Advanced Persistent Threats: Not-So-Advanced Methods After All


IBM said malicious code injection has been steadily increasing, followed by probes and scans for vulnerabilities and weaknesses in organizations. Backdoor, brute force and specialized one-shot attacks are in decline, but IBM said the attacks often fluctuate throughout the year. IBM noted that attempts to gain access via FTP were seen most frequently, followed by attempts to gain access via Cisco devices and through Unix password files.

Automated attack toolkits helped fuel an increase in the use of exploits targeting newly discovered Java vulnerabilities. Many of the toolkit authors quickly incorporated them into the kits, within months after code was made available, Horacek wrote. Java, maintained by Oracle, is installed on millions of endpoints and can give attackers a surefire way to infect many systems in the least amount of time.

Exploits focus on bypassing Java's sandboxing restrictions, mitigations meant to isolate Java from sensitive components of the underlying operating system. Attacks were seen broadly in drive-by downloads targeting both PCs and Mac OS X systems, Horacek said.

Distributed denial of service (DDoS) attacks have gained significant interest in the media, IBM also noted. Hacktivist groups and other organizations increasingly turned to freely available attack tools to carry out a greater volume of attacks in 2012.

IBM said the volume of malicious traffic used in DDoS attacks rose significantly in 2012, "driven by compromised 24x7 higher-bandwidth Web servers instead of PCs." Sustained traffic of 60 to 70 Gbps was widely reported, IBM said.

IBM said the attacks are increasing data center costs and operational disruption, citing a report by the Ponemon Institute that estimated costs of between $600,000 and $1 million each year associated with DDoS mitigation and lost productivity.

The second half of 2012 saw DDoS attacks attempting to cripple U.S. banks. The problem appears to be continuing in 2013, with antispam organization Spamhaus registering an attack on its website this week that at one point increased to a sustained 300-Gbps traffic load. The attackers used a more sophisticated DNS amplification attack technique, which relies on open or misconfigured DNS resolvers to amplify the volume of traffic directed at the target.
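The amplification described above shows up on the resolver's own side as responses that are many times larger than the queries that triggered them. The script below is an added example, not code from the article or from IBM: it parses constructed flow records (the key=value format and field names are assumed) and flags source addresses that repeatedly received high-amplification responses, which on an open resolver indicates it is being used to reflect traffic at a spoofed victim.

```python
"""Flag DNS amplification reflections in resolver flow records (added example)."""
import re
from collections import defaultdict

# Constructed sample records in an assumed "key=value" format, not a real log format.
# Each line pairs a query received by the resolver with the response it sent back.
SAMPLE_FLOWS = """\
ts=1364515200 client=198.51.100.7 qname=example.com qtype=A req_bytes=60 resp_bytes=120
ts=1364515201 client=203.0.113.9 qname=example.org qtype=ANY req_bytes=64 resp_bytes=3200
ts=1364515201 client=203.0.113.9 qname=example.org qtype=ANY req_bytes=64 resp_bytes=3200
ts=1364515202 client=203.0.113.9 qname=example.org qtype=ANY req_bytes=64 resp_bytes=3200
ts=1364515203 client=198.51.100.7 qname=example.net qtype=MX req_bytes=62 resp_bytes=210
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> dict:
    """Turn one key=value line into a dict with numeric byte counts."""
    rec = dict(LINE_RE.findall(line))
    rec["req_bytes"] = int(rec["req_bytes"])
    rec["resp_bytes"] = int(rec["resp_bytes"])
    return rec


def amplification_factor(rec: dict) -> float:
    """Bytes sent back per byte received; large values mean the resolver is acting as an amplifier."""
    return rec["resp_bytes"] / rec["req_bytes"]


def find_amplification(lines: list, min_factor: float = 10.0, min_hits: int = 2) -> dict:
    """Return {client: (hits, total_resp_bytes)} for addresses that repeatedly received
    high-amplification responses. Because a reflected query carries a spoofed source
    address, 'client' here is the likely victim, not the attacker."""
    suspects = defaultdict(lambda: [0, 0])
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        if amplification_factor(rec) >= min_factor:
            suspects[rec["client"]][0] += 1
            suspects[rec["client"]][1] += rec["resp_bytes"]
    return {c: (hits, total) for c, (hits, total) in suspects.items() if hits >= min_hits}


if __name__ == "__main__":
    for victim, (hits, total) in find_amplification(SAMPLE_FLOWS.splitlines()).items():
        print(f"{victim}: {hits} amplified responses, {total} bytes reflected")
```

The thresholds are illustrative; a resolver that legitimately serves large responses to known clients would need an allowlist or per-client baseline before alerting.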

PUBLISHED MARCH 29, 2013