Advanced Persistent Threats: Not-So-Advanced Methods After All


Cybercriminals behind heavily funded hacking operations are not necessarily using highly sophisticated malware to gain access to sensitive data or to spy on employees, according to a study released this week by IBM.

Attackers behind many of the so-called advanced persistent threats are known for targeting specific organizations, infiltrating them and remaining stealthy for lengthy periods of time. But cybercriminals, even those backed by powerful nation-states, often use fairly common hacking techniques and less sophisticated methods to gain initial access to systems and steal data.

"More often than not, these efforts follow a path of least resistance and rely on simpler, tried-and-true methods rather than zero-day attacks and sophisticated malware," wrote Leslie Horacek, who authored the IBM X-Force Trend and Risk Report. "Advanced persistent threats, while persistent, did not always use advanced technical approaches such as zero-day exploits and self-modifying malware."



The ubiquitous use of social networks, blogs and other platforms, however, is making things easy for attackers, because the publicly available data represents a treasure trove of information. That information, whether posted to Facebook, Twitter or LinkedIn, can be used to carefully craft a spearphishing email, luring the victim into downloading a malware-laden document or clicking a malicious link to an attack website, according to the IBM analysis.

IBM's analysis also found Web application vulnerabilities to be an increasingly common attack vector, rising 14 percent in 2012 and buoyed by two older attack techniques: cross-site scripting (XSS) and SQL injection. Web application flaws accounted for the most dangerous and costly hacker attacks, making up 43 percent of all vulnerabilities documented by IBM in 2012.
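The two "older attack techniques" named above are both injection flaws: untrusted input is concatenated into a query or into a page and gets interpreted as code. The following is an added illustration, not code from the article or from IBM, showing the defect beside its fix for each. It uses an in-memory SQLite table with constructed sample rows, and `html.escape` from the standard library for output encoding; the function names and sample data are assumptions made for this example.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table (not from the IBM report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection sink: the caller's string becomes part of the SQL text itself,
    so quoting characters in the input change the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Fix: a bound parameter is passed to the engine as data and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """XSS sink: input is reflected straight into HTML, so markup in it is rendered."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    """Fix: encode the five HTML-significant characters (& < > " ') before
    inserting the value into element content."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A normal lookup behaves identically either way.
    print(lookup_vulnerable(db, "alice"))
    print(lookup_parameterized(db, "alice"))
    # The textbook tautology input turns the concatenated query into
    # "... WHERE name = '' OR '1'='1'" and returns every row; the
    # parameterized query simply looks for a user literally named that.
    tautology = "' OR '1'='1"
    print(lookup_vulnerable(db, tautology))
    print(lookup_parameterized(db, tautology))
    # Markup in input is rendered by the vulnerable template and neutralised by the escaped one.
    print(render_greeting_vulnerable("<b>x</b>"))
    print(render_greeting_escaped("<b>x</b>"))
```

The point of the side-by-side is that neither fix involves anything new or clever, which matches the report's thesis: parameterized queries and context-appropriate output encoding have been standard advice for years, and the attacks keep working only where they are not applied.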

Attackers are taking advantage of poorly maintained websites and the failure to keep popular content management systems (CMS), such as WordPress, Joomla and ModX, fully patched. The third-party components used to add website functionality caused the most serious problems, IBM said. Nearly 30 percent of core CMS vulnerabilities were not patched, and users failed to apply updates to about half of the third-party components, according to IBM. The company called this a serious issue because 77 percent of exploits targeting Web application flaws are released the same day the vulnerability is disclosed.

While attacks are not truly growing in sophistication, cybercriminals are taking a more systematic approach with their attack techniques, the IBM study found. First, attackers gather information about a targeted network, then probe a system for weaknesses, and then gain an initial foothold into a system. The goal then is to remain stealthy on the system while pivoting to a privileged account holder.

"The relative volume of the various security incident categories gives us a hint that the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet," IBM said in its report. "The efforts to identify potential victims, deploy a range of attacks, and then try to exploit a vulnerability is becoming more organized."
