Trouble in the Tropics

Recently, there has been an uptick in activity in the Philippines and Taiwan related to two old vulnerabilities. The Operation Tropic Trooper attacks, as announced by Trend Micro, have been targeting government and military organizations in these two countries. What is alarming about these attacks is that they exploit old Microsoft Office vulnerabilities: CVE 2012-0158 is three years old, while CVE-2010-3333 is five years old!

What went wrong?

Independent of the specific techniques that are used by Operation Tropic Trooper to achieve penetration, the fact is that these attacks are entirely preventable. Some key observations:

• Given the age of the vulnerabilities, the machines that were compromised were not well maintained
• Regular vulnerability assessment was likely not being performed
• Operation Tropic Trooper is targeted at penetrating client machines, not servers
• The attacks circumvented any perimeter defenses these organizations had in place

Prevention

The success of the Tropic Trooper attacks serves as a vivid reminder that security policies and procedures must actively address all systems in the infrastructure

The success of the Tropic Trooper attacks serves as a vivid reminder that security policies and procedures must actively address all systems in the infrastructure. Client machines buried deep within your organization are just as likely to be targeted and leveraged in an attack as are well maintained server machines near the perimeter. These client machines cannot be ignored.

You need to proactively and continuously find and maintain all of the systems in your network. Maintenance should include frequent vulnerability assessments as well as regular patching.

In addition, continuous network monitoring is crucial, acting as a “last line of defense” and facilitating the detection of intrusions that make it through the security infrastructure that you have in place. Continuous monitoring can detect the presence of malware, unusual network communications patterns, and communications with Command and Control servers. The deeper in your infrastructure that you monitor, the more likely that you will catch attacks and malware infestations early, before any major damage is done.

Tenable can help

Continuous network monitoring is crucial

When combined with a proper security policy, Tenable’s SecurityCenter Continuous View™ can help shield organizations against attacks such as Tropic Trooper by:

• Detecting unknown or poorly maintained machines through Nessus® discovery scans or by using the Passive Vulnerability Scanner™
• Creating a detailed inventory of all installed software on client machines, including the detection of obsolete, unmaintained or unnecessary components
• Detecting systems which your patch management system may have missed, and auditing patch compliance for those machines that are under maintenance
• Detecting the presence of active malware in scanned systems
• Detecting indicators of compromise on the network, such as communications with Command and Control servers, unusual communications patterns or traffic anomalies

These five capabilities of SecurityCenter can help your organization eliminate the risks and blind spots that Tropic Trooper and other malicious activities take advantage of. Being proactive and preventive in your security stance is just as critical as having active, reactive technologies employed.