Targeted Attacks Aren't As Targeted As You Think: Page 2
It's scary just how easy it is to launch sophisticated cyber attacks, writes eSecurityPlanet contributor Gunter Ollmann of Damballa.
The operators, processes, infrastructure and technologies that helped deliver the malicious payload (which initially compromised the corporate systems) are rarely orchestrated by a solitary attacker. Instead, would-be attackers can procure all the tools and expertise they need from a diverse and vibrant cyber-criminal ecosystem.
With a little web browsing and some carefully crafted search criteria, it is all too easy to uncover an increasingly broad array of tools and services designed to aid would-be attackers. The attack instigator doesn't need to be an expert, or even particularly technical, in order to launch an advanced or sophisticated attack against a list of potential victims. Every phase of an attack can be outsourced or purchased off-the-rack.
Today, the tools necessary for creating polymorphic malware designed to evade the desktop anti-virus products used within large organizations can be acquired for free. Better, more feature-packed, DIY (do-it-yourself) malware construction kits can be acquired for a few tens of dollars – while fully supported (24x7 response), money-back-guaranteed DIY construction kits, complete with flash management consoles and "starter pack" phishing materials, can be secured for a few thousand dollars. Then there are literally hundreds of armoring tool providers – each offering easy-to-use products that, with the selection of a few optional tick-boxes, will guarantee evasion against some of the most advanced automated analysis systems being deployed by would-be victim organizations. Then, to top it all off, there are online service operators which, for a nominal monthly fee, will accept newly generated malware samples from their criminal subscribers and test them against every commercial anti-virus product on the market – effectively providing QA services and a guarantee that the malware will not currently be detected by the anti-virus products that future victims run.
But the malicious binary is merely one component of an attack. The trick lies in getting the malware component through the corporate defenses and installed on the victim devices. Never fear though, there is an entire criminal service industry that specializes in dealing with this problem.
Armed with a solitary malware binary, a would-be attacker can subscribe to one of many pay-per-install (PPI) services and get them to distribute the binary to vulnerable victims. For a fee as low as $17, PPI service providers will install the binary upon 1,000 newly compromised victims. These criminal groups operate thousands of malicious drive-by download web sites scattered all around the Internet and seek to exploit vulnerabilities in the poorly patched systems of unwary visitors. They too have their own service industry. Specialist teams offer blackhat-SEO services designed to drive new traffic to the malicious pages or ensure that a particularly insidious page makes its way to the top of certain Google search result pages. Meanwhile groups of vulnerability researchers and engineers weaponize new exploits and distribute them within commercial drive-by download exploit packs for a few hundred dollars per month.
Even the personalized aspects of a targeted attack can be outsourced. Complete corporate personnel hierarchies can be purchased from lead provisioning companies – "leads" that may have been acquired through past successful malware intrusions and laundered through a number of grey or white marketing agencies.