Security exploits hit a new high last year as reported by security vendor Bromium. Their Endpoint Exploitation Trends 2015 report makes sobering reading for IT security teams who must, by now, wonder if they are ever going to stem the tide of attacks.
The press release highlights five key findings:
- Vulnerabilities and Exploits Spiked in 2015: All browsers, Flash, Java and Microsoft Office were hit hard, with a 60% increase in vulnerabilities. This led to a 40% increase in exploits.
- Malvertising is Ubiquitous: 270 sites out of the Alexa 1,000 were hit by malvertising. Exacerbating the problem is the number of advertising aggregators who often buy and sell adverts with no security or content checking. This means that people signing up to host adverts in order to gain some revenue stream are wide open to being used to distribute malvertising.
- Macro Malware Makes a Resurgence: Clothing goes in and out of fashion, and so do malware attacks. Macro malware embedded inside legitimate Microsoft Office documents is once again circulating in big numbers. Combined with a degree of spear phishing, such as subject lines like “Invoice Details” on messages sent to accounts departments, this leads to easy infections.
- Angler Exploit Kit Most Popular: The bar continues to get lower when it comes to creating exploits. The surge in exploit kits has continued with Angler EK the most common. Creators of the kits are also more diligent in updating them with some even offered as Exploits as a Service.
- Ransomware Doubled in 2015: It’s lucrative, it is included in some exploit kits, and payment through cryptocurrencies makes it hard to track. Worryingly, large companies are quick to pay up without reporting incidents to law enforcement. This has emboldened attackers and highlights the failure of the backup solutions that could help people recover from such an attack. As with the evolution of the exploit market, we are seeing the Cryptolocker Service leasing its malware as a service.
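The macro-malware finding above is one that an IT team can act on at the mail gateway: modern Office files (.docm, .xlsm, .pptm) are zip containers, and an embedded VBA project is stored as a vbaProject.bin entry, so its presence is a cheap indicator that an "Invoice Details" attachment deserves quarantine rather than delivery. The following triage check is an added example, not code from the Bromium report or this article; the documents it tests are constructed in memory, and legacy OLE2 (.doc/.xls) files are only flagged for deeper inspection because reading their macro streams needs a proper OLE parser such as oletools.

```python
"""Triage inbound Office attachments for embedded VBA macros (added example)."""
import io
import zipfile

# Real magic bytes of the legacy OLE2 compound-file format used by .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (zip-based) document embeds a VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # word/, xl/ and ppt/ all store the macro project as vbaProject.bin
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(data: bytes) -> str:
    """Return 'block', 'inspect' or 'allow' based on content, not the extension."""
    if ooxml_has_vba(data):
        return "block"    # macro-enabled OOXML: quarantine or detonate in a sandbox
    if data.startswith(OLE2_MAGIC):
        return "inspect"  # legacy binary Office file: hand to an OLE-aware scanner
    return "allow"


def _make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice_details.docm", _make_ooxml(True)),
               ("report.docx", _make_ooxml(False)),
               ("old_invoice.doc", OLE2_MAGIC + b"\x00" * 8)]
    for name, blob in samples:
        print(f"{name}: {triage_attachment(blob)}")
```

The check deliberately ignores the file name, since a macro document renamed to .docx still carries its vbaProject.bin entry.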
Malware not just the province of hackers and governments
Until the data from the breach at security company Hacking Team was published, the general view was that malware was the province of hackers, intelligence agencies and government cyber warfare teams. As we now know, that is not the case. Bromium highlights the fact that security companies are actively seeking exploits and vulnerabilities, not to report them to vendors or clients but to sell them to their own customer base.
This raises some serious questions over the morality of companies and the role of hacking in industrial espionage. It’s clear that Hacking Team was dealing with very large companies, which are all cleaning up their environments to avoid being caught up in any lawsuits as the Hacking Team data continues to be picked over.
There are a lot of companies who have ‘surveillance software’ that can be installed on devices used by employees, partners, competitors and children. All of those systems are also sold to governments and law enforcement agencies for legal if sometimes morally questionable use. What this brings into question is not the ethics of exploit research but how that market is regulated. Anything sold to ‘approved’ customers can also be sold or traded to other organisations.
Another issue here is the role of security researchers. There are many out there who play by a reasonable set of rules: inform vendors, give them time to fix and collect bounties. If the vendors are tardy, some will publish the details of the exploit to force their hand, which is not always an unreasonable approach.
However, we are beginning to see that the money available on the Dark Net for exploits is many multiples of what software vendors will pay. This means that researchers are being asked to weigh their own moral compass against their earning potential when they discover an exploit. Unsurprisingly, just as in other industries, there are a number who are happy to take the money and run.
The software industry must up its game
What this means is that going forward we are going to continue to see a rise in the number of exploits that are going undetected by software vendors until they are successfully used by hackers and cyber criminals. Bromium reports that the number of discovered vulnerabilities is up 60% since 2014. The key here is that they have been discovered and reported rather than still going undetected.
Quite rightly, Bromium calls out better testing, shorter release cycles (which mean patches can be issued quickly) and new ways of doing code analysis. It also highlights changes in architecture by companies such as Microsoft for Internet Explorer, which it credits with reducing exploits.
There is a more serious issue here. Software companies have always claimed that they cannot be liable for the flaws in their product. At some point, regulators are going to have to decide what constitutes negligence and liability. We already see that in the industrial arena and as autonomous vehicle research continues it is likely that we will see changes to the law around liability for accidents.
Making exploits easier to use
The use of exploit kits that are rented out and come with gold-level support continues to grow. There are few companies in any market that can point to a level of support for their products that matches that of exploit kit owners. Regular updates, free help with use of the kit and access to a wide community of experts able and willing to help make the development of a good exploit kit a licence to print money.
The result of all of this is that almost anyone can get into the market with their own malware. There is no real technical barrier apart from finding your way to the Dark Net and locating the right forums to buy an exploit kit. There are some hurdles, such as ensuring that the buyer does not become a mark, but this doesn’t seem to happen too often. Honour among thieves? Once access to an exploit kit has been obtained (Angler being 2015’s most popular), creating a new piece of malware is simple.
A key change to the way exploits and their payloads work is the use of encryption. Bromium reports that it is seeing malware create secure channels between the code that breaches the end-user device and the server where the payload is stored. That encrypted channel lets attackers move malware that is invisible to the standard security software used by companies. Although 2015 was the first year this was seen, it is likely that we will see a surge of it in 2016.
This use of encryption is actually playing into the hands of governments who want to either outlaw encryption or have back door access built into products. The hacker community finds this amusing as anything governments can access, they can access too. There is a general belief in parts of the community that governments are making life easier for the cybercriminals.
Crypto-ransomware writers continue to cash in
Since 2013 the number of distinct members of the crypto-ransomware family has gone from 2 (2013) to 7 (2014) to 13 (2015). This rate of growth is likely to continue, and the fact that it is now offered as a service, so that malware writers can include it in their own code, is a serious concern.
Equally worrying is the fact that companies are getting infected and deciding that it is easier to pay up than to restore data. This not only speaks volumes about poor process inside IT departments but also shows that companies see the impact as a nuisance to be paid to go away rather than a problem to be solved.
There are several problems with this approach. The first is that there is no guarantee that the exploit writer will hand over the right key. We’ve already seen cases where the ransomware is corrupted or so badly written that the unlock keys cannot be applied. There are also cases where the infection recurs a while later. What is not clear is whether this is planned, unplanned or a new infection.
Corporate governance teams need to think carefully about the legal situation in paying a ransom and sit down with IT to understand why they cannot just restore the data. The more that is paid the more infections we will see as the attack becomes more lucrative.
This is a useful report and one that provides some pointers for IT departments. Among these is ensuring that any corporate websites serving advertising have a process to stop malvertising being served up to visitors. Another key takeaway is that paying crypto-ransomware authors to unlock systems is not a solution; it is an invitation to repeat the bad behaviour.
Security has become weaker as Bring Your Own Device has meant the user could buy and use whatever they wanted. Too many companies lack the process and tooling to protect corporate data on end-user devices. This means that any chance of reducing the threat requires a serious rethink of how security is applied and what has to be protected.
2015 might have been a new high-water mark for attacks, but there is no evidence that 2016 will see the threats recede. In fact, judging by the sales of mobile devices at Christmas, we can look forward to more and more records being broken, and not in a good sense.