Sheltering From Pawn Storm: How Multi-Layered Protection Can Combat Zero Day Threats

by Bharat Mistry

We’ve been raising awareness around the dangers of targeted attacks and APTs for several years now. There are many things organisations can do to minimise the risk of serious data loss via such an incident – not least to invest in cyber security tools from an industry leader. But sometimes we come across groups whose advanced attack techniques can overwhelm all but the most heavily defended organisations.

Pawn Storm is one such campaign. Recently we discovered a new weapon in the group’s formidable arsenal, which has already been fired at several foreign ministries around the world.

The zero day threat
Pawn Storm operatives are particularly good at finding new zero day vulnerabilities to exploit in their attacks. For example, in a previous run they found an undiscovered flaw in Java – the first that had been found in the software for two years. This time they’ve discovered a new zero day in Adobe Flash, since identified as CVE-2015-7645. Our threat analyst Peter Pi has already described it as “the most interesting Flash vulnerability I have ever analysed.”

Without comprehensive multi-layered protection, there’s a high likelihood that organisations will fall victim to such attacks. No vendor patch exists for a zero day vulnerability when it is first discovered, so any organisation running the affected software is exposed until one ships. The gang behind Pawn Storm also crafted convincing spear phishing emails containing malicious links leading to the exploit. As usual, plenty of time and thought went into social engineering, with the emails and links in question referencing current events of interest to the target. These include topics such as “Suicide car bomb targets NATO troop convoy Kabul” and “Syrian troops make gains as Putin defends air strikes”.

The risk with spear phishing attacks like this is that the user rarely recognises they have been infected. Thanks to the zero day exploit and clever social engineering their machine is compromised silently in the background with no warning to the individual and no red flag raised for the IT department. Once the attackers are inside the network they typically then escalate privileges until they find the data and systems they’re looking for – using obfuscation techniques to stay hidden from traditional warning systems. It could be weeks, months or even years before the victim organisation finds out.
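Because the lure looks like a legitimate news story, mail filtering has to look at the links rather than the topic. The following is an added example, not code from the original post or from Trend Micro: it parses a constructed HTML message and flags anchors whose visible text names one site while the href points somewhere else, or whose target is a bare IP address. The message, domains and addresses are invented for the demonstration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real Pawn Storm message): news-themed subject,
# visible link text naming a news site while the href points at a bare IP.
SAMPLE_EMAIL = """\
From: newsdesk@example.org
To: attache@ministry.example
Subject: Syrian troops make gains as Putin defends air strikes
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Full story: <a href="http://203.0.113.7/news/story.html">www.example-news.com/syria</a></p>
<p>Background: <a href="https://www.example-news.com/archive">archive</a></p>
</body></html>
"""

_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Visible anchor text that itself looks like a URL or hostname
_URLISH_RE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Hostname of a URL; scheme-less text such as www.x.com/y is accepted too."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def analyse_links(raw_message):
    """Return the anchors in the HTML body that trip a lure heuristic."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = _AnchorCollector()
    collector.feed(body.get_content() if body is not None else "")
    findings = []
    for href, text in collector.anchors:
        reasons = []
        host = _host(href)
        if _IP_RE.match(host):
            reasons.append("raw IP address as link host")
        if _URLISH_RE.match(text) and _host(text) != host:
            reasons.append("visible URL text does not match href host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        print(finding["href"], "<-", finding["text"], ":", "; ".join(finding["reasons"]))
```

Both heuristics are cheap enough to run on every inbound message; the mismatch check in particular catches the common trick of showing a trusted-looking address while linking elsewhere, without needing any prior knowledge of the exploit site.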

Strength in depth
Popular software like Adobe Flash is frequently targeted by malware writers and APT groups looking to find previously undiscovered flaws to exploit. One look at the monthly patch update cycle from Adobe is enough to tell you just how regularly such threats are found. One way to guard against zero day exploits is via vulnerability shielding or “virtual patching”. This is intrusion detection and prevention technology which protects flaws before they can be exploited – reducing risk, extending the life of legacy systems and lowering admin expenses.
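To make the idea of a shielding rule concrete, here is an added illustration (my own model, not Trend Micro’s implementation) of what an intrusion prevention filter can do while a Flash fix is outstanding: identify Flash content by its SWF magic bytes rather than the declared Content-Type, then block it from untrusted origins for hosts that have not yet received the patch. The responses, origins and trusted-host list are constructed for the example.

```python
import struct

# SWF container signatures: the first three bytes identify Flash content
# regardless of the Content-Type a server declares.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data):
    """Return the SWF header fields, or None if the bytes are not a SWF."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]                            # Flash player version the file targets
    length = struct.unpack("<I", data[4:8])[0]   # uncompressed length, little-endian
    return {"compression": SWF_SIGNATURES[data[:3]], "version": version, "length": length}


def shield_flash(origin, headers, body, host_patched, trusted_hosts):
    """Decide whether an HTTP response may reach the protected client.

    origin:        server the response came from (recorded by the proxy/IPS)
    host_patched:  whether the receiving host already has the vendor fix
    trusted_hosts: origins allowed to serve Flash while the shield is active
    Returns (decision, reason).
    """
    declared_flash = "x-shockwave-flash" in headers.get("Content-Type", "").lower()
    hdr = parse_swf_header(body)
    if hdr is None:
        if declared_flash:
            return "block", "declared as Flash but body has no SWF header"
        return "allow", "not Flash content"
    if host_patched:
        return "allow", "host already patched; shield rule inactive"
    if origin.lower() in trusted_hosts:
        return "allow", f"Flash v{hdr['version']} from trusted origin {origin}"
    return "block", (f"Flash v{hdr['version']} ({hdr['compression']}) from untrusted "
                     f"origin {origin} while host unpatched")


# Constructed responses (not samples from the campaign)
FLASH_MISLABELLED = (
    {"Content-Type": "image/gif"},                               # server lies about the type
    b"CWS\x0f" + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16,
)
PLAIN_HTML = (
    {"Content-Type": "text/html"},
    b"<html><body>Story</body></html>",
)
TRUSTED_HOSTS = {"intranet.example"}


if __name__ == "__main__":
    headers, body = FLASH_MISLABELLED
    print(shield_flash("203.0.113.7", headers, body, False, TRUSTED_HOSTS))
    print(shield_flash("203.0.113.7", headers, body, True, TRUSTED_HOSTS))
```

The point of keying the rule on the host’s patch state is that the shield switches itself off once the real fix lands, which is exactly the “protect until a patch can be applied” behaviour described above.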

Another key technology is sandbox analysis – designed to detect threats via their behaviour rather than according to reputation or other filters. This matters because a zero day exploit has, by definition, no signature or reputation data yet. Researchers therefore have to run it in an environment designed to replicate the target’s desktop and see if it tries to do something malicious.
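What “detect by behaviour” means in practice is easier to see with a small scoring engine. This is an added example, not the post’s own code or any Trend Micro engine: it takes a constructed process trace in the shape a sandbox might record (process starts, file writes, registry changes, network connections), applies a handful of weighted behaviour rules, and returns a verdict. Nothing in it depends on knowing the exploit beforehand, which is the property the paragraph above is describing. Process names, paths, addresses and weights are invented for the demonstration.

```python
from collections import namedtuple

Event = namedtuple("Event", "pid parent image action target")

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed trace (not real campaign telemetry): a browser visits a page, writes
# an executable to %TEMP%, launches it, and the child persists and calls out.
SUSPECT_TRACE = [
    Event(100, 1, "explorer.exe", "process_start", "iexplore.exe"),
    Event(200, 100, "iexplore.exe", "network_connect", "203.0.113.7:80"),
    Event(200, 100, "iexplore.exe", "file_write", "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"),
    Event(200, 100, "iexplore.exe", "process_start", "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"),
    Event(300, 200, "upd.exe", "registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    Event(300, 200, "upd.exe", "network_connect", "198.51.100.23:443"),
]

# Constructed benign trace: ordinary browsing that writes a cached page.
BENIGN_TRACE = [
    Event(100, 1, "explorer.exe", "process_start", "iexplore.exe"),
    Event(200, 100, "iexplore.exe", "network_connect", "198.51.100.5:443"),
    Event(200, 100, "iexplore.exe", "file_write", "C:\\Users\\alice\\AppData\\Local\\Temp\\page.html"),
]


def browser_drops_executable(trace):
    """A browser process writing an executable to disk."""
    return any(e.image in BROWSERS and e.action == "file_write"
               and e.target.lower().endswith(EXECUTABLE_SUFFIXES) for e in trace)


def dropped_file_executed(trace):
    """A file written during the run is later started as a process."""
    written = {e.target.lower() for e in trace if e.action == "file_write"}
    return any(e.action == "process_start" and e.target.lower() in written for e in trace)


def run_key_persistence(trace):
    """Something registers itself under a CurrentVersion\\Run key."""
    return any(e.action == "registry_set" and "\\currentversion\\run\\" in e.target.lower()
               for e in trace)


def browser_child_calls_out(trace):
    """A non-browser child of a browser process opens a network connection."""
    browser_pids = {e.pid for e in trace if e.image in BROWSERS}
    return any(e.parent in browser_pids and e.image not in BROWSERS
               and e.action == "network_connect" for e in trace)


# (description, rule function, weight); weights are illustrative
RULES = [
    ("browser wrote an executable to disk", browser_drops_executable, 3),
    ("freshly written file was executed", dropped_file_executed, 3),
    ("persistence via Run key", run_key_persistence, 2),
    ("child of browser made outbound connection", browser_child_calls_out, 2),
]
MALICIOUS_THRESHOLD = 5


def score_trace(trace):
    """Apply every rule to the trace and return score, verdict and matched rules."""
    hits = [(name, weight) for name, fn, weight in RULES if fn(trace)]
    score = sum(weight for _, weight in hits)
    verdict = "malicious" if score >= MALICIOUS_THRESHOLD else "clean"
    return {"score": score, "verdict": verdict, "rules": [name for name, _ in hits]}


if __name__ == "__main__":
    print(score_trace(SUSPECT_TRACE))
    print(score_trace(BENIGN_TRACE))
```

Real sandbox engines use far richer rule sets and also watch for evasion (timing checks, virtual machine fingerprinting), but the structure is the same: the verdict comes from what the sample does once it runs, not from whether anyone has seen that file before.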

We have technology to protect against zero day threats at every layer:

Endpoints: vulnerability shielding in Trend Micro Vulnerability Protection secures desktops with virtual patching. Browser exploit protection in Trend Micro OfficeScan, Worry-Free Security, and Trend Micro Security blocks the exploit if a user tries to access the malicious web page.

Servers: vulnerability shielding in Deep Security protects systems until a patch can be applied.

Network: Sandbox Script Analyzer in Trend Micro Deep Discovery detects threats by their behaviour, without any engine or pattern updates.
