Dark Reading is part of the Informa Tech Division of Informa PLC
4/21/2017
10:52 AM
Exploits Targeting Corporate Users Surged Nearly 30% In 2016

At same time, number of attacks targeting software vulnerabilities in systems used by consumers declined over 20%, Kaspersky Lab says in new report.

A new report from Kaspersky Lab this week holds some mixed news for individuals and organizations on a couple of fronts.

The report is based on an analysis of the threats detected and blocked worldwide by Kaspersky Lab’s antimalware products in 2016.

It showed that attacks against individual users decreased nearly 21% last year, from around 5.5 million users in 2015 to just over 4.3 million users in 2016.  

During the same period though, attacks against systems used by corporate users jumped sharply from around 540,000 in 2015 to 690,000 last year, representing a 28.4% increase in 12 months. For purposes of classification, Kaspersky Lab counted users of all systems protected by the company’s enterprise antimalware suite as corporate users.

Kaspersky Lab’s data revealed a similar dichotomy in exploit activity. During 2016, several widely used exploit kits, including Neutrino and Angler, exited the underground scene, significantly reducing the ability of many cybercrime groups to spread malware.

At the same time, and somewhat counter-intuitively, Kaspersky Lab recorded more than 702 million attacks involving exploits in 2016, a substantial 25% increase over 2015. In other words, although fewer individual users encountered exploits in 2016, each user who did was hit more often: the attacks were concentrated on a smaller population.

“In other words, the number of websites infected with exploits and the number of spam messages with malicious attachments keeps growing,” the Kaspersky Lab report noted.

Alexander Liskin, a security expert at Kaspersky Lab says there are a couple of plausible reasons why corporate users ended up getting targeted more than consumers in 2016.

The slowdown in exploit kit activity, the proliferation of bug bounty programs, and redoubled efforts by software vendors to address security bugs last year significantly increased the cost to cybercriminals of developing new exploits, Liskin says. So instead of targeting consumers, criminals appear to have shifted their interest to higher-value corporate users.

“Apparently, criminals consider these users valuable targets and are willing to invest into attacking them with exploits. This could be the reason for an increased amount of attacked corporate users,” Liskin says.

The trend is worrisome. The underground economy is driven by nearly the same principles as a legit one, he says. “Cybercriminals put efforts only into potentially profitable areas. If the number of corporate users attacked with exploits is growing, it means that it makes sense for bad guys to invest into exploits for such attacks.”


Stuxnet Flaw Still A Mark

Kaspersky Lab’s review of exploit activity in 2016 uncovered other important trends as well.

Exploits targeting Windows and browser vulnerabilities for instance dropped sharply by 21.56% and 33.4% respectively in 2016. But the number of users attacked with exploits targeting security flaws in Microsoft’s Office software surged by nearly 103%.

Similarly, attacks seeking to exploit vulnerabilities in Adobe Flash and Android also rose in 2016, but by much smaller percentages: Adobe Flash exploits increased about 12% while Android exploits increased 23%.

Interestingly, the vulnerability targeted most often in 2016 was the Stuxnet LNK flaw (CVE-2010-2568), the Windows shell shortcut-parsing bug exploited in the cyber attack on Iran’s nuclear enrichment facility at Natanz seven years ago. Microsoft first patched the issue in 2010 (MS10-046) and issued a more comprehensive fix in 2015 (MS15-020, after a bypass of the original patch was found), yet attackers have kept going after the flaw and have made it the most attacked vulnerability for several years in a row.

It’s hard to say exactly why that is happening, Liskin says. It is possible that many users are still running legacy systems with unpatched or pirated Windows versions. The fact that the LNK vulnerability gives malware authors a relatively easy way to build self-spreading malware, since an infected removable drive or network share only needs to be browsed in Explorer for the payload to load, could be another factor, he said.

“There are a lot of networks around the world that are unprotected and infected with LNK equipped malware endpoints,” Liskin said. “These endpoints pose a constant threat to other parts of the network and also generate lots of detections.”
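As an added illustration, not part of the Kaspersky Lab report or this article, the following Python script applies the one detection heuristic that follows directly from how the LNK flaw works: the vulnerable shell code loaded a DLL named inside a Control Panel entry in the shortcut’s LinkTargetIDList while rendering the icon. The scanner parses the MS-SHLLINK header and IDList and flags any shortcut in which a Control Panel folder CLSID item is followed by an item carrying a file path. The sample shortcuts are constructed inside the script; the ItemID type bytes, the System32 allow-list and the verdict names are assumptions for illustration, and a legitimate Control Panel shortcut that names an applet by path will produce a "review" verdict rather than "clean".

```python
"""Heuristic scanner for the CVE-2010-2568 ("Stuxnet LNK") shortcut pattern.

Added example: parses the Shell Link (MS-SHLLINK) header and LinkTargetIDList
and flags shortcuts where a Control Panel folder item is followed by an item
that names a file.  That is the structure the vulnerable icon-rendering code
acted on; it is a triage heuristic, not a full LNK parser.
"""
import re
import struct

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1  # LinkFlags bit 0
# Control Panel folder {21EC2020-3AEA-1069-A2DD-08002B30309D}, little-endian
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")
# My Computer {20D04FE0-3AEA-1069-A2D8-08002B30309D}, used only to build samples
MY_COMPUTER_CLSID = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")
# Assumption for illustration: Control Panel applets normally live under System32
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def parse_idlist(data, offset):
    """Return the list of ItemID payloads from the LinkTargetIDList at offset."""
    (idlist_size,) = struct.unpack_from("<H", data, offset)
    end = offset + 2 + idlist_size
    pos = offset + 2
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def extract_utf16_strings(blob, min_len=4):
    """Pull printable UTF-16LE runs (paths, names) out of raw ItemID bytes."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pattern, blob)]


def scan_lnk(data):
    """Classify one shortcut's bytes: not-lnk, clean, review or suspicious."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        return "not-lnk", {}
    (flags,) = struct.unpack_from("<I", data, 20)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return "clean", {"reason": "no LinkTargetIDList"}
    items = parse_idlist(data, HEADER_SIZE)
    saw_control_panel = False
    paths = []
    for item in items:
        if CONTROL_PANEL_CLSID in item:
            saw_control_panel = True
            continue
        if saw_control_panel:
            # Anything after the Control Panel item that looks like a file reference
            paths += [s for s in extract_utf16_strings(item)
                      if "\\" in s or s.lower().endswith((".cpl", ".dll"))]
    if not saw_control_panel:
        return "clean", {"reason": "no Control Panel item"}
    if not paths:
        return "clean", {"reason": "Control Panel item carries no file path"}
    outside = [p for p in paths if not p.lower().startswith(TRUSTED_PREFIXES)]
    if outside:
        return "suspicious", {"paths": outside}
    return "review", {"paths": paths}


def build_lnk(items):
    """Construct a minimal shortcut from ItemID payloads (test input only)."""
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)).ljust(HEADER_SIZE, b"\x00")
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples; the type bytes (\x1f\x50, \x2e\x80, \x00\x00) are illustrative.
SAMPLE_EXPLOIT_STYLE = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x2e\x80" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + "D:\\loader.dll".encode("utf-16-le") + b"\x00\x00",
])
SAMPLE_BENIGN = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x00\x00" + "C:\\Users\\me\\notes.txt".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for name, blob in (("exploit-style", SAMPLE_EXPLOIT_STYLE), ("benign", SAMPLE_BENIGN)):
        print(name, scan_lnk(blob))
```

Run against a directory of shortcuts harvested from removable media or file shares, this gives the triage signal Liskin describes: a "suspicious" verdict points at a shortcut that names a loader outside the system directory, which is exactly the kind of endpoint that keeps re-seeding the rest of the network.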

The Stuxnet LNK flaw is not the only vulnerability being exploited in this manner. Another example is CVE-2012-0158, a buffer overflow in the MSCOMCTL ActiveX control (Windows Common Controls) that Microsoft Office documents can embed. That 2012 flaw, like the Stuxnet LNK bug, continues to be widely exploited by ordinary cybercriminals and targeted-attack actors alike because many individuals and organizations are still running vulnerable versions of the software, Liskin said.

The key takeaway from the research is an old one. “Patch the software you have on your PC or corporate endpoints in time,” he says. “Even this single measure would significantly decrease the risk exploits pose to your private or corporate data.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
