To avoid detection when reusing components in subsequent attacks, criminals are increasingly taking an approach that involves modification and modulation of the source code of existing attack tools. Often, this means choosing to take advantage of a specific strength of a particular piece of malware to target new industries.
“Cybercriminals continue to evolve their attack planning and execution to stay ahead of most existing security measures,” said Charles Renert, vice president of security research for Websense, in a statement. “While the determined, persistent attackers continue to have success in advanced, strategic attacks using zero-day exploits and advanced malware, there has also been a boom in cybercriminal activity on a massive scale. Even these more ‘common’ forms of attack are easily slipping past organizations without real-time defenses.”
Websense noted in its report that although data theft was a common goal of many attacks, attacker motivation varied greatly.
“Financial gain remained a highly motivating factor, yet some attackers attempted to compromise data for reasons other than making money — to destroy a company’s data and impair its competitive advantage, for example, or to disrupt civic infrastructure or steal state secrets,” it said.
In the report, Websense details the “kill chain” — that set of activities executed by threat actors to penetrate organizations, which can be segmented into seven discernible stages: recon, lure, redirect, exploit kit, dropper file, call home and, finally, data theft.
At the beginning of the chain, the report found that attack techniques range far and wide. Some, such as the “royal baby” attacks leveraging the interest in the birth of Prince George, went after wide swaths of users. In fact, 3.3% of all spam contained malicious links and other malicious content. Others revealed a continuing trend toward highly targeted campaigns, such as the Tibetan website watering hole attacks that focused solely on financial institutions in the Middle East and sent as few as 10 emails from a vendor’s compromised email server.
In terms of the redirect stage, where an initial attack vector succeeds in getting a victim to click on a malicious link, it turns out that 85% of the bad links used in web or email attacks were located on compromised legitimate websites.
Websense said that it logged 1.8 billion malicious redirect events in 2013, with the top targets falling into the business and economy, information technology, shopping and travel categories. The average number of website redirects used per attack in 2013 was four, though in one documented attack it went up to 20.
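The redirect figures above (an average of four hops per attack, up to 20) suggest a simple proxy-log check: stitch each client's consecutive 3xx hops into chains and flag any chain at or above a hop threshold. This is an added Python example, not code from Websense or its report; the log format, hostnames and the assumption that each client's requests appear in order are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (hypothetical format: time client status url location-or-dash)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 302 http://news.example/article http://cdn1.example/a
10:00:02 10.0.0.5 302 http://cdn1.example/a http://track.example/b
10:00:02 10.0.0.5 302 http://track.example/b http://gate.example/c
10:00:03 10.0.0.5 302 http://gate.example/c http://landing.example/ek
10:00:03 10.0.0.5 200 http://landing.example/ek -
10:00:07 10.0.0.9 301 http://shop.example/ http://www.shop.example/
10:00:07 10.0.0.9 200 http://www.shop.example/ -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")

def parse(log):
    """Yield (client, status, url, location) per line; location is None when absent."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, client, status, url, loc = m.groups()
            yield client, int(status), url, None if loc == "-" else loc

def redirect_chains(log):
    """Group requests by client and stitch consecutive 3xx hops into chains.
    Returns {client: [[url0, url1, ...], ...]}; a chain lists every URL visited in order."""
    chains = defaultdict(list)
    open_chain = {}  # client -> (current chain, URL the last Location header pointed to)
    for client, status, url, loc in parse(log):
        chain, expected = open_chain.get(client, (None, None))
        if chain is not None and url == expected:
            chain.append(url)          # request follows the previous redirect
        else:
            chain = [url]              # new navigation, start a fresh chain
            chains[client].append(chain)
        if 300 <= status < 400 and loc:
            open_chain[client] = (chain, loc)
        else:
            open_chain.pop(client, None)
    return dict(chains)

def flag_long_chains(log, threshold=4):
    """Return (client, hop_count, final_url) for chains with at least `threshold` hops."""
    flagged = []
    for client, client_chains in redirect_chains(log).items():
        for chain in client_chains:
            hops = len(chain) - 1
            if hops >= threshold:
                flagged.append((client, hops, chain[-1]))
    return flagged
```

The threshold is a starting point only; tune it against the redirect depth normal for your own traffic, since CDNs and login flows legitimately produce several hops.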
The next step is to use an exploit kit to find a vulnerability on the visiting machine through which to drop a payload. Websense also reported approximately 67 million exploit kit events in 2013; the Magnitude and Neutrino exploit kits experienced the largest surge in adoption following the arrest of Blackhole’s creator.
As a result, 64 million dropper file events were detected, and 30% of the malicious executable files sampled included custom encryption of command-and-control communication or data exfiltration.
In addition, Websense security researchers observed that the Zeus malware, originally designed as a financial threat and keylogging trojan, dramatically increased in use as it was repurposed for other vertical markets. In the last year the government and communications industries joined financial firms among the top five verticals targeted with Zeus malware. The two industries hit hardest by Zeus attacks were the services and manufacturing sectors.
“In 2013, new threats emerged every month, using more advanced techniques than before or introducing altogether new methods,” Websense said in the report. “The overall success of last year’s threats is proof that ‘advanced attacks’ and ‘targeted attacks’ are now the norm, not the exception. Of the more than 4.1 billion live attacks that Websense technology prevented in 2013, nearly all exhibited techniques to bypass traditional defenses, compromise systems and persist throughout infected networks in pursuit of confidential data.”