Today, Bromium released “Endpoint Exploitation Trends 1H 2015,” a Bromium Labs threat report that analyzes security trends from the first six months of 2015. One of the primary themes to emerge from the report should come as no surprise: cyber criminals are attacking targets that have the most users. Pragmatically, this means that malvertising campaigns are being conducted primarily through news and entertainments Web sites and that Flash has been exploited more than any other popular software this year. It’s no surprise that exploits targeting the Windows Kernel are getting more popular for launching targeted attacks. The discovery of Duqu 2.0 targeting high-profile groups including a large cybersecurity company clearly proves this. As the industry adopts application sandboxing on popular apps, kernel exploits are expected to gain more attention by malware authors.
Hackers continue to innovate. Malware evasion technology continues to evolve to bypass the latest detection mechanisms deployed by security professionals. Ransomware has exploded in growth, more than doubling in size year-over-year. In 2013, there were just two ransomware families; today there are 16.
If you’re interested in these trends, you should read the full report; however, it is also interesting to note that this report does not address the recent Hacking Team disclosures since it only analyzed the first six months of 2015. Bromium Labs has conducted a thorough analysis of the Hacking Team, which is worth reading, but today I want to talk about the bigger trends and how they relate to this threat report.
In July, the Hacking Team, an Italian surveillance company was compromised, leaking customer lists, source code and internal emails. In the coming days and weeks, a Pandora’s Box of exploits and vulnerabilities was unpacked; Flash, Internet Explorer and even Java were targeted.
These Flash exploits were incorporated into the Angler, Neutrino and Nuclear exploit kits. This development ties back into our research, as discussed in “Endpoint Exploitation Trends 1H 2015:”
In the past six months Adobe Flash Player took the coveted top space as the most exploited application. From an exploitation point of view, the architecture of Adobe’s AVM has multiple flaws allowing attackers to craft ROP shellcode on the fly thus bypassing ASLR and DEP. This combined with evasion techniques described in this report makes a nasty combination, with practically every user vulnerable.
Angler Exploit Kit
All the Web attacks we’ve seen are still operated using exploit kits. We found Angler to be the most prevalent exploit kit for the last six months. Lately we have been seeing CVE-2014-6332 also known as ‘IE Unicorn vulnerability’ and several Flash exploits, such as CVE-2014-0497 and CVE-2015-0311 for propagating malware. Aside from that Nuclear Pack and Fiesta remain relatively popular.
These Flash exploits, coupled with this newest Flash zero-day, prompted Mozilla to temporarily block Flash from Firefox. Facebook’s CSO wants to kill Flash. YouTube has dropped Flash for HTML5 and streaming video site Twitch.tv is making the same commitment. Will it really make any difference?
If these trends show us anything, it is that hackers have read “Who Moved My Cheese?” Internet Explorer was the most exploited software in the first half of 2014, but this year it is Flash; next year it will be whatever is easiest for attackers to compromise. What these trends really demonstrate is that all software is vulnerable.
More than 110 million records have been compromised in the first six months of 2015, which really demonstrates that the security industry is ineffective. I’ve written before about the challenge of patching never-ending zero days and I’ve called out the security industry on the vicious cycle of “assuming compromise.”
Security is almost always an afterthought when developing technology. Perhaps someday in the future, suppose 100 years from now, technology will be secure by design, but in the meantime we are living in a “lawless” era of vulnerabilities and compromise. Detection-based technologies are trying to solve an unsolveable problem.
The only way to prevent compromise is to prevent the initial unauthorized access. Threat isolation enforces the principle of least privilege to achieve this goal; unknown and untrusted content is isolated from access trusted systems. Bromium vSentry is a perfect example of this threat isolation; micro-virtualization isolates each vulnerable user task, preventing it from modifying the operating system or gaining network access.