Executives targeted in trojan attack

At a time when most of us have finally become accustomed to big, bot-generated, impersonal attacks being the primary external threat to corporate IT systems, it appears that some criminals are going old school and giving penetration attempts the personal touch again. SANS reports this morning that executives of an unnamed Swedish company received e-mail messages with forged sender addresses, directed to them explicitly, with a realistic-sounding "Excel" report attached; the file in fact contained a specifically crafted variant of the Poison Ivy trojan.
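The two lure ingredients described above, a forged sender and an "Excel" attachment that is really an executable, are both visible at the mail gateway. This added example (not part of the original post) triages a constructed message: it compares the visible From: domain with the envelope Return-Path domain and checks whether an attachment named like an Office document actually begins with an Office file signature; all addresses and file contents are made-up sample data.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Leading bytes that identify the real container type of an attachment.
MAGIC = {
    b"MZ": "Windows executable",
    b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)",
    b"PK\x03\x04": "ZIP (Office 2007+ or archive)",
}
OFFICE_EXT = (".xls", ".xlsx", ".doc", ".docx")
OFFICE_KINDS = ("OLE2 (legacy Office)", "ZIP (Office 2007+ or archive)")

def content_kind(data: bytes) -> str:
    """Classify attachment bytes by signature; 'unknown' when nothing matches."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def _domain(header_value) -> str:
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def sender_mismatch(msg: EmailMessage) -> bool:
    """True when the displayed From: domain differs from the envelope sender domain."""
    frm, rp = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    return bool(frm and rp and frm != rp)

def suspicious_attachments(msg: EmailMessage) -> list:
    """Office-named attachments whose bytes are not an Office container."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        kind = content_kind(part.get_payload(decode=True) or b"")
        if name.endswith(OFFICE_EXT) and kind not in OFFICE_KINDS:
            findings.append((name, kind))
    return findings

def triage(msg: EmailMessage) -> dict:
    return {"forged_sender": sender_mismatch(msg),
            "bad_attachments": suspicious_attachments(msg)}

def build_sample() -> EmailMessage:
    """Constructed sample: forged From:, and a '.xls' that starts with a PE header."""
    msg = EmailMessage()
    msg["From"] = "cfo@example-corp.test"                   # assumed forged display sender
    msg["Return-Path"] = "<bounce@unrelated-mailer.test>"   # assumed real envelope sender
    msg["To"] = "ceo@example-corp.test"
    msg["Subject"] = "Q3 results"
    msg.set_content("Please review the attached report.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="vnd.ms-excel", filename="Q3_report.xls")
    return msg
```

In a real deployment the Return-Path comparison should be replaced by the gateway's SPF/DKIM/DMARC results, but the attachment signature check applies unchanged.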
Massive bot-generated attacks have their own risks, but their generic nature has made them easy to spot and relatively easy to defend against for most organizations. They continue to work because they are a numbers game; there are still enough organizations that do not sufficiently secure their systems that such massive shotgun attacks are bound to score a few hits. It's not clear whether this return to a targeted approach is due to a drop in the success rate of the shotgun approach or whether the criminals involved saw some specific advantage in focusing on this particular company. There are many possible motives, of course, but I believe that this portends a trend back toward target-oriented attack patterns. The shotgun approach was inevitable with so many holes and so many new systems coming online over the past decade… it was bound to hit home against organizations that were eager to get online and only secondarily concerned with security.
Today, while the rate of growth may not have diminished much, there is certainly a greater likelihood that new hosts will be managed by experienced service providers specializing in such operations, who have good security awareness and practices. You no longer have to spin up your own servers internally to provide any sort of internet-based service; indeed, it's no longer typically cost-effective to do so. With the burgeoning expansion of cloud-based service providers, even more specialized computing functions can be performed while still existing in an environment hosted by experienced, dedicated professionals with a focus on running secure systems.
This, together with the general improvement in security among most popular hosting operating systems, has to reduce the hit rate of generic attacks. At the same time, online crime is becoming more systematized and more organized. It was inevitable that those criminals would realize that a more specific approach, with more attention to a particular target's weaknesses and potential benefits, could prove to be more lucrative. Switching the primary attack interface from generic e-mail addresses or internet-facing company machines to generally non-security-aware executives signals a discomfiting level of insight into modern corporate IT vulnerability… vulnerability which has been widely neglected by IT security teams during the past decade as the ubiquitous but predictable botnets took up most of their resources.
There are many possible motives for this specific attack, from revenge to corporate espionage, and perhaps it would have been launched, as a few have, even during the height of the botnet era. But you can bet that there will be more like it coming soon.