That’s the word from IBM’s X-Force 2012 Year-End Trend and Risk Report, which found that the exploitation of web application vulnerabilities rose 14% in 2012 to reach more than 3,500 known issues, or 43% of all reported vulnerabilities.
“One of the differentiators that we observed across various attacker efforts was that by targeting vulnerabilities in cross-platform frameworks, and building on a solid foundation of tried-and-true attack techniques, attackers are achieving a greater return on exploit development in 2012,” said IBM Mobile Security Solutions lead Vijay Dheap, writing in the Smarter Planet blog.
“2012 marked notable advances in operational sophistication – more than technical sophistication – across all attacker groups and many attack methods,” said Dheap. “While media headlines are dominated by the achievements of advanced tactics used to breach high-profile organizations, more often than not, these efforts follow a path of least resistance and rely on simpler, tried-and-true methods rather than zero-day attacks and sophisticated malware. Advanced persistent threats, while persistent, did not always use advanced technical approaches such as zero-day exploits and self-modifying malware.”
For instance, in 2012, DDoS attacks increased year-to-year from 2011 and the report found that attackers are modifying their tactics to increase sophistication. 2012 saw an enormous increase in DDoS traffic volumes using up to 60–70 Gbps of data, driven by compromised round-the-clock, higher-bandwidth web servers instead of PCs. Hacktivists have selected DDoS as their weapon of choice, and the ready availability of exploit toolkits such as “itsnoproblembro” provides upgraded technology to even the rank-and-file antagonists.
Web application exploits were led primarily by cross-site scripting (XSS) and SQL injection. The level of XSS vulnerabilities was the highest X-Force has ever seen, at 53%, driven by third-party add-ons or plug-ins for content management systems. “Attackers know that CMS vendors more readily address and patch their exposures compared to smaller organizations and individuals producing the add-ons and plug-ins, and went after the softer targets,” said Dheap.
Also, IBM found that web browser exploit kit authors were favoring the use of exploits targeting newly discovered Java vulnerabilities, and successfully incorporating them within a span of two to three months after the code was made available or detailed information published.
“The reason for this is simple: Java is a means to successfully infect the highest number of systems possible,” Dheap noted.
Also in 2012, social media repositories were leveraged for enhanced spear-phishing techniques, persuading users into clicking on malicious links seemingly originating from friends and co-workers. The ability to focus on individuals allowed attackers to see enterprises as a collection of personalities helping them take advantage of the employees’ personal activities, and more easily bypass enterprise email security countermeasures or perimeter security defenses.
IBM X-Force also witnessed operational sophistication in the way spam botnets improved their resiliency against takedowns. While spam levels have fallen from one year ago, “today’s spam is better targeted and continues to include effective methods to inject malicious code – such as images and zip files – or instead pointing users to malicious links,” noted Dheap. “IBM X-Force also witnessed operational sophistication in the way botnet command and control servers improved their resiliency against takedowns by compensating with other readily available networks.”
But the news wasn’t all bad. The report also found that the mobile computing environment should be more secure than traditional user computing devices by 2014.
“While this prediction may seem far-fetched on the surface, it is based on existing security control trends and needs that already exist driven by the popularity of mobile computing and BYOD,” said Dheap. “The challenges have resulted in new control technologies that will allow for more finite controls over previous approaches for traditional computing devices. It is also logical that we've already seen some of these improvements trickle down into mainstream desktop operating systems and should expect this trend to continue.”
He also said that developing applications for mobile environments is fundamentally a different process from the desktop world. “Application sandboxing limits the exposure of system level interfaces, digital signing prevents the installation of rogue code, the ability to remotely wipe the whole device – or selected applications and associated data – is another built-in safeguard, and biocontextual authentication involving physical location, network identification, voice recognition, and eye and facial recognition are all being pioneered on mobile platforms,” added Dheap.