4/1/2014
04:15 PM

Cyber Criminals Operate On A Budget, Too

New report shines light on how attacks have gotten more advanced but still basically use some of the same old, same old tools

Most cyber attacks today are waged by cost-conscious criminals who mostly repurpose malware and other techniques to get the most bang for their buck, a new study finds.

Attackers don't need to write the next Stuxnet or other advanced piece of malware to hit their mark -- about 99 percent of attacks are based on incremental tweaks to existing malware and methods, according to Websense, which published its new 2014 Threat Report today. The report analyzed more than 4.1 billion live attacks detected by Websense last year.

Advanced attacks, in Websense's parlance, are any attacks that try to get past existing traditional defenses. "The mastermind criminals of the APTs and the Stuxnet world require huge amounts of investment to come out with advanced attacks. But we [say] the bar is so much lower [for most attacks], with 99 percent of attacks doing all damage simply by making incremental changes" in malware, says Charles Renert, vice president of Websense Security Labs.

Most attackers are using exploit kits today rather than crafting their own malware: The volume of attacks employing these kits is about 1,000 to 1, Renert says. "There's a mass market out there" for tools, he says, and attackers are looking for relatively inexpensive ways to exploit their targets.

Websense detected some 67 million attack attempts via exploit kits last year. Blackhole was the most popular kit in use for much of 2013, but after its alleged creator "Paunch" was arrested in October, Magnitude and Redkit have been battling it out for the No. 1 slot, according to Websense data. Redkit, as of January of this year, had nudged out Blackhole for the top slot.

The Websense report says:

Within a week of Paunch's arrest, Websense researchers noted a dramatic increase in the variety of techniques used by the cybercriminal community. Malicious email links that previously redirected to Blackhole exploit kits, for example, began pointing to the Magnitude exploit kit. Further, for a short time direct email attachments were the predominant attack mechanism. Cybercriminals thus have proven that the loss of Blackhole will not deter them from their goals.

But the most elite of the attackers don't bother with exploit kits. "If you're really sophisticated, you don't use exploit kits because they leave markers, such as the apparatus being deployed, the techniques being used," says Renert.

So the bulk of attacks are really just repurposed versions of the same old, same old. "Our contention is there's not a lot of new stuff being invented," Renert says. "They use the stuff that's cheapest to create for the highest value, and that is slight incremental improvements [in their attacks]. They are having a tremendous deal of success."


Take Zeus, for example, which originally was all about targeting financial information and credentials. Today, new iterations of the malware kit are going after the services market mostly, followed by manufacturing and then finance, Websense says. Zeus variants also were spotted going after government, education, retail, healthcare, and utilities.

Not surprisingly, Java is still a huge target for the bad guys, mainly because its current versions are riddled with security holes, and users are not consistently updating the application. According to Websense, one month after a new version of Java had been released last year, just 7 percent of users had applied it, and 31 percent of systems run versions of Java that are out of date by a year or more.

Websites, meanwhile, are a major threat landscape. Some 85 percent of malicious links, whether on websites or in email-borne attacks, were located on legitimate websites that had been compromised, according to the report. Renert says redirection is a common method used by attackers today.

Meanwhile, 30 percent of malware samples found by Websense last year used custom encryption to steal data.

According to Websense, cybercriminals are zeroing in on specific populations, geographies, user communities, and individuals. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
jaingverda
User Rank: Apprentice
4/8/2014 | 12:51:29 PM
ReUse not Redo
The low hanging fruit analogy is somewhat disingenuous considering today's antivirus scanners. It's long been known that small tweaks to the code base will evade the scanner's signature detection. So why would a criminal, just like a business, spend hours and hours writing new code when all you have to do is tweak a couple of methods and maybe swap some variable names around to make the virus work again for a couple of days to a couple of months? That is the best ROI that the criminal can have, especially with limited resources. It's analogous to throwing the baby out with the bathwater.

The time has come to try and find a new way of writing antivirus though. The hackers and criminals are making too many new viruses for the signature detection to work effectively anymore. Really the best spot to trap this stuff would be at the network level using something similar to deep packet inspection and network analysis on the fly. Ideally the best protection is to maintain a white list, which we all know.
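The commenter's point, that a one-byte edit defeats an exact-match signature while the file stays essentially the same, can be seen from the detection side with a small experiment. This is an added example, not code from the article, from Websense, or from the commenter; it uses constructed byte strings (a fake header, a few API-name strings, a fake config URL and filler) rather than any real file, and compares a whole-file hash signature with a byte n-gram similarity score of the kind fuzzy-hashing tools use.

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in for a "known bad" file: fake header, some API-name
# strings and a fake config URL, padded with filler. It is not real malware.
KNOWN_BAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"GetProcAddress\x00LoadLibraryA\x00CreateRemoteThread\x00"
    + b"config_url=http://example.invalid/gate.php\x00"
    + b"\xcc" * 200
)


def tweak(sample: bytes, offset: int, value: int) -> bytes:
    """Return a copy of `sample` with the single byte at `offset` replaced.
    This models the trivial edit (renamed string, changed constant) the
    comment above describes; it is a constructed stand-in for a recompile."""
    edited = bytearray(sample)
    edited[offset] = value
    return bytes(edited)


# The "variant": one byte of the fake config URL changed ("gate" -> "hate").
VARIANT = tweak(KNOWN_BAD, KNOWN_BAD.index(b"gate.php"), ord("h"))


def exact_signature(sample: bytes) -> str:
    """Whole-file SHA-256, the classic exact-match signature."""
    return hashlib.sha256(sample).hexdigest()


def hash_match(sample: bytes, known_hashes: Set[str]) -> bool:
    """Exact-match detection: fires only on a byte-identical file."""
    return exact_signature(sample) in known_hashes


def ngrams(sample: bytes, n: int = 4) -> Set[bytes]:
    """Set of all overlapping byte n-grams in `sample`."""
    return {sample[i:i + n] for i in range(len(sample) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two n-gram sets, in [0.0, 1.0].
    A one-byte edit disturbs at most n grams, so close variants score high."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def similarity_match(sample: bytes, known_samples: Iterable[bytes],
                     threshold: float = 0.8) -> bool:
    """Similarity detection: flag `sample` if it is near any known-bad sample."""
    return any(similarity(sample, k) >= threshold for k in known_samples)


def compare(known: bytes, candidate: bytes) -> dict:
    """Summarise how both detection styles treat `candidate`."""
    return {
        "hash_match": hash_match(candidate, {exact_signature(known)}),
        "similarity": round(similarity(known, candidate), 3),
        "similarity_match": similarity_match(candidate, [known]),
    }


if __name__ == "__main__":
    print("original :", compare(KNOWN_BAD, KNOWN_BAD))
    print("variant  :", compare(KNOWN_BAD, VARIANT))
```

Running it shows the hash signature matching the original and missing the variant, while the similarity score of the variant stays well above the threshold. The threshold and n-gram size are tuning choices: too low a threshold flags benign files that share common library strings, which is the usual trade-off behind the false positives that similarity-based detection brings.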
Bob Covello
User Rank: Apprentice
4/8/2014 | 10:46:00 AM
Re: Same old, same old
Same Old?

No way. 

While Websense may not immediately offer the advice that you ask about, it is up to us as security professionals to stay abreast of new threats, and mitigations.  Sometimes, we have to create the mitigation for our particular environment.

As long as we share the knowledge, the attackers have a weaker foothold on the rest of their targets.
GonzSTL
User Rank: Ninja
4/8/2014 | 9:37:44 AM
RE: Cyber Criminals Operate On A Budget, Too -- security awareness
Interesting that a CIO would actually perform the test, and publish the names of people who failed it. I would have asked the following: "Did the test cross all levels of the organization, and did anyone in the upper levels fail? If so, were those names published?" Personally, I would have just published statistical results of the test, and delivered counsel to each person who failed one-on-one. Very little point in publicly humiliating someone in the organization, and even more so if it turns out that person did not receive any awareness training. I'm sure his tactic was effective, but I do question the method.
Marilyn Cohodas
User Rank: Strategist
4/8/2014 | 9:26:53 AM
RE: Cyber Criminals Operate On A Budget, Too -- security awareness
All very good points! And I totally agree with your statement that security awareness starts at the top. I had a conversation not too long ago with a CIO who said he periodically sent out a phishing email to all his employees to test their security awareness. He published the names of people who opened the link & he said it was a very effective tactic.
GonzSTL
User Rank: Ninja
4/8/2014 | 9:03:21 AM
RE: Cyber Criminals Operate On A Budget, Too -- security awareness
@Marilyn, there are a variety of reasons why user awareness training is lacking at organizations. From what I have seen, the biggest obstacle is the cost. For example, in an organization with 3000 users, effective user awareness training can be many hours per person during the course of a year. Even if it is limited to two hours, that's 6000 man-hours taken away from user productivity. Although one can argue that training is a plus for users and by extension, for the organization, the benefit of awareness training is not easily measurable in terms of the bottom line. To simplify, assume that the 3000 users' average pay is $10/hour (quite low), and 2 hours of training is delivered in a year. That's a $60,000 expense (without training preparation, etc.), and how much did it add to production? Zero! So not only did the organization spend the 60K, but it also lost 6000 hours of productivity. Additionally, an effective training program requires a lot of preparation, coordination, and strategy. Does the organization have the internal resources to adequately deliver the training, or do they have to contract an external resource? Add to that the difficulty of measuring the effectiveness of training. Sure you can administer tests that measure information retention, but how do you measure the effectiveness with respect to the overall security of IT assets? If the organization was not breached, was it because users were more aware of security? Hard to tell. If the organization was breached, was the training money ill-spent? Again, hard to tell. The best way to create an effective awareness training program is to drive it downwards in an organization. The best way to create that environment is to have a champion at the C level who sees the need and commits the necessary resources. Overall, it is a very tough call.
Marilyn Cohodas
User Rank: Strategist
4/8/2014 | 8:08:46 AM
RE: Cyber Criminals Operate On A Budget, Too -- security awareness
Great point about security awareness @GonzSTL. In your experience, what are the major reasons organizations don't invest in more user awareness training? Is it simply a financial issue or ROI, or are the problems with the effectiveness of the training programs themselves?
Marilyn Cohodas
User Rank: Strategist
4/8/2014 | 8:03:31 AM
Patch Management and Windows XP
You raise an interesting -- and timely -- point about patch management, Pierluigi. With the final Patch Tuesday for Windows XP being issued today, the opportunities for hackers will be increasing exponentially!
securityaffairs
User Rank: Ninja
4/2/2014 | 6:56:13 PM
Re: Same old, same old
I'm not surprised. If we analyze the data related to patch management processes, we can observe that in the majority of cases the window of exposure to cyber threats is very long (more than 18 months). In this period it is quite easy to acquire in the underground any kind of tool that is able to exploit well-known vulnerabilities.

These exploits are cheap and very effective against all those systems that haven't been properly managed.

Patch management is a critical component in the product lifecycle ... cybercrime knows it!
GonzSTL
User Rank: Ninja
4/2/2014 | 4:16:40 PM
RE: Cyber Criminals Operate On A Budget, Too
"same old same old", "low hanging fruit", "defense in depth", "best practices" ... all these are clichéd phrases, but still remain critical to achieving a high security posture. Undoubtedly, the bad guys are better funded than the good guys, so we good guys cannot outspend the bad guys. We just have to optimize our resources to get the most "bang for our buck" (yes, also a cliché). The unfortunate fact remains that the biggest obstacle to elevating security is security awareness and practices of human beings. Additionally, awareness training costs money - lots of it, relative to the size of an organization. It is a difficult expense to justify because the results are intangible, and metrics that measure effectiveness are difficult to assemble. Now from a bad guy's perspective, why wouldn't he recycle old tools? Why reinvent the wheel when you can modify it at a considerably lesser expense? Why not target the weakest link - a fellow human?
Randy Naramore
User Rank: Ninja
4/2/2014 | 11:59:12 AM
Re: Same old, same old
True. I re-read your post and agree.