KUALA LUMPUR, Malaysia, February 23, 2016 – Dell today announced the results of the Dell Security Annual Threat Report detailing the cybercrime trends that shaped 2015 and identifying top emerging security risks for 2016.
The report, based on data collected throughout 2015 from the Dell SonicWALL Global Response Intelligence Defense (GRID) network with daily feeds from more than one million firewalls and tens of millions of connected endpoints, Dell SonicWALL network traffic and other industry sources, equips organizations with practical, evidenced-based advice so they can effectively prepare for and prevent attacks.
This year’s report details four developing trends in cybercrime.
- The evolution of exploit kits to stay one step ahead of security systems.
- A continued surge in SSL/TLS encryption that is giving cybercriminals more opportunities to conceal malware from firewalls.
- The continued rise of Android malware.
- A marked increase in the number of malware attacks.
“Many of the breaches in 2015 were successful because cybercriminals found and exploited a weak link in victims’ security programs due to disconnected or outdated point solutions that could not catch these anomalies in their ecosystem,” said Curtis Hutcheson, general manager, Dell Security. “Each successful attack provides an opportunity for security professionals to learn from others’ oversights, examine their own strategies and shore up the holes in their defense systems. At Dell Security, we believe the best way for customers to protect themselves is to inspect every packet on their network and validate every entitlement for access.”
Threat Findings From 2015
One of the best ways to predict and prepare for emergent threats is to analyze information about recent breaches. Dell’s predictions and security recommendations for 2016 revolve around four key findings from 2015:
1. Exploit kits evolved to stay one step ahead of security systems, with greater speed, heightened stealth and novel shapeshifting abilities.
In 2015, exploit kit behavior continued to be dynamic, creating a rise in the number and types of kits available. The year’s most active kits proved to be Angler, Nuclear, Magnitude and Rig. The sheer volume of exploit kits available gave attackers limitless opportunities to target the latest zero-day vulnerabilities, including those appearing in Adobe Flash, Adobe Reader and Microsoft Silverlight.
Dell SonicWALL noted a few key evolutions in 2015’s exploit kits, including:
- Use of anti-forensic mechanisms to evade security systems – In September 2015, the Dell SonicWALL Threat Research Team discovered a major, unclassified exploit kit, which the team named Spartan. This kit effectively hid from security systems by encrypting its initial code and generating its exploitative code in memory, never writing to disk.
- Upgrades in evasion techniques, such as URL pattern changes – Dell SonicWALL observed the Nuclear exploit kit first using search?q as part of the URL for its landing page redirect campaign in September 2015. In October 2015, this URL segment changed to /url?sa, making it difficult for anti-virus software and firewalls to keep up. It was also common for kits to check for anti-virus software or virtual environments, such as VMware or VirtualBox, and to modify their code accordingly for higher success rates.
- Changes to landing page redirection techniques – Cybercriminals no longer necessarily use standard document.write or iframe redirection. In 2015, some of the larger attacks like Magnitude used steganography, which involves concealing the file, message, image or video within another file, message, image or video.
- Modifications in landing page entrapment techniques – Some attacks directly called JavaScript’s functions to determine the browser and plugins victims were using, rather than leveraging the entire JavaScript PluginDetect library in plain or obfuscated form.
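The URL pattern change described above (search?q, then /url?sa) is the kind of detail a path-only signature chases forever. The following is an added example, not code from the Dell report: a small proxy-log sweep that anchors on the combination of a Google-style path shape and a non-Google host, using a constructed log format and placeholder hostnames.

```python
"""Flag proxy-log requests whose URL copies Google search/redirect shapes on
non-Google hosts. Added example (not from the Dell report): the Nuclear kit
moved from "search?q" to "/url?sa", so a path-only signature churns, while
anchoring on host-versus-path keeps working across such changes."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed (constructed) log layout: "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Path suffix and query key the report says the kit borrowed from Google URLs
SUSPICIOUS_SHAPES = (("/search", "q"), ("/url", "sa"))
# Hosts that legitimately serve those shapes; extend for your environment
GOOGLE_SUFFIXES = (".google.com", ".google.co.uk")


def is_google_host(host: str) -> bool:
    host = host.lower()
    return host == "google.com" or host.endswith(GOOGLE_SUFFIXES)


def suspicious_redirects(log_lines):
    """Return one record per request with a kit-style URL shape on a host
    that is not Google. A triage heuristic, not proof of an exploit kit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        # keep_blank_values so a bare "search?q" (no value) still counts
        query = parse_qs(parts.query, keep_blank_values=True)
        for suffix, key in SUSPICIOUS_SHAPES:
            if (parts.path.endswith(suffix) and key in query
                    and not is_google_host(parts.hostname or "")):
                hits.append({"ts": ts, "client": client, "host": parts.hostname,
                             "shape": suffix + "?" + key})
    return hits


# Constructed sample lines; hostnames are placeholders, not real indicators
SAMPLE_LOG = [
    "2015-10-02T10:01:03Z 10.0.0.15 GET https://www.google.com/search?q=weather 200",
    "2015-10-02T10:01:09Z 10.0.0.15 GET http://ads.example-cdn.net/search?q=4f2a 302",
    "2015-10-02T10:01:10Z 10.0.0.15 GET http://static.example.org/url?sa=t&rct=j 200",
    "2015-10-02T10:02:00Z 10.0.0.22 GET http://news.example.com/index.html 200",
    "garbage line that does not parse",
]
if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_LOG):
        print(hit)
```

Sites that embed a legitimate Google Custom Search will also hit this rule, so treat the output as a triage queue and tune GOOGLE_SUFFIXES to what your environment actually uses.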
2. Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption continued to surge, leading to under-the-radar hacks affecting at least 900 million users in 2015.
Using SSL/TLS encryption, or HTTPS traffic, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware inspection systems. These attacks can be extremely effective, simply because most companies do not have the right infrastructure to detect them. Legacy network security solutions typically either don’t have the ability to inspect SSL/TLS-encrypted traffic or their performance is so low that they become unusable when conducting the inspection. Attackers took full advantage of this lack of visibility, coupled with the growth of HTTPS traffic throughout the year. In August 2015, an attack leveraged SSL/TLS encryption to disguise an infected advertisement on Yahoo, exposing as many as 900 million users to malware. This campaign redirected Yahoo visitors to a site that was infected by the Angler exploit kit. An additional 10 million users were likely affected in the weeks prior by accessing ads placed by a marketing company called E-planning.
Dell SonicWALL noted an increase in the number of HTTPS connections, as well as geographical differences in its use:
- In the fourth quarter of 2015, HTTPS connections (SSL/TLS) made up an average of 64.6 percent of web connections, outpacing the growth of HTTP throughout most of the year.
- In January 2015, HTTPS connections were 109 percent higher than in the previous January. Furthermore, each month throughout 2015 saw an average of 53 percent increase over the corresponding month in 2014.
- On virtually opposite ends of the spectrum, HTTPS made up 81.6 percent of web connections in North Korea in 2015, while it made up only 34.4 percent in South Korea. China had by far the lowest HTTPS usage at only 8.63 percent of web connections.
3. Malware for the Android ecosystem continued to rise compared to 2014, putting the lion’s share of the smartphone market at risk.
In 2015, Dell SonicWALL saw a wide range of new offensive and defensive techniques that attempted to increase the strength of attacks against the Android ecosystem.
Stagefright was, in theory, one of the most dangerous vulnerabilities ever discovered for Android. The vulnerability was embedded deeply in the Android operating system and affected all of the estimated 1 billion devices running Froyo 2.2 to Lollipop 5.1.1. Thankfully, Dell SonicWALL and other security organizations observed no infections from Stagefright before Google discovered and patched it.
Dell SonicWALL noted a few emerging trends among the attacks against Android devices in 2015:
- Android-specific ransomware began to gain popularity throughout the year. In September 2015, Dell SonicWALL observed a new ransomware variant that added a randomly generated PIN to the typical ransomware lock screen.
- Android malware writers continued to find innovative ways to evade detection and analysis. In 2015, they began shipping malicious code as part of a library file, rather than a classes file, which is more commonly scanned by anti-virus software. Taking this a step further, 2015 saw the rise of a new Android malware called AndroidTitanium that stored its malicious contents on a Unix library file in the lib folder as libTitaniumCore.so. This .so file was loaded as a native library by the classes from the classes.dex file. By simply referring to the content saved somewhere else, the malware kept the classes.dex file itself free of malicious content.
- The financial sector continued to be a prime target for Android malware, with a number of malicious threats targeting banking apps on infected devices. In November 2015, Dell SonicWALL discovered an Android campaign created to steal credit card and banking-related information from infected devices. Many of the malicious Android packages (APKs) in this campaign used the official Google Play Store as a conduit to trick victims into entering their credit card information. Some also monitored a few hardcoded apps, particularly financial apps, in order to steal login information. These malicious apps could also remotely execute commands received via SMS messages and transfer device-related data to the attackers.
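The AndroidTitanium technique above keeps classes.dex clean and moves the payload into a native library under lib/ that the dex code loads by name. As an added example (not code from the Dell report or from any real sample), the following APK triage script lists every bundled .so, hashes it, and checks whether a dex file names it, so an analyst sees which native libraries the Java side actually pulls in. The APK it runs on is constructed in memory.

```python
"""Triage an APK for native libraries that its dex code loads by name.
Added example (not from the Dell report): the AndroidTitanium pattern keeps
classes.dex clean and puts the payload in lib/<abi>/libX.so, pulled in with
System.loadLibrary("X"). The dex string table stores "X" in (M)UTF-8, so a
byte search for it ties each bundled .so back to the code that loads it."""
import hashlib
import io
import posixpath
import zipfile


def triage_native_libs(apk_bytes: bytes) -> list:
    """One record per .so under lib/, with a flag for 'named in a dex file'.
    Heuristic only: short names (e.g. "c") will match by accident."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        # Multidex apps ship classes2.dex, classes3.dex, ... at the root
        dex_blob = b"".join(apk.read(n) for n in names
                            if "/" not in n and n.startswith("classes") and n.endswith(".dex"))
        for name in names:
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = apk.read(name)
            base = posixpath.basename(name)[:-len(".so")]
            # loadLibrary("TitaniumCore") resolves to libTitaniumCore.so
            short = base[len("lib"):] if base.startswith("lib") else base
            findings.append({"path": name, "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest(),
                             "loaded_by_dex": short.encode() in dex_blob})
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in APK (not a real sample): a stub classes.dex that
    only carries the library name, plus a payload-bearing .so and an orphan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16 + b"TitaniumCore\0")
        z.writestr("lib/armeabi/libTitaniumCore.so", b"\x7fELF" + b"placeholder")
        z.writestr("lib/armeabi/libhelper.so", b"\x7fELF" + b"unreferenced")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_native_libs(build_sample_apk()):
        tag = "LOADED-BY-DEX" if f["loaded_by_dex"] else "orphan"
        print(f"{f['path']:36} {f['size']:6d} {tag} {f['sha256'][:16]}")
```

Every .so that is loaded by dex deserves the same scrutiny a scanner would give classes.dex; a library that nothing loads is either dead weight or loaded through a path this heuristic does not see (for example, dlopen from another native library).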
4. Malware attacks nearly doubled to 8.19 billion; popular malware families continued to morph from season to season and differed across geographic regions.
In 2015 alone, Dell SonicWALL received 64 million unique malware samples, compared to 37 million in 2014. Moreover, the number of attack attempts almost doubled, from 4.2 billion in 2014 to 8.19 billion in 2015. This pervasive threat is wreaking havoc on the cyber world and causing significant damage to government agencies, organizations, companies and even individuals. Sometimes malware narrowly targets one population by design; sometimes it affects certain groups more heavily for external reasons.
The type of malware in circulation that Dell SonicWALL observed in 2015 varied widely across timeframes, countries and interest groups:
- Long-lasting malware – The Dyre Wolf corporate banking Trojan was one of the most active malware variants of the year. It came onto the scene in February of 2015 and remained somewhat active through December. By April, companies had already lost between $1.5 and $6.5 million to Dyre Wolf. Dyre Wolf enjoyed such a long lifespan for several reasons including its profitability (attractive to attackers), frequent binary code updates, sophisticated anti-detection techniques and ease of spreading. The combination of Dyre Wolf and Parite topped malware network traffic through 2015. Other long-lasting malware included TongJi, a widely used malicious JavaScript by multiple drive-by campaigns; Virut, a general cybercrime botnet active since at least 2006; and the resurgence of Conficker, a well-known computer worm targeting the Microsoft Windows operating system since 2008.
- Geographically dominant malware – There was a strong geographic correlation to the popularity of individual malware variants throughout 2015. One geographical attack that made its political intentions clear was the Upatre Trojan, which was dominant in Germany in June and July 2015. Upatre presented compromised users with an anti-drone message, urging victims to stand up to the U.S. Government against the use of drones in war. In October and November 2015, the Spartan exploit kit discovered by Dell SonicWALL was most highly concentrated in Russia. Meanwhile, the Windows XP malware CVE-2010-2568 was extremely popular in India, where the operating system is still in widespread use.