

Dark Reading
Quick Hits

How Attackers Choose Which Vulnerabilities To Exploit

A look at how the bad guys choose their attack methods -- and what you can do about it

[Excerpted from "How Attackers Choose Which Vulnerabilities To Exploit," a new report posted this week on Dark Reading's Vulnerability Management Tech Center.]

It's an old but true adage: To protect yourself against a criminal, you have to think like a criminal. This certainly applies to IT security professionals working to keep their organizations' systems and data safe: To protect against a cyber attacker, you have to think like a cyber attacker.

According to Verizon's 2012 Data Breach Investigations Report, 81% of data breaches utilized some form of hacking, and 94% of the attacks were not classified as difficult. Even those attacks that were more complex often used simple techniques to gain an initial foothold.

The reason so many attacks are reasonably straightforward is that most attackers use exploit toolkits downloaded from the Internet. These kits make it easy for anyone to generate and distribute malware with a high degree of success, and they focus mainly on end user applications with well-known vulnerabilities.

Many exploit toolkits have easy point-and-click user interfaces, and although they may incorporate fairly recent vulnerabilities and ingenious payloads, the user doesn't need to understand their complexities to launch an attack.

Blackhole 2.0 is one of the most popular toolkits, even though it targets fewer software security holes than rival kits. Yes, hacking is a business, and hacking toolkits are in competition. Although some are free, there's also a commercial market for tools with the latest and greatest features. An instance of Blackhole on the author's server can be rented by the day or month, and annual licenses can be purchased. Malware infection-as-a-service and botnets can all be rented or leased by the hour, by the day or longer.

Such tools aren't going to include exploits that no longer work, and all the evidence suggests that old vulnerabilities continue to be exploited successfully, with profits far exceeding a toolkit's initial purchase or rental cost.

The Verizon RISK Team concluded that most victims were not preselected but were chosen because the attacker found an easily exploitable weakness. The opportunist attacker can find potential victims by simply scanning the Internet for sites running code that's known to be vulnerable, such as a particular version of an e-commerce software package.

Tools such as Nmap, or Google searches ("Google hacking"), can find security holes in the configuration and code of networks and websites accessible via the Internet. This research can be anonymized by running it through services such as I2P, which prevents the attacker's IP address from appearing in the target's logs.
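The defensive counterpart to the opportunist's scan is to rank your own assets the way a scanner would find them: Internet-exposed systems running software versions with well-known, actively exploited holes come first. The following is an added example, not code from the report; the asset inventory, product names ("shopcart", "cmsx") and vulnerable version ranges are constructed placeholders.

```python
"""Rank assets by what an opportunistic scanner would find first.
Added example, not from the Dark Reading report. All inventory rows and
the vulnerable-version ranges below are constructed sample data."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.9.1' into (2, 9, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Asset:
    host: str
    software: str
    version: str
    internet_exposed: bool


# Constructed placeholder list: software -> [(first vulnerable, first fixed), ...]
KNOWN_EXPLOITED = {
    "shopcart": [("1.0.0", "1.4.2")],
    "cmsx": [("3.0.0", "3.2.0"), ("3.5.0", "3.5.3")],
}


def is_known_vulnerable(software: str, version: str) -> bool:
    """True when version falls inside a half-open [first_vulnerable, first_fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in KNOWN_EXPLOITED.get(software, []))


def score(asset: Asset) -> int:
    """Higher = more attractive to an opportunist: known-vulnerable weighs more than exposure."""
    return (2 if is_known_vulnerable(asset.software, asset.version) else 0) \
        + (1 if asset.internet_exposed else 0)


def prioritize(assets: list) -> list:
    """Hostnames in patching order, highest score first; ties keep inventory order."""
    return [a.host for a in sorted(assets, key=score, reverse=True)]


# Constructed inventory: one exposed vulnerable shop, one internal vulnerable CMS,
# one exposed but patched CMS, one exposed shop on the first fixed release.
SAMPLE = [
    Asset("shop1.example", "shopcart", "1.3.9", True),
    Asset("intranet.example", "cmsx", "3.5.1", False),
    Asset("www.example", "cmsx", "3.6.0", True),
    Asset("dev.example", "shopcart", "1.4.2", True),
]

if __name__ == "__main__":
    for host in prioritize(SAMPLE):
        print(host, score(next(a for a in SAMPLE if a.host == host)))
```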

Certain types of businesses have developed a reputation as being easy targets. Franchises are one such type of business. It makes sense, because a franchise lets attackers get the absolute most bang for their buck: When attackers find a vulnerability they can exploit against a particular franchisee, the exploit often works at hundreds of other franchisees as well. Small and midsize businesses are often preferred over larger enterprises because they are profitable targets yet frequently have far fewer security resources protecting their assets.

The Elderwood gang -- the attackers behind the Aurora attacks that targeted Google, Adobe and other big U.S. companies -- are primarily interested in gathering and stealing intellectual property and trade secrets, infrastructure details and information useful for future attacks. However, the appearance of "watering hole" attacks -- in which attackers manipulate a website to serve up malware to site visitors -- means that even basic brochureware sites can be potential targets.

A terrorist group, meanwhile, is more likely to seek higher-impact targets, such as critical infrastructure -- anything destructive or disruptive enough to intimidate or coerce a government or its people. These groups see computers as weapons or targets.

To get details on how attackers identify and select the specific vulnerabilities they will exploit -- and some tips on how to discourage them -- download the free report on vulnerability research and management.

4/4/2013 | 7:24:37 PM
re: How Attackers Choose Which Vulnerabilities To Exploit
Perhaps because I've been looking into this for the last couple of years, the overview of this report seems superficial - or at least exactly what one should expect. I was hoping for some more insight into hacker motivations given the title, not just they attack what's easiest.