Connect with us

Hi, what are you looking for?



Hackers Mix the Old and the New in Attacks

A little something old, a little something new – according to security firm Websense, those words could very well be the battle cry of today’s attackers.

A little something old, a little something new – according to security firm Websense, those words could very well be the battle cry of today’s attackers.

Even as malware tools have gotten more sophisticated, malware authors continue to blend new techniques with old ones, the firm explained in its 2015 Threat Report. While the source code and the particular exploit being used may be unique, the infrastructure used in many attacks is not new. According to the report, 99.3 percent of malicious files in 2014 used a command and control (C&C) URL that had been previously used by one or more other malware samples. In addition, 98.2 percent of malware authors used C&Cs found in five other types of malware.

“Attacks evolve quickly, and this may include simple changes to the malware such as trying a different exploit, yet not changing the C&C communication portion,” said Bob Hansmann, director of product security at Websense. “So they attackers will often to use a single C&C URL until it proves less effective. The ‘window’ for these types of attacks can be quite large, depending on the victims targeted, due to the long update cycle of some security solutions, and the target victims of the attack. For example: the laptops of mobile workers can be very susceptible for extended periods of time while off network.”

According to Websense, attackers appear to be focusing on quality over quantity, as the total number of observed threats – a whopping 3.96 billion – actually dropped 5.1 percent in 2014 compared to the previous year. However, as the firm notes in the report, there were numerous examples of breaches of high-profile organizations in 2014. That reality stands as a testament to the skill of attackers, the report states.

“Additionally, attacks are becoming less linear in following the Kill Chain,” the report contends. “They have become harder to detect, as stages are skipped, repeated or only partially applied, thereby reducing the threat profile. Combined with more subtle and shorter evolution cycles, cyber threats in 2015 will challenge the savviest IT professional as they come and go before even being detected or identified.”

The non-linear application of the threat kill chain takes many shapes, said Hansmann.

“For example, an attack could find that it has successfully reached a point where a low-level user has been compromised, but that the user’s access is so limited that they cannot progress much further,” he said. “So this fully compromised system may simply be used to send lures – stage two of the kill chain – internally in hopes of spreading laterally within the organization to infect someone with more interesting privileges.”

Advertisement. Scroll to continue reading.

According to the report, suspicious emails were up 25 percent year-over-year, while dropper files fell 77 percent and call-home activity rose 93 percent.

“Since the capture of Paunch in late 2013, the author behind the then dominant ‘Blackhole’ exploit kit, others continue to struggle for market share in this criminal marketplace and no one has truly become dominant,” said Hansmann. “This is one of the reasons behind the explosion of new kits we witnessed, where they may sense a revenue opportunity.”

“Regarding exploit kit sophistication, our observations is that they are becoming more specialized, or focused,” he continued. “It is a quality over quantity decision. In place of the super kits of the past that attempted to include exploits for a wide range of situations, the architects of modern threats will choose one or more exploit kits that will provide for their needs given their target audience.”

The full report can be read here. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...