04:45 PM
Connect Directly

5 Exploit Trends Driving Attacks Today

HPE Cyber Risk Report 2016 picks apart infection stats from the past year.

As cybercriminals increasingly monetize their malware efforts, enterprise defenders need to recognize that the application layer has become the biggest battlefield in today's IT risk management model.

So says the HPE Cyber Risk Report 2016, released today by Hewlett Packard Enterprise (HPE) today, which highlights a number of key statistics in last year's attack patterns.

"We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organization to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth," says Sue Barsamian, senior vice president and general manager of HPE security products.

Among the findings in the report, a number of malware trends and exploit tendancies exhibited by attackers in 2015 bubbled to the surface. Here are some of the likely trends to continue plaguing defenders in the coming year:

1. Banking Trojans Take Advantage of Office

The report showed that more than 100,000 examples of banking Trojans were found in 2015. Among the most prevalent, Zbot/Zeus and Dridex continue to reign supreme. These banking malware applications are feeding off of Microsoft Office vulnerabilities and the resurgence of the Office Macro, says the report.

"While many users
 have learned not to run programs from unknown sources, they are still likely to open documents," the report warned, explaining that macros make exploitation much easier on this front. "Finding and exploiting zero-day vulnerabilities in Office applications is not as trivial a task as compared to obfuscating a bit of VBA."

2. iOS Malware Becomes More Than A Blip

With 2015 marked as the first year that apps within the walled garden of the Apple App Store were compromised, signs are starting to show that iOS is likely to be increasingly targeted as time goes on.

"Although the total number of iOS malicious apps is very low compared to all other popular malware platforms, the growth rate (235%) makes it one to watch in 2016," the report says, comparing that to Android's growth rate of 153%.

Nevertheless, Android will still dominate mobile malware for a long time. According to the report, 10,000 new Android threats are discovered every day.

3. PHP Exploit Growth Dwarfs All Others

PHP is fast becoming a favorite exploit vehicle for cybercriminals. Its growth outstripped that of nearly every other type platform by at four times the rate of second-fastest growing type, iOS. HPE pointed to figures from ReversingLabs that showed PHP malware samples increased by 752% in 2015. Compare that to Windows-targeted malware, with an 88% growth rate and it is clear that PHP neads some scrutiny. According to HPE, a lot of this can be attributed to remote shell tools exposed through Web-based user interfaces.

4. Flash Keeps Criminals Flush With Victims         

Adobe Flash is like a cybercriminal ATM machine at this point, as crooks have learned that they can exploit it to their heart's content. Among the Top 20 vulnerabilities most commonly targeted by malware last year, half of them were Adobe Flash vulnerabilities.  

"The most commonly encountered Flash samples include two discovered after the Hacking Team breach (CVE-2015-5119 and CVE- 2015-5122 ), and a third (CVE-2015-0311) found in the Angler exploit toolkit," the report noted.

5. Old Vulns Are The Best Vulns

Tried and true, old vulnerabilities keep coming up as a reliable means of exploiting the masses. Among the top 10 exploited vulnerabilities, all of them are more than a year old. And nearly half of them are five or more years old. In fact, in 2015, 29% of all successful exploits use a 2010 infection vector that has two different patches available for fixes.


Interop 2016 Las VegasFind out more about the latest attacks at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Guru
2/18/2016 | 3:10:42 PM
Malicious links
Don't forget that most apps have a WebView to display web content - it doesn't come with the same security as browsers so there's no checking to see if links are legit or malicious. In most cases you can't even see the URL.
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.