A little something old, a little something new – according to security firm Websense, those words could very well be the battle cry of today’s attackers.
Even as malware tools have gotten more sophisticated, malware authors continue to blend new techniques with old ones, the firm explained in its 2015 Threat Report. While the source code and the particular exploit being used may be unique, the infrastructure used in many attacks is not new. According to the report, 99.3 percent of malicious files in 2014 used a command and control (C&C) URL that had been previously used by one or more other malware samples. In addition, 98.2 percent of malware authors used C&Cs found in five other types of malware.
“Attacks evolve quickly, and this may include simple changes to the malware such as trying a different exploit, yet not changing the C&C communication portion,” said Bob Hansmann, director of product security at Websense. “So they attackers will often to use a single C&C URL until it proves less effective. The ‘window’ for these types of attacks can be quite large, depending on the victims targeted, due to the long update cycle of some security solutions, and the target victims of the attack. For example: the laptops of mobile workers can be very susceptible for extended periods of time while off network.”
According to Websense, attackers appear to be focusing on quality over quantity, as the total number of observed threats – a whopping 3.96 billion – actually dropped 5.1 percent in 2014 compared to the previous year. However, as the firm notes in the report, there were numerous examples of breaches of high-profile organizations in 2014. That reality stands as a testament to the skill of attackers, the report states.
“Additionally, attacks are becoming less linear in following the Kill Chain,” the report contends. “They have become harder to detect, as stages are skipped, repeated or only partially applied, thereby reducing the threat profile. Combined with more subtle and shorter evolution cycles, cyber threats in 2015 will challenge the savviest IT professional as they come and go before even being detected or identified.”
The non-linear application of the threat kill chain takes many shapes, said Hansmann.
“For example, an attack could find that it has successfully reached a point where a low-level user has been compromised, but that the user’s access is so limited that they cannot progress much further,” he said. “So this fully compromised system may simply be used to send lures – stage two of the kill chain – internally in hopes of spreading laterally within the organization to infect someone with more interesting privileges.”
According to the report, suspicious emails were up 25 percent year-over-year, while dropper files fell 77 percent and call-home activity rose 93 percent.
“Since the capture of Paunch in late 2013, the author behind the then dominant ‘Blackhole’ exploit kit, others continue to struggle for market share in this criminal marketplace and no one has truly become dominant,” said Hansmann. “This is one of the reasons behind the explosion of new kits we witnessed, where they may sense a revenue opportunity.”
“Regarding exploit kit sophistication, our observations is that they are becoming more specialized, or focused,” he continued. “It is a quality over quantity decision. In place of the super kits of the past that attempted to include exploits for a wide range of situations, the architects of modern threats will choose one or more exploit kits that will provide for their needs given their target audience.”
The full report can be read here.