Some of 2014’s most highly evasive attacks came not from new technologies, but from a combination of new technologies with old, according to a new report from security company Websense.
Websense Security Labs 2015 Threat Report, which analyses evolving attack trends, tactics and defence vulnerabilities, shows threat actors are blending old tactics, such as macros, in unwanted emails with new evasion techniques.
“Tactics from the 1990s, such as malicious macros in unwanted emails, will continue to be ‘recycled’ into new threats and launched through email and web channels,” the report says.
It says threat actors are blending these old tactics with new evasion techniques, new exploits and more to create threats that challenge even the most robust defensive posture.
The report notes that recycling social engineering messages is nothing new, but says Websense saw growth in 2014 in recycling of other tactics, blended with new methods and techniques for improved evasiveness.
“One aspect of this renaissance of threat tactics was measured by Websense Security Labs, which identified over three million macro-embedded email attachments in just the last 30 days of 2014.”
The report says a good example of the effectiveness of the approach came mid-year, when a ‘very modern, targeted and otherwise advanced attack on the financial sector used Microsoft Word macros that were extremely adept at evading detection’.
And, despite the now dominant role of the web in cyberattacks, the report says the email remains a ‘very potent vehicle for threat delivery’.
“In 2014, 81% of all email scanned by Websense was identified as unwanted. This number is up 25% from the previous year.
“What’s more interesting, beyond the volume of malicious emails, is the fact that Websense detected 28% of malicious email messages before an antivirus signature became available, presenting antivirus users with an average windo of exposure of 17.5 hours.”
Websense says those figures underscore the importance of using real-time scanning and protection against the sizeable quantity of rapidly iterating malicious material.
The report says defensive postures need to be re-evaluated to ensure coverage across the kill chain in order to maximize the opportunities to stop attacks, and security solutions should be configured to analyse tactics both old and new.
Cybercrime just got easier
The report also highlights how exploit kits are making it easier than ever to create advanced threats, with malware-as-a-service meaning more people than ever have the tools and techniques at hand to breach a company’s defences.
“In this age of MaaS, even entry level threat actors can successfully create and launch data theft attacks due to greater access to exploit kits for rent, MaaS and other opportunities to buy or subcontract portions of a complex multi-stage attack.”
“In addition, to easier access to cutting-edge tools, malware authors are also blending new techniques with the old, resulting in highly evasive techniques.”
Even while the source code and exploit may be unique and advanced, much of the other infrastructure used in attacks is recycled and reused by the criminal element the report notes.
The report found that 99.3% of malicious files used a command and control URL that has been used previously by one or more other malware samples.
Other trends highlighted in the report include ‘Digital Darwinism’ with cybercriminals focusing on the quality of attack, rather than quantity. Security threats were down 5.1% to 3.96 billion in 2014, but the numerous breaches of high profile organisations with huge security investments attest to the effectiveness of last year’s threats.
Increasing difficulty in tracing attacks was also highlighted, with cybercriminals using spoofing and circumventing logging and tracking to remain anonymous.
The report also cautioned that the internet of things will magnify exploitation opportunities.