Proactive Prevention Revisited: ‘Cloud Atlas’ and ‘Inception Framework’ Campaigns

In this post we will discuss two recently disclosed cyber espionage campaigns. By strange coincidence, both were independently named after labyrinthian and complicated movies – ‘Cloud Atlas‘ and ‘Inception‘. With Inception, the campaign’s unique complexity was the actual reason for the naming.

The two campaigns share a few elements. Their initial targets are mainly Russian, and both, to a certain degree utilized CloudMe AB’s cloud service in their command and control communication.

However, what we wish to point out is a different common thread that in terms of security practice is the most significant. Explaining these campaigns will enable us to highlight Palo Alto Networks Traps Advanced Endpoint Protection and realize the advantages of proactive prevention.

Further details of both campaigns can be found in the original reports.

The campaigns

Cloud Atlas, first described by Kaspersky Lab, is a Red October comeback, going mostly for Russian targets, featuring a classic pattern of successful spear phishing, exploitation and data exfiltration.

The Inception Framework campaign, first disclosed by Blue Coat Systems, targets individuals in strategic positions: executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials. Its preferred attack vector is spear phishing emails containing weaponized documents.

Successful exploitation triggers a highly sophisticated and multilayered malware framework. The campaign actors have managed to create a complex architecture of obfuscation and indirection, along with various control mechanisms put in place between attacker and target.

This complexity helps malicious activity to go undetected. It also vividly illustrates and elucidates – again — why proactive prevention, rather than reactive detection, is the only effective way to address the current advanced cyber threat landscape.

The proactive prevention difference

At the opening of this post we referred to a significant common thread between the two campaigns. By that we meant the following: the high complexity begins only after the malicious payload has been successfully executed. The direct implication, in terms of security practice, is that the strategic default choice should be to suppress the possibility of such execution – which is what proactive prevention is all about.

The initial attack vector in both campaigns is vulnerability exploitation: CVE-2012-0158 in Cloud Atlas, joined by CVE-2010-3333 and CVE-2014-1761 in Inception.

Blocking the exploitation of these vulnerabilities would have trimmed these attacks way before any component of the extra sophisticated malicious infrastructure could come to life. The sophistication reflects the attackers attempt to minimize possibility of being detected. Thus, by focusing on prevention of the exploit rather than detection of the payload, the table is turned on the attackers’ efforts and the malicious activity is tackled at a point where no resistance is anticipated.

Palo Alto Networks Traps is built and designed with this concept in mind, enabling the endpoint to obstruct and nullify attacks this critical phase, by generically blocking all vulnerability exploitation techniques, for known and Zero-days attacks alike – including the ones utilized in Cloud Atlas and Inception.

Attackers are investing tremendous resources in creating and developing malicious capabilities of undetected residence, lateral movement, and data exfiltration. Proactive prevention means that we refuse to play on their terms. Rather, we take back control, blocking malicious activity way before its intended incarnation.

Perhaps the most important decision, when planning to wage war, is choosing a location that is best for you and worst for your enemy. Obstructing advanced attacks at the exploitation phase accomplishes exactly that.

Learn more about Advanced Endpoint Protection and Traps here.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.


© 2018 Palo Alto Networks, Inc. All rights reserved.