2-Extended Analysis-Full

Recommendations

Info

Communities @ Risk 15EXTENDED ANALYSIS: 2.1 Summary, Methodology and Data <strong>Analysis</strong>CVEsCommon Vulnerabilities and Exposures (CVEs) is a dictionary of common names forpublicly known security vulnerabilities. CVEs are each assigned a unique identifiercode, with the form CVE-YYYY-NNNN, where YYYY indicates the year they wereidentified and NNNN are arbitrary digits. We identified 24 distinct CVEs used in 483of the email attacks as displayed in Figure 4.FIGURE 4: CVEs identified in samples during the study period.(Vertical gray bars represent the date the CVE was created and orange dots represent targeted attacks using that CVE.)The most common CVEs we observed were CVE-2010-3333 (used in 112 attacks)and CVE-2012-0158 (used in 294 attacks), which are both vulnerabilities in the wayMicrosoft Word handles RTF documents. Figure 4 clearly illustrates the shift in usefrom CVE-2010-3333 to CVE-2012-0158 in March and April of 2012. The popularityof these vulnerabilities is not limited to our dataset. They have been widely used inother attacks against a variety of targets.
Communities @ Risk 16EXTENDED ANALYSIS: 2.1 Summary, Methodology and Data <strong>Analysis</strong>During four years of tracking attacks against our groups, we observed only one zerodayexploit. This attack used the Flash vulnerability CVE-2012-5054, and was sent 22days before the CVE entry was created.These results show that vulnerabilities exploited by targeted malware attacks againstCSOs are typically not technically advanced (compared with financially-motivatedmalware and commercial lawful intercept kits), and often use old (patched) vulnerabilities.For example, CVE-2012-0158 has been patched since April 10, 2012, buthas remained the most common vulnerability used in attacks against the Tibet Groupsfor well over a year after the fix was issued. The repeated use of this vulnerability suggeststhe attackers are achieving successful compromises because target systems didnot have the latest security updates. A possible explanation is that licensed software iscost-prohibitive for many organizations in the developing world, while pirated copies areeasily available, leading many to use pirated operating systems and software.ANTIVIRUS DETECTIONVirusTotal is a service that scans files through 53 different AV engines and provides asummary of malware detection results. We find that 369 of the 659 samples we received(56%) had been submitted to VirusTotal at the time of writing, with a median AV detectionrate of 24% and mean detection rate of 25%. Detection rates were generally low,as 86% of these samples had a detection rate below 50%, meaning that less than halfof the AV packages tested were able to identify them as malicious. These results suggestthat simply running AV software, although potentially helpful, is not a very effectivedefence against these attacks.FIGURE 5: Histogram of antivirus detection rates provided by VirusTotal
Page 2 and 3: EXTENDED ANALYSIS:2.1Summary, Metho
Page 4 and 5: Communities @ Risk 3EXTENDED ANALYS
Page 12 and 13: Communities @ Risk 11EXTENDED ANALY
Page 20 and 21: Communities @ Risk 19EXTENDED ANAL
Page 30 and 31: EXTENDED ANALYSIS:2.2Cluster Analys
Page 64: Communities @ Risk 63EXTENDED ANALY
Page 67 and 68:
Communities @ Risk 66EXTENDED ANALY
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Communities @ Risk 100EXTENDED ANAL
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
EXTENDED ANALYSIS:2.3Civil Society
Page 111 and 112:
Page 113 and 114:
Communities @ Risk 112duced new ris
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125:
show all

2-Extended Analysis-Full

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?