Most cyber attacks today are waged by cost-conscious criminals who mostly repurpose malware and other techniques to get the most bang for their buck, a new study finds.
Attackers don't need to write the next Stuxnet or other advanced piece of malware to hit their mark -- about 99 percent of attacks are based on incremental tweaks to existing malware and methods in their attacks, according to Websense, which published its new 2014 Threat Report today. The report analyzed more than 4.1 billion live attacks detected by Websense last year.
Advanced attacks, in Websense's parlance, are any attacks that try to get past existing traditional defenses. "The mastermind criminals of the APTs and the Stuxnet world require huge amounts of investment to come out with advanced attacks. But we [say] the bar is so much lower [for most attacks], with 99 percent of attacks doing all damage simply by making incremental changes" in malware, says Charles Renert, vice president of Websense Security Labs.
Most attackers are using exploit kits today rather than crafting their own malware: The volume of attacks employing these kits is about 1,000 to 1, Renert says. "There's a mass market out there" for tools, he says, and attackers are looking for relatively inexpensive ways to exploit their targets.
Websense detected some 67 million attack attempts via exploit kits last year. Blackhole was the most popular kit in use for much of 2013, but after its alleged creator "Paunch" was arrested in October, Magnitude and Redkit have been battling it out for the No. 1 slot, according to Websense data. Redkit, as of January of this year, had nudged out Blackhole for the top slot.
The Websense report says:
Within a week of Paunch's arrest, Websense researchers noted a dramatic increase in the variety of techniques used by the cybercriminal community. Malicious email links that previously redirected to Blackhole exploit kits, for example, began pointing to the Magnitude exploit kit. Further, for a short time direct email attachments were the predominant attack mechanism. Cybercriminals thus have proven that the loss of Blackhole will not deter them from their goals.
But the most elite of the attackers don't bother with exploit kits. "If you're really sophisticated, you don't use exploit kits because they leave markers, such as the apparatus being deployed, the techniques being used," says Renert.
So the bulk of attacks are really just repurposed versions of the same old, same old. "Our contention is there's not a lot of new stuff being invented," Renert says. "They use the stuff that's cheapest to create for the highest value, and that is slight incremental improvements [in their attacks]. They are having a tremendous deal of success."
Take Zeus, for example, which originally was all about targeting financial information and credentials. Today, new iterations of the malware kit are going after the services market mostly, followed by manufacturing and then finance, Websense says. Zeus variants also were spotted going after government, education, retail, healthcare, and utilities.
Not surprisingly, Java is still a huge target for the bad guys, mainly because its current versions are riddled with security holes, and users are not consistently updating the application. According to Websense, one month after a new version of Java had been released last year, just 7 percent of users had applied it, and 31 percent of systems run versions of Java that are out of date by a year or more.
Websites, meanwhile, are a major threat landscape. Some 85 percent of malicious links on sites or in email-borne attacks, were located on legitimate websites that had been compromised, according to the report. Renert says redirection is a common method used by attackers today.
Meanwhile, 30 percent of malware samples found by Websense last year used custom encryption to steal data.
According to Websense, cybercriminals are zeroing in on specific populations, geographies, user communities, and individuals.