Microsoft has released its Security Intelligence Report, which analyses threats and attack vectors globally. “The Microsoft Security Bulletins and Microsoft Security Advisories that are issued each month give IT professionals the latest information about vulnerabilities, the products they affect, and any security updates or actions they can implement to mitigate related risks.” (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation). The report is published in three parts:
- Security Intelligence Report (SIR) Volume 16 (which is the main report)
- SIR Key Findings
- SIR Worldwide Threat Assessment
The Microsoft Security Intelligence Report – Volume 16 is a 152-page document, which I have tried to summarise in the following points:
- A decline in Java exploits;
- A decline in exploits targeting Microsoft Windows in 2Q13, with attacks picking up again in 4Q13 (was it because of Windows 8?); Android exploits remained constant;
- Document exploits targeting Microsoft Office remained minimal; Adobe document exploits declined sharply, but Adobe Flash Player exploits picked up in 4Q13;
- The Enhanced Mitigation Experience Toolkit (EMET) proved effective at deterring attacks;
- Malware prevalence worldwide: Africa and Kenya do not feature among the highest-prevalence locations;
- Threat categories by location: again, Africa and Kenya do not feature among the highest-prevalence locations;
- Win32/Winwebsec, the most commonly encountered rogue security software family in 2H13, has been distributed under a variety of names, with the user interface and other details changing to reflect each variant’s individual branding; currently prevalent names include Antiviral Factory 2013, Attentive Antivirus, System Doctor 2014, Win 8 Security System, and several others;
- Win32/Reveton was the most commonly encountered ransomware family worldwide in 2H13. Reveton displays behavior that is typical of many ransomware families: it locks computers, displays a webpage that covers the entire desktop of the infected computer, and demands that the user pay a fine for the supposed possession of illicit material. The webpage that is displayed and the identity of the law enforcement agency that is allegedly responsible for it are often customized, based on the user’s current location;
- Enterprise environments typically implement defense-in-depth measures, such as enterprise firewalls that prevent a certain amount of malware from reaching users’ computers. Consequently, enterprise computers tend to encounter malware at a lower rate than consumer computers;
- Win32/Conficker, the most commonly encountered family on domain-joined computers in 2H13, is a worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. It can also spread via network shares and removable drives, which are commonly used in domain environments;
- The dramatic decline in spam observed since 2010 has occurred in the wake of successful takedowns of botnets, notably Cutwail (August 2010) and Rustock (March 2011);
- Phishing sites rose gradually throughout 3Q13, but total impressions peaked in October and declined through the end of the year, while the number of active sites continued to rise slowly;
- Financial institutions have always been popular phishing targets because of their potential for providing direct illicit access to victims’ bank accounts. Sites that targeted financial institutions accounted for the second largest number of active phishing sites each month in 2H13, as well as the second largest number of impressions;
- Global distribution of phishing sites: 3 to 6 phishing sites were detected in Kenya;
- Global distribution of malware hosting sites: 7 to 14 malware hosting sites were detected in Kenya;
- Drive-by download sites: 0.1 to 0.25 per 1,000 URLs in Kenya were drive-by download sites.
I skimmed through the reports and came up with the following summary of the key areas of interest that you might find useful in protecting your information security assets. The report highlights the economics that drive exploitation: “Black hat researchers and exploit developers sell access to vulnerability information and exploit code, and attackers use exploits to deliver malware to victims’ computers for use in illegitimate endeavors such as sending spam, credential theft, and many other profit-making schemes. For this reason, vulnerabilities often go unexploited if they would cost more to successfully exploit than an attacker is likely to make from doing it. For example, some vulnerabilities can only be exploited under very limited and uncommon conditions; others do not provide an attacker with access to enough of the computer’s functionality to be worthwhile” (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation).
It also addresses zero-day exploits, explaining that “the greatest potential risk comes from zero-day exploits, which are discovered in the wild before the publisher of the affected software is able to release a security update to address the vulnerability. The number of zero-day exploits detected each year has decreased since 2011 in absolute terms; subsequently, zero-day exploits have accounted for a larger share of the total in each of the last three years, and now account for the bulk of all exploited Microsoft remote code execution CVEs” (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation). The report continues: “exploits that first appear more than 30 days after security update publication have become rare, with only one such instance in 2013. Microsoft has worked with customers to make it easier for them to test and deploy updates quickly after release, even in large organizations. As the share of computers receiving updates within the first month of release continues to increase, exploiting older vulnerabilities becomes less profitable for attackers, which provides an incentive for them to focus their attentions elsewhere” (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation). The practical reading is that the first 30 days after a bulletin is released are the window that matters: patch inside it and the bulk of the exploits seen in the wild never apply to you.
On how vulnerabilities are exploited, the report notes an increasing number of use-after-free vulnerabilities being exploited. This vulnerability class covers bugs that arise from incorrect management of object lifetimes: the program frees an object and later uses a stale pointer to it, and an attacker who can control what is allocated in the freed memory in the meantime controls what that stale pointer now refers to. One reason for the increase is that client-side vulnerabilities (browsers, plug-ins and document readers) have become the prime focus for attackers, and object lifetime issues are a common vulnerability class in such applications. Exploits that involve unsafe dynamic-link library (DLL) loading were seen in a small percentage of cases from 2009 to 2012, but not in 2013. The introduction of Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) has also affected the way attackers attempt to exploit vulnerabilities. Figure 4 of the report shows the techniques used in exploits targeting vulnerabilities in Microsoft products that were discovered over the past two years (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation).
A few months ago I discussed the Enhanced Mitigation Experience Toolkit (EMET) on this blog; it is one tool that system administrators should befriend when mitigating vulnerabilities that are not yet patched. The tool is used to deter exploits that “attempt to bypass ASLR by relying on images that have not opted into ASLR or by taking advantage of a vulnerability to disclose information about the layout of an application’s address space. (Customers can reduce the risk they face from these bypass techniques by deploying the latest version of the Enhanced Mitigation Experience Toolkit (EMET), which can be used to block exploits that use the ROP technique.) Having to bypass DEP and ASLR makes developing exploits more difficult and expensive, which has likely been a major factor in the declining trend of new exploits discovered over the past several years. Increased adoption of recent versions of Internet Explorer and EMET should help contribute to this trend, as developing effective exploits becomes even more difficult” (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation). The point to take from this is that ASLR and DEP are opt-in per image: an executable or DLL that was not linked with the corresponding flags is exactly the “image that has not opted into ASLR” the exploit relies on, and EMET’s mandatory ASLR exists to force randomisation onto such images.
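To make that concrete, here is an added example of my own (it is not code from the report, from EMET, or from Microsoft) that reads the PE headers of a Windows executable or DLL and reports whether the image opted into ASLR and DEP, which is the information you need before deciding which processes to put under EMET’s mandatory ASLR. It parses only the documented PE/COFF header layout (the DllCharacteristics field sits at the same offset in PE32 and PE32+ optional headers) and needs no third-party library. The assessment text and the header-only test image it builds are my own constructions; the test image is not a runnable binary.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE/COFF specification)
DYNAMIC_BASE = 0x0040       # image opted into ASLR (linked with /DYNAMICBASE)
NX_COMPAT = 0x0100          # image opted into DEP (linked with /NXCOMPAT)
HIGH_ENTROPY_VA = 0x0020    # 64-bit image supports high-entropy ASLR
# IMAGE_FILE_HEADER.Characteristics flag
RELOCS_STRIPPED = 0x0001    # no relocation data: the loader cannot rebase the image at all

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 0x46   # same offset in PE32 and PE32+ optional headers


def pe_mitigations(data: bytes) -> dict:
    """Parse a PE image's headers and report its opt-in mitigation flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (machine, _nsect, _ts, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "machine": machine,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "relocs_stripped": bool(file_chars & RELOCS_STRIPPED),
    }


def assess(info: dict) -> list:
    """Turn the flags into the findings an EMET deployment review cares about (my wording)."""
    findings = []
    if not info["aslr"]:
        if info["relocs_stripped"]:
            # Without relocations nothing can move the image, not even mandatory ASLR.
            findings.append("no ASLR and relocations stripped: cannot be rebased, "
                            "EMET mandatory ASLR will not help; rebuild or isolate")
        else:
            findings.append("not opted into ASLR: candidate for EMET mandatory ASLR")
    if not info["dep"]:
        findings.append("not opted into DEP: enforce with EMET or system-wide DEP policy")
    if info["pe32plus"] and info["aslr"] and not info["high_entropy_va"]:
        findings.append("64-bit image without high-entropy ASLR")
    return findings


def make_test_image(dll_chars: int, file_chars: int = 0x0102, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE for testing; not a real or runnable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE header at 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py C:\path\to\some.dll C:\path\to\other.exe
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = pe_mitigations(f.read())
        print(path, info, assess(info) or ["ok"])
```

Run it over the DLLs loaded by the browser, the Java runtime and the document readers on a standard build; every image reported as a mandatory-ASLR candidate is one an exploit author can use as a fixed-address ROP source unless EMET is configured for the process that loads it.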
The threat landscape affecting the Windows environment is shifting towards exploit kits. “Prospective attackers buy or rent exploit kits on malicious hacker forums and through other illegitimate outlets. A typical kit contains a collection of web pages that contain exploits for several vulnerabilities in popular web browsers and browser add-ons. When the attacker installs the kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through drive-by download attacks” (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation). An example of such a kit is the Blackhole exploit kit, which was designed so that novice attackers with limited technical skills could use it. Exploit kit authors continually add newly discovered exploits and discard old ones that are no longer effective or are considered too likely to be detected by antivirus software.
The report advises users to implement the following strategies to mitigate exploits:
- Apply security updates;
- Ensure that applications and other software (not just Windows) are running at their latest patch levels;
- Use the Enhanced Mitigation Experience Toolkit (EMET).
The most critical part of the report, for me, is the list of exploit families detected and blocked by Microsoft real-time antimalware products. I infer that if the software these families target is present in your Microsoft environment, you need to be proactive, since they increase the chance of threats reaching it. These are:
- “CVE-2012-1723, a vulnerability in the Java Runtime Environment (JRE), was the most commonly targeted vulnerability in 2H13, although it declined significantly from its peak in 1Q13. Exploits that target CVE-2012-1723 can use the vulnerability to download and run programs of the attacker’s choice on the computer. CVE-2012-1723 is often exploited through drive-by downloads.
- CVE-2010-2568, the second most commonly targeted vulnerability in 2H13, is a vulnerability in Windows Shell. Detections are often identified as variants in the Win32/CplLnk family, although several other malware families attempt to exploit the vulnerability as well. An attacker exploits CVE-2010-2568 by creating a malformed shortcut file that forces a vulnerable computer to load a malicious file when the shortcut icon is displayed in Windows Explorer. The vulnerability was first discovered being used by the malware family Win32/Stuxnet in mid-2010, and it has since been exploited by a number of other families, many of which predated the disclosure of the vulnerability and were subsequently adapted to attempt to exploit it.
- HTML/IframeRef is a generic detection for specially formed HTML inline frame (IFrame) tags that redirect to remote websites that contain malicious content. More properly considered exploit downloaders than true exploits, these malicious pages use a variety of techniques to exploit vulnerabilities in browsers and plug-ins; the only commonality is that the attacker uses an inline frame to deliver the exploits to users. The exact exploit delivered and detected by one of these signatures may be changed frequently. The encounter rate for IframeRef peaked in 2Q13 after detection signatures for the variant Trojan:JS/IframeRef.K were added to Microsoft antimalware products in response to the so-called “Darkleech” attacks, which add malicious inline frames to webpages hosted on compromised Apache web servers.
- Blacole is the Microsoft detection name for components of the so-called “Blackhole” exploit kit, which delivers malicious software through infected webpages. Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components. When the attacker loads the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack. Blacole was encountered by 0.88 percent of all reporting computers in 1Q13 but declined steeply after that, with encounter rates of just 0.17 percent in both 3Q13 and 4Q13. The Blacole kit’s author, called “Paunch,” was known for frequently updating the kit with new exploits and techniques, but development of the kit halted abruptly in October 2013 following the arrest by Russian authorities of a man alleged to be Paunch” (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation).
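The IframeRef and Blacole entries above describe the same delivery mechanism from two ends: an inline frame injected into a legitimate page (Darkleech on compromised Apache servers) that pulls the kit’s landing page into the visitor’s browser. If you host websites, you can look for that injection yourself. The following is an added example of my own, not Microsoft’s Trojan:JS/IframeRef signature and not code from the report, that walks a page’s HTML and flags iframes that are hidden by style, sized so small nobody would see them, or placed inside a container positioned off-screen. The sample page, the `attacker.invalid` hostnames and the 10-pixel threshold are my constructions; the heuristic will also flag some legitimate tracking frames, so treat the output as a review list, not a verdict.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not taken from the report): one legitimate embed and
# two injected frames shaped like the redirectors the report describes.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>
<p>Some content.</p>
<iframe src="http://attacker.invalid/in.php" width="1" height="1" frameborder="0"></iframe>
<div style="position:absolute; left:-1357px; top:-1224px;">
  <iframe src="http://attacker.invalid/x.php" width="10" height="10"></iframe>
</div>
</body></html>"""

_TINY_PX = 10   # assumed threshold: frames this small render nothing a user would notice


def hiding_reasons(style: str) -> list:
    """Return the ways an inline style makes an element invisible."""
    s = (style or "").lower().replace(" ", "")
    reasons = []
    if "display:none" in s:
        reasons.append("display:none")
    if "visibility:hidden" in s:
        reasons.append("visibility:hidden")
    if re.search(r"(?:left|top):-\d{3,}px", s):
        reasons.append("positioned off-screen")
    return reasons


def _px(value) -> int:
    """Parse a width/height attribute such as '1' or '10px'; -1 if unparseable."""
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else -1


class IframeAuditor(HTMLParser):
    """Flags <iframe> elements that are hidden, tiny, or inside a hidden <div>."""

    def __init__(self):
        super().__init__()
        self._hidden_divs = []   # stack: True for each open <div> whose style hides its children
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self._hidden_divs.append(bool(hiding_reasons(a.get("style"))))
            return
        if tag != "iframe":
            return
        reasons = hiding_reasons(a.get("style"))
        w, h = _px(a.get("width")), _px(a.get("height"))
        if 0 <= w <= _TINY_PX or 0 <= h <= _TINY_PX:
            reasons.append("near-zero size %dx%d" % (w, h))
        if any(self._hidden_divs):
            reasons.append("inside a hidden <div>")
        if reasons:
            src = (a.get("src") or "").strip()
            self.findings.append({
                "line": self.getpos()[0],          # line of the page where the tag starts
                "src": src,
                "host": urlparse(src).hostname or "",
                "reasons": reasons,
            })

    def handle_endtag(self, tag):
        if tag == "div" and self._hidden_divs:
            self._hidden_divs.pop()


def audit_html(page: str) -> list:
    """Run the auditor over one page's HTML and return the suspicious iframes."""
    auditor = IframeAuditor()
    auditor.feed(page)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE):
        print("line %d: iframe to %s (%s)" % (f["line"], f["host"], "; ".join(f["reasons"])))
```

Because Darkleech injected the frame at the web server rather than into the files on disk, run this against what the server actually returns to a browser (fetch the page over HTTP) and not against the document root; a clean file tree with a dirty response is the signature of a compromised module.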
Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation, available at http://download.microsoft.com/download/7/2/B/72B5DE91-04F4-42F4-A587-9D08C55E0734/Microsoft_Security_Intelligence_Report_Volume_16_English.pdf, accessed on 22nd May 2014 at 1054hrs (Kenya/Nairobi time).