The F-Secure Threat Report offers an exclusive look at the trends and events that defined the digital threat landscape over the last year, chock-full of statistics, timelines, charts and graphs that offer an expert’s perspective on the lucrative, scary and ever-evolving world of online crime and combat.
You can download the whole thing here.
In the last Threat Report, the Labs reported that detections of the Angler exploit kit had “skyrocketed.” Threats like Angler and Nuclear, which were prominent again in 2015, need out-of-date software to thrive. And one of the favorite applications to exploit was Adobe Flash.
But according to F-Secure Security Advisor Sean Sullivan, exploit kits like Angler might not be able to abuse Flash in the future to the same extent they’ve been doing for the past couple of years. Industry developments are allowing publishers to move away from Flash, making the problematic plug-in archaic and unnecessary for many websites.
Case in point – Flash never made its way into the Apple iOS walled garden, and Adobe discontinued Flash development for Android devices in 2012.
“Flash has since hung on to its desktop market, but everywhere you look, it’s being deprecated,” F-Secure Security Advisor Sean Sullivan writes in the 2015 Threat Report. “In August 2015, Amazon announced that ‘Beginning September 1, 2015, Amazon no longer accepts Flash ads.’ Google followed Amazon’s lead in February 2016. Its ad networks, AdWords and DoubleClick, will no longer accept Flash-based display ads starting from June 30th, 2016. They’ll disable Flash-based ads on January 2nd, 2017.”
This is a trend Sean expects to continue, thanks in large part to HTML 5’s capability to “do it all.”
He predicts that in early 2017, after Google’s ad networks stop supporting Flash-based ads, their other services will be free to follow. “Google Chrome browser will start aggressively forcing users to whitelist sites that require any sort of Flash. Mozilla’s Firefox and Microsoft Edge will do the same, and by spring of 2017… Flash will be effectively decapitated as far as exploit kits are concerned.”
Could the death of Flash along with modern browser auto-updates spell the end for exploit kits in general?
“Hopefully, they die,” Sean says. “Wouldn’t be the first time that a business model collapsed in the malware scene. Or they may focus on browsers, but then they’ll need to find zero day vulnerabilities.”
And just as one threat dissipates, another emerges.
“Macro malware – documents containing hidden malicious code – was a major threat in the late 1990s to early 2000s,” according to the Report. “But when Microsoft released Office 2003, the default security settings were amended to stop macros from automatically running when a document is opened, greatly stymying attackers looking to spread malware with this method.”
You probably only thought about the word “macro” as a cyber threat if you were curating a Malware Museum — until July of 2015, when macro malware began to reappear in several European countries as criminals recognized a new opportunity.
“They are typically spread via malicious documents attached to emails, and utilize social engineering techniques to manipulate users into opening the documents and enabling the macros, allowing the malicious code to run.”
Macro attacks have been implicated in spreading the Dridex banking trojan and crypto-ransomware such as Cryptowall, which was used to hold a hospital in California hostage for weeks.
Both exploit kits and ransomware generally rely on out-of-date software along with user error — like you clicking on an attachment or on “Okay” in a pop-up box — to invite criminals into your systems. But this is just the beginning of compromise.
To give you a better understanding of how cyber attacks work in the hopes of preventing and minimizing their damage, the 2015 Threat Report introduces a new working model that will transform how we think about online threats.
It’s called the Chain of Compromise and it includes “four ins:”
The phase where a system or device becomes exposed to a potential threat
The phase where an attacker successfully gains access to a system
The phase where an attacker successfully installs a malicious payload in an exposed system
The phase where a malicious payload persists beyond the initial infection, often escalating the consequences of the attack
“Companies, even small ones,” the report argues, “should have solutions in place that can disrupt an attack at any point in the chain, as well as a plan for limiting how attackers can move along this chain to accomplish their goals.”
And we all need an understanding of how these attacks work. One thing people can do to avoid exposing themselves to attacks is to “set up email rules”, according to Sean.
“People usually receive malicious macros through email attachments, so setting up a rule that filters emails with attachments into a separate folder allows them to be sorted out until people have time to look at them more carefully. You can usually whitelist senders you trust, so this is a good preventative measure that won’t create a lot of extra headaches.”
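As an added illustration (not code from the report or from F-Secure), the rule Sean describes can be expressed in a few lines of standard-library Python: any message carrying an attachment is routed to a review folder unless the sender's actual address is on an allowlist. The allowlist, the folder name and the sample messages below are constructed assumptions; the sender check deliberately uses the address, not the display name, since the display name is trivially chosen by whoever sends the mail.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allowlist (assumed value); a real one comes from your own contacts.
TRUSTED_SENDERS = {"colleague@example.com"}
REVIEW_FOLDER = "INBOX/Attachments-Review"  # assumed folder name


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is delivered with Content-Disposition: attachment."""
    return any(part.get_content_disposition() == "attachment"
               for part in msg.walk())


def sender_address(msg: EmailMessage) -> str:
    """Bare, lower-cased address from From:. The display name is ignored on
    purpose: it is chosen by the sender and can be made to look like anyone."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def route(raw: bytes, trusted=TRUSTED_SENDERS) -> str:
    """Decide the folder for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if has_attachment(msg) and sender_address(msg) not in trusted:
        return REVIEW_FOLDER
    return "INBOX"


def build_sample(from_hdr: str, attach: bool) -> bytes:
    """Constructed test message; the attachment bytes are a placeholder, not a document."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "you@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached document.")
    if attach:
        m.add_attachment(b"placeholder bytes, not a real document",
                         maintype="application", subtype="msword",
                         filename="invoice.doc")
    return m.as_bytes()


if __name__ == "__main__":
    cases = [
        ("plain mail from a stranger", "stranger@example.net", False),
        ("attachment from an allowlisted address", "colleague@example.com", True),
        ("attachment from a stranger", "stranger@example.net", True),
        ("lookalike display name, unknown address",
         '"colleague@example.com" <stranger@example.net>', True),
    ]
    for label, hdr, attach in cases:
        print(f"{label}: {route(build_sample(hdr, attach))}")
```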
Understanding attacks is also crucial for understanding global conflict, says our Chief Research Officer Mikko Hypponen in the report’s Foreword.
The Internet itself was born out of the Cold War, which Mikko says “opened up a Pandora’s Box where tangible borders and recognizable enemies ceased to exist.”
In this world, we can be hacked by someone who lives thousands of miles away. She may want our banking credentials or we may find our PC has been conscripted in an act of digital activism or the effort to disrupt a foreign country’s power supply. Understanding how we can be affected is essential in understanding how we can be protected.
“It’s a complex world of online conflict,” Mikko writes. “And the only thing we can really be sure of is that we’ve seen the beginning of the next arms race: the cyber arms race.”