Canadian Underwriter

Deceptive new tactics by cyber attackers emerge in 2014, attackers succeed with speed and precision: Symantec

April 16, 2015   by Canadian Underwriter


Symantec reports that a tactical shift in cyber crime unfolded in 2014, with attackers moving to infiltrate networks and evade detection by hijacking the infrastructure of major corporations and using it against them.

Some attackers are tricking companies into infecting themselves

“We’re seeing attackers trick companies into infecting themselves by Trojanizing software updates to common programs and patiently waiting for their targets to download them, giving attackers unfettered access to the corporate network,” Kevin Haley, director of Symantec Security Response, says in a statement from the company, which provides security, back-up and availability solutions for where vital information is stored, accessed and shared.

Savvy attackers are using increased levels of deception and, in some cases, hijacking companies’ own infrastructure and turning it against them, notes Volume 20 of Symantec’s Internet Security Threat Report, released this week. The report, which provides an overview and analysis of the year in global threat activity – including commentary on emerging trends in attacks, malicious code activity, phishing and spam – is based on data from Symantec’s Global Intelligence Network.

Last year, among others, Symantec observed advanced attackers deploying legitimate software onto compromised computers to continue their attacks without risking discovery by anti-malware tools; building custom attack software inside the victim’s network, on the victim’s own servers; and using stolen email accounts from one corporate victim to spear-phish the next corporate victim.

Overall, the report shows the United States ranked number one with the greatest percentage of global detections, at 20.69%, in 2014. The U.S. was followed by China (10.65%), India (3.95%), The Netherlands (3.64%), Germany (3.26%), Taiwan (2.60%), United Kingdom (2.56%), Russia (2.54%), Vietnam (2.44%) and Brazil (2.32%).

Malicious codes accounted for the largest threat

Looking at Canada specifically, the top threats by source are as follows:

• malicious code – accounting for 2.14% in 2014 compared with 1.69% in 2013;

• spam – accounting for 0.40% in 2014 compared with 0.51% in 2013;

• phishing hosts – accounting for 2.52% in 2014 compared with 2.77% in 2013;

• bots – accounting for 2.98% in 2014 compared with 3.51% in 2013;

• network attacking countries – accounting for 1.70% in 2014 compared with 1.74% in 2013; and

• web attacking countries – accounting for 0.41% in 2014 compared with 0.69% in 2013.

The report also breaks down email attacks by destination in Canada: malware accounts for 1 in 391.5 emails; phishing for 1 in 765.6; and spam for 54.2%. By industry, top malware targets are public administration; agriculture, forestry & fishing; construction; wholesale; and services – professional. For phishing, top targets are public administration; services – professional; wholesale; construction; and agriculture, forestry & fishing. For spam, top targets are mining (61.4%), public administration (56.4%), construction (56.1%), transportation, communications, electric, gas & sanitary services (54.7%), and services – professional (54.4%).

Canada also makes the top 5 globally for social media scams (by destination). The U.S. ranks first, at 30.22% of all global scams, then India at 6.23%, the U.K. at 6.10%, Canada at 5.79% and France at 3.92%.

Noting that change is constant, the report states that 2014 was characterized by far-reaching vulnerabilities, faster attacks, files held for ransom and far more malicious code than in previous years. “Data breaches are still a significant issue, since the number of breaches increased 23% and attackers were responsible for the majority of these breaches. However, attention shifted during the year from what was being exfiltrated to the way attackers could gain access.”

Symantec research reveals that it took software companies an average of 59 days to create and roll out patches. This opened the door for attackers to exploit security gaps in the interim, the company notes, adding that there were 24 total zero-day vulnerabilities discovered in 2014.

“In 2014, it took 204 days, 22 days and 53 days for vendors to provide a patch for the top three most exploited zero-day vulnerabilities. By comparison, the average time for a patch to be issued in 2013 was only four days,” Symantec reports.

The company also notes greater use of spear-phishing by advanced attackers, with such attacks increasing 8% in 2014. Five out of every six large companies (with 2,500 employees or more) were targeted with spear-phishing attacks last year, a 40% increase over 2013. There was also an uptick among small and medium-sized firms, with attacks increasing 26% and 30%, respectively.

Overall, the precision of spear-phishing attacks was telling, with attackers deploying 14% fewer emails towards 20% fewer targets. “Attackers also perfected watering hole attacks, making each attack more selective by infecting legitimate websites, monitoring site visitors and targeting only the companies they wanted to attack,” states the report.

In 2014, 28% of all malware was “virtual machine aware”, the report notes. “This should serve as a wake-up call to security researchers who are dependent on virtual sandboxing to observe and detect malware, as virtual environments do not provide any level of protection.”

As well, the report notes that ransomware attacks grew 113% in 2014, driven by more than a 4,000% increase in crypto-ransomware attacks (crypto-ransomware holds a victim’s files, photos and other digital media hostage without masking the attacker’s intention). “In 2013, crypto-ransomware accounted for a negligible percentage of all ransomware attacks (0.2%, or 1 in 500 instances). However, in 2014, crypto-ransomware was seen 45 times more frequently.”

More than half of all targeted attacks struck small and medium-sized organizations

Email continues to be a significant attack vector for cyber criminals, Symantec points out, but adds that they are also employing new attack methods across mobile devices and social networks to reach more people, with less effort. “Cyber criminals are inherently lazy; they prefer automated tools and the help of unwitting consumers to do their dirty work,” Haley says. “Last year, 70% of social media scams were shared manually, as attackers took advantage of people’s willingness to trust content shared by their friends.”

In 2014, “Symantec found that 17% of all Android apps (nearly 1 million total) were actually malware in disguise. Additionally, grayware apps, which aren’t malicious by design, but do annoying and inadvertently harmful things like track user behaviour, accounted for 36% of all mobile apps,” the report notes.

Symantec reports that in 2014, 60% of all targeted attacks struck small and medium-sized organizations. “These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments. This put not only the businesses, but also their business partners, at higher risk,” cautions the report.
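The basic practice the report calls out, blocking executable and screensaver email attachments, is easy to get wrong when a filename carries a double extension or mixed case. The following is an added illustration, not code from the article or from Symantec; the message it scans is constructed for the example, and the extensions beyond .exe and .scr are an assumed extension of the page's two.

```python
import email
from email import policy

# Extensions the control blocks. The page names executables (.exe) and
# screensavers (.scr, a PE executable under another name); the remaining
# entries are an assumed extension of that list, not from the report.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def attachment_names(raw_message: bytes):
    """Yield the declared filename of every MIME part that carries one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231/2047 encoded names
        if name:
            yield name


def is_blocked(filename: str) -> bool:
    """True if ANY extension in the name is blocked, so that a name such as
    'invoice.pdf.SCR' is caught; comparison is case-insensitive."""
    parts = filename.strip().lower().split(".")
    return any("." + ext in BLOCKED_EXTENSIONS for ext in parts[1:])


def blocked_attachments(raw_message: bytes) -> list:
    """Return the filenames in the message that policy says to block."""
    return [name for name in attachment_names(raw_message) if is_blocked(name)]


# Constructed sample message: a benign PDF plus a screensaver executable
# disguised with a double extension and upper-case suffix.
SAMPLE_MESSAGE = b"""From: accounts@example.com
To: payables@example.net
Subject: Invoice 2014-11
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached invoice.
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_2014-11.pdf.SCR"
Content-Transfer-Encoding: base64

TVqQAA==
--XYZ--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE_MESSAGE))
```

Checking every extension in the name rather than only the last one is what makes the double-extension case fail closed.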

Symantec advises that, as attackers persist and evolve, all businesses and consumers should take steps to protect themselves. For businesses, best practices include the following:

• Do not get caught flat-footed: Use advanced threat intelligence solutions to help find indicators of compromise and respond more quickly to incidents.

• Employ a strong security posture: Implement multi-layered endpoint security, network security, encryption, strong authentication and reputation-based technologies.

• Prepare for the worst: Incident management ensures the security framework is optimized, measurable and repeatable, and that lessons learned improve the security posture.

• Provide ongoing education and training: Establish guidelines and company policies and procedures for protecting sensitive data on personal and corporate devices, as well as regularly assess internal investigation teams – and run practice drills – to ensure the necessary skills exist to effectively combat cyber threats.