You don’t have to know how to rebuild an engine even how to change your own oil to drive a car. You don’t have to understand how Intel fits billions of transistors on a processor the size of a postage stamp, or how those transistors turn billions of 1’s and 0’s into you surfing the Web or playing a game on your PC. Apparently, you also don’t have to know how to write code, or develop exploits to launch an effective malware campaign.
Sophos researcher Gabor Szappanos analyzed attacks against a recent vulnerability and found that perpetrators of APTs (advanced persistent attacks) don’t seem to have the skills to effectively modify a given exploit.
I wrote about the Sophos report in this blog post:
Advanced persistent threats (APT) have emerged as a new class of malware threat in recent years. APTs are more insidious than your run-of-the-mill malware attacks. They manage to fly under the radar and evade detection. They’re also commonly believed to be more sophisticated than average malware attacks, but new research from Sophos contradicts that theory.
Gabor Szappanos, principal researcher for Sophos Labs Hungary, evaluated the malware and APT campaigns of several groups that all leveraged a particular exploit—a sophisticated attack against a specific version of Microsoft Office. He found that none of the groups were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack.
In the Sophos report, Szappanos describes how the popular exploit (CVE-2014-1761) targeted only one particular version of Microsoft Office despite the fact that 18 different variations of Office were vulnerable. Targeting other versions would require only minor modifications to the initial exploit, but Szappanos discovered that these groups have a very limited understanding of, or ability to modify, the underlying code.
“Surprisingly, known APT groups showed less sophistication than more mainstream criminal groups,” exclaimed Szappanos, adding, “Even so, these groups are able to work with what they have to infect their targets.”
The report reaches a number of interesting conclusions. Despite the aura of skill and complexity that seems to surround APTs, they are much less sophisticated than they’re given credit for. The APT groups are lacking in quality assurance. Many attacks are not thoroughly tested and attackers fail to recognize when some functionality of the attack is not working properly.
Check out the full story on CSOOnline: Most APTs are no so ‘sophisticated’ after all.