04:45 PM
Connect Directly

5 Exploit Trends Driving Attacks Today

HPE Cyber Risk Report 2016 picks apart infection stats from the past year.

As cybercriminals increasingly monetize their malware efforts, enterprise defenders need to recognize that the application layer has become the biggest battlefield in today's IT risk management model.

So says the HPE Cyber Risk Report 2016, released today by Hewlett Packard Enterprise (HPE) today, which highlights a number of key statistics in last year's attack patterns.

"We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organization to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth," says Sue Barsamian, senior vice president and general manager of HPE security products.

Among the findings in the report, a number of malware trends and exploit tendancies exhibited by attackers in 2015 bubbled to the surface. Here are some of the likely trends to continue plaguing defenders in the coming year:

1. Banking Trojans Take Advantage of Office

The report showed that more than 100,000 examples of banking Trojans were found in 2015. Among the most prevalent, Zbot/Zeus and Dridex continue to reign supreme. These banking malware applications are feeding off of Microsoft Office vulnerabilities and the resurgence of the Office Macro, says the report.

"While many users
 have learned not to run programs from unknown sources, they are still likely to open documents," the report warned, explaining that macros make exploitation much easier on this front. "Finding and exploiting zero-day vulnerabilities in Office applications is not as trivial a task as compared to obfuscating a bit of VBA."

2. iOS Malware Becomes More Than A Blip

With 2015 marked as the first year that apps within the walled garden of the Apple App Store were compromised, signs are starting to show that iOS is likely to be increasingly targeted as time goes on.

"Although the total number of iOS malicious apps is very low compared to all other popular malware platforms, the growth rate (235%) makes it one to watch in 2016," the report says, comparing that to Android's growth rate of 153%.

Nevertheless, Android will still dominate mobile malware for a long time. According to the report, 10,000 new Android threats are discovered every day.

3. PHP Exploit Growth Dwarfs All Others

PHP is fast becoming a favorite exploit vehicle for cybercriminals. Its growth outstripped that of nearly every other type platform by at four times the rate of second-fastest growing type, iOS. HPE pointed to figures from ReversingLabs that showed PHP malware samples increased by 752% in 2015. Compare that to Windows-targeted malware, with an 88% growth rate and it is clear that PHP neads some scrutiny. According to HPE, a lot of this can be attributed to remote shell tools exposed through Web-based user interfaces.

4. Flash Keeps Criminals Flush With Victims         

Adobe Flash is like a cybercriminal ATM machine at this point, as crooks have learned that they can exploit it to their heart's content. Among the Top 20 vulnerabilities most commonly targeted by malware last year, half of them were Adobe Flash vulnerabilities.  

"The most commonly encountered Flash samples include two discovered after the Hacking Team breach (CVE-2015-5119 and CVE- 2015-5122 ), and a third (CVE-2015-0311) found in the Angler exploit toolkit," the report noted.

5. Old Vulns Are The Best Vulns

Tried and true, old vulnerabilities keep coming up as a reliable means of exploiting the masses. Among the top 10 exploited vulnerabilities, all of them are more than a year old. And nearly half of them are five or more years old. In fact, in 2015, 29% of all successful exploits use a 2010 infection vector that has two different patches available for fixes.


Interop 2016 Las VegasFind out more about the latest attacks at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/18/2016 | 3:10:42 PM
Malicious links
Don't forget that most apps have a WebView to display web content - it doesn't come with the same security as browsers so there's no checking to see if links are legit or malicious. In most cases you can't even see the URL.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.