There was a lot of debate about “Advanced Persistent Threat” (APT) after the Google vs China “incident”.
Some focused on the malware itself, some on who can be an APT target, others on the bigger picture.
My two cents about this: what I want to mention is a small part of the bigger picture: the side effects, but not the “regular” side effects. A “regular” one would be, for example, concerns regarding the end users (say, whether their information was also compromised during the incident or not). As said, this is not my point.
If there is an APT target, then there is (or will be) an attack vector. Such an attack vector can be standalone software, SaaS, social engineering, etc.
An organization can become an indirect APT target if it sells/manufactures/etc. “something” that can be used as an attack vector against the direct APT target. As a side note, for an APT target it does not matter whether it uses less popular products or so in order to shrink the attack window, as the attackers are explicitly after them.
I know that what follows below is at a glance a mean thought, but if we think a little deeper, not quite so. It’s just business. :)
For example, as it surfaced, Microsoft’s IE browser was an attack vector during the Google vs China “incident” (it’s unclear whether other attack vectors were used, and if so, which ones).
After exploit code for the vulnerability used in this incident appeared in public, some expressed concerns that the situation might escalate into large-scale attacks on users of the vulnerable Microsoft Internet Explorer browser. The “premier” target might be IE6 on Windows XP. The vulnerability is harder to exploit on IE8 on Windows 7.
It has emerged that Microsoft knew about this vulnerability from around August/September 2009.
Nothing new here, one may say. Actually there is something new: the context.
Anyway, the situation did not escalate in the ‘large-scale attacks’ direction. As of this writing, only limited public use of the vulnerability has been detected. Details so far from Microsoft itself can be found here.
Instead the situation escalated with respect to Microsoft’s IE browser.
This browser got a lot of attention, from a negative point of view (again, not necessarily something new, except for the context). Some voices criticized IE6 and the fact that it is still in use; some criticized IE as a whole (IE6, IE7, IE8).
The German government, for example, has recommended that its citizens stop using IE and use alternative browsers until a patch is available. Apparently the French and Australian governments did the same.
So where did Microsoft go wrong?
Microsoft’s situation is a tragi-comic one: on one side they have an excellent attack vector (IE6 + Windows XP), and on the other side they have one of the most secure combinations on the market to date (IE8 + Windows 7).
Coming back to the question, simply put, Microsoft failed to adopt a proper upgrade strategy.
A strategy for getting their customers (end users and enterprise users) to upgrade from IE6 to its latest version (IE8, out for quite a while now) and from Windows XP to at least Windows Vista (actually Vista’s situation is a little different, as Microsoft misfired in another area there, but that’s another story); Windows 7 is rather new.
One may say this has little to do with Microsoft; end users and companies decide when and what to upgrade. But that’s not the point. One point is that Microsoft failed to discontinue IE6, a browser which has ‘discontinued’ written all over it, and this failure now reflects on IE as a whole, because in such a situation it’s somehow natural for people to just point fingers at the whole. It may matter little that IE8 is more secure than IE6. And Microsoft persists in this failure: they still haven’t said ‘no’ to IE6, despite the current situation.
It matters little whether Microsoft knew about this vulnerability or not; the attackers would have used another one, and the attack vector could have remained the same (IE6).
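As an added example (mine, not part of this post), a site operator or enterprise admin on the defending side can measure how much of the IE6/Windows XP population discussed above still reaches their servers by inventorying User-Agent strings in web access logs; that inventory is the first input to any upgrade push. The script assumes combined-log-format lines with the User-Agent as the last quoted field, and the log lines it parses are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2010:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.6 - - [20/Jan/2010:10:01:03 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.7 - - [20/Jan/2010:10:01:04 +0000] "GET /b HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.8 - - [20/Jan/2010:10:01:05 +0000] "GET /c HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
10.0.0.9 - - [20/Jan/2010:10:01:06 +0000] "GET /d HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
10.0.0.5 - - [20/Jan/2010:10:02:02 +0000] "GET /e HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# The User-Agent is the last double-quoted field on a combined-log line.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')
# IE advertises itself as "MSIE <major>.<minor>"; the major version is enough here.
MSIE = re.compile(r'MSIE (\d+)\.\d+')
# Windows reports its kernel version as "Windows NT x.y".
WIN_NT = re.compile(r'Windows NT (\d+\.\d+)')

# Kernel version -> marketing name for the Windows releases relevant to the post.
WINDOWS_NAMES = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
}


def classify_ua(ua):
    """Return (browser, os) labels for one User-Agent string.

    Non-IE browsers are labelled "other"; unknown NT versions keep their number.
    """
    m = MSIE.search(ua)
    browser = f"IE{m.group(1)}" if m else "other"
    w = WIN_NT.search(ua)
    os_name = WINDOWS_NAMES.get(w.group(1), f"Windows NT {w.group(1)}") if w else "other"
    return browser, os_name


def legacy_inventory(log_text, legacy_browsers=("IE6", "IE7"), legacy_os=("Windows XP",)):
    """Count (browser, os) pairs and collect client IPs still on a legacy browser or OS.

    Returns (combos, legacy_clients): combos is a Counter keyed by (browser, os);
    legacy_clients maps each flagged client IP to the first (browser, os) seen for it.
    """
    combos = Counter()
    legacy_clients = {}
    for line in log_text.splitlines():
        m = UA_FIELD.search(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        browser, os_name = classify_ua(m.group(1))
        combos[(browser, os_name)] += 1
        if browser in legacy_browsers or os_name in legacy_os:
            ip = line.split(" ", 1)[0]
            legacy_clients.setdefault(ip, (browser, os_name))
    return combos, legacy_clients


if __name__ == "__main__":
    combos, legacy = legacy_inventory(SAMPLE_LOG)
    for (browser, os_name), n in combos.most_common():
        print(f"{n:4d}  {browser:6s} {os_name}")
    print(f"{len(legacy)} client(s) still on a legacy browser/OS:")
    for ip, combo in sorted(legacy.items()):
        print(f"  {ip}: {combo[0]} on {combo[1]}")
```

Note that the default flags IE8 on Windows XP as well, since the post's point is the combination: the browser alone being current does not remove the platform from the legacy list. Adjust `legacy_browsers` and `legacy_os` to whatever your own upgrade policy defines as the floor.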
What am I saying here?
The thing is that something more insecure by design is more likely to be used as an attack vector against an APT target than something more secure by design. The “Advanced” part of APT does not mean that the attack attempts to exploit the most advanced piece of technology an organization uses; the weakest link is still “desirable”. The attackers can attempt to go “all the way” if needed, but probably this is not necessary.
Microsoft put themselves in quite a situation: they are on both sides of the story in the same area.
Without courtesy (there is no such thing when it comes to business), another vendor could have been under fire right now instead of Microsoft, had its products been used as an attack vector. From a business perspective this is a good thing for one vendor and a bad thing for another.
All products have vulnerabilities, some more, some fewer, but more importantly some vulnerabilities are more exploitable than others. This means that such products can stay longer in the negative spotlight of the public and, very importantly, stay in the “persistent lights” of the APT.
One’s security unveils others’ insecurities; in Microsoft’s case: how to kick yourself in the nuts.
Although the organization that sells/manufactures/etc. the attack vector is not the direct target of the APT, the attack can directly affect its business through side effects: negative publicity –> market share loss –> sales dropping, quick money loss (it may have to spend to re-establish its image), etc.
Microsoft is a big player, in both the end user and enterprise arenas, so it’s hard to call right now in what shape Microsoft will come out of the center of attention.
However, what we see right now from Microsoft, various efforts (like this), an out-of-band patch and more, are, IMO, merely responses to the side effects discussed above.
So it will be interesting to see some numbers after things settle down a little bit: whether Microsoft lost any share of the browser market, and how much this situation costs Microsoft: pulling together an out-of-band patch, any attempts to revitalize their browser’s image, etc.
And it’s also interesting to see who will fill Microsoft’s shoes when the next such situation goes public: will it be Microsoft again, maybe Adobe, or somebody else?
Are you an APT target or an APT attack vector, or maybe both?