Technology organizations are among the most frequently attacked by cyber-criminals, and the majority of Advanced Persistent Threat (APT) attacks, 89 percent, are associated with tools developed and distributed by Chinese hacker groups, according to cyber-security specialist FireEye's "The Advanced Cyber-Attack Landscape" report.
The report found that 184 nations host communication hubs, or command-and-control (CnC) servers, with Asia and Eastern Europe accounting for the majority of the activity. CnC servers are used heavily throughout the life cycle of an attack: the infected machine makes outbound connections, or callbacks, to the server, which lets the attacker download and modify malware to evade detection, extract data, or expand the attack within the target organization.
FireEye drew the data from more than 12 million callback events from 184 countries that its platform logged during 2012 across thousands of customer appliances, deployed behind firewalls, intrusion prevention systems (IPS), anti-virus (AV) and other security gateways.
“The threat landscape has evolved, as cyber-threats have outpaced traditional signature-based security defenses, such as anti-virus, and permeated around the world, enabling cyber-criminals to easily evade detection and establish connections inside the perimeter of major organizations,” FireEye CEO David DeWalt said in a statement. “The FireEye research puts in proper perspective the global pandemic of this new breed of advanced cyber-attacks.”
Technology companies are targeted for theft of intellectual property, sabotage, or modification of source code to support further criminal initiatives. FireEye found CnC servers hosted in 184 countries, a 41 percent increase over the 130 countries in its 2010 findings.
Worryingly, attackers are increasingly sending initial callbacks to servers within the same nation in which the target resides. This approach not only improves evasion for the attacker (traffic to a domestic server draws less scrutiny than traffic to a foreign one), but it also gives organizations a strong indicator of which countries are most interesting to attackers, the report said. To evade detection further, malware is using social networking sites such as Facebook and Twitter as CnC channels for communicating with infected machines.
“In order to appear as normal network traffic and evade network deep packet inspection technologies, attackers now embed commands or stolen information within files that look standard, such as JPGs,” the report warned. “Depending on your organization’s industry and location, the scope, frequency and nature of attacks your organization encounters can vary substantially. By assessing callback information, you can begin to take a more realistic look at the threats your organization will likely face, and the steps needed to guard against these attacks.”
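The JPG trick the report describes (appending commands or stolen data to an image so the transfer looks like an ordinary picture download) has a straightforward structural check: a well-formed JPEG ends at its End-Of-Image (EOI) marker, so anything after that marker is not image data. The following is an added example written for this page, not code from the FireEye report or platform; the sample JPEG bytes and the `cmd=` payload are constructed here for illustration, and the walk is deliberately done over the marker segments rather than with a naive search for the last `FF D9`, which an attacker can defeat by including `FF D9` in the payload.

```python
import struct

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image


def jpeg_trailing_data(blob):
    """Return the bytes that follow the JPEG End-Of-Image marker.

    Returns None when the input cannot be parsed as a JPEG. The EOI is located
    by walking the marker segments, so a payload that itself contains FF D9
    (or is a second JPEG) is still reported as trailing data.
    """
    if not blob.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            return None                        # expected a marker here: malformed
        marker = blob[pos + 1]
        if marker == 0xD9:                     # EOI: everything after it is suspect
            return blob[pos + 2:]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                           # standalone markers carry no length
            continue
        if pos + 4 > len(blob):
            return None
        length = struct.unpack(">H", blob[pos + 2:pos + 4])[0]
        if length < 2:
            return None
        pos += 2 + length
        if marker != 0xDA:
            continue
        # Entropy-coded data follows the SOS header. Inside it, 0xFF is either
        # byte-stuffed (FF 00) or a restart marker (FF D0..D7); any other FF xx
        # is a real marker that ends the scan and is handled by the outer loop.
        while pos + 1 < len(blob):
            nxt = blob[pos + 1]
            if blob[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                break
            pos += 1
    return None


def classify_jpeg(blob):
    """Label a blob as 'not-a-jpeg', 'clean', or 'trailing-data'."""
    trailing = jpeg_trailing_data(blob)
    if trailing is None:
        return "not-a-jpeg"
    return "clean" if len(trailing) == 0 else "trailing-data"


def build_sample_jpeg(appended=b""):
    """Build a minimal JPEG-shaped byte string (constructed for this example).

    It is not a decodable picture, but it has the marker structure a scanner
    must understand: APP0, SOS, entropy-coded data with a stuffed FF 00 and a
    restart marker, then EOI, then whatever the caller appends.
    """
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_body) + 2) + app0_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # stuffed FF00 and RST0 inside
    return SOI + app0 + sos + scan + EOI + appended


if __name__ == "__main__":
    # Constructed payload standing in for an embedded attacker command.
    beacon = build_sample_jpeg(b"cmd=beacon;id=7")
    print(classify_jpeg(build_sample_jpeg()), jpeg_trailing_data(beacon))
```

The check is cheap enough to run on every image a gateway sees; a non-empty result is not proof of malice (some cameras append metadata after EOI), but it is the kind of indicator worth correlating with the callback destination data the report recommends assessing.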
The study follows a report last week from mobile security specialist Lookout, which issued an alert that a new malware family, BadNews, had been found in 32 applications in the Google Play Store, published from four different developer accounts. BadNews masquerades as an innocent, if somewhat aggressive, advertising network. It uses its ability to trigger application installation prompts and display fake news messages to push out other monetization malware and promote affiliated apps.
“BadNews is a significant development in the evolution of mobile malware, because it has achieved very wide distribution by using a server to delay its malicious behavior–in fact, this is the highest distribution Lookout has ever seen,” the advisory stated.