Cisco’s Midyear Security Report Warns of Lower-Profile Threats

Cisco released its 2014 midyear cyber security report at Black Hat U.S. The report examines “weak links” in organizations that contribute to the threat landscape, such as outdated software, bad code, abandoned digital properties or user errors. These weak links enable exploits through methods such as DNS queries, exploit kits, amplification attacks and ransomware, among other examples.

The report examines threat intelligence and cybersecurity trends for the first half of 2014, looking at 16 large multinational organizations with more than $4 trillion in assets and revenues in excess of $300 billion. The big takeaway is that companies should not focus on high-profile vulnerabilities only, neglecting to tie loose ends throughout the IT stack.

Focusing in boldface vulnerabilities like the much-publicized Heartbleed allows malicious actors to escape detection in attacks against low-profile legacy applications and infrastructure with known weaknesses.

Java remains the programming language most exploited by malicious actors. Java exploits rose to 93 percent of all Indicators of Compromise (IOCs) as of May 2014, up from 91 percent in November 2013.

The report says there is an unusual uptick in malware within vertical markets. For the first half of 2014, media and publishing led the industry verticals, followed by pharmaceutical and chemical industry and aviation. The top most affected verticals by region were media and publishing in the Americas, food and beverage in EMEA and insurance in Asia-Pacific, China, Japan and India.

The report names three main security insights tying enterprises to malicious traffic:

• Man In The Browser attacks: Nearly 94 percent of customer networks observed in 2014 have traffic going to websites hosting malware. Issuing DNS requests for hostnames where the IP address to which the hostname resolves is reported to be associated with the distribution of Palevo, SpyEye and Zeus malware families that incorporate man-in-the-browser (MiTB) functionality.
•  Botnet hide and seek: Nearly 70 percent of networks-issued DNS queries for Dynamic DNS domans. This shows evidence of networks misused or compromised with botnets using DDNS to alter IP address to avoid detection and blacklisting. Few legitimate outbound connection attempts from enterprises would seek dynamic DNS domains outside of malicious intent.
• Encrypting stolen data: Nearly 44 percent of observed customer networks in 2014 were identified as issuing DNS requests for sites and domains with devices that provide encrypted channel services, used by malicious actors to cover their tracks by exfiltrating data using encrypted channels to avoid detection like VPN, SSH, SFTP, FTP and FTPS.

On a positive note, the number of exploit kits has dropped by 87 percent since the alleged creator of the widely popular Blackhole exploit kit was arrested last year. No clear leader has yet to emerge among several observed exploit kits.

The full report is available through supplying contact information here.