Business is struggling to keep up with rapid changes in techniques by cyber criminals as they switch to increasingly malicious campaigns, the latest threat report from security firm Proofpoint reveals.
In addition to the usual parade of new patched vulnerabilities and zero-day exploits, the first half of 2015 saw rapid changes in the exploit kit landscape, according to the Threat Report for June 2015.
The Angler exploit kit and others added zero-day exploits, demonstrating the increasing sophistication and value-add of exploit kits as part of a cyber crime infrastructure.
As predicted, Proofpoint said there had been increased targeting of personally identifiable information (PII) and a rise in use of malvertising and ransomware in the first half of 2015.
Social media threats and legislation have yet to make the same impact in 2015, but the report said trends in social media activity show that threat actors and legislators alike are discovering this vector and will focus more on it in the second half of 2015.
According to the report, there were four main trends in the first half of the year:
Shift to attachment-based campaigns.
Change in phishing techniques to target business users.
Social media increasing as a source of brand and compliance risk.
Continued decrease in the overall volume of unsolicited messages.
Shift to attachment-based campaigns
According to the report, the most striking development of the first six months of 2015 was a massive shift of threat activity from the URL-based campaigns that had dominated 2014 to campaigns that rely on malicious document attachments to deliver malware payloads.
Malicious attachments have dominated the 2015 campaigns to date, driven by the huge volumes of attachments and messages delivered by the Dridex campaigners as well as other botnets.
First emerging in late October 2014, this trend was in full force by the beginning of 2015, representing a major change in the threat landscape and demonstrating cyber criminals’ ability to switch rapidly to new tactics and techniques to stay ahead of evolving defences.
The attachments were mainly Microsoft Word documents bearing malicious macros that required user interaction in order to execute.
By combining a variety of obfuscation techniques with document templates that entice the end-user to enable the malicious macro, these campaigns applied social engineering to high-volume threats that were very successful at avoiding detection by antivirus systems.
According to Proofpoint researchers, cyber criminals have resurrected a masking technique that largely vanished from the threat landscape in 2006 because malicious macros deliver the most ‘bang for your buck’ because they combine lower up-front and maintenance costs with higher effectiveness to create a ‘killer app’ for cyber criminals.
Malicious macros are also highly successful at evading traditional signature- and reputation-based defences as well as newer behavioural analysis sandboxes. They are easy to update frequently and at low cost, they are cross-platform and “unpatchable” because they are not limited by vulnerabilities on a specific operating system or application version. They rely on socially engineered end-user interaction to bypass automated defences, and low up-front and maintenance costs increase return on investment.
For these reasons, Proofpoint researchers said it is no surprise that malicious macro attachment campaigns have grown so rapidly in size and frequency. “We can expect that they will only begin to subside when this equation changes and either their cost increases or effectiveness decreases to the point that they can no longer deliver the same returns,” the report said.
Proofpoint found that the extensive cyber crime infrastructure set to support the URL-based campaigns in 2013 and 2014 still exists and is arguably more extensive and effective, but the report said it relies much less on high-volume unsolicited email campaigns to draw in users.
Instead, Proofpoint and other researchers have observed Angler, RIG, Magnitude and other exploit kits behind compromised web servers and infected ad networks (malvertising) using known and zero-day vulnerabilities to deliver primarily CryptoWall and other varieties of ransomware.
In late June, Proofpoint researchers detected Sundown, a relatively new exploit, dropping an unusual remote access Trojan (RAT), demonstrating that the market for these capabilities remains strong enough to draw new exploit kits into the market despite increased pressure from law enforcement and the dominance of a small number of higher-profile exploit kits.
“As new exploit kits attempt to establish a foothold, expect attackers to look for novel ways to leverage the flexibility and power of this piece of the cyber criminal’s toolkit,” the report said.
Change in phishing techniques to target business users
The shift by cyber criminals to targeting business users began in the second half of 2014, and in the first six months of 2015 was visible in every aspect of the unsolicited email campaigns launched by attackers, the report said.
In line with this trend, attackers switched from social media invitation lures to corporate and personal financial communication lures.
Social media increasing as a source of brand and compliance risk
During the first six months of 2015, Proofpoint Nexgate social media security researchers found that the efficiencies gained in distributing malicious content via social media continued to make it an attractive channel for hackers and scammers.
A single phishing lure, malware link or spam message posted to a high-profile corporate social media destination may be viewed by 10,000 or more potential victims. To reach the largest possible audiences, attackers often target branded social media destinations linked to high-profile current events.
The report said social media is an international phenomenon, with a comparison of corporate social media threats in the UK and the US showing that top UK brands were 20% more active in social, exhibited twice as many unauthorised accounts, and suffered 60% more spam than top US brands.
Success in social media means larger audiences, which translates to a range of powerful benefits for the business, but the report said success can also mean greater risk because attackers are attracted to larger audiences and when a successful social media property is attacked, a vital link with customers risks being damaged.
Brands committed to social media need to manage risk, the report said, noting that best practice controls are emerging to prevent hacks, filter malicious content, and ensure compliance.
“With the right tools, organisations will be well positioned to identify and respond to social media threats, especially as they follow a path that brings them closer to an intersection point with the tools and techniques of phishing and other traditional cyber security threats,” the report said.
Continued decrease in overall volume of unsolicited messages
Although the overall the volume of unsolicited messages has decreased since 2014, the report said attackers are making greater use of smaller, more malicious campaigns.
“This is represented not only by the increasing use of ransomware and other cyber extortion techniques, but also by the fact that an ever-greater portion of malware delivered by unsolicited email is able to evade detection by antivirus solutions,” the report said.
According to Proofpoint, the research shows that attackers change their techniques more rapidly than organisations – and particularly end-user training – can adapt.
“Defending against today’s attacks requires integrated advanced threat solutions that include threat intelligence and incident response capabilities,” the security company said.
The report recommends that organisations adopt advanced threat detection systems that use dynamic malware analysis and predictive analysis and can detect and stop the new generations of sophisticated threats that are able to easily evade traditional signature- and reputation-based defences.
The report also recommends that organisations:
Automate their threat response to reduce the time from detection to containment.
Incorporate robust, comprehensive threat intelligence into their digital forensics and incident response tools and processes.
Integrate security and content enforcement, such as encryption and archiving for email and social media, to protect the two most valuable communication channels in any organisation.
“Email and social media are the most used and most effective attack vector for cyber criminals and state-sponsored actors,” the report said.