The ranks of cyber threat actors around the globe grew to staggering proportions in 2014. In parallel, the financial consequence of a data breach also increased, with Ponemon Institute research revealing the average to be $3.5m, up 15% on 2013. Many of these increasing trends can be attributed to the new age of MaaS (malware-as-a-service).
MaaS has been a maturing business over recent years and is counteracting the misconception that launching cyber-attacks is challenging, expensive, and the exclusive domain of seasoned professional cyber-criminals. MaaS allows non-professional hackers to buy or subcontract portions of complex and highly evasive multi-stage attacks needed to build and distribute malware.
Threat actors that would once have lacked the skill to carry out cyber-attacks can now launch sophisticated attacks with build-it-yourself malware kits. This is creating an increasing number of data-stealing threats aimed at consumers and businesses alike. Earlier this year, one of the most expensive and capable pieces of Android malware ever seen, the iBanking malware aimed at stealing credit card data, went on sale at $5000 on underground markets, complete with software-as-a-service support.
‘Outsourcing’ parts of an attack with cutting-edge MaaS exploit kits, like iBanking, is lowering the barriers to entry. Competition within the underground community is also making exploit kits increasingly inexpensive for cyber-criminals, with the likes of the Nuclear and Angler exploit kits now common. The average price for an exploit kit is usually only $800-$1500 a month, depending on the features and add-ons.
As a consequence, MaaS is experiencing a considerable rise in popularity. Recent Raytheon | Websense research shows that an overwhelming 99.3% of malicious files in 2014 used a command-and-control URL that had previously been used by one or more other malware authors. Only marginally fewer (98.2%) used command-and-control hubs that had also been found in five other types of malware.
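The reuse statistic above has a direct defensive use: if command-and-control infrastructure is shared across families, a C2 indicator learned from one sample is worth blocking and hunting for across all of them. The script below is an added example, not code from the article or from Raytheon | Websense. It takes constructed sample metadata (placeholder hashes, hypothetical family labels and C2 URLs on reserved `.invalid` domains, none of them real indicators), normalizes each C2 URL so that case, default ports and scheme do not hide a match, and reports which C2 keys are shared by more than one family plus the fraction of samples that reuse infrastructure seen in another family.

```python
"""Correlate malware samples by shared command-and-control (C2) URLs.

Added example, not from the original article. The SAMPLES list is
constructed metadata: placeholder hashes, hypothetical family names and
C2 URLs on reserved .invalid domains. Nothing here is a real indicator.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample metadata (hashes are placeholders, not real IoCs).
SAMPLES = [
    {"sha256": "PLACEHOLDER_HASH_01", "family": "FamilyA",
     "c2": "http://Example-C2.invalid/gate.php"},
    {"sha256": "PLACEHOLDER_HASH_02", "family": "FamilyB",
     "c2": "http://example-c2.invalid/gate.php"},
    {"sha256": "PLACEHOLDER_HASH_03", "family": "FamilyC",
     "c2": "https://example-c2.invalid:443/gate.php"},
    {"sha256": "PLACEHOLDER_HASH_04", "family": "FamilyA",
     "c2": "http://panel.example-c2.invalid/"},
    {"sha256": "PLACEHOLDER_HASH_05", "family": "FamilyD",
     "c2": "http://lonely.example.invalid/cb"},
    {"sha256": "PLACEHOLDER_HASH_06", "family": "FamilyB",
     "c2": "http://panel.example-c2.invalid/index.php"},
]


def normalize_c2(url):
    """Reduce a C2 URL to a comparable key: lowercase host, explicit
    non-default port only, path kept, scheme dropped (http vs https to the
    same host and path is treated as the same infrastructure)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{host}{parts.path or '/'}"


def c2_host(url):
    """Coarser key: host (and non-default port) only, ignoring the path."""
    return normalize_c2(url).split("/", 1)[0]


def families_by_c2(samples, key=normalize_c2):
    """Map each C2 key to the set of families observed using it."""
    index = defaultdict(set)
    for sample in samples:
        index[key(sample["c2"])].add(sample["family"])
    return dict(index)


def shared_c2(samples, key=normalize_c2):
    """C2 keys used by two or more families: the highest-value indicators
    to block and hunt for, since they are not tied to one family."""
    return {c2: fams for c2, fams in families_by_c2(samples, key).items()
            if len(fams) >= 2}


def reuse_rate(samples, key=normalize_c2):
    """Fraction of samples whose C2 key is also used by a different family."""
    if not samples:
        return 0.0
    index = families_by_c2(samples, key)
    reused = sum(1 for s in samples
                 if len(index[key(s["c2"])] - {s["family"]}) > 0)
    return reused / len(samples)


if __name__ == "__main__":
    for label, key in (("URL", normalize_c2), ("host", c2_host)):
        print(f"{label}-level reuse rate: {reuse_rate(SAMPLES, key):.1%}")
        for c2, fams in sorted(shared_c2(SAMPLES, key).items()):
            print(f"  shared {label}: {c2} -> {sorted(fams)}")
```

Running the same correlation at host level as well as URL level matters in practice: kit operators often change only the gate path between builds, so a host-level pivot catches reuse that an exact-URL match misses, at the cost of more false positives on shared hosting.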
It’s not just command-and-control hubs that threat actors are seeking. Cutting-edge hacking tools also offer the following advanced capabilities:
- Rapid integration of current and former zero-day payloads to increase the likelihood of success
- File sandbox evasion and anti-debug tactics such as virtual machine identification and execution delay facilities
- The ability to introduce multi-layer obfuscation technologies
- Communication obfuscation techniques to hide illicit communications in the noise of legitimate traffic, thus nullifying traffic analysis tools
- Large scale vulnerability identification tools to seek out vulnerable hosts or weaknesses in targeted hosts
- Leaked or stolen code from popular malware tools that can be customized to suit. Recent examples include the code of the RIG exploit kit and the Tinba banking Trojan. Let’s not forget the Zeus source code leak in 2011 either, which has led to many derivatives of that particular banking Trojan
- Customized encryption routines to hide command-and-control data exchange or data exfiltration
- Tools to induce polymorphism in malicious binaries to evade signature-based detection technologies
A successful threat actor need only focus on one or two evasion techniques to produce a threat capable of breaching many organizations’ defenses. As prices continue to fall in the MaaS market and the number of malware services increases, the risk is growing progressively more severe and having real implications for the defenders of organizations. Businesses relying on defenses that were appropriate for last year’s threat landscape risk leaving their networks vulnerable to data theft.
IT managers need to constantly enhance a company’s security posture to counter the continuously growing and evolving world of threat actors. Advanced is the new baseline. Adopting a security posture that protects your data across the kill chain is essential. Otherwise, an evasion tactic at any single stage can result in a successful attack.
Companies require a sophisticated in-house IT team with high-level skill sets, and one that will invest in upskilling existing employees to counter the threats surfaced by detection tools. With even entry-level threat actors now successfully creating and launching data-theft attacks, businesses need to move with the times and effectively protect the assets that keep them running and reputable.