2016 Watch: Advanced EKs, Malware and Encrypted Hacks

According to the Dell Security Annual Threat Report detailing the cybercrime trends that shaped 2015, there are four key developing trends in cybercrime. These are: The evolution of exploit kits to stay one step ahead of security systems; a continued surge in SSL/TLS encryption that is giving cyber-criminals more opportunities to conceal malware from firewalls; the continued rise of Android malware; and a marked increase in the overall number of malware attacks.

Exploit kits have evolved with alarming speed, heightened stealth and novel shape-shifting abilities, the report contests. While the year’s most active kits were Angler, Nuclear, Magnitude and Rig, the overwhelming number of exploit kit options gave attackers a steady stream of opportunities to target the latest zero-day vulnerabilities, including those appearing in Adobe Flash, Adobe Reader and Microsoft Silverlight.

The report shows that cyber-criminals employed a number of new tactics to better conceal exploit kits from security systems, including the use of anti-forensic mechanisms; URL pattern changes; steganography which is concealing the file, message, image, or video within another file, message, image or video; and modifications in landing page entrapment techniques.

“Exploit kit behavior continued to be dynamic throughout the year,” said Patrick Sweeney, vice president of Product Management and Marketing, Dell Security, in the report. “For example, Spartan, which was discovered by the Dell SonicWALL threat team, effectively hid from security systems by encrypting its initial code and generating its exploitative code in memory rather than writing to disk. Exploit kits only have power when companies do not update their software and systems, so the best way to defeat them is to follow security best practices, including keeping up with updates and patches; employing up-to-date, host-based security solutions including NGFWs and Intrusion Prevention Services (IPS); and always being cautious while browsing both known and unknown sites.”

Meanwhile, SSL/TLS encryption passed the tipping point, encrypting 64.6 percent of web hits and leading to under-the-radar hacks affecting at least 900 million users in 2015. Going forward, new decryption/inspection strategies are a clear necessity.

The growth of SSL/TLS Internet encryption is a mixed bag—a positive trend in many ways, but also a tempting new threat vector for hackers. Using SSL or TLS encryption, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware inspection systems. This tactic was used in a crafty malvertising campaign in August 2015 to expose as many as 900 million Yahoo users to malware by redirecting them to a site that was infected by the Angler exploit kit.

“The good news is that there are ways to enjoy the security benefits of SSL/TLS encryption without providing a tunnel for attackers,” said Sweeney. “In addition to general security best practices like updating your software, you can upgrade to a capable, extensible next-generation firewall with integrated SSL-DPI inspection.”

And, malware attacks nearly doubled to 8.19 billion with Android ecosystem being prime target, putting a large percent of smartphones at risk globally. Malware for Android continued to rise, putting a majority of the smartphone market at risk.

Dell SonicWALL noticed a sharp rise in both the number and type of malware attacks targeting the SonicWALL installed base. The team received 64 million unique malware samples, compared with 37 million in 2014, representing an increase of 73 percent, indicating attackers are putting more effort each year into infiltrating organizational systems with malicious code.

The combination of Dyre Wolf and Parite topped network traffic through 2015. Other long-lasting malware included TongJi, a widely used JavaScript by multiple drive-by campaigns (malware that downloads silently and automatically when a user visits an infected website); Virut, a general cybercrime botnet active since at least 2006; and the resurgence of Conficker, a well-known computer worm targeting Microsoft Windows operating system since 2008.

Android-specific ransomware popularity accelerated throughout the year, as did a new Android malware that stores its malicious contents on a Unix library file, rather than the classes.dex file that security systems typically scan. The financial sector continued to be a prime target for Android malware, with a number of malicious threats targeting banking apps on infected devices.

“Even though the release of Android 6.0 Marshmallow operating system in October 2015 included a slew of new security features, we can expect cyber-criminals to continue finding ways to circumvent these defenses,” said Sweeney. “Android users should exercise caution by only installing applications from trusted app stores like Google Play, keeping their eye on the permissions being requested by apps, and avoid rooting their phones.”

The report also found that the threat vectors for malware distribution are almost unlimited, ranging from classic tactics like email spam to newer technologies including wearable cameras, electric cars and internet of things (IoT) devices.

“In today’s connected world, it’s vital to maintain 360 degrees of vigilance, from your own software and systems, to your employees’ training and access, to everyone who comes in contact with your network and data,” said Sweeney.

Photo © Andrea Danti

What’s Hot on Infosecurity Magazine?