September 24, 2013 By Leslie Horacek 9 min read

For over 15 years, IBM X-Force has been tracking trends and emerging threats. Today we released the 2013 mid-year trend and risk report which highlights some of our key findings.

While vulnerability statistics, attack trends, and data breaches are all covered in detail, one of the more interesting points of discussion is a look at the psychology and social engineering around how these attacks are implemented. We explore how attackers have learned to capitalize and take advantage of the human factor in trust relationships.

Attackers are Optimizing Tactics

Attackers are optimizing their operations around several key objectives, chief among them a path of least resistance that reaches the largest number of potential targets for the minimal amount of exploit effort.

For example, attackers are optimizing:

  • The exploitation of trust via social media.
  • Coordinated operations that leak user data and exploit weak entry points into global brands, such as foreign local-language or franchise sites.
  • Mobile malware targeting Android devices as that market expands.
  • Takeover of central, strategic targets in order to reach and exploit a broader base of end users.
  • Diversion and distraction techniques that throw security administrators off the trail while targets are breached under cover.

Download: IBM X-Force 2013 Mid-Year Trend and Risk Report

Consider the following…

As technology began its meteoric rise alongside humanity, the maturity and understanding of how we react to each other face-to-face was left behind. Suddenly we were getting schooled on how to send proper emails. Companies began programs to teach users how to respond through technology so that conversations didn’t leave a harsh, two-dimensional trail of requests. Users had to begin learning new phrases like spam, phishing and spear-phishing. In one quick decade, the way we create and transact business with each other had changed drastically.

How is this relevant to today’s ever changing technology?

Rise in Exploitation of Trusted Relationships

In this quickening pace of technology, it is imperative for security professionals to understand how attackers are taking advantage of trust in relationships to breach an organization, target groups of users, and create methods of diversion.

Attackers today operate more like marketing organizations in professional enterprises, leveraging metrics such as return on investment (ROI) and search engine optimization (SEO) to gain higher click-through rates with maximum reach and ultimately to optimize their capital gain.

There are also shattered or diminished trust relationships that continue to affect business practice. Some examples:

  • Enterprises that trust that the correct security procedures and policies are implemented on their networks, even as continuing high breach activity shows otherwise.
  • Users who trust that a company is protecting their personal data.
  • Enterprises that “want to trust” the growing wave of infrastructure that is social media and mobile as it expands the fluidity of our lives.
  • Network and security admins who trust that “old attack methods and historic vulnerabilities” are not as important as other more current issues.
  • Software developers and technical, security-savvy people who visit a trusted site not thinking that they have to protect themselves from drive-by-downloads.

Each of these areas of diminished trust is enabling attackers to quickly employ operational sophistication in ways that advance their intentions and efforts.

In the previous IBM X-Force 2012 Trend and Risk Report, we discussed the idea of operational sophistication versus technical sophistication. Throughout the first half of 2013, we observed a continuation of this trend in both the type of breaches that have occurred and the motivations behind them.

Security incidents and data breach activity continue into the year, crossing many geographies and industries. In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012.


Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice. Attackers seem to be capitalizing on this “lack of security basics” by using a model of operational sophistication that allows them to increase their return on exploit. The fact that even basic security hygiene is not upheld in organizations leads us to believe that, for a variety of reasons, companies are struggling to commit to applying basic security fundamentals.

Poisoning the Waterhole

An interesting area where the trust relationship has taken a turn is the attack technique called a “waterhole.”

Attackers focusing on a central, strategic target, such as a special-interest website heavily frequented by a select group of potential targets, have found an effective and optimized means of exploitation. These central targets may not always have strong security solutions and policies deployed, and even if they do, the cost of figuring out how to get through them is worth the opportunity to compromise the user base.

These “watering hole” attacks are a great example of how operational sophistication is being used to reach targets not previously susceptible. By compromising the central site and using it to serve malware, attackers are able to reach more technically savvy victims who may not be fooled in phishing attempts, but would not suspect that sites they trust could be malicious.

Distraction and Diversion Techniques

Another very popular technique given new life in the last two years is the distributed denial-of-service (DDoS) attack.

