Weak links in organisations are the primary contributors to the increasingly dynamic threat landscape, stated a Cisco Midyear Security report released today. These weak links, which could be outdated software, bad code, abandoned digital properties, or user errors, contribute to the adversary’s ability to exploit vulnerabilities with methods such as DNS queries, exploit kits, amplification attacks, point-of-sale (POS) system compromise, malvertising, ransomware, infiltration of encryption protocols, social engineering and “life event” spam.
The report also shows that focus on only high-profile vulnerabilities rather than on high-impact, common and stealthy threats puts these organisations at greater risk. By proliferating attacks against low-profile legacy applications and infrastructure with known weaknesses, malicious actors are able to escape detection as security teams focus instead on boldface vulnerabilities, such as Heartbleed.
Researchers closely examined 16 large multinational organisations, who, as of 2013, collectively controlled over $4 trillion in assets with revenues in excess of $300 billion. This analysis yielded three compelling security insights tying enterprises to malicious traffic, “Nearly 94% of customer networks observed in 2014 have been identified as having traffic going to websites that host malware. Specifically, issuing DNS requests for hostnames where the IP address to which the hostname resolves is reported to be associated with the distribution of Palevo, SpyEye, and Zeus malware families that incorporate man-in-the-browser (MiTB) functionality.”
Secondly, about 70% of networks were identified as issuing DNS queries for Dynamic DNS Domains. This shows evidence of networks misused or compromised with botnets using DDNS to alter their IP address to avoid detection/blacklist. Few legitimate outbound connection attempts from enterprises would seek dynamic DNS domains apart from outbound C&C callbacks looking to disguise the location of their botnet.
Lastly, about 44% of customer networks observed in 2014 have been identified as issuing DNS requests for sites and domains with devices that provide encrypted channel services, used by malicious actors to cover their tracks by exfiltrating data using encrypted channels to avoid detection like VPN, SSH, SFTP, FTP, and FTPS.
According to Cisco, the number of exploit kits has dropped by 87% since the alleged creator of the widely popular Blackhole exploit kit was arrested last year.
Java continues its dubious distinction as the programming language most exploited by malicious actors. Cisco security researchers found that Java exploits rose to 93% of all indicators of compromise (IOCs) as of May 2014, following a high point of 91% of IOCs in November 2013 as reported in the Cisco 2014 Annual Security Report.
The report further explained that for the first half of 2014, the pharmaceutical and chemical industry, a high-profit vertical, has once again been placed in the top three high-risk verticals for web malware encounters. Media and publishing led the industry verticals posting nearly four times the median web malware encounters, and aviation slid into third place with over twice the median web malware encounters globally. The top most affected verticals by region were media and publishing in the Americas; food and beverage in EMEAR (Africa, Europe and the Middle East) and insurance in APJC (Asia-Pacific, China, Japan and India).