Blend of old and new techniques helps attackers dodge detection, report says
The 2015 Websense Threat Report found that threat actors are employing previously used C&C URLs to launch new threats.
A clever mix of new and old techniques was combined to create “highly evasive attacks” in 2014, according to the Websense 2015 Threat Report.
The report, which zeroes in on eight behavioral and technique-based trends in cybercrime, found that cybercrime has become easier as threat actors can rent exploit kits, take advantage of malware-as-a-service (MaaS) and even use subcontractors to create and execute attacks aimed at stealing data. In fact, 99.3 percent of malicious files in 2014 used a command-and-control (C&C) URL that had already been used by other malware. And the bulk of malware authors—98.2 percent—used C&Cs that were traced to five other malware types.
The propensity to employ the control hubs of previously used malware “is definitely a change from previous years,” Bob Hansmann, director of product security at Websense, told SCMagazine.com in Wednesday email correspondence. One reason for that, he said, is that “the nature of attacks change various aspects of the attack frequently such as the social engineering technique, the vulnerability used, or even the malware itself.”
But threat actors “cannot change everything, every time,” he explained. “This data suggests that the URLs used for CnC communications were not changed as frequently as in the past.”
The amount of reuse demonstrates “how many attacks changed more quickly in hopes of finding the right ‘combination' to breach the victims' defenses before they were detected and cut off,” Hansmann said.
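The reuse figures above are the defender's opening: if a new sample talks to a control hub that an older family already used, the infrastructure gives it away even when the lure, exploit and binary are all fresh. The following added example (not Websense's code or methodology) correlates newly seen samples against C&C URLs already attributed to other families. The sample hashes, family names and URLs are constructed for illustration.

```python
"""
Correlating newly seen malware samples against command-and-control (C&C)
URLs already attributed to older malware.  Added illustration with a
constructed corpus; it is not Websense's methodology or data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations: (sample_hash, family, cnc_url, first_seen_day).
# Days 1-3 are the "known" history; days 10+ are the new arrivals.
OBSERVATIONS = [
    ("a1", "FamilyA", "http://cdn-updates.example/gate.php", 1),
    ("a2", "FamilyA", "http://cdn-updates.example/gate.php", 2),
    ("b1", "FamilyB", "http://stats.example/check", 3),
    ("c1", "FamilyC", "http://cdn-updates.example/gate.php", 10),  # reuses FamilyA's hub
    ("d1", "FamilyD", "http://stats.example/check", 11),           # reuses FamilyB's hub
    ("e1", "FamilyE", "http://fresh-infra.example/api", 12),       # genuinely new infrastructure
    ("c2", "FamilyC", "http://stats.example/check", 13),           # FamilyC moves onto FamilyB's hub
]


def cnc_key(url):
    """Normalise a C&C URL to (host, path) so scheme and trailing-slash
    variants of the same hub collapse onto one key."""
    parts = urlsplit(url)
    return (parts.netloc.lower(), parts.path.rstrip("/"))


def families_per_cnc(observations):
    """Map each C&C hub to the set of families seen using it (the report's
    'C&Cs traced to other malware types' view)."""
    families = defaultdict(set)
    for _sample, family, url, _day in observations:
        families[cnc_key(url)].add(family)
    return families


def reuse_report(observations, cutoff_day):
    """
    Treat everything first seen on or before cutoff_day as known history and
    everything after as new.  For each new sample, report whether its C&C hub
    was already attributed to a *different* family.  Returns (hits, new_samples)
    where each hit is (sample, family, url, prior_families).
    """
    known = families_per_cnc(o for o in observations if o[3] <= cutoff_day)
    hits, new_samples = [], []
    for sample, family, url, day in observations:
        if day <= cutoff_day:
            continue
        new_samples.append(sample)
        prior = known.get(cnc_key(url), set()) - {family}
        if prior:
            hits.append((sample, family, url, sorted(prior)))
    return hits, new_samples


def reuse_fraction(observations, cutoff_day):
    """Fraction of new samples whose C&C hub was previously used by another
    family; the toy-corpus analogue of the report's 99.3 percent figure."""
    hits, new_samples = reuse_report(observations, cutoff_day)
    return len(hits) / len(new_samples) if new_samples else 0.0


if __name__ == "__main__":
    hits, new_samples = reuse_report(OBSERVATIONS, cutoff_day=5)
    for sample, family, url, prior in hits:
        print(f"{sample} ({family}) -> {url}: hub already used by {', '.join(prior)}")
    missed = sorted(set(new_samples) - {h[0] for h in hits})
    print(f"reuse fraction: {reuse_fraction(OBSERVATIONS, 5):.2f}; no prior hub: {missed}")
```

On this corpus three of the four new samples (c1, d1, c2) are caught purely by their control hub, and only e1, which stood up new infrastructure, slips through. The same correlation over a real feed is what turns a high reuse rate into a blocklist that catches malware nobody has a signature for yet; the caveat is that the key must be normalised consistently, or trivial URL variation will look like new infrastructure.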
The latest crop of threat actors is using tried-and-true techniques, like macros in unwanted emails, and combining them with new evasion techniques, Websense said, effectively recycling old threats and adding new tactics that allow execution through web and email channels. Those blended techniques are harder for companies to defend against, the firm said.
The study found that email still holds the top spot among attack vectors: 81 percent of the email Websense scanned was found to be malicious, a 25 percent increase over the previous year's figure. The company also reported an uptick in macro-embedded email attachments, identifying more than three million in the last 30 days of 2014.
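Because a macro-bearing attachment is an old trick, the check for it is mechanical: a modern Office document is a zip container, and the macro project lives in a part named vbaProject.bin regardless of what extension the file arrived with. The following added example (not Websense's code) triages attachments on content rather than on name; the attachment bytes are constructed in memory. Legacy OLE2 .doc/.xls files need an OLE parser and are only flagged here by magic number for deeper inspection.

```python
"""
Flagging e-mail attachments that carry VBA macros by inspecting content,
not the file extension.  Added illustration; the attachments are built in
memory and are not real samples.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container
MACRO_PART_SUFFIX = "vbaproject.bin"               # OOXML part holding the VBA project


def classify_attachment(data):
    """Return one of: macro, no-macro, ole2-needs-inspection, not-office, corrupt-zip."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: macros live in OLE streams; parse with an OLE
        # library (assumption: out of scope here) before deciding.
        return "ole2-needs-inspection"
    if data[:2] != b"PK":
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return "corrupt-zip"
    # Any part ending in vbaProject.bin (word/, xl/, ppt/ ...) means a VBA project is present.
    if any(n.endswith(MACRO_PART_SUFFIX) for n in names):
        return "macro"
    return "no-macro"


def build_ooxml(with_macro):
    """Construct a minimal OOXML (Word-style) container for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments: note the macro file delivered under a .docx name,
# which a filter keyed on extension alone would wave through.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": build_ooxml(with_macro=True),
    "invoice.docx": build_ooxml(with_macro=True),
    "report.docx": build_ooxml(with_macro=False),
    "old.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"just text",
    "broken.docx": b"PK\x03\x04garbage",
}


def triage(attachments):
    """Classify every attachment in a {name: bytes} mapping."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:14s} {verdict}")
```

The point of the mislabelled invoice.docx entry is that the verdict comes from the container contents, so renaming the attachment does not change it; the OLE2 case is deliberately left as "needs inspection" rather than guessed at.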
The study further revealed that, while suspicious emails showed a 25 percent increase year over year, use of dropper files decreased 77 percent. Call-home activity rose too, by a whopping 93 percent, but exploit kit use took a dive, dropping 98 percent. Malicious redirects stayed roughly the same.
Overall, Websense saw 3.96 billion security threats in 2014, a 5.1 percent drop from the previous year. That drop, coupled with successful high-profile breaches at organizations that have made tremendous investments in security, points to a high level of attacker effectiveness: attackers have reduced their threat profiles by restructuring their attack methodology, ultimately making their activities harder to detect.