2014 in infosec: Spammers sneak small botnets under the wire, Java is dull
Crims also move to Silverlight, according to Cisco
Cisco's annual report on the state of global cybersecurity claims spammers just won't die and are using new tactics to avoid detection by filters; malware programmers are abandoning exploiting Java; and there's a possible silver cloud in the Sony Pictures hacking storm.
The networking giant saw malware-carrying spam up 250 per cent between January and November of 2014, and much more of the messages are slipping through filters that gauge a sender's reputation.
Cisco is essentially confirming what we already know: rather than spewing tons of messages from one or a few slaved servers, spammers are infecting large numbers of computers – typically a botnet of home PCs – and just sending out a few unsolicited emails from each. One spam campaign observed by Cisco took over three hours to complete, but used enough machines to account for 10 per cent of total spam traffic at its peak at the time.
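The evasion described above works because a reputation filter scores each source IP on its own, and a bot that sends two messages never crosses a volume threshold. An added example (not from Cisco's report or The Register) of the defender's counter-move: group a constructed set of mail-gateway records by a campaign fingerprint instead of by sender, and flag a campaign that is spread thinly across many IPs. The log records, fingerprint scheme and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of mail-gateway records: (sender_ip, subject, url_in_body).
# Each bot sends at most two messages, so no single sender looks noisy.
SAMPLE_LOG = [
    ("203.0.113.10", "Your invoice #4821 is ready", "http://pay-invoice.example/v?id=4821"),
    ("203.0.113.10", "Your invoice #4822 is ready", "http://pay-invoice.example/v?id=4822"),
    ("198.51.100.7", "Your invoice #9917 is ready", "http://pay-invoice.example/v?id=9917"),
    ("198.51.100.8", "Your invoice #1203 is ready", "http://pay-invoice.example/v?id=1203"),
    ("198.51.100.9", "Your invoice #5570 is ready", "http://pay-invoice.example/v?id=5570"),
    ("192.0.2.44",   "Your invoice #8316 is ready", "http://pay-invoice.example/v?id=8316"),
    ("192.0.2.45",   "Your invoice #7730 is ready", "http://pay-invoice.example/v?id=7730"),
    ("192.0.2.99",   "Weekly team lunch",           "http://intranet.example/lunch"),
    ("192.0.2.99",   "Re: Weekly team lunch",       "http://intranet.example/lunch"),
]

def fingerprint(subject, url):
    """Collapse per-message variation (serial numbers, tracking ids) into a
    campaign key: digits become '#', the URL keeps only scheme+host+path."""
    subj = re.sub(r"\d+", "#", subject.lower()).strip()
    host_path = re.sub(r"[?#].*$", "", url.lower())
    return f"{subj}|{host_path}"

def per_sender_counts(records):
    """What a per-sender reputation filter sees: messages per source IP."""
    counts = defaultdict(int)
    for ip, _subject, _url in records:
        counts[ip] += 1
    return dict(counts)

def find_snowshoe_campaigns(records, min_senders=3, max_per_sender=2):
    """Flag campaigns spread thinly across many senders: same fingerprint,
    many distinct IPs, but no single IP contributing more than max_per_sender."""
    by_campaign = defaultdict(lambda: defaultdict(int))
    for ip, subject, url in records:
        by_campaign[fingerprint(subject, url)][ip] += 1
    flagged = {}
    for key, senders in by_campaign.items():
        if len(senders) >= min_senders and max(senders.values()) <= max_per_sender:
            flagged[key] = {"senders": len(senders), "messages": sum(senders.values())}
    return flagged

if __name__ == "__main__":
    # Per-sender view: nothing exceeds two messages, so reputation scoring stays quiet.
    print("per-sender:", per_sender_counts(SAMPLE_LOG))
    # Campaign view: one fingerprint spans six IPs with seven messages.
    for key, stats in find_snowshoe_campaigns(SAMPLE_LOG).items():
        print(f"snowshoe campaign {key!r}: {stats}")
```

On real gateway logs the fingerprint would also fold in the sending domain, attachment hashes and message structure, and the thresholds would be tuned against legitimate bulk mail such as newsletters.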
"We've been expecting these attacks to increase because the methodology of old was starting to fail," John Stewart, chief security and trust officer at Cisco, told The Register. "Now they've got a more successful method and not surprisingly it's starting to be used."
As cops and Feds increase their attention on botnet herders, though, the size of these slave armies has been dropping fast, we're told, with some groups touting multiple small botnets for hire. This, presumably, forces defenders to play a game of whack-a-mole when taking down individual botnets.
On the software side, attackers moved away from exploiting security holes in Java during 2014 – only one Java vulnerability made Cisco's Top 10 most-used attack vectors list. Cisco said this was in part down to better security and automatic patching on modern versions of Java, but also that attackers were trying new things.
(According to java-0day.com, there have been 551 days since the last-known Java zero-day vulnerability at time of writing.)
OpenSSL's Heartbleed and Shellshock bugs predictably led Cisco's exploit list; in the former case, Stewart said his company's data showed depressing news on patching the flaw: 56 per cent of systems surveyed hadn't patched.
He also noted that only 10 per cent of the users surveyed were using the most up-to-date patched versions of Internet Explorer, compared to 62 per cent of Chrome users. Firefox was doing well, he said.
Flash and Internet Explorer were popular targets, too, but there's an increasing focus on the Apache Struts Framework, Cisco warned, and Silverlight attacks were up 200 per cent on the year, the report claimed.
The latter part of the year was dominated by the Sony Pictures network breach; Stewart said the mega-hack is having an interesting effect on how companies and their activist shareholders view corporate security and – crucially – how they talk about IT defenses with their rivals.
"The community started growing up about malware prevention and are bringing in other firms and sharing information on threats," he explained. "The Sony case has really been encouraging walls getting broken down."
[Er, broken down and rebuilt stronger, I hope – ed.]
Certain sectors, such as the finance industry and malware research, have always been good about sharing threat data, he said, but the extent of the damage caused by the Sony hackers has made other industries see that there's no competitive advantage to be gained by keeping quiet about attacks. ®