Many highly effective hacking groups associated with malware and advanced persistent threats (APTs) appear to lack an understanding of the technical exploits they use. They also fail to adequately test their exploits for effectiveness before unleashing them on their victims.
Gabor Szappanos of SophosLabs evaluated the malware and APT campaigns of several groups that all leveraged a particular exploit — a sophisticated attack against a specific version of Microsoft Office.
In a just-published technical paper, Gabor details how none of the groups he analyzed were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack.
Many groups’ efforts to modify the initial exploit resulted in buggy code and/or minimal changes to the original exploit. Interestingly, the APT groups — often billed as the most sophisticated of attackers — showed the lowest proficiency in both modification and QA. It was the “mainstream” or “opportunistic” criminal groups that were most effective in revising the code to suit their purposes.
Gabor points out, however, that these groups are in many cases still highly effective in infecting their targets and getting what they want (typically data or money). To use a physical world simile, it’s like they’re able to use lockpicks effectively, but they’re unable to effectively modify the lockpicks or craft new styles.
One conclusion, Gabor says, is that “if security researchers and system administrators follow and act upon vulnerability announcements, they are likely to be prepared for these groups.”
In other words, patching vulnerabilities as updates become available and using other technologies (e.g., intrusion prevention systems, or IPS) to block known attack vectors should be highly effective in protecting against the majority of targeted and opportunistic attacks.
However, he also warns, “one should never underestimate the malware authors mentioned in this report. They develop sophisticated Trojan families, and they manage to deploy them successfully to high profile organizations. The fact that they are not the masters of exploitation doesn’t mean that they are any less dangerous.”
“But they are not omnipotent either,” Gabor adds. “Understanding their limitations helps us to prepare our defenses.”
Download Gabor’s technical paper here: Exploit This: Evaluating the Exploit Skills of Malware Groups.
SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts.