Cisco released today its 2014 Midyear Security Report, and it contains some trends that are the same as those the company detailed in its 2014 Annual Security report at the beginning of the year. The state of security is dynamic, however, and, as such, there are also new trends debuting in the midyear report, which is based on an analysis of 16 large multinational organizations.
One of the trends highlighted in the report is the increasing malevolence of dynamic DNS. With a dynamic DNS service, users are able to redirect a hostname to an IP address of their choosing. Dynamic DNS is useful for virtual private network (VPN) applications where a home user might not have a static IP address. According to Levi Gundert, technical lead for Cisco Threat Research, Analysis, and Communications (TRAC), dynamic DNS also poses a potential risk to enterprises.
Seventy percent of DNS queries were being made to dynamic DNS services across the 16 companies, the midyear report found, according to Gundert. While dynamic DNS queries can be legitimate, Cisco found that there is a correlation between the use of dynamic DNS services and attack traffic. Attackers tend to prefer certain dynamic DNS services over others, which can be a potential indicator of compromise for an enterprise, he said. Specifically, more than 99 percent of queries made to the 3322.org dynamic DNS service are malicious in nature, Gundert added.
Cisco isn’t the only vendor that has seen malicious traffic coming in via dynamic DNS services. On June 30, Microsoft along with law enforcement took down the Bladabindi and Jenxcus botnets, which were leveraging the No-IP dynamic DNS service.
One of the key trends that Cisco identified at the beginning of the year is the fact that Java is an indicator of compromise in 91 percent of all attacks. Now in the new midyear report, Cisco is reporting that Java is responsible for 93 percent of attacks.
As was the case in January, the Java attacks are all exploiting known vulnerabilities that have already been patched by Oracle, according to Gundert.
“There are just so many Java vulnerabilities that regardless of what exploit kit we’re looking at, there are always multiple Java exploits,” he said.” The fact that so many business use and run Java makes the attack surface very large.”
Over the course of 2014, Cisco has seen a shift in the landscape for exploit kits. Exploit kits are packaged-up hacker toolkits loaded with vulnerabilities to exploit users. In 2013, the Black Hole exploit kit was the most popular until October, when its creator was arrested in Russia.
Since that arrest, Gundert said, Cisco has seen a proliferation of new exploit kits that are all trying to fill the void left by Black Hole. Black Hole was relatively easy to track, but now that that the market for exploit kits has fragmented, tracking the various kits requires more time and effort, he added.
Spam Spikes and Java Exploits Continue to Grow
There are a number of techniques that Cisco uses to track the new exploit kits. At the most basic level, figuring out the identity of an exploit kit is about matching exploit and URL patterns, Gundert said.
“The problem is that exploit kit authors are changing their URL patterns so frequently now that it’s becoming increasingly challenging,” he said.
One of the things not in the report is the link between malvertising and exploit kits, though it’s an area that Cisco tracks. Malvertising is malicious Web advertisements that redirect users to pages where they can be potentially exploited.
“Of the millions of URL requests that Cisco has blocked for customers in the last six months, we believe that 5 to 10 percent are directly related to malvertising,” Gundert said.
The risk of malvertising is nontrivial because it can impact users visiting large Web properties. During the recent FIFA World Cup, a popular Brazilian sports site was a victim of malvertising. Infecting ad networks of major online news organizations is also a tactic the Syrian Electronic Army (SEA) has leveraged in multiple attacks, including one against Reuters in June.
Another key trend observed by Cisco in its midyear report is a spike in spam volume. According to Cisco, from June 2013 to January 2014, monthly spam volumes averaged between 50 billion to 100 billion messages a month. In March 2014, spam volume was peaking at just over 200 billion messages per month.
“Bad guys have been forced to be more clever to come up with new methods for spam,” Gundert said.
One of those newer approaches is something known as snowshoe spam. With snowshow spam, the spammers use many different IP addresses, each used in low volume, to send the junk messages.
“It’s a cat and mouse game; they’ll adapt and we’ll adapt again,” Gundert said. “Spam is continuously profitable, and there is plenty to monetize it.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.