Cisco has released its giant Annual Security Report, giving a wide-ranging look at the state of the security industry, the threats it is trying to fight, and how firms protect themselves.
The "Threat Intelligence" section of the extensive document has industry collaboration as a key theme running throughout it, with the industry having to come together to fight major threats from around the world. It cites working together with Level 3 to tackle the "unique threat" of the SSHPsychos DDoS network as an example of this.
Here are some other key trends:
1. AnglerEK is not going away
The Angler exploit kit still remains "one of the largest and most effective exploit kits on the market", the report found.
It says that, with an average ransom of $300, one campaign in which 147 redirection servers each targeted 90,000 users a day could bring in a gross yearly income of $34m. It says 9,515 users are paying ransoms a month.
It says that Angler has been linked to a variety of high profile malvertising attacks, whereby malicious code is delivered through seemingly legitimate adverts on a website, as well as ransomware campaigns in which a victim’s data is locked up.
Cisco credits Angler with being a "major factor in the overall explosion of ransomware activity" that it has documented in recent years.
2. Mixing legitimate and malicious resources
Linked to the continuing presence of Angler is another trend that Cisco found: cyber criminals are making use of legitimate resources alongside more malicious ones to carry out their campaigns.
They noted that "some operators of the exploit kit were using an inordinate amount of worldwide proxy servers for Angler that were servers operated by Limestone Networks."
Elsewhere in the report, Cisco notes increased use of WordPress servers as "relay agents" in ransomware attacks as "communications that relay encryption keys through compromised WordPress servers may appear normal, thus increasing the chances that file encryption will be completed."
3. Browser infections not given high enough priority
Cisco says that security teams should make monitoring browser add-ons a higher priority. The firm says that the general pattern of decline could be deceptive due to encryption.
The firm says that "malicious browser extensions can steal information, and they can be a major source of data leakage."
Of the 45 firms that Cisco looked at, 85% were affected by malicious browser extensions in every month that the firm was observing. These issues could go unresolved for days, giving attackers greater opportunities against the firms.
4. Gamarue threat remains and Cryptowall spikes
Gamarue is a well-known botnet, a "modular multipurpose information stealer" as the report describes it. Cisco found that it was the most common command and control threat that it monitored.
There was a "significant spike" in attacks using the Cryptowall 3.0 ransomware in July 2015 too, and Cisco attributes this to issues covered elsewhere: the Angler exploit kit and patching gaps with Adobe Flash.
5. DNS is a security blind spot
Cisco found that 91.3% of "known bad" malware used DNS to gain command and control, to exfiltrate data, or to redirect traffic, but that firms' monitoring has not kept pace with this. The report says that 68% of organisations do not monitor recursive DNS.
Cisco says that a large part of the reason this is a security "blind spot" is that "security teams and DNS experts typically work in different groups within a company and don't interact frequently." This is not the only problem though. Cisco says both the right expertise and the right technology must be combined for correlation analysis to better monitor DNS.
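The recursive DNS monitoring gap described above, as an added example that is not from the Cisco report: a small Python detector that aggregates constructed resolver log lines per base domain and flags the burst of unique, high-entropy, TXT-heavy subdomains that a DNS covert channel for command and control or exfiltration produces. The log format, thresholds and the two-label base-domain rule are assumptions.

```python
import math
from collections import defaultdict

# Constructed recursive-resolver log sample, one query per line: "client qname qtype".
# The first four lines are ordinary traffic; the last four mimic DNS-tunnelled traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.example.net A
10.0.0.7 www.example.net A
10.0.0.9 a8f3k2m9x1q7z4.update-svc.test TXT
10.0.0.9 q2p8n4l6v0r3s5.update-svc.test TXT
10.0.0.9 z7w1y9t3u5b8c2.update-svc.test TXT
10.0.0.9 m4d6h8j0f2g5k7.update-svc.test TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or random labels score far above ordinary hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname: str):
    """Return (subdomain, base domain), treating the last two labels as the base.
    Assumption: no public-suffix list, so co.uk-style names are not handled."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def flag_suspicious_domains(log_text, min_unique=4, min_entropy=3.0, min_txt_ratio=0.5):
    """Aggregate queries per base domain and flag those whose subdomain traffic
    looks like a covert channel: many unique, high-entropy labels, mostly TXT."""
    stats = defaultdict(lambda: {"subs": set(), "txt": 0, "total": 0})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        sub, base = split_name(qname)
        stats[base]["total"] += 1
        stats[base]["txt"] += int(qtype == "TXT")
        if sub:
            stats[base]["subs"].add(sub)
    flagged = {}
    for base, s in stats.items():
        if len(s["subs"]) < min_unique:
            continue
        entropy = sum(shannon_entropy(x) for x in s["subs"]) / len(s["subs"])
        if entropy >= min_entropy and s["txt"] / s["total"] >= min_txt_ratio:
            flagged[base] = {"unique_subdomains": len(s["subs"]), "avg_entropy": round(entropy, 2)}
    return flagged
```

Run against real resolver logs, the per-domain counters are what a security team would correlate with the DNS team's zone and resolver data; thresholds need tuning per environment, since CDNs and some telemetry services also generate many unique subdomains.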
…But Adobe Flash is finally on its way out as an attack vector
Adobe Flash has long been a thorn in the side of security professionals, and remains a regular presence on the list of high urgency alerts. However, Cisco believes that the threat is being recognised by vendors whose products have been exploited via these weaknesses, for example web browsers.
"Cisco researchers believe that the protections now built into some commonly used web browsers and operating systems will lessen criminals' reliance on Flash," the report says. Like legitimate organisations, hackers focus on getting the best results and making the most money, and so will not invest in attacks that may not give a good return.
Ironically, Cisco itself had more CVEs (Common Vulnerabilities and Exposures identifiers) than Adobe, the maker of Flash. Apple had the most, followed by Oracle and Microsoft. However, Adobe did have the highest number of public exploits available of any vendor.