Malicious Spam, Targeted Attacks Among Top Threats of 2014: Cisco

by Nathan Eddy

The most pervasive concern among chief information security officers (CISOs) may be the need to protect data that resides throughout an increasingly porous network, while spending precious resources on compliance. The report notes compliance alone is not equal to being secure—it is simply a minimum baseline focusing on the needs of a special regulated environment. Security, meanwhile, is an all-encompassing approach that covers all business activities.

Technology vendors and researchers are finding an increasing number of new vulnerabilities; the discoveries result from the greater emphasis on highly secure development lifecycle use, as well as improvements in the security of their own products. The higher number of new vulnerabilities may also be a sign that vendors are examining their product code and fixing vulnerabilities before products are released and their vulnerabilities exploited, the report said.

Spammers use speed as a tool to abuse email users’ trust by delivering massive amounts of spam when news events or trends lower recipients’ resistance to scams. For instance, Cisco found in the aftermath of the Boston Marathon bombing on April 15, 2013, two large-scale spam campaigns commenced—one on April 16 and another on April 17—designed to attract email users hungry for news of the event’s impact.

Data from Sourcefire, now part of Cisco, shows that Java exploits make up 91 percent of indicators of compromise (IoCs) that are monitored by Sourcefire’s FireAMP solution for advanced malware analysis and protection. Java exploits far outstrip those detected in Adobe Flash or PDF documents, which are also popular vectors for criminal activity.

Cisco security experts note that the more smartphones, tablets and other devices perform like traditional desktop and laptop computers, the easier it is to design malware for them. Apps are another area of concern; many users download mobile apps regularly without any thought of security, and mobility offers new ways for users and data to be compromised.

Criminals go to great lengths to make sure targeted attacks go undetected, using methods that result in nearly imperceptible IoCs. Their methodical approach to gain entry into networks and carry out their mission involves an “attack chain”—the chain of events that leads up to and through the phases of an attack. Once these targeted attacks find a place in the network to hide, they efficiently carry out their tasks and usually conduct them without being noticed.

Cisco security experts report that malware targeting these two industry verticals typically is designed to help actors gain access to intellectual property, which they, in turn, use for competitive advantage or sell to the highest bidder. Protecting users against these attacks involves keeping machines and Web browsers fully patched to minimize the number of vulnerabilities that an attacker can exploit.

The newest twist in malicious exploits is to gain access to Web hosting servers, name servers and data centers—with the goal of taking advantage of the tremendous processing power and bandwidth they provide. Through this approach, exploits can reach many more unsuspecting computer users and have a far greater impact on the organizations targeted, whether the goal is to make a political statement, undermine an adversary or generate revenue. The report warns that one compromised hosting server can infect thousands of Websites and site owners around the world.

In a recent project reviewing Domain Name System (DNS) lookups originating from inside corporate networks, Cisco threat intelligence experts found that in every case, organizations showed evidence that their networks had been misused or compromised. For example, 100 percent of the business networks analyzed by Cisco had traffic going to Websites that host malware, while 92 percent show traffic to Web pages without content that typically host malicious activity. In addition, 96 percent of the networks reviewed showed traffic to hijacked servers.

“DDoS attacks should be a top security concern for organizations in the public and private sector in 2014,” John Stewart, senior vice president and chief security officer at Cisco, wrote in the report. “Expect future campaigns to be even more extensive and to last for extended periods. Organizations, particularly those that operate or have interests in industries that are already prime targets, such as financial services and energy, need to ask themselves, ‘Can we be resilient against a DDoS attack?'”