Phishing Attack Uses Office Flaw as Entry Point
Trend Micro is reporting a sophisticated cybercrime ring that has already targeted and infected over 12,000 unique IP addresses worldwide with malware.
The new targeted campaign, called "SafeNet," has been using an already-patched Office vulnerability (fixed in April's security update) as its distribution method, and it is succeeding against organizations that have been slow to apply that patch. Trend Micro also believes those responsible are located in Asia.
"While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China," said researchers at Trend Micro in a blog post. "However, the relationship between the malware developers and the campaign operators themselves remains unclear."
Even though Trend Micro has not stated the intent of the operation outright, SafeNet's ultimate goal is believed to be the theft of sensitive data.
While 12,000 infections may sound high, Trend Micro said that on average only about 71 infected IP addresses actually communicate with the group's command and control (C&C) servers on any given day. Both figures count addresses rather than machines: a single IP can hide many hosts behind NAT, and one host may appear under several addresses over time, so neither number should be read as an exact victim count.
According to a white paper that takes an in-depth look at the operation, the campaign has been targeting government entities, research institutions, media organizations and technology corporations.
Unlike generic phishing e-mails, the group sends spear-phishing messages crafted for the individual recipient, each with a malicious link embedded. One example given by Trend Micro was an e-mail to an unnamed media outlet that offered a fake link to a taped NBC interview with the Dalai Lama. If the link is opened on a system whose Office installation has not received the April patch, the exploit runs and the malware is silently installed.
During its investigation, Trend Micro was able to identify the infected IP addresses that had contacted the two C&C servers used in the operation, both believed to be located in China. According to the security firm's numbers, India was by far the most-affected country, with 4,305 IP addresses attacked. The U.S. came in second with 709.
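As an added illustration (not part of Trend Micro's report or its tooling), the following Python script shows how a defender could derive the same two kinds of figures, cumulative infected addresses versus daily active beacons, plus a per-country breakdown, from their own outbound-connection logs once the C&C addresses are known. The log lines, the C&C addresses (RFC 5737 documentation ranges) and the prefix-to-country table are all constructed for the example; a real deployment would use a GeoIP database instead of the hand-written table.

```python
"""Aggregate C&C beaconing from constructed outbound-connection logs.

Added example, not code from the Trend Micro report. Every address below
is from an RFC 5737 documentation range and the country table is made up.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the two C&C servers described in the report.
CNC_SERVERS = {"203.0.113.10", "203.0.113.20"}

# Hypothetical prefix-to-country table (a real tool would use GeoIP data).
COUNTRY_BY_PREFIX = {
    ip_network("192.0.2.0/25"): "IN",
    ip_network("192.0.2.128/25"): "US",
    ip_network("198.51.100.0/24"): "DE",
}

# Constructed log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>" per line.
# The 192.0.2.7 -> 203.0.113.99 line is ordinary traffic and must be ignored.
SAMPLE_LOG = """\
2013-05-01T08:00:01 192.0.2.5 203.0.113.10 443
2013-05-01T08:05:17 192.0.2.5 203.0.113.10 443
2013-05-01T09:12:40 192.0.2.130 203.0.113.20 80
2013-05-01T10:00:00 192.0.2.7 203.0.113.99 80
2013-05-02T07:59:59 192.0.2.5 203.0.113.10 443
2013-05-02T11:30:00 198.51.100.9 203.0.113.20 443
2013-05-03T12:00:00 192.0.2.130 203.0.113.10 443
2013-05-03T12:00:05 192.0.2.131 203.0.113.10 443
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def beacons(log_text):
    """Yield (date, src_ip) for every connection to a known C&C server."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _ = parse_line(line)
        if dst in CNC_SERVERS:
            yield ts.date(), src


def daily_active(log_text):
    """Map each date to the set of distinct source IPs that beaconed that day."""
    per_day = defaultdict(set)
    for day, src in beacons(log_text):
        per_day[day].add(src)
    return dict(per_day)


def summary(log_text):
    """Cumulative infected addresses versus the average daily active set.

    The gap between the two is the point the report makes: many more
    addresses are infected than check in on any single day.
    """
    per_day = daily_active(log_text)
    if not per_day:
        return {"total_infected": 0, "avg_daily_active": 0.0, "days_observed": 0}
    all_infected = set().union(*per_day.values())
    avg_daily = sum(len(s) for s in per_day.values()) / len(per_day)
    return {
        "total_infected": len(all_infected),
        "avg_daily_active": avg_daily,
        "days_observed": len(per_day),
    }


def country_of(addr):
    """Look up the (hypothetical) country code for an address, '??' if unknown."""
    ip = ip_address(addr)
    for net, cc in COUNTRY_BY_PREFIX.items():
        if ip in net:
            return cc
    return "??"


def by_country(log_text):
    """Count distinct infected source IPs per country, most affected first."""
    counts = defaultdict(int)
    seen = set()
    for _, src in beacons(log_text):
        if src not in seen:
            seen.add(src)
            counts[country_of(src)] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
    print(by_country(SAMPLE_LOG))
```

On the constructed log this reports four infected addresses but an average of only two beaconing per day, the same shape as the report's 12,000 versus 71. Because the counts are keyed on source IP, the NAT and address-churn caveats above apply to these numbers too.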
Because the targets have been identified as high-profile organizations and groups (and not individual users), Trend Micro suggests the most important prevention steps are making sure a comprehensive plan to secure sensitive data is in place and educating employees on the importance of staying vigilant for potential attacks.
"Security-related policies and procedures combined with education and training programs are essential components of defense," said the white paper. "Traditional training methods can be fortified by simulations and exercises using real spear-phishing attempts sent to test employees. Employees trained to expect targeted attacks are better positioned to report potential threats and constitute an important source of threat intelligence."