
Déjà vu: What’s old is new again in cyberattacks

09 Apr 15

Some of 2014’s most highly evasive attacks came not from new technologies, but from a combination of new technologies with old, according to a new report from security company Websense.

The Websense Security Labs 2015 Threat Report, which analyses evolving attack trends, tactics and defence vulnerabilities, shows threat actors are blending old tactics, such as macros in unwanted emails, with new evasion techniques.

“Tactics from the 1990s, such as malicious macros in unwanted emails, will continue to be ‘recycled’ into new threats and launched through email and web channels,” the report says.

It says threat actors are blending these old tactics with new evasion techniques, new exploits and more to create threats that challenge even the most robust defensive posture.

The report notes that recycling social engineering messages is nothing new, but says Websense saw growth in 2014 in recycling of other tactics, blended with new methods and techniques for improved evasiveness.

“One aspect of this renaissance of threat tactics was measured by Websense Security Labs, which identified over three million macro-embedded email attachments in just the last 30 days of 2014.”

The report says a good example of the effectiveness of the approach came mid-year, when a ‘very modern, targeted and otherwise advanced attack on the financial sector used Microsoft Word macros that were extremely adept at evading detection’.
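The report describes macro-embedded attachments as the recycled tactic, and real-time scanning as the counter. As an added illustration (not code from Websense or the report), the following stdlib-only check flags attachments that carry a VBA project by sniffing the container from its magic bytes rather than trusting the file extension, so a macro-enabled document renamed to .docx is still caught. The sample attachments are constructed in-memory stand-ins, not real documents, and the OLE2 check is a string heuristic, not a full OLE parser.

```python
import io
import zipfile

# Added example, not from the Websense report: triage e-mail attachments for VBA macros.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (OLE2) header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm ...) is a zip
# OLE2 directory entries store stream/storage names as UTF-16LE; documents with an
# embedded VBA project contain a "_VBA_PROJECT" entry. Heuristic, not a full parser.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data):
    """Return (flagged, reason) for raw attachment bytes.

    The container type is taken from the magic bytes, so a renamed file
    (e.g. a .docm delivered as .docx) is inspected the same way.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    # Macro-enabled OOXML stores the VBA project as word/ or xl/vbaProject.bin
                    if name.lower().endswith("vbaproject.bin"):
                        return True, "OOXML part %s" % name
        except zipfile.BadZipFile:
            return False, "unreadable zip container"
        return False, "OOXML without VBA project"
    if data.startswith(OLE_MAGIC):
        if OLE_VBA_MARKER in data:
            return True, "OLE2 document with _VBA_PROJECT storage"
        return False, "OLE2 document without VBA project"
    return False, "not an Office container"


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns filenames to hold for review."""
    return [name for name, blob in attachments if has_vba_macros(blob)[0]]


def _build_ooxml(with_macro):
    """Constructed minimal OOXML-shaped zip; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (stand-ins, not real files)
SAMPLES = [
    ("invoice.docx", _build_ooxml(with_macro=False)),
    ("invoice.docm", _build_ooxml(with_macro=True)),
    ("report.docx", _build_ooxml(with_macro=True)),   # macro document renamed to .docx
    ("old.doc", OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 16),
    ("notes.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, has_vba_macros(blob))
    print("hold for review:", triage(SAMPLES))
```

Run as a script it reports each sample and the list to hold; in a mail gateway the same `triage` call would sit in front of signature-based scanning, which is the point the report makes about the gap between delivery and an antivirus signature becoming available.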

And, despite the now dominant role of the web in cyberattacks, the report says the email remains a ‘very potent vehicle for threat delivery’.

“In 2014, 81% of all email scanned by Websense was identified as unwanted. This number is up 25% from the previous year.

“What’s more interesting, beyond the volume of malicious emails, is the fact that Websense detected 28% of malicious email messages before an antivirus signature became available, presenting antivirus users with an average window of exposure of 17.5 hours.”

Websense says those figures underscore the importance of using real-time scanning and protection against the sizeable quantity of rapidly iterating malicious material.

The report says defensive postures need to be re-evaluated to ensure coverage across the kill chain in order to maximize the opportunities to stop attacks, and security solutions should be configured to analyse tactics both old and new.

Cybercrime just got easier

The report also highlights how exploit kits are making it easier than ever to create advanced threats, with malware-as-a-service meaning more people than ever have the tools and techniques at hand to breach a company’s defences.

“In this age of MaaS, even entry level threat actors can successfully create and launch data theft attacks due to greater access to exploit kits for rent, MaaS and other opportunities to buy or subcontract portions of a complex multi-stage attack.”

“In addition to easier access to cutting-edge tools, malware authors are also blending new techniques with the old, resulting in highly evasive techniques.”

Even while the source code and exploit may be unique and advanced, much of the other infrastructure used in attacks is recycled and reused by the criminal element, the report notes.

The report found that 99.3% of malicious files used a command and control URL that has been used previously by one or more other malware samples.

Other trends highlighted in the report include ‘Digital Darwinism’, with cybercriminals focusing on the quality of attacks rather than quantity. Security threats were down 5.1% to 3.96 billion in 2014, but the numerous breaches of high-profile organisations with huge security investments attest to the effectiveness of last year’s threats.

Increasing difficulty in tracing attacks was also highlighted, with cybercriminals using spoofing and circumventing logging and tracking to remain anonymous.

The report also cautioned that the internet of things will magnify exploitation opportunities.
