How threat actors conduct complicated attacks at the lowest cost
Kaspersky Lab researchers are observing a new and rather important trend in how sophisticated threat actors operate. It is becoming more and more common for threat actors not to use sophisticated and expensive attack techniques, such as zero-day vulnerabilities, but instead to rely on extremely targeted social engineering campaigns combined with known, proven malicious techniques.
This shift in how threat actors operate demonstrates that, in general, modern organizations’ IT infrastructure contains enough weaknesses to potentially allow attackers with relatively inexpensive attack toolsets to achieve their criminal goals. Microcin, a malicious campaign recently researched by Kaspersky Lab specialists, is an example of such an inexpensive, yet dangerous attack.
It all started when Kaspersky Anti Targeted Attack Platform (KATA) discovered a suspicious RTF file. The file included an exploit (malware that takes advantage of security weaknesses in widely used software to install additional malicious components) for a known and already patched vulnerability in Microsoft Office. The suspicious spear-phishing document was distributed through sites for a very specific group of people: forums for discussing issues related to obtaining subsidized housing – a benefit available mostly to employees of government and military organizations in Russia and some neighboring countries.
In order to protect their IT infrastructure from attacks like Microcin, Kaspersky Lab experts advise organizations to use security tools that allow the detection of malicious operations, rather than malicious software.
Such comprehensive solutions, like Kaspersky Anti Targeted Attack Platform, include not only endpoint protection technologies, but also technologies that enable the tracking and correlation of events in different parts of the organization’s network, thus identifying the malicious patterns present in sophisticated, targeted attacks.
Kaspersky Lab products successfully detect and block Microcin and similar campaigns. The details of the Microcin campaign can be found at the Securelist blog, which also includes further technical information on the attack.