Microsoft, Trend Micro Identify Surge in PDF Attacks

Trend Micro said this week that some of the document attacks it has identified are associated with campaigns that target an Adobe Reader and Acrobat flaw patched by the software maker in February. The flaw was acknowledged by Adobe and deemed serious because it could bypass sandbox security restrictions in the latest version of the software. Trend Micro provided analysis Monday of one attack it detected that has similarities to MiniDuke and Zegost, spear phishing campaigns that had been seen targeting government agencies in Europe.

"Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal," Nart Villeneuve, a senior threat researcher at Trend Micro, wrote in his analysis of the threats. "At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability."

The attacks analyzed by Trend Micro targeted people in Japan, South Korea and India. The malicious PDFs drop different PlugX variants, often mirroring Microsoft, Lenovo and McAfee processes in an effort to evade detection. PlugX drops have been identified by security firms as a common component in nation-state-driven targeted attack campaigns.
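As an added example that is not from the article or from Trend Micro, the following Python script shows one defender-side check against the process-name mirroring described above: it walks a constructed process inventory and flags any process that carries a well-known vendor's executable name but runs from a directory, or under a code signer, that does not match that vendor. The expected-directory map and the name-to-vendor table are assumptions made for this example, not vendor documentation; the sample inventory is constructed.

```python
"""Flag processes that borrow a well-known vendor's executable name but run
from an unexpected location or without that vendor's signature.

Added example; the directory allowlist, the name-to-vendor table and the
sample inventory below are assumptions constructed for illustration.
"""
from pathlib import PureWindowsPath

# Assumed: where a genuine binary carrying each vendor's name is expected to
# live. Illustrative defaults, not an authoritative vendor install list.
EXPECTED_DIRS = {
    "microsoft": (
        "c:/windows/system32",
        "c:/windows/syswow64",
        "c:/program files/microsoft",
    ),
    "lenovo": (
        "c:/program files/lenovo",
        "c:/program files (x86)/lenovo",
    ),
    "mcafee": (
        "c:/program files/mcafee",
        "c:/program files (x86)/mcafee",
        "c:/program files/common files/mcafee",
    ),
}

# Assumed: executable names that an analyst associates with each vendor.
VENDOR_NAMES = {
    "svchost.exe": "microsoft",
    "lenovoservice.exe": "lenovo",   # constructed name for the example
    "mcshield.exe": "mcafee",
}

# Constructed sample inventory (pid, image name, image path, code signer).
SAMPLE_PROCESSES = [
    {"pid": 612, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows"},
    {"pid": 3390, "name": "svchost.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "signer": None},
    {"pid": 1204, "name": "mcshield.exe",
     "path": r"C:\Program Files\McAfee\VirusScan\mcshield.exe", "signer": "McAfee, Inc."},
    {"pid": 4108, "name": "mcshield.exe",
     "path": r"C:\ProgramData\Update\mcshield.exe", "signer": "McAfee, Inc."},
]


def normalize(path: str) -> str:
    """Lower-case a Windows path and use forward slashes for comparison."""
    return str(PureWindowsPath(path)).lower().replace("\\", "/")


def is_expected_location(vendor: str, path: str) -> bool:
    """True if the image lives under one of the vendor's expected directories.

    The trailing slash prevents 'c:/windows/system32evil/...' from matching
    the 'c:/windows/system32' prefix.
    """
    p = normalize(path)
    return any(p.startswith(d.rstrip("/") + "/") for d in EXPECTED_DIRS[vendor])


def flag_masquerades(processes, vendor_names=VENDOR_NAMES):
    """Return (pid, name, reasons) for each process whose name claims a vendor
    but whose path or signer does not back that claim."""
    findings = []
    for proc in processes:
        name = proc["name"].lower()
        vendor = vendor_names.get(name)
        if vendor is None:
            continue  # not a name we track; nothing to compare against
        reasons = []
        if not is_expected_location(vendor, proc["path"]):
            reasons.append(f"unexpected path {proc['path']}")
        signer = (proc.get("signer") or "").lower()
        if vendor not in signer:
            reasons.append(f"signer {proc.get('signer')!r} does not match {vendor}")
        if reasons:
            findings.append((proc["pid"], name, reasons))
    return findings


if __name__ == "__main__":
    for pid, name, reasons in flag_masquerades(SAMPLE_PROCESSES):
        print(f"pid {pid} {name}: " + "; ".join(reasons))
```

On a live host the inventory would come from the system's process list and signer data from a signature check; the two heuristics are deliberately independent so that a correctly signed binary copied to an odd directory still produces a finding, which is the case the fourth sample record exercises.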

The 2013 Verizon Data Breach Investigations Report found an increasing number of targeted attacks aimed at manufacturers and other groups. The campaigns are believed to be stealing intellectual property and other data. Phishing was a common technique used in 95 percent of targeted attacks, Verizon found. The email attacks give cybercriminals an initial foothold onto a victim's machine.

Still, financially motivated attacks that use malicious PDF files and links are the most widespread, according to security experts. The surge of targeted attacks has been "sensationalized," according to Shane Shook, global vice president of consulting at Irvine, Calif.-based security incident response startup Cylance.

"Email is the most popular attack vector because people, for whatever reason, naturally and intuitively click on a link or a file attachment," Shook told CRN. "We've been saying that you should keep your software patched, using the latest version and constantly stay on top of that, but in the enterprise it is functionally impossible to achieve that."

PUBLISHED ON APRIL 30, 2013