Dark Reading

How Attackers Choose Which Vulnerabilities To Exploit

A look at how the bad guys choose their attack methods -- and what you can do about it

[Excerpted from "How Attackers Choose Which Vulnerabilities To Exploit," a new report posted this week on Dark Reading's Vulnerability Management Tech Center.]

It's an old but true adage: To protect yourself against a criminal, you have to think like a criminal. This certainly applies to IT security professionals working to keep their organizations' systems and data safe: To protect against a cyber attacker, you have to think like a cyber attacker.

According to Verizon's 2012 Data Breach Investigations Report, 81% of data breaches utilized some form of hacking, and 94% of the attacks were not classified as difficult. Even those attacks that were more complex often used simple techniques to gain an initial foothold.

The reason so many attacks are reasonably straightforward is that most attackers use exploit toolkits downloaded from the Internet. These toolkits make it easy for anyone to generate and distribute malware that has a high degree of success, and they mainly target end-user applications with well-known vulnerabilities.

Many exploit toolkits have easy point-and-click user interfaces, and although they may incorporate fairly recent vulnerabilities and ingenious payloads, the user doesn't need to understand their complexities to launch an attack.

Blackhole 2.0 is one of the most popular toolkits, even though it targets fewer software security holes than rival kits. Yes, hacking is a business, and hacking toolkits are in competition. Although some are free, there's also a commercial market for tools with the latest and greatest features. An instance of Blackhole on the author's server can be rented by the day or month, and annual licenses can be purchased. Malware infection-as-a-service and botnets can all be rented or leased by the hour, by the day or longer.

Such tools aren't going to include exploits that no longer work, and all the evidence suggests that old vulnerabilities continue to be successfully used by attackers, with profits far exceeding a toolkit's initial purchase or rental cost.

The Verizon RISK Team concluded that most victims were not preselected but were chosen because the attacker found an easily exploitable weakness. The opportunist attacker can find potential victims by simply scanning the Internet for sites running code that's known to be vulnerable, such as a particular version of an e-commerce software package.

Tools such as Nmap, or searches on Google (Google hacking), can find security holes in the configuration and code of networks and websites accessible via the Internet. This research can be anonymized by running it through services such as I2P, which prevents the attacker's IP address from appearing in the target's logs.

Certain types of businesses have developed a reputation as being easy targets. Franchises are one such type of business. It makes sense, because a franchise lets attackers get the absolute most bang for their buck: When attackers find a vulnerability they can exploit against a particular franchisee, the exploit often works at hundreds of other franchisees as well. Small and midsize businesses are often preferred over larger enterprises because they are profitable targets yet frequently have far fewer security resources protecting their assets.

The Elderwood gang -- the attackers behind the Aurora attacks that targeted Google, Adobe and other big U.S. companies -- are primarily interested in gathering and stealing intellectual property and trade secrets, infrastructure details and information useful for future attacks. However, the appearance of "watering hole" attacks -- in which attackers manipulate a website to serve up malware to site visitors -- means that even basic brochureware sites can be potential targets.

A terrorist group, meanwhile, is more likely to seek higher-impact targets, such as critical infrastructure -- anything destructive or disruptive enough to intimidate or coerce a government or its people. These groups see computers as weapons or targets.

To get details on how attackers identify and select the specific vulnerabilities they will exploit -- and some tips on how to discourage them -- download the free report on vulnerability research and management.

4/4/2013 | 7:24:37 PM
re: How Attackers Choose Which Vulnerabilities To Exploit
Perhaps because I've been looking into this for the last couple of years, the overview of this report seems superficial - or at least exactly what one should expect. I was hoping for some more insight into hacker motivations given the title, not just they attack what's easiest.