Cisco released today its 2014 Midyear Security Report, and it contains some trends that are the same as those the company detailed in its 2014 Annual Security report at the beginning of the year. The state of security is dynamic, however, and, as such, there are also new trends debuting in the midyear report, which is based on an analysis of 16 large multinational organizations.
One of the trends highlighted in the report is the increasing malevolence of dynamic DNS. With a dynamic DNS service, users are able to redirect a hostname to an IP address of their choosing. Dynamic DNS is useful for virtual private network (VPN) applications where a home user might not have a static IP address. According to Levi Gundert, technical lead for Cisco Threat Research, Analysis, and Communications (TRAC), dynamic DNS also poses a potential risk to enterprises.
Seventy percent of DNS queries were being made to dynamic DNS services across the 16 companies, the midyear report found, according to Gundert. While dynamic DNS queries can be legitimate, Cisco found that there is a correlation between the use of dynamic DNS services and attack traffic. Attackers tend to prefer certain dynamic DNS services over others, which can be a potential indicator of compromise for an enterprise, he said. Specifically, more than 99 percent of queries made to the 3322.org dynamic DNS service are malicious in nature, Gundert added.
Cisco isn't the only vendor that has seen malicious traffic coming in via dynamic DNS services. On June 30, Microsoft along with law enforcement took down the Bladabindi and Jenxcus botnets, which were leveraging the No-IP dynamic DNS service.
One of the key trends that Cisco identified at the beginning of the year is the fact that Java is an indicator of compromise in 91 percent of all attacks. Now in the new midyear report, Cisco is reporting that Java is responsible for 93 percent of attacks.
As was the case in January, the Java attacks are all exploiting known vulnerabilities that have already been patched by Oracle, according to Gundert.
"There are just so many Java vulnerabilities that regardless of what exploit kit we're looking at, there are always multiple Java exploits," he said." The fact that so many business use and run Java makes the attack surface very large."
Over the course of 2014, Cisco has seen a shift in the landscape for exploit kits. Exploit kits are packaged-up hacker toolkits loaded with vulnerabilities to exploit users. In 2013, the Black Hole exploit kit was the most popular until October, when its creator was arrested in Russia.
Since that arrest, Gundert said, Cisco has seen a proliferation of new exploit kits that are all trying to fill the void left by Black Hole. Black Hole was relatively easy to track, but now that that the market for exploit kits has fragmented, tracking the various kits requires more time and effort, he added.