[BreachExchange] Why do cybercriminals target vulnerabilities?

Destry Winant destry at riskbasedsecurity.com
Thu Sep 13 09:05:10 EDT 2018


https://www.itproportal.com/features/why-do-cybercriminals-target-vulnerabilities/

We all know many enterprises are riddled with unpatched servers and
PCs, vulnerable web applications and easy to fool end users. Despite
growing awareness of the risk posed by vulnerabilities – from
Heartbleed back in 2014 to the Equifax mega breach last year – we
still found 77 per cent of applications have at least one
vulnerability when initially scanned.

Why is action not being taken? Too frequently in development teams,
we’re seeing security sacrificed to accommodate the speed of business.
In fact, 83 per cent of IT decision makers working in cyber security
reported having released code before testing or resolving security
issues.

This is not because software developers do not care about security.
Most enterprises aren’t doing enough to incentivise development teams
to invest more time and resources into developing code that is not
only high quality, but secure. This failure is increasing the risk of
the vulnerabilities in their applications.

As new motivations constantly change the threat space for the worse,
it is crucial that businesses – as well as their development teams –
understand the potential cost of the dormant vulnerabilities in their
IT environment.

So, why do cybercriminals target vulnerabilities?

Data resale

The traditional reason cybercriminals exploited vulnerabilities was to
gain entry to a network from which they could exfiltrate valuable
data. The rise of today’s dark web markets has allowed for
cybercriminals to monetise stolen information such as passwords,
personally identifiable information (PII), and credit card numbers.

However, this approach is becoming less lucrative than it used to be.
Stolen Visa or MasterCard details typically sell for just £11 on the
dark web today, which might not be worth the effort. With that said,
information leakage is still a prevalent consequence of a
vulnerability, present in 66 per cent of applications.

Ransom

The decreasing value of personal data, along with the risk of a
pseudonymous transaction required on dark web markets, has resulted in
many criminals making a shift towards the ransom model.

Ransomware was developed by cybercriminals as an easier way to
monetise exploiting a vulnerability.  Instead of hunting for PII, the
attacker can use the flaw to inject ransomware that simply encrypts
the data on the victim's PC, or in the case of an enterprise, an
entire network of PCs, and demand a ransom in cryptocurrency to get
the data back.  There is no longer a need for a dark web transaction,
as the victim pays the attacker directly.  This approach exploded
around the world when researchers detected a 3500 per cent increase
in newly observed ransomware domains being created.

Ransom tactics have since continued to evolve, with some
cybercriminals taking the trend further by holding the "cure" to
ransom as well. During the San Francisco Muni ransomware attack, for
example, the hacker not only demanded 100 bitcoins to unlock its
computer systems and ticketing machines, but also offered to "help"
the agency protect itself against future attacks by revealing details
of the vulnerability in its system for a few extra bitcoins.

Mining cryptocurrency

The next evolution in easy-to-monetise attacks is to mine
cryptocurrency directly. In such cases, attackers compromise a network
of machines in a data centre or a cloud environment and install mining
programmes that generate cryptocurrency paid straight into the
attacker's own wallet.

We have seen web application vulnerabilities exploited repeatedly to
mine cryptocurrency. IBM's X-Force team reported that familiar
infection techniques were used, such as command injection
vulnerabilities in WordPress, Joomla, and JBoss web servers.

Talk about direct monetisation!  With this approach, the attacker does
not even need to communicate with another party to carry out the
incursion.  The cryptocurrency just shows up in their wallet.

Hacktivism

There are more frequent examples of another form of attack –
hacktivism. Hacktivism is an attack in which a group has the means,
motive and skill to exploit vulnerabilities for the purposes of
disrupting, financially harming or embarrassing an organisation to
raise awareness for a cause. Usually driven by fuelling social or
political change, these groups may seek access through social
engineering, DDoS campaigns and other alternate techniques. If
successful, hacktivists may leak information, demand change to
government policy, or promote attacks to call attention to an issue
they feel is overlooked and deserves wider attention. Many enterprises
and government bodies around the world have been targeted by
hacktivists repeatedly. Recent examples include hacktivists breaking
into one of Isis's main online outlets and exfiltrating the details of
over 1,700 newsletter subscribers in 2017. Another example from
earlier this year occurred when hackers managed to take control of
thousands of Cisco Systems switches and used that access to warn
others not to interfere with future U.S. elections.

Putting a price on a vulnerability

There is no question cybercriminals are successfully monetising their
efforts to exploit vulnerabilities. Just as mining cryptocurrency is a
relatively new phenomenon, I am confident that as new emerging
technologies are deployed, and applications increasingly underpin core
business processes as well as financial functions, cybercriminals are
creating new ways to exploit them.

However, while organisations should not underestimate this threat, it
is not an insurmountable task to improve security against these
different attacks. For example, if an organisation built security into
its software supply chain, it could significantly reduce its exposure.

With the rise of Agile and DevOps, we have seen many organisations
adopt a “shift left” approach to security, providing sandboxing tools
and on-the-job security eLearning to enable their developers to
deliver secure software at speed.  Coupled with regular application
security testing in post-production (dynamic and/or static),
organisations can significantly reduce the risk of vulnerabilities
waiting to be exploited by cybercriminals.

Great software means secure software – just as a seatbelt in a car
isn’t functionally necessary for the car to operate, yet we treat that
safety feature with the same level of importance as the parts that
are, security deserves the same standing as functionality. And when
security becomes akin to a functional requirement, companies will make
software secure starting from the earliest phases. There is financial
incentive to do so as well – it is 30 times less expensive to secure
software during the development phase versus after it is released.
