January 20, 2016 (updated 31 Aug 2016 9:54am)

Cisco security report: Angler threat remains, but Adobe Flash threat declining

List: 5 issues identified in the annual Cisco security report, and one that might just be going away.

By Charlotte Henry

Cisco has released its giant Annual Security Report, giving a wide ranging look at the state of the security industry, the threats it is trying to fight, and how firms protect themselves.

The "Threat Intelligence" section of the extensive document has industry collaboration as a key theme running throughout it, with the industry having to come together to fight major threats from around the world. It cites working together with Level 3 to tackle the "unique threat" of the SSHPsychos DDoS network as an example of this.

Here are some other key trends:

1. AnglerEK is not going away

The Angler exploit kit still remains "one of the largest and most effective exploit kits on the market", the report found.

It says that, with an average ransom of $300, one campaign in which 147 redirection servers each targeted 90,000 a day could bring in a gross yearly income of $34m. It says 9515 users are paying ransoms a month.

It says that Angler has been linked to a variety of high profile malvertising attacks, whereby malicious code is delivered through seemingly legitimate adverts on a website, as well as ransomware campaigns in which a victim’s data is locked up.

Cisco credits Angler with being a "major factor in the overall explosion of ransomware activity" that it has documented in recent years.


2. Mixing legitimate and malicious resources

Linked to the continuing presence of Angler is another trend that Cisco found – that cyber criminals are making use of legitimate resources alongside more malicious ones to carry out their campaigns.

They noted that "some operators of the exploit kit were using an inordinate amount of worldwide proxy servers for Angler that were servers operated by Limestone Networks."

Elsewhere in the report, Cisco notes increased use of WordPress servers as "relay agents" in ransomware attacks, as "communications that relay encryption keys through compromised WordPress servers may appear normal, thus increasing the chances that file encryption will be completed."

3. Browser infections not given high enough priority

Cisco says that security teams should make monitoring browser add-ons a higher priority. The firm says that the general pattern of decline in such infections could be deceptive, because encrypted traffic hides some of them from view.

The firm says that "malicious browser extensions can steal information, and they can be a major source of data leakage."

Of the 45 firms that Cisco looked at, 85% were affected by malicious browser extensions in every month of Cisco's observation period. These issues could go unresolved for days, giving attackers a longer window in which to act against the affected firms.

4. Gamarue threat remains and Cryptowall spikes

Gamarue is a well known botnet, a "modular multipurpose information stealer" as the report describes it. Cisco found that it was the most common command and control threat that it monitored.

There was a "significant spike" in attacks using the Cryptowall 3.0 ransomware in July 2015 too, and Cisco attributes this to issues covered elsewhere in the report: the Angler exploit kit and patching gaps with Adobe Flash.

5. DNS is a security blind spot

Cisco found that 91.3% of "known bad" malware used DNS to gain command and control, to exfiltrate data, or to redirect traffic, but that this has not been matched by monitoring by firms. The report says that 68% of organisations do not monitor recursive DNS.

Cisco says that a large part of the reason this is a security "blind spot" is that "security teams and DNS experts typically work in different groups within a company and don't interact frequently." This is not the only problem though. Cisco says both the right expertise and the right technology must be combined for correlation analysis to better monitor DNS.
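As an illustration of what monitoring recursive DNS can surface, the following script is an added example and is not from the Cisco report or this article. It parses a small set of constructed, BIND-style query-log lines (not real traffic), and flags the patterns a defender looks for when DNS is used as a covert channel: unusually long or high-entropy leftmost labels, TXT lookups carrying such labels, and one client querying many distinct subdomains under a single zone. The log format, the thresholds and the "last two labels" zone heuristic are assumptions chosen for the example; a real deployment would use the public suffix list and tune thresholds to its own baseline.

```python
"""Flag exfiltration- and C2-like patterns in recursive DNS query logs.

Added example: log lines are constructed, thresholds are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample lines in a BIND-style query log layout (not real traffic).
# 10.0.0.42 issues a burst of TXT lookups whose leftmost label looks like
# hex-encoded data; the other clients do ordinary lookups.
SAMPLE_LOG = """\
20-Jan-2016 09:00:01.001 client 10.0.0.15#53211: query: www.example.com IN A +
20-Jan-2016 09:00:02.112 client 10.0.0.15#53212: query: mail.example.com IN MX +
20-Jan-2016 09:00:03.220 client 10.0.0.42#40001: query: 6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7.update-cdn.invalid IN TXT +
20-Jan-2016 09:00:03.230 client 10.0.0.42#40002: query: 7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708.update-cdn.invalid IN TXT +
20-Jan-2016 09:00:03.240 client 10.0.0.42#40003: query: 8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f70819.update-cdn.invalid IN TXT +
20-Jan-2016 09:00:03.250 client 10.0.0.42#40004: query: 9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7081920.update-cdn.invalid IN TXT +
20-Jan-2016 09:00:03.260 client 10.0.0.42#40005: query: 0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192021.update-cdn.invalid IN TXT +
20-Jan-2016 09:00:04.000 client 10.0.0.77#51000: query: cdn.example.net IN A +
"""

# Assumed log layout: "client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return (client, qname, qtype) tuples for every parseable line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["client"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname):
    """Crude zone heuristic (assumption): the last two labels of the name."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyse(records, max_label=30, min_entropy=3.5, max_unique_subdomains=5):
    """Return a list of findings; each names the client, the name and why."""
    findings = []
    unique = defaultdict(set)  # (client, zone) -> distinct names queried
    for client, qname, qtype in records:
        first = qname.split(".")[0]
        unique[(client, registered_zone(qname))].add(qname)
        reasons = []
        if len(first) > max_label:
            reasons.append(f"long label ({len(first)} chars)")
        ent = shannon_entropy(first)
        if ent > min_entropy:
            reasons.append(f"high-entropy label ({ent:.2f} bits)")
        if qtype == "TXT" and reasons:
            reasons.append("TXT lookup with encoded-looking label")
        if reasons:
            findings.append({"client": client, "qname": qname,
                             "qtype": qtype, "reasons": reasons})
    # Many distinct subdomains under one zone from one client is the
    # signature of data being chunked into successive query names.
    for (client, zone), names in unique.items():
        if len(names) >= max_unique_subdomains:
            findings.append({"client": client, "qname": zone, "qtype": "*",
                             "reasons": [f"{len(names)} distinct subdomains under one zone"]})
    return findings


def suspicious_clients(findings):
    """Distinct client addresses that produced at least one finding."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    for f in analyse(parse_query_log(SAMPLE_LOG)):
        print(f"{f['client']:<12} {f['qtype']:<4} {f['qname']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against a resolver's real query log, the per-line checks catch individual encoded lookups while the per-zone count catches low-and-slow chunking that keeps each label short; both depend on the recursive resolver actually logging queries, which is exactly the monitoring the report says 68% of organisations lack.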

…But Adobe Flash is finally on its way out as an attack vector

Adobe Flash has long been a thorn in the side of security professionals, and remains a regular presence on the list of high urgency alerts. However, Cisco believes that the threat is being recognised by vendors whose products have been exploited via these weaknesses, for example web browsers.

"Cisco researchers believe that the protections now built into some commonly used web browsers and operating systems will lessen criminals' reliance on Flash," the report says. Like legitimate organisations, hackers focus on getting the best results and making the most money, and so will not invest in attacks that may not give a good return.

Ironically, Cisco itself was assigned more CVEs (the standard identifiers for publicly disclosed vulnerabilities) than Adobe, the maker of Flash. Apple had the most, followed by Oracle and Microsoft. However, Adobe did have the highest number of public exploits available of any vendor.
