IBM's X-Force Team: Attackers Take Path Of Least Resistance


Custom malware and zero-day exploits are dangerous, but attackers are finding that they don't necessarily have to turn to advanced techniques to carry out targeted attack campaigns, according to an analysis conducted by IBM's X-Force research team.

Rather than costly zero-day attacks that use custom malware to target previously unknown vulnerabilities, attackers use more cost-effective hacking techniques to gain access to corporate systems. Common attacks, such as SQL injection and cross-site scripting, continue to be popular techniques used in advanced persistent threats, IBM said. They're having success targeting flaws in commonly used applications, such as Adobe Flash and Java.

In its new 2013 Mid-year Trend and Risk Report, an analysis of threats seen in the first half of the year, IBM found attackers breaching targets with great success through operational sophistication rather than technical novelty. Basic security hygiene is not being upheld in organizations, IBM said: companies are struggling to commit to applying basic security fundamentals.


"The attraction of operational sophistication is that attackers can use a path of least resistance to gain a maximum return on exploits. ... While technical sophistication exists, it is atypical," IBM said in its report. "With over 46 percent of vulnerabilities left unpatched, third-party plug-ins attract many opportunities for attacks to occur and in fact were known entry points into various breaches in the last year."

A similar message emerged in April from the Verizon Data Breach Investigations Report. The analysis of 621 confirmed data breaches and thousands of security incidents in 2012 found similar tactics carried out by financially motivated cybercriminals and nation-state targeted attackers. Social engineering and carefully designed phishing attacks are a common attack method, the report concluded.

In its report released this week, IBM said unpatched or vulnerable Web forums and other widely used third-party products continue to expose weaknesses that can be used to set up an attack platform: attackers compromise the vulnerable site, stage their attack there, and wait for users from the targeted organization to visit it.

Web application vulnerabilities, such as the coding errors commonly found in website content management systems (CMS), are down significantly in 2013, making up 31 percent of publicly reported vulnerabilities, compared with 42 percent in 2012, IBM said. The bad news is that attackers are targeting the third-party creators of CMS plug-ins: only 54 percent of vulnerabilities had a patch supplied in the first half of 2013, IBM said.

"Major CMS vendors have embraced security and do a good job of patching their core software when security vulnerabilities are reported to them," IBM said.

A lot of attention is being given to zero-day exploits, IBM said, noting that some of the campaigns delivered zero-day attacks using watering hole techniques. The attackers compromise a trusted website that is commonly visited by targeted employees and set it up as an attack platform. IBM tracked nearly a dozen zero-day exploits in the first half of 2013. Zero-day exploits were detected being used against Internet Explorer, Java, Adobe Flash and Reader, and Microsoft Office.

IBM warned website administrators to harden their servers, keep software up to date and safeguard server login credentials. In addition, businesses can take steps to lower their attack surface. Employees should review installed browser plug-ins and uninstall those that have not been used, IBM said. They also should enable Click-to-Play in the browser to prevent drive-by attacks and disable ActiveX controls in Microsoft Office, which are a common target of attackers.

PUBLISHED SEPT. 25, 2013