem description:
A zero-day vulnerability was exposed today in desktop and server versions of Windows from Vista and Server 2008 up to current versions. It is believed to be associated with cyber attacks related to NATO by a Russian cyber espionage group.

By using a PowerPoint document, an .INF file in an embedded OLE object can be copied from a remote SMB share folder and installed on the system. Attackers can exploit this logic defect to execute additional malware, downloaded via the same means. The severity of the vulnerability is highly critical because it is fairly simple to exploit. Threat researchers at Trend Micro detect the exploit as TROJ_MDLOAD.PGTY, which in turn leads to the download of INF_BLACKEN.A when successfully exploited. This malware, in turn, downloads and executes the backdoor, which we detect as BKDR_BLACKEN.A.
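A defensive check for the delivery mechanism described above: an OLE object relationship inside the presentation package that points at a remote SMB share instead of at content stored in the file. This is an added example, not code from this post or from Trend Micro; the sample package and the UNC path in it are constructed here, and in practice the scanner would be fed the bytes of a real .PPSX/.PPTX read from disk or from a mail gateway.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def external_unc_targets(ooxml_bytes):
    """Scan every .rels part of an OOXML package (PPSX/PPTX/DOCX) and return
    (part_name, target) for relationships whose TargetMode is External and
    whose target is a UNC share or file: URL, i.e. content that Office would
    fetch over SMB rather than read from inside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if target.startswith("\\\\") or target.lower().startswith("file:"):
                    findings.append((name, target))
    return findings


def build_sample_ppsx(slide_rels_xml):
    """Build a minimal, constructed package: one slide plus its .rels part.
    Only the parts the scanner inspects are present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"/>')
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


# Constructed slide relationships: an embedded object whose content lives on a
# remote share (203.0.113.5 is a documentation address, not a real host).
SUSPICIOUS_RELS = rf"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Target="\\203.0.113.5\share\slide1.inf" TargetMode="External"/>
</Relationships>"""

# Constructed benign case: an ordinary external hyperlink is not flagged.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, external_unc_targets(build_sample_ppsx(rels)))
```

A hit is a reason to quarantine and inspect the document, not proof of exploitation; the same relationship pattern is what a mail gateway or sandbox rule would look for in attachments.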

Solution:
Because this vulnerability is not arduous to exploit, attackers may abuse it to deliver new malware payloads. Trend Micro secures users from this threat by detecting the exploit and malware payload via its Smart Protection Network. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage this vulnerability.

Users are strongly advised to patch their systems once Microsoft releases its security update for this. In addition, users and employees are advised not to open PowerPoint files from unknown sources, as this may lead to a series of malware infections.

More details:
http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/


Dropbox again…

Problem definition:

If you use Dropbox, you need to change your password immediately; by all indications, there has been a breach in account security. In a leak on Pastebin, the poster claims to have the usernames and passwords of nearly 7 million Dropbox users. To prove that the information is real, 420 usernames and passwords have been posted.

It goes without saying that this will hurt Dropbox’s reputation, but it will also affect the entire industry too, as some users are already nervous about giving other companies the ability to store their content.

This is the third time that Dropbox has been in the news this week with a headline it likely wishes it could bury. Earlier this week we reported that there was a bug with the service that could permanently delete a file, and Edward Snowden said you should not use the platform as well.

Solution:
Trend Micro SafeSync works where you want it to, backing up and syncing files between your computers and mobile devices. Share securely with passwords or expiry dates, and disable the link when you’re finished. 25+ years of Trend Micro Internet security expertise goes into every single aspect of SafeSync. Bank-level encryption means your files are protected from the bad guys.

SafeSync for Enterprise gives your employees a secure and familiar way (functions like Dropbox or Google Drive) to get data onto their devices while ensuring that sensitive data remains protected when it moves off the device. You can maintain control of shared data by storing your sensitive data in a controlled corporate environment and by defining which file types are too sensitive to synchronize to mobile devices.

http://www.trendmicro.com/us/enterprise/product-security/safesync-file-sharing/


We all hold our thumbs

We should not have to, but we do – accepting that our systems leak like an old wooden boat.

So, what do your security patching routines look like? Late Friday nights? Weekends? It’s a pain, and we have to live with it.


But the most critical question here is not when we have time to patch or who does the actual job, but rather: when is a security patch available? As soon as the vulnerability is found, the hackers go to work and the clock is ticking. And we all hold our thumbs that the patch comes before the hackers.

We saw the Shellshock vulnerability used in botnet attacks immediately after the announcement, long before any security patch was released.

The hackers have an unfair advantage. That’s the brutal fact. We just have to do what we can to minimize the risk.

So, wouldn’t it be nice to have a security system that could just make a temporary security patch until your software vendor has published the official patch?

We at Trend Micro try to deliver the facts to you about threats we see AND a solution. Hope you stay tuned.


Trend Micro virtual patching solutions deliver immediate protection while eliminating the operational pains of emergency patching, frequent patch cycles, and costly system downtime. Our Deep Security virtual patching keeps your servers and endpoints protected while preventing costly emergency patching and upgrades as well as reducing the risk of breach disclosure costs. It even helps to extend the life of legacy systems and applications.

http://www.trendmicro.com/cloud-content/us/pdfs/business/sb_virtual-patching.pdf

Two videos describing how it works, a real-life reference, and the benefits:
http://www.trendmicro.co.uk/video/save-time-and-money-with-virtual-patching/index.html