Cisco: Malicious Websites, DDoS and PoS, Oh My

The attacker community continues to evolve, innovate, and think up new ways to discover and exploit weak links in the security chain. And, they sometimes simply use tried and true methods to exploit some of the same old vulnerabilities that continue to present themselves. While these cybercriminal realities don’t change very much, the Cisco 2014 Midyear Security Report illustrates that in the age of the Internet of Things, as the attack surface grows, so too grow the number of attacks, the types of attacks and the impacts of these attacks.

Cisco laid out several trends that it sees emerging in 2014. Take, for instance, websites hosting malware. As part of Cisco’s ongoing “Inside Out” project examining Domain Name System (DNS) queries originating from inside the corporate networks of select Cisco customers, researchers found that nearly 94 percent of customer networks observed in 2014 have been identified as having traffic going to websites that host malware.

Nearly 70 percent of networks were identified as issuing DNS queries for Dynamic DNS domains. And nearly 44 percent of customer networks observed in 2014 have been identified as issuing DNS requests for sites and domains with devices that provide encrypted channel services such as VPN, SSH, SFTP, FTP and FTPS, which malicious actors use to cover their tracks, exfiltrating data over encrypted channels to avoid detection.

“In short, we found no shortage of attackers discovering and exploiting weak links,” said Cisco senior vice president and chief security officer John Stewart, in a blog.

For the first half of 2014, the pharmaceutical and chemical industry, a high-profit vertical, once again placed in the top three high-risk verticals for web malware encounters. The media and publishing industry experienced a significantly higher rate of web malware encounters than previously observed.

2014 also appears to be an active year for Network Time Protocol (NTP) distributed denial of service (DDoS) attacks, Cisco noted. One of the most significant NTP amplification attacks observed in the first six months of 2014 targeted a customer of the global DNS provider CloudFlare. At its peak, the February attack reached nearly 400Gbps of User Datagram Protocol (UDP) traffic.

Meanwhile, the number of exploit kits has dropped by 87 percent since the arrest last year of the coder Paunch, the alleged creator of the widely popular Blackhole exploit kit, according to Cisco security researchers. Several exploit kits observed in the first half of 2014 were trying to move in on territory once dominated by Blackhole, but a clear leader has yet to emerge.

And, those high-profile point-of-sale (POS) exploits are gaining favor with criminals in 2014 for several reasons: The increasing likelihood that POS systems are connected to the Internet, providing criminals with a point of entry to corporate networks; a lack of understanding that payment card information should be considered critical data, which means it is less protected; and organizations’ growing use of third-party vendors for all or part of their POS solutions, providing more access points for criminals.

All of these phenomena will only intensify as more and more devices get connected.

“The ultimate goal of the Internet of Things is to increase operational efficiency, power new business models, and improve quality of life,” the report noted. “By connecting everyday objects and networking them together, we benefit from their ability to combine simple data to produce usable intelligence. But that also means there is greater potential that more personal information and business data will exist in the cloud and be passed back and forth. With that come significant implications for applying proper security to protect data and for establishing privacy policies to address how data is used.”

The security risks of the Internet of Things are likely to enhance the value of using predictive analytics and machine learning to help identify hard-to-detect threats on the network. This is part of a trend among organizations toward viewing cybersecurity as both a strategic risk and a business process.

Stewart noted the growing awareness of “the need for visibility-driven, threat-focused and platform-based security solutions that cover the entire attack continuum—before, during, and after an attack—to help close security gaps and reduce complexity caused by disparate products.”