Criminals ramps up server-side attacks

In a report titled Vulnerability and Threat Trends Report by Skybox Security, the firm found that last year, the vast majority of exploits affected server–side applications (76 percent), up 17 points since 2016. 

It said that the increase in server–side exploits corresponds with the continued decline in the use of exploits kits relying on client–side vulnerabilities, which accounted for only a quarter of exploits in the wild that year. It said that this was due in part to the demise of major exploit kit players like Angler, Neutrino and Nuclear, with no comparable frontrunner rising to replace them.

According to Marina Kidron, senior security analyst and group leader of the Skybox Research Lab, this does not mean that exploit kits are gone.

“If there's one thing we know about cyber-criminals, it's that they're constantly changing tactics, and so the next ‘exploit kit giant' is very likely in development as we speak. We also suspect that some kits have ‘gone private,' and are used exclusively by their developers in hopes of prolonging their viability,” she said.

The report also found that instances of newly–published sample exploit code have also increased, with the monthly average jumping 60 percent in 2017. With minimal adjustments — or none at all — attackers can turn these samples into fully functioning exploits for their own use. 

The company said that this scenario was the case with the NSA EternalBlue exploit leaked by The Shadow Brokers and used in the WannaCry and NotPetya attacks, among others. Such leaks are putting advanced attack tools in the hands of lower–skilled cyber-criminals, enhancing the capabilities of an already well–outfitted threat landscape.

“Organisations need to stay up to speed with not only active exploits in the wild,” said Kidron, “but also factor in vulnerabilities with available exploit code to their prioritisation processes. While the latter set doesn't represent an imminent threat, they can make the jump to active exploitation very quickly — security teams need actionable intelligence at–the–ready when they do.”

The report also shows that in 2017 there was a 120 percent increase in new vulnerabilities specific to operational technology (OT) compared to the previous year (OT includes monitoring and control devices common in critical infrastructure organisations such as energy producers, utilities and manufacturers, among others). This spike is particularly concerning as many organisations have poor or non–existent visibility of the OT network, especially when it comes to vulnerabilities as active scanning is generally prohibited.

“OT is too often in the dark, and that means security management isn't getting the full picture of cyber risk in their organisation,” said Kidron. “Even when patchable vulnerabilities are identified, OT engineers are understandably hesitant to install the update, as it could disrupt services, cause equipment damage or even risk life and limb. Organisations with OT networks need to have strategies in place not just for OT vulnerability assessment and patching prioritisation, but also to unify such processes with those in the IT network to truly understand and manage risk.”

Ken Gilmour, CTO of Invinsec, told SC Media that the problem with Server-side orchestration systems” is that people perceive that they need to be accessible so that they can perform emergency maintenance as quickly as possible, but they also have full control of the rest of the network. As far as reward goes for an attacker, this is a gold mine and allows them to move across your network with extreme ease, using your own tools against you.”

“With the advent of automation and orchestration, setting up servers is literally just a click of a button. You could never deploy a new server with such ease before. Unfortunately, the easier something is to deploy, the more likely it is to be exploited. Easy Infrastructure has meant that less experienced people can setup new servers with very little knowledge. This leads to lack of hardening and knowledge of how to secure the host at the expense of the convenience and relative cheapness of setting it up quickly,” he said. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.