Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:45 PM
Connect Directly

5 Exploit Trends Driving Attacks Today

HPE Cyber Risk Report 2016 picks apart infection stats from the past year.

As cybercriminals increasingly monetize their malware efforts, enterprise defenders need to recognize that the application layer has become the biggest battlefield in today's IT risk management model.

So says the HPE Cyber Risk Report 2016, released today by Hewlett Packard Enterprise (HPE) today, which highlights a number of key statistics in last year's attack patterns.

"We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organization to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth," says Sue Barsamian, senior vice president and general manager of HPE security products.

Among the findings in the report, a number of malware trends and exploit tendancies exhibited by attackers in 2015 bubbled to the surface. Here are some of the likely trends to continue plaguing defenders in the coming year:

1. Banking Trojans Take Advantage of Office

The report showed that more than 100,000 examples of banking Trojans were found in 2015. Among the most prevalent, Zbot/Zeus and Dridex continue to reign supreme. These banking malware applications are feeding off of Microsoft Office vulnerabilities and the resurgence of the Office Macro, says the report.

"While many users
 have learned not to run programs from unknown sources, they are still likely to open documents," the report warned, explaining that macros make exploitation much easier on this front. "Finding and exploiting zero-day vulnerabilities in Office applications is not as trivial a task as compared to obfuscating a bit of VBA."

2. iOS Malware Becomes More Than A Blip

With 2015 marked as the first year that apps within the walled garden of the Apple App Store were compromised, signs are starting to show that iOS is likely to be increasingly targeted as time goes on.

"Although the total number of iOS malicious apps is very low compared to all other popular malware platforms, the growth rate (235%) makes it one to watch in 2016," the report says, comparing that to Android's growth rate of 153%.

Nevertheless, Android will still dominate mobile malware for a long time. According to the report, 10,000 new Android threats are discovered every day.

3. PHP Exploit Growth Dwarfs All Others

PHP is fast becoming a favorite exploit vehicle for cybercriminals. Its growth outstripped that of nearly every other type platform by at four times the rate of second-fastest growing type, iOS. HPE pointed to figures from ReversingLabs that showed PHP malware samples increased by 752% in 2015. Compare that to Windows-targeted malware, with an 88% growth rate and it is clear that PHP neads some scrutiny. According to HPE, a lot of this can be attributed to remote shell tools exposed through Web-based user interfaces.

4. Flash Keeps Criminals Flush With Victims         

Adobe Flash is like a cybercriminal ATM machine at this point, as crooks have learned that they can exploit it to their heart's content. Among the Top 20 vulnerabilities most commonly targeted by malware last year, half of them were Adobe Flash vulnerabilities.  

"The most commonly encountered Flash samples include two discovered after the Hacking Team breach (CVE-2015-5119 and CVE- 2015-5122 ), and a third (CVE-2015-0311) found in the Angler exploit toolkit," the report noted.

5. Old Vulns Are The Best Vulns

Tried and true, old vulnerabilities keep coming up as a reliable means of exploiting the masses. Among the top 10 exploited vulnerabilities, all of them are more than a year old. And nearly half of them are five or more years old. In fact, in 2015, 29% of all successful exploits use a 2010 infection vector that has two different patches available for fixes.


Interop 2016 Las VegasFind out more about the latest attacks at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Guru
2/18/2016 | 3:10:42 PM
Malicious links
Don't forget that most apps have a WebView to display web content - it doesn't come with the same security as browsers so there's no checking to see if links are legit or malicious. In most cases you can't even see the URL.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.