Our security researchers have discovered yet another Advanced Persistent Threat (APT). “Icefog” targets government institutions, military contractors and industrial companies, mostly in Japan and South Korea. The Icefog backdoor uses standard techniques to infiltrate its targets: spearphishing emails deliver a set of exploits focused on vulnerabilities in popular software like Microsoft Office and Java.
These two programs are widely used all over the world, so cybercriminals have gone into great detail to analyze their code and find vulnerabilities that allow them to exploit and infect victims. The creators of Icefog enthusiastically harvested the fruits of this research to use them at will. The exploits used in these attacks are not like the so-called “0-days,” dangerous exploits that are unknown to software developers, they are instead widely known and patches for them are available.
However, making patches available is one thing, but applying them promptly is another. Patching is a critical task for system administrators, especially in government institutions or industrial companies. Here, admins usually place maximum availability ahead of information security. Sometimes they prefer not to apply patches at all for fear of causing instability elsewhere in the system. Others maybe lack the time or inclination, especially on large infrastructures where patching is done manually and some workstations can easily be overlooked. Cybercriminals are fully aware of this. That’s why an effective targeted attack like Icefog does not necessarily require the development of sophisticated zero-day exploits.
How can we minimize the risks of falling victim to an APT like this? First, take advantage of the existing technologies that can reinforce your infrastructure against known exploits. Patch Management and Vulnerability Assessment technologies offer an ideal symbiotic approach to protection against known exploits.
Vulnerability Assessment is a technology which addresses this type of threat by tracking and detecting known vulnerabilities in software applications, including operating systems and widely used 3rd party applications such as Microsoft Office, Java-based applications, Adobe Flash/Acrobat and others. Kaspersky’s Vulnerability Assessment technology is built around a substantial product database that draws on information from our unique information stream developed by Kaspersky Lab experts. This in-house data, which is the largest source for our vulnerability database, comes from Kaspersky Security Network , a constantly updated stream of intelligence about vulnerabilities and malware derived from scanning millions of computers all over the world. This data is assessed by Kaspersky Lab’s systems and malware experts before being added to the global vulnerabilities database.
Patch management technology helps to monitor, download and apply Operating System, which is more important than third-party application patches. Kaspersky’s technology can ensure that all vulnerabilities are automatically patched as soon as third-party software vendor makes a patch available. The sooner patches are put in place, the easier it is to stay ahead of targeted malware that uses known exploits. Kaspersky Patch management allows scheduling patch distribution, depending on their importance and also testing patches in isolated network segments before deployment for the whole network. Independent test results confirm the quality of Kaspersky Patch management solution.
But what if an attacker discovers a zero-day vulnerability, a vulnerability that no one knows about and that has no patch from the vendor? It’s a difficult problem, but Kaspersky Lab has the solution that will help you lower the risks. Automatic Exploit Prevention (АЕР) is a comprehensive set of technologies that prevent exploits from using vulnerabilities in a wide range of programs and operating systems. Even if an exploit manages to launch itself, AEP can still prevent malicious behavior from escalating. This technology is based on real-time behavior analysis, as well as information on the applications which are most often attacked by cybercriminals , Adobe Acrobat, Java, Windows components, Internet Explorer and others. Any time these programs attempt to launch suspicious code, safety controls immediately intervene, interrupt the launch and trigger a scan of the system and will initiate our technology emergency system restore. Independent test results repeatedly confirm that our AEP technology is a truly effective way of combating unknown and 0-day vulnerabilities.
Master of puppets
One of Icefog’s distinguishing features was the extent to which the operators of the malware would interact with it manually. Usually, malware infections are designed to perform automated data exfiltration tasks. With Icefog, a human operator follows up each infection, connecting to the machine, personally identifying the victim and deploying tools to steal valuable data. The operator can deploy any other malicious tool having full access to the system, as if he was sitting at the desktop console. For example, he could install seemingly legitimate versions of remote control admin applications that an antivirus engine would not recognize as malware. If this happens, even after the initial Icefog code is detected, the attackers can maintain direct control of the infected machine(s).
Sophisticated attacks like this demand a sophisticated defense – the Application Control. Only trusted applications are allowed to run and, moreover, a strict list of such trusted applications can be created while no other application is allowed to execute. This technology is called Default Deny. In that mode, a workstation operates in an isolated software environment and an Icefog simply cannot be launched. He can’t launch and hide his remote software tools if they are not in the “allowed applications” list.
Icefog is a newly discovered threat that is increasingly active in cyberspace, but by exercising the right security approach and using the described technologies that are a part of Kaspersky Endpoint Security for Business, you’ll be fully protected.