F-Secure's Threat Report H1 2013

Exploits are leading the attack pack, and Java is the most exploited target. Six of the company's top ten detections were exploits, and Java accounted for 50% of those. Exploits, of course, are the means, not the end, of an attack: they are one phase in the attack cycle, with victims driven to an exploit kit (EK) by phishing email or diverted to one through watering hole attacks.

Here F-Secure is scathing about 'several internet giants'. "The most notable information security occurrence of early 2013 is undoubtedly the hacking and breach of several Internet giants (Twitter, Facebook, Apple, Microsoft) and of numerous other Silicon Valley companies via a watering hole at iPhone Dev SDK." The problem, however, is that these victims "kept and have continued to keep important details tightly under wraps."

As a result, the general public perception is that a number of individual sites were briefly hacked. But, says the F-Secure report, the key takeaway should have been this: "a dedicated group of criminals had managed to hack numerous Internet companies via a watering hole. The attack was targeted and required human labor – it wasn't automated crimeware." The implication is that where major hacks are concerned, serious criminal gangs are willing to spend more time and resources to achieve their ends.

F-Secure notes a similar 'same but worse' scenario in mobile malware. Mobile malware continues to increase, and Android remains the most targeted platform. The company found 358 new families and variants of Android malware in the first half of the year – almost doubling the total number. But confirming the warning delivered by ENISA last week, mobile malware is growing up. It is no longer, for example, just distributed via app stores, but is now also spread by malvertising and drive-by downloads.

It is also increasing in sophistication, and Stels is given special mention. "Stels", says the report, "is an Android trojan that serves multiple purposes—it can turn an infected device into a bot that becomes a part of a larger botnet, and it can act as a banking trojan that steals mobile Transaction Authentication Numbers (mTANs)."

But F-Secure also mentions two new developments. The first is that Stels now uses social media as part of its C&C process. The weakness of a centralized C&C structure is that if the single server is discovered and taken down, the criminals lose their access to the botnet. "The Stels author(s) attempt to combat this issue by setting up a few Twitter accounts for the bots to check with to obtain a new C&C server address if the old one is no longer available."

This has already happened with one Stels version that used the Russian microblogging service Juick rather than Twitter. In May 2013 the botnet owner lost control of one of his C&C servers at droidad.net. Stels then queried Juick and received a new encrypted URL to use as an alternative C&C server.
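The fallback mechanism described above, as an added illustration that is not code from F-Secure's report or from Stels itself: a bot tries its primary gate, and only if that fails does it scan a social-media feed for a post carrying an obfuscated fallback address. The obfuscation scheme (XOR with a SHA-256-derived keystream, then base64), the "cfg:" marker, the shared secret and the reachability table are all assumptions made for the example; the report says only that the URL fetched from Juick was encrypted. The same `extract_fallbacks` routine is what an analyst with the recovered key would run over the dead-drop account to enumerate the operator's backup servers.

```python
import base64
import hashlib
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the network: which C&C gates answer. The May 2013
# loss of droidad.net described in the report is simulated by marking it down.
REACHABLE: Dict[str, bool] = {
    "http://droidad.net/gate.php": False,      # primary, no longer controlled
    "http://203.0.113.10/gate.php": True,      # fallback (TEST-NET address)
}

# Assumption for illustration only: bot and operator share a secret, and the
# fallback URL is XOR-ed with a hash-derived keystream and base64-encoded.
SHARED_SECRET = b"example-shared-secret"
MARKER = "cfg:"   # assumed tag that lets the bot pick its post out of the feed


def keystream(secret: bytes, length: int) -> bytes:
    """Derive `length` bytes by hashing secret||counter (illustrative, not Stels')."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encode_dropped_url(url: str, secret: bytes = SHARED_SECRET) -> str:
    """Operator side: obfuscate a fallback C&C URL before posting it to the dead drop."""
    raw = url.encode()
    ks = keystream(secret, len(raw))
    return base64.urlsafe_b64encode(bytes(a ^ b for a, b in zip(raw, ks))).decode()


def decode_dropped_url(token: str, secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Bot or analyst side: recover the URL, or None if the token is not a valid drop."""
    try:
        data = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    ks = keystream(secret, len(data))
    try:
        url = bytes(a ^ b for a, b in zip(data, ks)).decode()
        parts = urlparse(url)
    except (UnicodeDecodeError, ValueError):
        return None
    return url if parts.scheme in ("http", "https") and parts.netloc else None


def extract_fallbacks(posts: List[str], secret: bytes = SHARED_SECRET) -> List[str]:
    """Scan a feed of posts for entries that decode to a usable C&C address."""
    found = []
    for post in posts:
        if not post.startswith(MARKER):
            continue
        url = decode_dropped_url(post[len(MARKER):], secret)
        if url:
            found.append(url)
    return found


def resolve_c2(primary: str, posts: List[str], secret: bytes = SHARED_SECRET,
               reachable: Dict[str, bool] = REACHABLE) -> Optional[str]:
    """Bot logic: use the primary gate if it answers, otherwise the first live
    address found in the dead drop; None if nothing answers."""
    if reachable.get(primary, False):
        return primary
    for candidate in extract_fallbacks(posts, secret):
        if reachable.get(candidate, False):
            return candidate
    return None


# Constructed feed: ordinary chatter, one real drop, one post that is not a valid drop.
FEED = [
    "nice weather today",
    MARKER + encode_dropped_url("http://203.0.113.10/gate.php"),
    MARKER + "not-a-real-token",
]

if __name__ == "__main__":
    print(resolve_c2("http://droidad.net/gate.php", FEED))
```

The practical point for defenders follows from `resolve_c2`: taking down the primary domain alone does nothing once the bots can read the feed, so the dead-drop account (and the key material needed to decode its posts) is an indicator worth capturing alongside the C&C hostname.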

The second new development for mobile malware is that Stels has been delivered via IRS-themed spam sent by the Cutwail botnet. "A user who clicked on the link on an Android device was directed to a web page asking him to update the Flash Player application. The ‘update’ which the user ended up with is actually the Stels trojan."

If there is one single message from F-Secure's Threat Report for the first half of 2013 it is this: the threats remain broadly similar to those of 2012; but the actors are getting more sophisticated and more professional, and the threats are getting more dangerous.
