
FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation


6 posts from August 2012

Just Released - FireEye Advanced Threat Report - 1H 2012


The third issue of the FireEye Advanced Threat Report was released today. We are excited to share this report, which contains the latest advanced threat information and new insights into the continued evolution of the cyber threat landscape. Advanced malware continues to grow: in the first half of 2012 it is up nearly 400% vs. the first half of 2011. On average, an organization is experiencing 643 advanced malware infections per week. Keep in mind that this is advanced malware, meaning unknown threats that have not been seen before and that bypass traditional signature-based security defenses such as next-generation firewalls, IPS, gateways, and AV. The report highlights five key findings, a few of which are included here.

Advanced threats come into organizations via several threat vectors: the Web, email, and files. While web-based threats are significant, the dangers of email-based threats are growing more severe. Links and attachments delivered via email have been the source of some of the high-profile advanced persistent threat (APT) attacks, such as the RSA breach, GhostNet, and NightDragon. These targeted spear-phishing emails are up, because they work. But spear-phishing emails are evolving, with the use of malicious links becoming more prevalent than the use of malicious attachments.

Advanced threats are posing challenges to enterprises and government agencies across the board. Industries with intellectual property, customer information, or critical infrastructure to protect are particularly vulnerable to advanced threats. Notable increases in advanced threats have been seen in the healthcare, financial services, and energy/utility industries, while the technology industry continues to experience a high level of advanced threats. No industry or government agency is immune.

We hope you find the report informative and useful. And, more importantly, we hope organizations and government agencies take action to protect themselves from advanced threats. Read more in the FireEye Advanced Threat Report by filling out the form below.

Java Zero-Day - First Outbreak

A few days ago I talked about the existence of a new Java zero-day flaw (CVE-2012-4681). Soon after the publication of my blog, the white hats kicked in and there was proof-of-concept (PoC) code ready overnight. At this point, a major outbreak was inevitable. We soon came to know that the mastermind behind the Blackhole exploit kit has plans to add this zero-day to his package. This morning we started getting the first indication of a large-scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly. After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands.


Zero-Day Season is Not Over Yet

A new Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments, i.e., JRE 1.7.x, are vulnerable. In my lab environment, I was able to successfully exploit my test machine against the latest version of Firefox with JRE version 1.7 update 6 installed.


Additional Information on Gauss and Flame Leads to Different Conclusion

UPDATE: In our post earlier today, we concluded that there was some sort of relationship between the Gauss and Flame malware actors, based on observing CnC communication going to the Flame CnC IP address. At the same time, the CnC domains of Gauss were sinkholed to the same CnC IP. There was no indication or response in the communication originating from the CnC server to indicate that it may have been owned by another member of the security research community. In light of new information shared by the security community, we now know that our original conclusions were incorrect and we cannot associate these two malware families based solely upon these common CnC coordinates.

We apologize for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions.

Like the team at Kaspersky and the many others who actively participate in security research, the FireEye Lab is committed to improving the understanding of the most prevalent and dangerous cyber threats today. As we all know, it is not an easy job. We appreciate the feedback we receive from the security community, and our experience today is just one lesson on the need for even greater intelligence sharing and collaboration among the many talented groups and individuals in our field.


Tracking Email Malware Trojan.MyAgent

At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation. From looking at the data in the FireEye Malware Protection Cloud (MPC), we can see that the malware is currently targeting the following industries:

  • Defense
  • Chemicals
  • Technology
  • Aerospace


Surprises in our Advanced Threat Awareness Survey

A few weeks ago we conducted a survey to assess the general knowledge of advanced attacks among enterprise security professionals. Though we originally ran the survey to gather data for our own understanding, we found the results so interesting (and frankly, surprising) that we wanted to share them.

As we’ve discussed in the past, there continue to be many myths and misunderstandings regarding advanced persistent threats ("APTs"). What is clear, however, is that there is a significant disconnect in the understanding of what constitutes an advanced targeted attack and which technologies protect against them.
