The evolution of exploit kits remains a step ahead of security systems, with cybercriminals using aggressive, shape-shifting threat tactics, according to the Dell Security Annual Threat Report.
The report is based on data collected throughout 2015 from the Dell SonicWALL Global Response Intelligence Defense (GRID) network with daily feeds from more than one million firewalls and tens of millions of connected endpoints.
The report also reveals a continued surge in SSL/TLS encryption that is giving cybercriminals more opportunities to conceal malware from firewalls. Other developing trends include a continued rise of Android malware and a marked increase in the number of malware attacks.
“Many of the breaches in 2015 were successful because cybercriminals found and exploited a weak link in victims’ security programs due to disconnected or outdated point solutions that could not catch these anomalies in their ecosystem,” said Curtis Hutcheson, general manager, Dell Security. “Each successful attack provides an opportunity for security professionals to learn from others’ oversights, examine their own strategies and shore up the holes in their defense systems. At Dell Security, we believe the best way for customers to protect themselves is to inspect every packet on their network and validate every entitlement for access.”
Exploit kits
In 2015, Dell SonicWALL noted a rise in the use of exploit kits. While the year’s most active kits were Angler, Nuclear, Magnitude and Rig, the overwhelming number of exploit kit options gave attackers a steady stream of opportunities to target the latest zero-day vulnerabilities, including those appearing in Adobe Flash, Adobe Reader and Microsoft Silverlight.
The Dell Security Annual Threat Report shows that cybercriminals employed a number of new tactics to better conceal exploit kits from security systems, including the use of anti-forensic mechanisms; URL pattern changes; steganography which is concealing the file, message, image, or video within another file, message, image, or video; and modifications in landing page entrapment techniques.
“Exploit kit behavior continued to be dynamic throughout the year,” explains Patrick Sweeney, vice president of Product Management and Marketing, Dell Security. “For example, Spartan, which was discovered by the Dell SonicWALL threat team, effectively hid from security systems by encrypting its initial code and generating its exploitative code in memory rather than writing to disk. Exploit kits only have power when companies do not update their software and systems, so the best way to defeat them is to follow security best practices, including keeping up with updates and patches; employing up-to-date, host-based security solutions including NGFWs and Intrusion Prevention Services (IPS); and always be cautious while browsing both known and unknown sites.”
Surge in SSL/TLS encryption
The growth of SSL/TLS Internet encryption is a mixed bag – a positive trend in many ways, but also a tempting new threat vector for hackers. Using SSL or TLS encryption, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware inspection systems. This tactic was used in a crafty malvertising campaign in August 2015 to expose as many as 900 million Yahoo users to malware by redirecting them to a site that was infected by the Angler exploit kit.
The Dell SonicWALL team noted a sharp rise in the use of HTTPS throughout 2015:
- In Q4 of calendar year 2015, HTTPS connections (SSL/TLS) made up an average of 64.6 percent of web connections, outpacing the growth of HTTP throughout most of the year.
- In January 2015, HTTPS connections were 109 percent higher than the previous January.
- Each month throughout 2015 saw an average increase of 53 percent over the corresponding month in 2014.
“The good news is that there are ways to enjoy the security benefits of SSL/TLS encryption without providing a tunnel for attackers,” said Sweeney. “In addition to general security best practices like updating your software, you can upgrade to a capable, extensible next-generation firewall with integrated SSL-DPI inspection.”
Malware for Android continued to rise
In 2015, Dell SonicWALL saw a range of new offensive and defensive techniques that attempted to increase the strength of attacks against the Android ecosystem, which accounts for a majority of all smartphones globally.
Dell SonicWALL noted a few emerging trends among the attacks against Android devices in 2015.
- Android-specific ransomware popularity accelerated throughout the year.
- The rise of a new Android malware that stored its malicious contents on a Unix library file, rather than the classes.dex file that security systems typically scan.
- The financial sector continued to be a prime target for Android malware, with a number of malicious threats targeting banking apps on infected devices.
“Even though the release of Android 6.0 Marshmallow operating system in October 2015 included a slew of new security features, we can expect cybercriminals to continue finding ways to circumvent these defenses,” said Sweeney. “Android users should exercise caution by only installing applications from trusted app stores like Google Play, keeping their eye on the permissions being requested by apps, and avoid rooting their phones.”
Malware attacks nearly doubled to reach up to 8.19 billion
Malware attempts continued a strong upsurge throughout 2015, causing unthinkable damage to government agencies, organizations, companies and even individuals.
Dell SonicWALL noticed a sharp rise in both the number and type of malware attacks targeting the SonicWALL installed base.
The team received 64 million unique malware samples, compared with 37 million in 2014, representing an increase of 73 percent, indicating attackers are putting more effort each year into infiltrating organizational systems with malicious code. Year 2015 also saw an almost 2x increase in attack attempts from 4.2 billion to 8.19 billion.
The combination of Dyre Wolf and Parite topped network traffic through 2015. Other long-lasting malware included TongJi, a widely used JavaScript by multiple drive-by campaigns (malware that downloads silently and automatically when a user visits an infected website); Virut, a general cybercrime botnet active since at least 2006; and the resurgence of Conficker, a well-known computer worm targeting Microsoft Windows operating system since 2008.
In October and November 2015, the Spartan exploit kit was more highly concentrated in Russia than anywhere else.
“The threat vectors for malware distribution are almost unlimited, ranging from classic tactics like email spam to newer technologies including wearable cameras, electric cars, and Internet of Things (IoT) devices,” said Sweeney. “In today’s connected world, it’s vital to maintain 360 degrees of vigilance, from your own software and systems, to your employees’ training and access, to everyone who comes in contact with your network and data.”
Flash zero-day virus decrease, Android Pay attacks, and Android Auto hacks
The Dell Security Annual Threat Report also identified several trends and predictions which are discussed in further detail in the full report.
- The battle between HTTPS encryption and threat scanning will continue to rage, as companies fear performance trade-offs.
- The number of zero-day Adobe Flash viruses will drop gradually because major browser vendors no longer support Adobe Flash.
- Malicious threats will target Android Pay through the vulnerabilities of Near Field Communication (NFC). Such attacks may leverage malicious Android apps and point-of-sale (POS) terminals, tools that are easy to acquire and manipulate for hackers.
- We can expect malicious entities to target cars equipped with Android Auto, possibly via ransomware where victims must pay to exit the vehicle or even more dangerous tactics.