How exploits have become the hot ticket in town
Exploiting software flaws has become extremely popular, with targeted attacks rocketing in the last 12 months…
While the news that online attacks in general have rocketed will come as little surprise, a new report has dug into the data a little, and uncovered a concerning acceleration towards specifically targeting vulnerabilities.
In fact, the report found that attacks via flaws in software have multiplied enormously, rising 24.54 per cent to a total of 702,026,084 attempts to launch an exploit in 2016.
The number of corporate users who encountered an exploit at least once increased 28.35 per cent to reach 690,557, or 15.76 per cent of the total number of users attacked with exploits. The applications targeted most frequently were browsers, the Windows and Android operating systems and Microsoft Office, with 69.8 per cent of users encountering an exploit for one of these applications at least once in 2016. Adobe also got a look-in, as the chart below shows:
Overall, a total of 4,347,966 users were attacked with exploits in 2016, with more than 297,000 users worldwide being attacked by unknown exploits.
Alongside the groups that create the exploit kits so many attackers rely on, targeted threat actors are among the most enthusiastic users of vulnerabilities and generally have both the funds and the skills to exploit them, said the report. Of these, Sofacy, also known as APT28 and Fancy Bear, made use of a staggering 25 vulnerabilities, including at least six, if not more, zero-days.
The NSA-linked Equation Group is not far behind, with approximately 17 vulnerabilities in its arsenal, of which at least eight were zero-days, according to public data and Kaspersky Lab’s own intelligence. Part of the Equation Group’s toolkit was recently leaked by a hacker collective dubbed the ‘ShadowBrokers’, about which Ilia Kolochenko, CEO of High-Tech Bridge, commented: “I’d not say that anybody is shocked or even surprised in the industry. Black and grey markets for 0day exploits have existed for years, and have quite a lot of important buyers and sellers. Demand creates supply, and it would be irrational to imagine that such a powerful organization as the NSA, or its subsidiaries, doesn’t have zero-days to achieve their objectives.
“From a business perspective, enterprises should not bother much because of this particular leak. Last year, Gartner said that 99 per cent of vulnerabilities exploited will continue to be ones known by security professionals for at least one year. In the vast majority of cases, cybercriminals or intelligence services can easily break in without any zero-days. Therefore, I’d rather suggest concentrating efforts on efficient and effective risk management and cybersecurity strategy.”
This last point was borne out by Kaspersky’s figures, which found that although targeted attack actors had utilised more than 80 vulnerabilities over the last six years, not all of them were zero-days by any means. Many were in fact years old, and roughly two-thirds were used and re-used by more than one threat actor. It’s an interesting question as to whether this re-use has increased further since the recent vulnerability price rise, although of course it is inevitable for a variety of reasons.
The overall results of this exploitation are clear, however. A recent report from the British Chambers of Commerce (BCC) found that one in five British businesses have suffered an attack in the past year, with 42 per cent of big businesses (more than 100 staff) falling victim to cybercrime, compared with 18 per cent of smaller companies. Without serious attention to identifying vulnerabilities within your organisation, it is certain to be a matter of when you are successfully attacked, rather than if...