ENISA (the European Network and Information Security Agency) has issued a ‘Threat Landscape mid-year report’.
Cyber-criminals increasingly use advanced methods to implement attack vectors that are non-traceable and difficult to take down. An important role in this play: anonymization technologies and the use of distributed technologies for more “resilient” infrastructures, such as P2P.
– It is clear that mobile technology is, and will increasingly become, exploited by cyber-criminals. Threats of all kinds that were encountered in the more traditional arena of IT will prevail on mobile devices and the services available on these platforms. The proliferation of mobile devices will lead to an amplification of abuse based on knowledge/attack vectors targeting to social media.
– The consumerization of malware, cyber-hacking tools and services, together with the availability of digital currencies and anonymous payment services, will open up new avenues for cyber-fraud and criminal activity.
– There is a real possibility of large impact events when attacks combining the above threats are successfully launched. A characteristic impact from such attacks is described in the risk of digital wildfires that was assessed in the beginning of 2013.
– As reported by ENISA37, cyber-attacks are the sixth most important cause of outages in telecommunication infrastructures, with an impact on considerable numbers of users in this sector. Taking into account incidents of the first half of this year, and also developments in the denial of service threat, we see an increase of infrastructure threats in 2013. When additional sectors and assets are being considered, the impact of cyber-attacks will be better analysed and understood.
ENISA has identified the following developments regarding the threats identified in 2012:
Drive-by-exploits: There is a shift from Botnets to malicious URLs as the preferred means to distribute malware. An advantage of URLs as a distribution mechanism lies in the fact that URLs are not such an easy target for law enforcement takedowns. It has been reported that there is an increase in the rate of suspicious URLs compared with 20123. Concluding, one can say that browser-based attacks still remain the most repored threats, whereas Java remains the most exploited software for the materialization of this threat.
Code Injection: A notable issue with regard to this threat is attacks against popular Content Management Systems (CMSs). Due to their wide use, popular CMSs make up a considerable attack surface that has drawn the attention of cyber-criminals, Although no important changes have been reported in 2013 regarding this threat, it is worth noting that cloud service provider networks are used increasingly to host tools for automated attacks, thus implementing an important step in code injection attack vectors.
Botnets: Although there is a shift to URLs for malware infection (see Drive-by-exploits above), there are further interesting developments with regard to this threat. Although not new, an interesting aspect of botnet activity reported, is the use of botnet infrastructure to mine Bitcoins. Another important development is the increased use of P2P botnets. Such botnets are difficult (yet not impossible) to locate and take down. Moreover, in Internet Census 2012 it has been demonstrated how easy is to create botnet infrastructures by misusing weaknesses in security of massively deployed devices. The Browser-Based botnets is yet another example on how easy is to create a very large botnet infrastructure. Finally it is interesting to observe a rise in TOR-based botnets while more “traditional” botnet operations seem to be in decline, reportedly due the low interest in “traditional” botnet “business cases”.
Denial of Service: After the Spamhaus attack, DNS reflection attacks have gained in popularity. Attackers seem to have adopted the DNS reflection technique to launch amplification attacks, an old technique that has made a come-back. Moreover, attack bandwidths achieved have reached impressive levels: the rate of 2-10Gbps attacks has doubled and the level of 300Gbps attack was reached in 2013.
Rogueware/Scareware: In 2013 there was an increase in rogueware/scareware reported. Despite recent law enforcement advances, the reports analysed provide strong evidence that there is an increase in ransomware threat. One reason for the growth is the expansion of ransomware and fake Antivirus distribution to mobile platforms, such as Android. In all cases, the availability of anonymous payment services to channel illegal profits obtained from this threat is a key enabler for this kind of fraud.
Targeted Attacks: In first half of 2013, targeted attacks demonstrated their effectivenes in achieving their objectives. In particular, cyber espionage attacks reached a dimension that went far beyond expectations. Again, the proliferation of mobile devices delivers a wide exploitation surface for this kind of threats. It is worth mentioning that mobile spyware applications might become strong tools for APTs targeting Bring Your Own Device environments.
Identity Theft: This threat led to some of the most successful attacks by abusing SMS-forwarders to achieve significant financial fraud. These attacks were based on known financial trojans (e.g. Zeus, SpyEye, Citadel) that have been implemented on mobile platforms and attack two-factor authentication. A significant source for applying this threat remains social media. It is worth mentioning that an increase in malicious browser extensions has been registered, aimed at taking over social network accounts.
Search Engine Poisoning: In the first half of this year not many references to this threat have been found. One reference about better defence levels against this threat stated that the relevant defences of Google seemed to reduce this threat. As with many other threats, Search Engine Poisoning has also gone mobile.
Jag Bains, CTO of DOSarrest has commented: “Industry report after report detail the ongoing growth and evolution of cyber threats and this particular report highlights the return of the DDoS attack. The latest ENISA report highlights some emerging new trends, such as browser based botnets and we agree, as DOSarrest has seen a sudden rise in attacks using this technique. The report also noted the re-emergence of DNS reflection attacks which is a long standing technique which diminished in use for a few years, only to return on a huge scale as observed in the attack on Spamhaus, which caused severe distress at major Internet Exchange points and multiple outages. These ongoing developments serve to highlight the need to leverage a best of breed cloud based security provider, strictly focused and engineered to deal with cyber threats only. Reliance upon a hosting provider or security hardware vendor will only yield partial success as they only offer limited capacity and a reactive strategy to deal with ongoing developments.”
