Night Dragon or Red Herring?
TAP into Smart Protection Network
Targeted Attack Prevention is a key component of the Trend Micro Smart Protection Network
In the wake of the recently published report about Night Dragon, Trend Micro wants to assure its customers that they are already protected from the attack.
Following analysis, based on the Smart Protection Network, we know that this incident has not compromised the security of any Trend Micro customer.
The most recent enquiry regarding malicious files and compromised web servers associated with the incident was raised to us back in early January. It was dealt with swiftly; since then we have had no reports or inbound calls regarding possible infections, only inquiries into our protection. Additionally, Smart Protection Network has not registered any notable detections related to the event for email, web or file threats.
Summary of Protection:
1. Compromised web pages directing users to malicious web servers in this attack: Web Reputation is blocking the malicious domains and web pages
2. Spear-phishing emails with links to malicious web servers: Web Reputation is blocking the links in these emails (using Secure Click) and blocking access to the malicious web servers
3. Malware infecting machines: File Reputation includes signatures to detect the malicious files associated with this attack
4. Compromised machines communicating with outside servers controlled by hackers: Web Reputation blocks the communication to these servers
Additionally, Deep Security will mitigate the initial attack vectors, viz. SQL injection and dropping the malware/RAT tools onto the web server.
The DPI rules that should be configured and deployed are as follows:
• 1000608 - Generic SQL Injection Prevention (already available)
This rule may require configuration and will block SQL injection attacks.
• 1003025 - Web Server Restrict Executable File Uploads (Already available)
This rule blocks all executable file uploads to the web server when deployed.
• 1004596 - Detected Night Dragon Network Communication (Expected availability today)
This emergency security update is to issue a specific DPI rule to detect network communication between hosts compromised as part of the “Night Dragon” attack and the CnC servers.
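The two generic rules above block SQL injection and executable uploads at the network layer. As an added illustration of the second control (this is example code written for this post, not Deep Security's rule logic or any Trend Micro code), the following upload filter decides by file content rather than by the filename the client supplies, so a binary renamed to `update.jpg` is still rejected. The signature tables, the allow-list of permitted types and the sample uploads are all constructed for the example.

```python
"""Content-based upload filter (added example; not Trend Micro code).

A filename-only check is defeated by renaming a binary to .jpg. This filter
runs two checks: does the content look like an executable at all, and does
the content actually match the type the extension claims?
"""
import os

# Leading bytes of common executable formats. Constructed list for this
# example; extend for your environment.
EXECUTABLE_SIGNATURES = {
    b"MZ": "PE (Windows EXE/DLL)",
    b"\x7fELF": "ELF (Linux/Unix)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"#!": "script with interpreter line",
}

# Allow-list of the only types this hypothetical upload endpoint accepts,
# each mapped to the magic bytes its content must start with.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def classify_upload(filename, data):
    """Return (allowed, reason) for one uploaded file."""
    ext = os.path.splitext(filename.lower())[1]
    head = data[:8]

    # 1. Reject anything whose content is an executable, whatever its name.
    for magic, kind in EXECUTABLE_SIGNATURES.items():
        if head.startswith(magic):
            return False, f"executable content ({kind})"

    # 2. Reject extensions that are not expected at all (.php, .exe, ...).
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not in allow-list"

    # 3. Reject content that does not match the claimed type.
    if not any(head.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match {ext}"

    return True, "ok"


# Constructed sample uploads: (filename, first bytes of content).
SAMPLE_UPLOADS = [
    ("report.pdf", b"%PDF-1.4\n% constructed sample\n"),
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("tool.exe", b"MZ\x90\x00\x03\x00\x00\x00"),     # PE by name and content
    ("update.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE renamed to .jpg
    ("page.php", b"<?php echo 'hi'; ?>"),            # script, no magic bytes
    ("setup.sh", b"#!/bin/sh\necho hi\n"),           # interpreter line
]


def filter_uploads(uploads):
    """Classify every upload; returns a list of (filename, allowed, reason)."""
    return [(name, *classify_upload(name, data)) for name, data in uploads]


if __name__ == "__main__":
    for name, allowed, reason in filter_uploads(SAMPLE_UPLOADS):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name:12} {reason}")
```

Note that step 1 catches renamed native binaries but cannot recognise a script-based web shell by content, which is why step 2 rejects every extension outside the allow-list; serving the upload directory with script execution disabled remains the backstop for both.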
Smart Protection Network contains Targeted Attack Prevention technology designed to proactively identify and mitigate events such as this, so that they never become an issue for our customers' networks. Therefore, we do not view Night Dragon as a major threat incident, because our customers are not affected by the event.
Attacks such as this are notable and on the increase. Already in 2009, Raimund Genes predicted that targeted attacks would be on the increase. In recognition of this fact, we have already developed technology able to stop targeted attacks before they become a problem.
Targeted attacks regularly employ spear-phishing as a key component. Trend Micro advises all security specialists to ensure their corporate end users are well versed in this type of attack tool so they can protect themselves effectively.
For detailed technical information regarding Night Dragon, please view our Web Attacks entry http://about-threats.trendmicro.com/RelatedThreats.aspx?language=us&name=REMOSH+Hacktool+Used+in+Targeted+Attack
Opportunities
1. Part of this attack was compromising a customer's web servers. This is an opportunity to discuss Deep Security as a prevention tool which can block a hacker attempting to compromise their web servers.
2. Malware infections: an opportunity to discuss File Reputation and why faster deployment of updates is needed in the case of a targeted attack.
3. TMS - Threat Discovery and Threat Mitigator will minimize their attack surface and risks associated with a targeted attack.
4. PSP - As targeted attacks become more prevalent on larger organizations, they need a security partner who can support them quickly and effectively to mitigate their risks associated with the attack.