News and entertainment sites are responsible for more than 50 percent of malvertisements on the web, according to security experts Bromium.
The report titled Endpoint Exploitation Trends H1 2015 can be downloaded free with no registration from the Bromium website. There is also a blog by Clinton Karr which gives an interesting perspective on the threats and state of the market.
There were four big trends identified by the report:
- News and Entertainment Websites Hotbed for Malvertising
- Attackers Targeting Flash
- Continuous Growth of Ransomware
- Malware Evasion Avoids Detection
According to Rahul Kashyap, SVP and chief security architect, Bromium: “For the last couple years, Internet Explorer was the source of the most exploits, but before that it was Java, and now it is Flash; what we are witnessing is that security risk is a constant, but it is only the name that changes. Hackers continue to innovate new exploits, new evasion techniques and even new forms of malware — recently ransomware — preying on the most popular websites and commonly used software.”
Malvertisements being delivered by some of the very large websites
The bigger the website, the more attractive it is to hackers. As a statement, it should be self-evident to anyone who spends time on the Internet, but apparently not to those running some of those websites. Bromium has identified a number of major websites, such as cbsnews.com, nbcsports.com, weather.com, boston.com and viralnova.com, that are all serving up malvertisements to visitors.
The problem for these sites is that they often don’t control where the ads they serve up come from. Instead they use agencies that aggregate advertising space and adverts from around the Internet and then push them out to websites. Few of these agencies have the tools, knowledge and, apparently, interest to actually ensure that the links inside the ads are safe. Despite this, it does raise questions over compliance and user security for these sites, which really should be doing better.
News and entertainment sites account for 31.7% and 25.4%, respectively, of the sites Bromium detected serving malvertisements. The next largest groups were search sites (12.7%) and learning sites (7.9%). Interestingly, shopping and social sites were in 7th and 9th place respectively when it came to this sort of behaviour.
Flash regains its place as the most exploited application
Adobe Flash Player has returned to the top of the exploited software table with no fewer than eight exploits in the first six months of 2015. Helping this was the release of data from Italian ethical hacking (no pun intended) company Hacking Team. The data dump, which was posted online, contained details of a zero-day exploit along with the code required to weaponise it, and hackers duly obliged.
It is also believed that the source code for Adobe Flash Player was among the code stolen from Adobe when the company suffered a serious cyber breach in 2013. While the company has always refused to comment on exactly what was stolen, the number of exploits taking advantage of coding errors deep inside the product points to hackers having access to the source code. The problem for Adobe is that rewriting the product from scratch is not viable as its use declines, which leaves it having to continue to react to a seemingly never-ending series of exploits.
Malware writers getting smarter making their code harder to spot
In the arms race between malware writers and the security industry, malware writers are still winning the war. Bromium reports that the majority of the malware that they examined contained an increasing number of evasion techniques. The use of these techniques means that malware is able to bypass the detection capabilities of software from vendors such as Kaspersky, Trend Micro and others.
It is not only the malware that is evading detection but, more worryingly, the payloads. Too many people and SMEs rely on just a limited set of anti-virus and anti-malware software for security. This report implies that they may well be wasting their money and that more is needed from the major security vendors.
Even enterprise companies are likely to find that a number of their existing security protections are now being regularly bypassed as malware evolution continues.
New families of ransomware continue to appear
Bromium reports that in the first six months of 2015 it saw the emergence of nine new ransomware families. It has named them as CoinVault, TeslaCrypt, Cryptofortress, PClock, AlphaCrypt, El-Polocker, CoinVault 2.0, Locker and TOX. This is substantially more than in 2014, and as new variants and families emerge, the risk to individuals and businesses continues to increase.
There are also new business models appearing in the way that the software is sold and traded. TOX is available free to all malware writers to use as long as they agree to a 20% royalty on the ransom paid by the victims. This means that the writers of TOX are able to distance themselves from the delivery process and reduce their risk of being discovered.
As before, all payments for release of data have to be made using cryptocurrency, of which Bitcoin is still the most favoured.
This is a stark look at what is happening in the market. While other security companies are busy highlighting the reduction in spam, Bromium is highlighting that threats have not gone away. Instead they have increased and become far more sophisticated.