By PENNY SWIFT
The world is at war not only on the ground, with ISIS and other terrorist groups causing chaos worldwide, but also in cyber space. And in some ways this is even more terrifying because none of us can see what’s happening.
Flash exploits tripled and ransomeware doubled… and more than a quarter of Alexa 1000 web sites served malicious ads.
Today the US Bromium Labs released a new Threat Report, Endpoint Exploitation Trends 2015 that states 2015 was one of the busiest years ever for cyber security. With IT security teams doing everything possible to defend against what seemed like inevitable attacks, there was an explosive surge in malvertising and ransomware attacks.
Bromium Labs is a pioneer of threat isolation to prevent data breaches, and prides itself on new wave technology designed to protect business and government agencies from advanced malware by design.
According to Rahul Kashyap, chief security architect, “Attackers focus on high value targets with the path of least resistance.” This means that attack vectors might shift as previously vulnerable software implements new security to mitigate attacks.
As a result, he says, Microsoft has taken major steps to improve the security of both Windows and Internet Explorer, which has forced attackers to focus on Flash exploits as well as macro malware and malvertising delivered through phishing emails.
Key Trends Identified
The new Bromium report identifies six key trends for 2015:
- Active underground “zero-day exploitation ‘for hire'” was exposed and thrown into the public eye along with Hacking Team data exfiltration.
- Adobe Flash was virtually toppled as it was identified as one of the most “exploited user-initiated applications”.
- Exploit kits thrived because they were seen as the best way to deploy malware.
- Macro-based malware found to be embedded in Word documents and circulated via phishing emails increased substantially.
- Lucrative underground crypto-ransomware business became significantly more sophisticated and continued to grow.
- Malicious ads became increasingly difficult to block and proved to give attackers a great return on investment (ROI).
So how does this affect you?
First of all, the continuing rise in exploits and vulnerabilities showed an enormous spike in popular software most of us use being targeted. These included leading web browsers like Google Chrome, Mozilla Firefox and Microsoft Internet Explorer, as well as Microsoft Office, Oracle Java, and Adobe Flash that has been targeted for a long time now.
Bromium threat sensors also identified malvertising attacks on some of the most popular websites we all use, including attacks on 27 percent of the Alexa 1000 (the world’s top 1000 websites).
Even more troubling, they identified a resurgence of macro malware that masquerades as legitimate MS Office documents that, coupled with social engineering techniques has a way of literally laying waste to gateway-based anti-malware defences. That’s really scary, because there were more and more cleverly crafted examples that had been designed to fly under the radar of perimeter defense-and-trick users so that files could be opened, and the attack would be successful.
There was also a robust market for ransomeware where attackers would exploit a business model where users’ data was held for ransom by malware, often leveraging encryption algorithms. In fact Bromium identified an alarming 600 percent increase in the number of ransomware families that demonstrates an ongoing trend of innovation in the distribution of ransomware as a whole.
Exploits for Sale
The new Bromium threat report confirms that for a very long time the Internet underground market has been suspected of the clandestine selling of both zero-days and mass surveillance Trojans for launching attacks. When Hacking Team – a company that specialises in selling exploits – was hacked and all its exploits made public, this suspicion was confirmed.
This leak, the report states, proves that Internet hacking is available to anyone who is willing to pay the price, including corporations and government organizations. As a result of the leak, malware authors quickly launched malware campaigns that leveraged a treasure trove of exploits that were publicly available.
Malvertising Has Not Abated
Widespread attacks were launched during 2015 specifically to abuse the massive ad networks that have become what the report describes as “the sweet spot for attackers.” They identified a broad spectrum of malicious ads targeting popular categories of websites, all of which came via popular websites and were difficult to block. This means that malware ads provide a very good ROI for attackers.
Last year’s Bromium threat report stated that both news and entertainment sites were lucrative targets for attackers, and this is a trend that grew unabated throughout 2015. At least 27 percent of Alexa 1000 websites were found to be delivering malware via malicious ads.
Until the advertising industry takes more proactive steps to curb these attacks, expect this trend to continue. Bromium Threat Report 2016
Exploitation and Vulnerabilities Trends
It’s a bit like being on the dangerous highways in targeted cities… drive-by-download attacks were favoured by attackers.
Typical high-value targets included:
- Web browsers – Microsoft Internet Explorer, Mozilla Firefox, Google Chrome
- Browser plug-ins – Adobe Flash, Microsoft Silverlight, Oracle Java RE
- Office productivity software – Microsoft Office and Adobe Reader
Bromium Lab’s bar chart shows the vulnerabilities discovered over a four year period. Adobe Flash contributed significantly to the 2015 vulnerability spike because this increased by 333 percent. Only Oracle Java’s vulnerabilities declined.
Exploit Kit Trends
Drive-by-download attacks are an extremely serious issue for anyone who uses the Internet. Even though they have decreased because of improved exploitation mitigation techniques, they haven’t disappeared by any means. This is confirmed by the fact that the volume of web-based infections triggered by malicious advertising has increased. Further, during the past two years, exploit kits have included up-to-date and almost entirely new exploits.
There was an outburst of Flash vulnerabilities in 2015 making the year particularly profitable for the malware underground. According to the report, new exploits mean better infection rates and more sales on the black market.
Only three products feature in the estimated distribution of the most attacked products in exploit kits:
- Flash – 73 percent
- Internet Explorer – 20 percent
- Silverlight – 7 percent
Traditional banking Trojans and backdoors like Dridex and Fareit are still the most popular malware payload delivered by exploit kits, even though there has been a huge spread of crypto-ransomware (see below).
During the year browsers did start blocking Flash, because of its problems, and as a result, Angler was the most active exploit kit used in most incidents. It was also the fastest to adapt to changes in the vulnerability landscape,
Macro-Malware via email Spam
Socially engineers pushing emails that contain malicious MS Word documents and Excel spreadsheets are a huge problem for companies. These files contain malicious macros that download and execute malware from the attacker’s server. Even though MS Office doesn’t allow running macros by default, attackers do seem to have ways to convince users to enable them. For instance they give them believable names (like invoice_details, resume, or order quotations) that seem to be legit.
Crypto-ransomeware was also on the increase in 2015, with a high diversity of malware families being developed by different malware groups.
There were about 10 different ransomware families active during 2015, with Crytowall and TeslaCrypt developing as market leaders. The figure below shows just how ransomware families have grown in the past three years. It seems that in 2015, most of this crypto-ransomeware was distributed either by micro malware in spam emails, or by drive-by-download attacks.
Ultimately, the huge number of cyber attacks experienced during 2015 demonstrate attacker’s ability to bypass detection-based technologies, and Bromium believes that this trend will continue through 2016.