While disruptive and damaging on their own, DDoS attacks can also be used as a distraction, allowing attackers to breach other systems in the enterprise while IT staff are forced to make difficult risk-based decisions, possibly without visibility into the full scope of what is occurring. Attackers have demonstrated enhanced technical sophistication in the area of DDoS, both by increasing the amount of bandwidth they can bring to bear as a new and powerful way to halt business by interrupting online services, and by developing new techniques for evading DDoS mitigation.

Disenfranchised Far from Home

Additional operational sophistication was seen in the attack of major global corporations by breaching franchises or local language sites in countries outside of corporate headquarters. These satellite sites are not always secured with the same standard as the home office. By going after a weaker point of entry into larger enterprises, attackers were able to reach and tarnish well-known brands. This can result in a reputation hit as well as legal implications for leaking sensitive customer data. These types of leaks affected the food, consumer electronics, automotive, and entertainment industries in particular.

Social Media – A Tool for Business, Reconnaissance and Attacks

Criminals are selling accounts on social networking sites, some belonging to actual people whose credentials were compromised, others fabricated and designed to be credible through realistic profiles and a web of connections. At a minimum, their use is to inflate page ‘likes’ or falsify reviews; more insidious uses include hiding one’s identity to conduct criminal activities: the online equivalent of a fake ID, but with testimonial friends adding to the deception.

IBM X-Force expects to see these newer applications of social engineering become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims. Users must adopt a mindset of guilty until proven innocent when it comes to social media and companies should engender suspicion to protect users and assets.

Technology advancements and controls are available, and best practices continue to be refined and taught, but ultimately the trust a user believes they have may circumvent anything security practitioners put into place.

Recent Advances in Android Malware

In the past few years, there has been explosive growth in Android devices, and malware authors are turning their attention to that area of growth.

As the number of users who own and operate Android devices rapidly expands, malware authors have increased their efforts to take advantage of this larger market. Older mobile devices are even more vulnerable, as only 6% of Android devices are running the latest version of the platform, which has the security enhancements needed to combat these threats.

For the rest of 2013, X-Force expects to see the number of Android malware apps continuing to rise. We also anticipate that the degree of sophistication for this malware will eventually rival those found in desktop malware. There could be more improvements to combat malware in future versions of Android, but we believe that OS fragmentation (older versions that are being used as much as newer ones) will remain a problem.

Android Chuli malware (left) and Android 4.2 OS security enhancements (right)

Zero-day Attacks in 2013 H1

Another example of how attackers are increasing their return on exploit is in the way they are targeting cross platform services to reach a maximum number of potential targets.

It is worth noting that almost 80% of the zero-day vulnerabilities covered by IBM X-Force in the first half of 2013 affected both Microsoft Windows and Apple Mac OS X. Nearly half also affected some Linux distributions. This cross-platform reach emphasizes the operational sophistication behind widespread exploitation.

Exploit Effort vs. Potential Reward

As cyber-attacks intensify, monitoring the numerous vulnerability disclosures every day becomes daunting. Within IBM X-Force, we track publicly issued vulnerabilities through a triage process to identify which ones are most likely to be used by an attack, and then determine which ones require deeper research.

By performing this review, we recognize that all vulnerabilities are characterized by two factors: the “potential reward” that entices the attacker and the “exploit effort to achieve” that deters the attacker from further development. The exploit-probability matrix is devised by charting “exploit reward” and “exploit effort to achieve” along its two axes. By assigning vulnerabilities to the appropriate quadrant, it becomes clear which are favored by attackers.

As illustrated in the exploit-probability matrix, easy exploitation with high potential reward (that is, high target impact) is still the sweet spot for the most prevalent attacks.

X-Force Trends by the Numbers

In the first half of 2013, we entered just over 4,100 new publicly reported security vulnerabilities. If this trend continues throughout the rest of the year, the projected total would approach 8,200 vulnerabilities, virtually the same number we saw in 2012.

Web application vulnerabilities, which have been on the rise in recent years, are down slightly in 2013. More than half of all web application vulnerabilities are cross-site scripting.

The most prevalent consequence of vulnerability exploitation in the first half of 2013 was “gain access,” at 28 percent of all vulnerabilities reported. In most cases, gaining access to a system or application gives the attacker complete control over the affected system, which allows them to steal data, manipulate the system, or launch other attacks from it.

As discussed throughout the report, while attackers continue to optimize their operational sophistication, a return to security basics is still one of the most effective strategies for mitigating both old, established techniques and evolving ones.

Read the latest research and analysis from IBM X-Force
