
The third quarter of 2015 (July – September) was a time when we saw significant threat activity in the areas of Point of Sale (PoS) malware, vulnerabilities and sophisticated Pawn Storm attacks. In our third quarter security roundup, Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks, we address all of these activities.
In the area of PoS malware, we saw attacks increase, but attackers shifted their focus to small and medium-sized businesses (SMBs). Overall attacks in this quarter nearly doubled compared with those in the second quarter (April – June) of 2015. SMBs accounted for 45 percent of the overall PoS malware detections worldwide, with consumers coming in at No. 2 with 27 percent. Enterprises accounted for just 19 percent. This trend reflects a common one in financially motivated attacks: SMBs represent the “sweet spot” for attackers, with more money to steal than consumers but generally lacking the resources for the more advanced security countermeasures that enterprises have available. In the United States, the run-up to the October 11, 2015 deadline for implementing EMV also likely plays a role, as larger organizations have the resources to pay for the upgrades necessary to support EMV.
The third quarter was also an important one in terms of vulnerabilities. We saw multiple zero-day situations during this quarter, due mainly to the successful attack against the Hacking Team in July and the dumping of nearly 400GB of their stolen data. Within that trove of data was information on multiple vulnerabilities that the Hacking Team had discovered (and was likely using in their tools). Once that data was dumped, vulnerability researchers, including those from Trend Micro, quickly set to work to find what vulnerabilities they could so that vendors could fix them quickly. In total, five new unpatched vulnerabilities were found in the Hacking Team trove, three of them found by Trend Micro researchers. These vulnerabilities mainly affected Adobe Flash, but also Microsoft Windows. Unfortunately, attackers were also looking at this trove and were able to incorporate some of the vulnerabilities into exploit kits quickly, most notably the Angler Exploit Kit, which incorporated one of the Adobe Flash vulnerabilities within days of the data dump.
Vulnerabilities affecting Android were also notable in this quarter, as researchers, including Trend Micro vulnerability researchers, turned to media processing in Android and found numerous serious vulnerabilities. The best known of these is the “Stagefright” vulnerability, which affected 95 percent of all Android devices. In total, five different vulnerabilities were found in Android media processing in the third quarter, and more continue to be found. Our researchers found three new vulnerabilities affecting Android media processing that were fixed in the most recent Android security update.
The Pawn Storm attackers continued to be active in the third quarter as well and added to the zero-day situation in the quarter. Trend Micro vulnerability researchers working with our Forward-Looking Threat Research Team (FTR) uncovered the first Java zero-day attack in nearly two years being used by Pawn Storm attackers. We were able to work with Oracle to get this fixed quickly, but it also underscored how Flash and Java together remain prime targets for attackers. The Pawn Storm attackers let us and the world know that they know we’re following them: in the third quarter they redirected some of their Command and Control (C&C) traffic back to an IP address on our network to send a message.
The heightened activity around vulnerabilities helped fuel increased activity around exploit kits. In particular, the Angler Exploit Kit showed itself to be the most aggressive exploit kit this quarter. It incorporated the most attacks against new vulnerabilities of all the exploit kits (totaling 13 so far for 2015) and was the fastest to do so (as seen with the Hacking Team vulnerabilities). It also showed significant growth in the quarter, increasing its attacks by 34% compared with the second quarter of 2015, and was hosted on 2.4 million URLs.
This is just a taste of the trends we outline in this quarter’s threat report. The full report contains more details on these and other attack trends for the quarter.
If there’s a lesson from this quarter’s report, it’s that vulnerabilities are again an area of significant focus for attackers. Whether it’s more traditional vulnerabilities affecting Microsoft Windows users via Oracle Java and Adobe Flash, or vulnerabilities affecting mobile users on the Android platform, attackers are once again turning to vulnerabilities and attacks against them for both broad attacks (via exploit kits) and targeted attacks (as in Pawn Storm). Looking ahead, good defensive planning should include countermeasures such as Trend Micro™ Deep Security and Trend Micro™ OfficeScan (with Vulnerability Protection), which can protect against traditional attacks on PC-platform vulnerabilities; Trend Micro™ Security, Trend Micro™ Smart Protection Suites and Worry-Free Business Security, whose Browser Exploit Prevention feature can protect against web-based attacks; Trend Micro Mobile Security, which can help protect against attacks on the Android platform; and Trend Micro™ Deep Discovery, whose existing Sandbox with Script Analyzer engine can help prevent many of these attacks out of the box.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.