A 236% surge in virus and worm activity between the third and fourth quarters of 2015 correlates directly with the free-fall in reconnaissance activity by the bad guys between Q2 and Q4 of 2015. This indicates that targets had already been scoped out and that the perpetrators had moved into wholesale attack mode.
According to Solutionary’s Security Engineering Research Team (SERT) Quarterly Threat Report for Q4 2015, reconnaissance activity dropped 77% from the third to the fourth quarter, which means that overall it has plummeted nearly 88% from the levels seen in Q2.
During the same time frame, Solutionary observed an increase in the volume of some attacks, including web application attacks and application-specific attacks. For instance, attempts to exploit a recently uncovered Joomla! vulnerability were the single highest-volume web application attack over the final two weeks of the quarter.
While a significant number of these attacks were web defacements, a number of them also included attempts to remotely execute PHP code.
Also, even though it is a widely known vulnerability, attempts to exploit the Shellshock flaw continued at a high rate into Q4 ’15, making up more than 77% of all application-specific attacks during the quarter. As an ancillary trend, Solutionary detected a significant volume of BASHLITE attacks, since BASHLITE was being delivered as a component of Shellshock exploitation.
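Shellshock probes are easy to spot in web server logs because the malformed environment-variable prefix bash mis-parsed (`() {`) has to appear somewhere in the request, most often in the User-Agent or Referer header of a request aimed at a CGI script. The following is an added detection example written for this page, not code from Solutionary or the SERT report; the log lines are constructed samples in Apache "combined" format, and the field names and function names are this example's own choices.

```python
import re
from typing import Dict, List, Optional

# The function-definition prefix that vulnerable bash versions evaluated from
# environment variables. Whitespace between "()" and "{" varies between probes,
# so the pattern tolerates it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines (not real traffic). The first and third carry the
# Shellshock prefix in the User-Agent and Referer respectively; the second is
# an ordinary browser request and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2015:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [12/Dec/2015:10:01:23 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) {compat}"
203.0.113.9 - - [12/Dec/2015:10:01:25 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :;};" "curl/7.43.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its named fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_probes(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose headers carry the Shellshock prefix."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Check the fields an attacker controls; stop at the first match so a
        # single request yields a single alert.
        for field in ("referer", "agent", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "request": rec["request"],
                    "field": field,
                    "value": rec[field],
                    # CGI handlers were the usual exposure path for Shellshock,
                    # so note whether the request targeted one.
                    "cgi_target": "/cgi-bin/" in rec["request"],
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['request']} [{hit['field']}] {hit['value']!r} cgi={hit['cgi_target']}")
```

The same regex can be applied to a WAF or IDS feed; what the log check adds is the request path, which lets an analyst separate blind internet-wide scanning from probes that actually reached a CGI endpoint on the host.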
“The reduction in reconnaissance and increase in some attack types suggest that attackers were following through on their previously defined targets,” the company said in the report. “Over the quarter in which Solutionary observed a small increase in overall malware, activity from viruses and worms jumped by 236 percent, which usually indicates lateral spread from an otherwise compromised target.”
It should be noted that while the total volume of detected malware rose only slightly from the third quarter, malware from the top five sources (the US, China, France, Italy and the UK) combined to produce 25% more malware than they had in the previous quarter, and accounted for almost 95% of malware detected during Q4.
India entered the top 10 sources of malware, with a 221% increase in detections. Malware from India spanned a wide variety of malware types and targets, including a jump in detections of the MyDoom malware aimed at South Korea and the US.
Solutionary also observed an increase in threats against Android during Q4 ’15. This dovetails with criminals increasingly focusing on exploiting weaknesses in the Android ecosystem. The breadth of attacks included distributing compromised toolkits, populating unofficial app stores with malware, and pushing malware to official stores as well as to potentially trusted third-party sites.
Specifically, the 130 Android vulnerabilities recorded during 2015 exceeded the total for the previous six years combined. This is cause for concern because more than 76% of Android devices are running outdated versions of Android, and nearly 37% of all Android devices are running a version of the Android operating system that is more than 26 months old.
“Threat intelligence is a term that is used loosely today, but one thing the security industry can do to be more effective as a whole is to better understand and leverage the information that is already at our fingertips,” said Rob Kraus, director of research, Security Engineering Research Team, Solutionary. “Shellshock was one of the most pervasive vulnerabilities of the digital era, and to this day we continue to find payloads such as BASHLITE actively exploiting these vulnerabilities—more than a year after the vulnerability was exposed. Until organizations begin to address the complete security lifecycle, breaches will continue to come and go and consumers’ loss of faith in businesses will continue to negatively affect brand reputation.”