In the fall of last year Dell’s security team revealed an exploit kit it dubbed Spartan with a twist: It hid from security systems by encrypting its initial code and running in memory rather than writing to disk. It also included three encrypted Flash files, each of which decrypted and loaded the next, to hide the ultimate Flash exploit.
It was an example of many exploits discovered last year that hid their true weapons in a number of complex ways, the company said Monday, pointing to a trend of obfuscation that malware writers are increasingly using to outwit defences.
That was one of the 2015 trends Dell outlined in its annual Security Threat Report released this morning.
“Evasion is the name of the game,” Dmitriy Ayrapteov, the company’s director of network security product management, said in an interview as he outlined the report’s conclusions.
Data came from its SonicWall threat research team.
The most active kits last year were dubbed Angler, Nuclear, Magnitude and Rig.
What’s a CISO to do? Defence in depth, said Ayrapteov — not necessarily buying more products but staying on top, especially patching. “I know it doesn’t sound sexy, but it’s probably the number one thing people can do to reduce their exposure.
“Every time somebody says ‘No, update later,’ or ‘I’m not going to update my entire enterprise, we have a yearly update schedule,’ that’s one year you’re exposed to the latest vulnerabilities.”
Other top trends last year were:
–Attackers increasingly used SSL/TLS encrypted traffic to hide communications with command and control servers and evade intrusion prevention and anti-malware inspection systems.
What’s a CISO to do? Look for solutions that give admins greater visibility into encrypted traffic, said Ayrapteov.
–New offensive and defensive techniques that attempted to increase the strength of attacks against the Android ecosystem. For example, Stagefright was, in theory, one of the most dangerous vulnerabilities ever discovered for Android up to version 5.5.1. There were no infections reported before Google patched the bug.
By August Google and a number of handset makers agreed to issue Android patches faster.
In 2015, malware writers began shipping malicious code as part of a library file, rather than a classes file, which is more commonly scanned by anti-virus software. Taking this a step further, 2015 saw the rise of a new Android malware called AndroidTitanium that stored its malicious contents in a native (Unix) library file in the lib folder as libTitaniumCore.so. This .so file was loaded as a native library by the classes from the classes.dex file. By simply referring to content saved somewhere else, Dell notes, the malware kept the classes.dex file itself free of malicious content.
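As an added example (not from Dell’s report and not the malware’s own code): a small APK triage script that lists every native library under lib/ and checks whether classes.dex mentions it, so a scanner that only inspects classes.dex does not overlook a payload parked in a .so file. The APK it builds is constructed in memory for the demonstration, not a real sample; the library-name check is a heuristic.

```python
"""APK triage: surface native libraries that the DEX code loads.

An APK is a zip file. Native code lives under lib/<abi>/lib<name>.so and
is loaded from Java via System.loadLibrary("<name>"), so the short name
appears in the DEX string table. Listing the .so entries and pairing them
with that reference gives an analyst a reason to look at the library, not
just at classes.dex.
"""
import hashlib
import io
import re
import zipfile

LIB_RE = re.compile(r"^lib/([^/]+)/lib([^/]+)\.so$")


def native_libs(apk_bytes: bytes) -> list:
    """One record per lib/<abi>/lib<name>.so entry in the APK."""
    records = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex") if "classes.dex" in names else b""
        for entry in names:
            m = LIB_RE.match(entry)
            if not m:
                continue
            data = z.read(entry)
            short = m.group(2)  # "TitaniumCore" for libTitaniumCore.so
            records.append({
                "entry": entry,
                "abi": m.group(1),
                "name": short,
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                # heuristic: the loadLibrary argument is a DEX string
                "referenced_by_dex": short.encode() in dex,
                "dex_calls_loadlibrary": b"loadLibrary" in dex,
            })
    return records


def build_sample_apk() -> bytes:
    """Constructed sample (not a real APK): a DEX stub naming one library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00..System.loadLibrary..TitaniumCore..")
        z.writestr("lib/armeabi-v7a/libTitaniumCore.so", b"\x7fELF" + b"\x00" * 64)
        z.writestr("lib/armeabi-v7a/libhelper.so", b"\x7fELF" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for rec in native_libs(build_sample_apk()):
        flag = "CHECK" if rec["referenced_by_dex"] else "unref"
        print(f'{flag:5} {rec["entry"]} sha256={rec["sha256"][:16]}...')
```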
What’s a CISO to do? Find mobile device management solutions that allow devices to be scanned to ensure they run the latest OS, aren’t running blacklisted apps and haven’t been rooted, said Ayrapteov.
–Malware continued to expand almost exponentially. The Dyre Wolf corporate banking Trojan was one of the most active of the year. It came onto the scene in February and by April, companies had already lost between US $1.5 and $6.5 million.
Dell also sees these trends for 2016:
–The battle between HTTPS encryption and threat scanning will continue to rage, as companies fear performance trade-offs;
–The number of zero-day Flash exploits will drop gradually because major browser vendors, such as Google and Mozilla, have stopped supporting Adobe Flash plugins;
–Malicious threats will target Android Pay through the vulnerabilities of Near Field Communication (NFC). These attacks may leverage malicious Android apps and point-of-sale (POS) terminals, tools that are easy for attackers to acquire and manipulate;
–There are few cars currently equipped with Android Auto, but with time the number is expected to grow. We can expect malicious entities to invade this new frontier soon, possibly via ransomware (where the victim must pay to exit the vehicle) or even more dangerous intent.