Cisco: 10 Attack Trends Eroding Internet Trust

Stolen Account Credentials Top Attack Motives

Cybercriminals are using a variety of tactics to steal passwords and other account credentials to gain almost unfettered access to corporate systems, according to Cisco Systems. The firm's 2014 Threat Report, issued this week, outlines why attacks are having a serious impact on the public's trust and stability of the Internet.

Customer confidence in the integrity of technologies and systems that support and protect websites and other web-based services is eroding as attackers find ways to bypass security restrictions or exploit software vulnerabilities, Cisco said. The firm believes that authentication and authorization architectures that serve as the gatekeeper to network and application assurance are impacted most by cybercriminal attack campaigns. CRN pulled together 10 key findings from the Cisco Systems report that supports the company's assertion that malicious actors are exploiting public trust to effect harmful consequences.

Attacks Against Infrastructure, Hosting Providers

Cybercriminals using automated attack toolkits are frequently targeting web hosting servers, name servers and data centers. Once a configuration error or software vulnerability is found, an exploit is triggered, enabling attackers to gain access to the servers. A successful attack can be extremely lucrative to cybercriminal gangs. One compromised server can infect thousands of websites and site owners around the world, Cisco said.

Among the biggest vulnerability targeted in the attacks are buffer errors, Cisco said, pointing to the DarkLeech attack campaign as an example of the ongoing problem. The automated attack toolkit successfully infected tens of thousands of websites in 2013, targeting Apache server implementations to turn them into a broader botnet. Websites hosted on compromised servers act as both a redirector (the intermediary in the infection chain) and a malware repository, Cisco said.

Content Management Systems Under Attack

Gaining access to underlying website infrastructures is as easy as targeting vulnerabilities and configuration errors in popular content management systems, such as WordPress and Joomla, Cisco said. Attackers also have been observed using automated tools to conduct brute-force attacks to force their way into the administrative console behind the platforms.

Drupal, an open-source CMS, which is growing in popularity, was targeted by attackers last year. Users of Drupal.org were forced to reset their account credentials following a breach of the support website. Successful attacks also target vulnerabilities in third-party plugins supported by the platforms. Cisco researchers said "successful attacks in 2013 can be traced back to plugins written in the PHP web-scripting language that were designed poorly and without security in mind."

Pervasive Malicious Traffic

Targeted attacks appear to be part of nation-state cyberespionage activity, Cisco said. According to a Cisco examination of threat intelligence trends, malicious traffic is visible on 100 percent of corporate networks. The company said its review of Domain Name Service lookups originating from inside corporate networks showed signs of misuse or system compromise. Ninety-six percent of the networks reviewed showed traffic to hijacked servers, the firm said.

"Cisco also detected traffic going to military or government websites within enterprises that do not normally do business with either, as well as to websites for high-risk geographic areas, such as countries embargoed from doing business with the United States," the firm said.

While the traffic might not signal a definitive sign of compromise, it could mean that government or military websites and networks are the intended target.

Java Used Consistently In Attacks

Java was the favorite of most attackers, the firm said, adding that over three-quarters of companies that run Java are using Java 6, an end-of-life, unsupported version. "In most cases, Java is the exploit that criminals choose first, since it delivers the best return on investment," Cisco said.

Malicious Flash or Adobe PDF documents also are frequently used by cybercriminals. The goal is to compromise enterprise desktops as a foothold, then move laterally within an organization until sensitive data is accessed.

Vulnerability Alerts Increase

Threat alerts grew 14 percent year-over-year, Cisco said. Buffer overflows were among the most frequent coding errors exploited by attackers. They were followed by input validation errors, resource management errors and elevation of permissions. Attackers also targeted flaws that provided information leakage, cross-site scripting flaws and code injection errors.

Technology vendors are finding an increasing number of new vulnerabilities, Cisco said. Secure development life-cycle and patching process improvements at independent software vendors could be leading to more software repairs.

More attention to secure software development can help build trust in vendor solutions. A secure development life cycle not only mitigates the risk of vulnerabilities and allows vendors to detect potential defects early in development, but also tells purchasers that they can rely on these solutions.

Malicious Spam Rising

Spam is in decline, but malicious spam campaigns -- those tied to malware or phishing sites -- remain a constant problem, Cisco said. Spam that is immediate after an event is more likely to be believed by recipients, Cisco said. The firm pointed to a wave of attacks following the Boston Marathon bombing last April. Click-returns increase. Victims click malicious links to attack websites and phishing pages.

Phony bank deposit or payment notification messages topped the themes in 2013, according to Cisco's review. Fake online product purchases, malicious photo attachments and phony shipping notices also topped the list of themes.

Multipurpose Trojans Dominate

Multipurpose Trojans were the most frequently encountered malware in web-based attacks, making up 27 percent of total web malware encounters, Cisco said. Malicious scripts and iframes embedded into infected websites was the next most frequently encountered category, Cisco said. Security experts tell CRN that the rise in multipurpose Trojans is not surprising. Malware writers are getting better at designing Trojans that are programmed to do several actions at once, bypassing a security mechanism to upload stolen data to a command-and-control server.

Data-theft Trojans, such as password stealers and back doors, made up 22 percent of total web malware encounters, with downloader and dropper trojans in fourth place at 17 percent of total encounters.

Pharmaceutical, Chemical Firms Under Fire

While the industry vertical targeted by attackers often fluctuates, businesses in the pharmaceutical and chemical industries appeared to get the most attention from cybercriminal groups in 2013. Cisco's analysis found significant growth in agriculture and mining industries, and said cybercriminals may be seizing on decreasing precious-metal resources and weather-related disruptions in the food supply.

Electronics manufacturers, and energy, oil and gas sectors also frequently encountered targeted attacks. Targeted cyberespionage activity often targets those sectors to seek out intellectual property, such as design documents and trade agreements, said security experts.

Watering-Hole Attacks Increase

Watering-hole attacks are rising in popularity, Cisco said. Attackers can target specific industry verticals by infiltrating frequently visited websites of employees of the targeted organization. It is a form of spearphishing, but rather than directed at specific individuals, it is designed to compromise groups of people with common interests, Cisco said.

The NetTraveler cyberespionage campaign, uncovered by researchers at Kaspersky Lab, used watering-hole tactics to target their victims. NetTraveler infected employees in the energy sector, scientific research community, government and defense contractors.

Cybersquatters Gain Sophistication Via Bitsquatting Technique

Cisco threat researchers have detected a new form of cybersquatting that targets bit errors in computer memory to redirect Internet traffic to sites hosting malware or other scams. The technique, called bitsquatting, uses registered domain names that are one binary digit different from a legitimate domain. It attempts to exploit miniscule errors that take place in system memory, which is likely to store frequently resolved domains.

"By changing a single bit, a domain such as "twitter.com" can become the bitsquat domain 'twitte2.com.' An attacker can simply register a bitsquat domain, wait for a memory error to occur, and then intercept Internet traffic," Cisco said.

With the amount of memory per device and the number of devices connected to the Internet both on the rise, bitsquatting can become a useful attack tool in the future, the company predicts.