Microsoft, Trend Micro Identify Surge in PDF Attacks

Microsoft and Trend Micro have identified a sudden surge in document attacks that appear to stem from both automated attack toolkits and targeted attacks that exploit older vulnerabilities in Adobe Reader and Acrobat software.

Microsoft said exploits that target vulnerabilities in document readers and editors rose sharply in the fourth quarter of 2012 and there's evidence of the trend continuing in 2013. Nearly 3 million computers detected a document attack in the fourth quarter of 2012, doubling the detection rate in the previous quarter.

Victims of the attacks are being compromised by visiting a malicious webpage or opening a PDF in an email attachment, said Tanmay Ganacharya, lead security researcher at Microsoft's Malware Protection Center.



"These files contain a JavaScript that executes when the file is opened," Ganacharya wrote in an analysis of the attacks this week. "The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware."
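The auto-executing JavaScript pattern Ganacharya describes can be triaged without opening the file in a reader: the names that make a script run on open (/OpenAction, /AA, or a document-level /JavaScript name tree) are plain tokens in the PDF syntax. The following scanner is an added example, not code from Microsoft or Trend Micro; the two PDFs it inspects are constructed inline and are inert.

```python
import re

# Constructed sample: a minimal PDF whose /OpenAction points at a JavaScript
# action. The /J#61vaScript spelling is the PDF #xx name escape, which attackers
# use to hide the keyword from naive grep-style scans. The script body is inert.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign control: same structure, no action and no script.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names that cause execution on open: an explicit open action, an additional-
# actions dictionary, or a /Names tree (document-level JavaScript runs at open).
TRIGGERS = {"/OpenAction", "/AA", "/Names"}
SCRIPT_KEYS = {"/JavaScript", "/JS"}

_NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%]+)")

def _decode_name(tok: bytes) -> str:
    # Resolve #xx escapes so /J#61vaScript and /JavaScript compare equal.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), tok).decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count decoded name tokens and report whether script can run on open.

    Heuristic only: names inside FlateDecode'd object streams are not
    inflated here, so a clean result is not proof of a clean file."""
    counts: dict = {}
    for tok in _NAME_RE.findall(data):
        name = _decode_name(tok)
        counts[name] = counts.get(name, 0) + 1
    has_trigger = any(counts.get(t, 0) for t in TRIGGERS)
    has_script = any(counts.get(k, 0) for k in SCRIPT_KEYS)
    return {
        "counts": {k: counts[k] for k in TRIGGERS | SCRIPT_KEYS if k in counts},
        "auto_javascript": has_trigger and has_script,
    }

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))  # auto_javascript True
    print(scan_pdf(BENIGN_PDF))  # auto_javascript False
```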

The cybercriminals are exploiting vulnerabilities in Reader and Acrobat that were patched by Adobe as far back as 2008. The critical flaws are a variety of memory corruption errors, easily exploitable on victims' computers that have failed to keep the software updated.

The most commonly targeted error, a flaw that was repaired in 2010, can crash the application in a way that lets malicious code execute, ultimately giving an attacker control of the affected system. An exploit targeting the flaw is available in Black Hole and a number of other exploit toolkits, Ganacharya said. Microsoft has identified five malware variants targeting the coding error.

"This vulnerability is still being exploited widely even though a fix has been available for over 2 years," Ganacharya wrote.


Trend Micro said this week that some of the document attacks it has identified are associated with campaigns that target an Adobe Reader and Acrobat flaw patched by the software maker in February. The flaw was acknowledged by Adobe and deemed serious because it could bypass sandbox security restrictions in the latest version of the software. Trend Micro provided analysis Monday of one attack it detected that has similarities to MiniDuke and Zegost, spear phishing campaigns that had been seen targeting government agencies in Europe.

"Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal," Nart Villeneuve, a senior threat researcher at Trend Micro, wrote in his analysis of the threats. "At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability."

The attacks analyzed by Trend Micro targeted people in Japan, South Korea and India. The malicious PDFs drop different PlugX variants, often masquerading as Microsoft, Lenovo and McAfee processes in an effort to evade detection. PlugX has been identified by security firms as a common component in nation-state-driven targeted attack campaigns.

The 2013 Verizon Data Breach Investigations Report found an increasing number of targeted attacks aimed at manufacturers and other groups. The campaigns are believed to be stealing intellectual property and other data. Phishing was a common technique used in 95 percent of targeted attacks, Verizon found. The email attacks give cybercriminals an initial foothold onto a victim's machine.

Still, financially motivated attacks that use malicious PDF files and links are the most widespread, according to security experts. The surge of targeted attacks has been "sensationalized," according to Shane Shook, global vice president of consulting at Irvine, Calif.-based security incident response startup Cylance.

"Email is the most popular attack vector because people, for whatever reason, naturally and intuitively click on a link or a file attachment," Shook told CRN. "We've been saying that you should keep your software patched, using the latest version and constantly stay on top of that, but in the enterprise it is functionally impossible to achieve that."