Top 5 Zero-Day Threats Of 2013
4:00 PM EST Thu. Sep. 26, 2013
Organizations shouldn’t downplay the significance of zero-day threats, but they should put them in perspective by considering the known weaknesses within the organization. Basic errors lead to costly breaches. Configuration errors introduce holes that make it unnecessary for an attacker to use an expensive zero-day exploit to penetrate your system, according to Marc Maiffret, chief technology officer at BeyondTrust.
Often, firms have antivirus software that isn't updated regularly with the latest signatures, endpoint software that isn't patched, and flaws in browser components that make it easy for a hacker to get a foothold into the corporate network, say experts. By conducting a regular assessment, IT teams can find components in server-based systems that are relatively unused and can be turned off. They can identify and prioritize the real risks that need immediate attention, said Chris Eng, vice president of research at software security vendor Veracode.
A spear-phishing campaign using a malicious file attachment or link is the most common method for delivering a zero-day attack. Cybercriminals carrying out an advanced persistent threat campaign often use common hacking techniques to gain an initial foothold.
Reports by IBM and F-Secure both identify the rise of watering hole attacks as a way to deliver custom malware. The attackers compromise a trusted website that targeted employees commonly visit and set it up as an attack platform. Once an employee visits the site, the custom malware exploits an unpatched flaw on the victim's machine, giving the attackers an initial foothold into the organization. In the first half of 2013, security researchers tracked nearly a dozen zero-day exploits used in targeted attack campaigns. CRN put together a list of the top zero-day threats of 2013.
In January, an Internet Explorer zero-day exploit surfaced, enabling attackers to bypass the browser's built-in restrictions. Security experts from malware detection appliance maker FireEye first detected attacks targeting the Internet Explorer zero-day flaw being delivered from the Council on Foreign Relations website. Days after the zero-day surfaced, proof-of-concept code was also released for the Metasploit Framework, making the attack technique more widely available.
In May, a second Internet Explorer zero-day was detected being delivered on the Department of Labor website. Security experts said the target appears to be Department of Energy employees who frequented the Department of Labor's Site Exposure Matrices page. Microsoft rushed out a temporary Internet Explorer patch in September to address another zero-day flaw.
Oracle took a beating in 2012, and in the first half of 2013, with attackers targeting its ubiquitous Java software. In January, attackers targeted a zero-day flaw in the Java browser plug-in. A second Java zero-day flaw was outed in February. IBM noted that researchers saw the threats increase significantly once the zero-day was made public because cybercriminals quickly integrated the exploit into their automated attack toolkits. Most consumers can disable Java, eliminating the threat, but business applications and corporate systems commonly require Java for extensive functionality. Oracle has taken action, issuing security improvements to Java to mitigate the risk of future attacks.
Security experts say Adobe Flash and Reader are commonly targeted because the software maker has a massive install base. The company has made great strides in implementing security restrictions in its software and adding automated update features to ensure patches are quickly applied to the software and its browser components.
In April, Adobe issued an emergency update to address a Flash Player zero-day flaw. Windows users were the target of the attacks, which used a Word document containing the malicious Flash content. Antimalware firm FireEye detected an Adobe Reader zero-day flaw, which was delivered through malicious PDF files. IBM noted in its analysis that the Reader zero-day malware was the first in-the-wild exploit capable of escaping the Reader sandbox, which was first introduced in 2010.
Microsoft published an advisory in June warning of a targeted zero-day attack against users of Microsoft Office. The software giant patched the zero-day flaw in July. In addition to users of Office 2003 on the PC, the threat targeted users of Office for Mac.
According to Trend Micro, two remote access Trojans (RATs) detected in 2013 often disguise themselves as a Microsoft document or component. FakeM has been detected embedded in a Windows document file or Excel spreadsheet. It communicates with a remote server by disguising its traffic as encrypted Microsoft Messenger traffic. Another RAT, called Rarstone, spreads via Windows files. It was seen targeting telecommunications, oil and gas, governments, media and others. It hides itself in an Internet Explorer process.