Dark Reading
Quick Hits

How Attackers Choose Which Vulnerabilities To Exploit

A look at how the bad guys choose their attack methods -- and what you can do about it

[Excerpted from "How Attackers Choose Which Vulnerabilities To Exploit," a new report posted this week on Dark Reading's Vulnerability Management Tech Center.]

It's an old but true adage: To protect yourself against a criminal, you have to think like a criminal. This certainly applies to IT security professionals working to keep their organizations' systems and data safe: To protect against a cyber attacker, you have to think like a cyber attacker.

According to Verizon's 2012 Data Breach Investigations Report, 81% of data breaches utilized some form of hacking, and 94% of the attacks were not classified as difficult. Even those attacks that were more complex often used simple techniques to gain an initial foothold.

The reason so many attacks are reasonably straightforward is that most attackers use exploit toolkits downloaded from the Internet. These kits make it easy for anyone to generate and distribute malware with a high success rate, and they focus mainly on end-user applications with well-known vulnerabilities.

Many exploit toolkits have easy point-and-click user interfaces, and although they may incorporate fairly recent vulnerabilities and ingenious payloads, the user doesn't need to understand their complexities to launch an attack.

Blackhole 2.0 is one of the most popular toolkits, even though it targets fewer software security holes than rival kits. Yes, hacking is a business, and hacking toolkits are in competition. Although some are free, there's also a commercial market for tools with the latest and greatest features. An instance of Blackhole on the author's server can be rented by the day or month, and annual licenses can be purchased. Malware infection-as-a-service and botnets can all be rented or leased by the hour, by the day or longer.

Such tools aren't going to include exploits that no longer work, and all the evidence suggests that old vulnerabilities continue to be successfully used by attackers, with profits far exceeding a toolkit's initial purchase or rental cost.

The Verizon RISK Team concluded that most victims were not preselected but were chosen because the attacker found an easily exploitable weakness. The opportunist attacker can find potential victims by simply scanning the Internet for sites running code that's known to be vulnerable, such as a particular version of an e-commerce software package.

Tools such as Nmap, or targeted Google searches (so-called Google hacking), can find security holes in the configuration and code of networks and websites reachable from the Internet. Attackers can anonymize this research by routing it through services such as I2P, which keeps their IP address out of the target's logs.

Certain types of businesses have developed a reputation as being easy targets. Franchises are one such type of business. It makes sense, because a franchise lets attackers get the absolute most bang for their buck: When attackers find a vulnerability they can exploit against a particular franchisee, the exploit often works at hundreds of other franchisees as well. Small and midsize businesses are often preferred over larger enterprises because they are profitable targets yet frequently have far fewer security resources protecting their assets.

The Elderwood gang -- the attackers behind the Aurora attacks that targeted Google, Adobe and other big U.S. companies -- are primarily interested in gathering and stealing intellectual property and trade secrets, infrastructure details and information useful for future attacks. However, the appearance of "watering hole" attacks -- in which attackers manipulate a website to serve up malware to site visitors -- means that even basic brochureware sites can be potential targets.

A terrorist group, meanwhile, is more likely to seek higher-impact targets, such as critical infrastructure -- anything destructive or disruptive enough to intimidate or coerce a government or its people. These groups see computers as weapons or targets.

To get details on how attackers identify and select the specific vulnerabilities they will exploit -- and some tips on how to discourage them -- download the free report on vulnerability research and management.

4/4/2013 | 7:24:37 PM
re: How Attackers Choose Which Vulnerabilities To Exploit
Perhaps because I've been looking into this for the last couple of years, the overview of this report seems superficial - or at least exactly what one should expect. I was hoping for some more insight into hacker motivations given the title, not just that they attack what's easiest.