Advanced Persistent Threats: Not-So-Advanced Methods After All
Cybercriminals behind heavily funded hacking operations are not necessarily using highly sophisticated malware to gain access to sensitive data or to spy on employees, according to a study released this week by IBM.
Attackers behind many of the so-called advanced persistent threats are known for targeting specific organizations, infiltrating them and remaining stealthy for lengthy periods of time. But cybercriminals, even those backed by powerful nation-states, often use fairly common hacking techniques and less sophisticated methods to gain initial access to systems and steal data.
"More often than not, these efforts follow a path of least resistance and rely on simpler, tried-and-true methods rather than zero-day attacks and sophisticated malware," wrote Leslie Horacek, who authored the IBM X-Force Trend and Risk Report. "Advanced persistent threats, while persistent, did not always use advanced technical approaches such as zero-day exploits and self-modifying malware."
The ubiquitous use of social networks, blogs and other platforms, however, are making things easy for attackers, as the publicly available data represents a treasure-trove of information. The information, whether posted to Facebook, Twitter or LinkedIn, can be used to carefully craft a spearphishing email attack, luring the victim into downloading a malware-laden document or clicking on a malicious link to an attack website, according to the IBM analysis.
IBM's analysis also found Web application vulnerabilities to be an increasingly common attack vector, rising 14 percent in 2012 and buoyed by two older attack techniques: cross-site scripting (XSS) and SQL injection. Web application flaws accounted for the most dangerous and costly hacker attacks, making up 43 percent of all vulnerabilities documented by IBM in 2012.
Attackers are taking advantage of poorly maintained websites and the failure to keep popular content management systems (CMS), such as WordPress, Joomla and ModX fully patched. The third-party components used to add website functionality caused the most serious problems, IBM said. Nearly 30 percent of core CMS vulnerabilities were not patched and users failed to apply updates to about half of the third-party components, according to IBM, which said it's a serious issue because 77 percent of exploits targeting Web application flaws are released the same day as the disclosure.
While attacks are not truly growing in sophistication, cybercriminals are taking a more systematic approach with their attack techniques, the IBM study found. First, attackers gather information about a targeted network, then probe a system for weaknesses, and then gain an initial foothold into a system. The goal then is to remain stealthy on the system while pivoting to a privileged account holder.
"The relative volume of the various security incident categories gives us a hint that the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet," IBM said in its report. "The efforts to identify potential victims, deploy a range of attacks, and then try to exploit a vulnerability is becoming more organized."
NEXT: DDoS Attacks Resulting In Rising Mitigation, Downtime Costs
IBM said malicious code injection has been steadily increasing, followed by probes and scans for vulnerabilities and weaknesses in organizations. Backdoor, brute force and specialized one-shot attacks are in decline, but IBM said the attacks often fluctuate throughout the year. IBM noted that attempts to gain access via FTP were seen the most frequently, followed by attempts to gain access via Cisco devices and through Unix Password files.
Automated attack toolkits helped fuel an increase in the use of exploits targeting newly discovered Java vulnerabilities. Many of the toolkit authors quickly incorporated them into the kits, within months after code was made available, Horacek wrote. Java, maintained by Oracle, is installed on millions of endpoints and can give attackers a surefire way to infect many systems in the least amount of time.
Exploits focus on bypassing Java's sandboxing restrictions, mitigations meant to isolate Java from sensitive components of the underlying operating system. Attacks were seen broadly in drive-by downloads targeting both PCs and Mac OS X systems, Horacek said.
Distributed denial of service (DDos) attacks have gained significant interest in the media, IBM also noted. Hacktivist groups and other organizations increasingly turned to freely available attack tools to carry out a greater level of attacks in 2012.
IBM said the volume of malicious traffic used in DDoS attacks rose significantly in 2012, "driven by compromised 24x7 higher-bandwidth Web servers instead of PCs." Sustained traffic of 60 to 70 Gbps was widely reported, IBM said.
IBM said the attacks are increasing data center costs and operational disruption, citing a report by the Ponemon Institute which estimated costs between $600,000 and $1 million each year associated with DDoS mitigation and lost productivity.
The second half of 2012 saw DDoS attacks attempting to cripple U.S. banks. The problem appears to be continuing in 2013 with antispam organization Spamhaus registering an attack on its website this week that at one point increased to a sustained 300-Gbps traffic load. The attackers used a more sophisticated DNS amplification attack technique, which relies on open or misconfigured DNS resolver servers to strengthen the traffic flow.
PUBLISHED MARCH 29, 2013