Rise of the Shadow Hacker: Cisco’s Threat Assessment

Ransomware, domain shadowing and malvertising are just a few of the menacing terms you’ll need to get familiar with in order to protect your network in 2015. Cisco’s 2015 Midyear Security Report is out and it’s just the sort of reading that could give any chief information officer nightmares. The 41-page report confirms every security professional’s greatest fears: the bad guys are getting sneakier and our general ability to stop them is lagging dangerously behind.

Even with all of the headlines about data breaches and the millions of dollars corporations are pouring into security solutions, Cisco’s report argues that the adversaries (i.e. hackers) are rapidly developing and deploying new attacks and malware that can breach network defenses and evade detection far quicker than the security industry is developing measures to stop them. The report argues that many organizations, in their attempt to respond to the breach of the moment, have ended up with a patchwork of security solutions that often duplicates capabilities while rarely working together in a seamless fashion.

Cisco’s midyear report is chock full of things to be concerned about, not the least of which is the significant increase in attacks on Adobe Flash vulnerabilities. In the first five months of 2015, the Common Vulnerabilities and Exposures (CVE) project published 62 vulnerabilities for Adobe Flash Player that resulted in code execution on users’ machines. This figure is up from only 41 such vulnerabilities in 2014, and if this pace continues, there could be more than 100 of these exploits in 2015. By far, these vulnerabilities have been the most widely used by bad actors who favor exploit kits like Angler and Nuclear. Angler has Adobe Flash attacks integrated into it, bringing new levels of sophistication and effectiveness to the world of exploit kits. Cisco reports that on average, 40 percent of users who encounter an Angler exploit kit landing page on the Web are compromised.

Beyond the tools of the trade, cybercriminals are also turning to the anonymous network Tor and the Invisible Internet Project (I2P) to shield their activities and relay command-and-control communications. Anonymization networks such as Tor coupled with cryptocurrencies such as bitcoin are making it increasingly easy for operators of crimeware, like ransomware, to hire and fund their own professional development teams. Cisco reports that nearly all ransomware-related transactions are carried out through the anonymous Web network Tor. By using Tor or I2P, a computer network layer that allows applications to send messages to each other pseudonymously and securely, attackers are able to keep their risk of detection low.

Of course, some things never go out of style, such as attacks that use Microsoft Office macros to deliver malware. This once passé technique has re-emerged this year as hackers look for ways to overcome security protections. Cisco’s report calls out an increase in the use of these macros to deliver banking Trojans at a time when two trends in the cybercriminal world are converging: cybercriminals are resurrecting old tools or threat vectors for reuse, and they are also changing the threat so quickly and frequently that they can relaunch attacks over and over without being detected. One such attack posture uses Dridex Trojans delivered in a Microsoft Word document attached to an email. Cisco researchers found that such campaigns were extremely brief, sometimes lasting only a few hours, and that they mutated rapidly as an evasive tactic. While anti-virus software can be helpful, these rapid changes often mean that by the time a campaign is detected, attackers have already changed the email’s content, user agents, attachments and referrers, forcing anti-virus systems to begin from scratch to detect them again.

Another new trick is incorporating real text from novels such as Jane Austen’s “Sense and Sensibility” into Web landing pages. Lest you think hackers have gone highbrow, this little trick is being used so that anti-virus software will be more likely to categorize these pages as legitimate after they “read” the text. Whether it’s classic text or something more modern from a magazine or blog, these seemingly misplaced pieces of content may strike readers as odd but may not immediately cause concern. By using passages such as these, attackers have found a more effective means of obfuscation than the more traditional use of random text, which anti-hacking tools have been trained to view as a red flag of suspicious activity.

Perhaps one of the most concerning pieces of malware discussed in the midyear report is Rombertik, which is designed to extract and deliver sensitive user information to a server controlled by the attackers. These attacks are initially launched as spam and phishing messages that rely on social engineering to gain the user’s trust and get them to download and unzip an attachment. Once a user unzips the file, it appears as a PDF, but in reality it is a screensaver executable file that begins to quickly compromise the system.

To get a better look at this dangerous piece of malware, Cisco reverse engineered it. What Cisco found was that this very sophisticated piece of malware can detect attempts to tamper with the binary. When these attempts occur, Rombertik tries to destroy the master boot record of its host computer. If that’s not possible, it will attempt to destroy the files in the user’s home directory. Rombertik’s self-preservation capabilities are one of the most concerning parts of this piece of malware.

Rombertik’s evasive techniques, combined with its ability to damage the operating system software on compromised machines, shine a bright light not only on the need to protect against malware, but also on the need to protect against the ever-increasing costs of cleaning systems once they are infected. It will likely be only a short matter of time until other malware authors adopt Rombertik’s approach and perhaps make future malware even more destructive.

Cisco’s midyear report is replete with attack trends, tools and enough emerging threats to make even the most seasoned security professional run screaming into the night. Luckily, it also offers some guidance on how to face these threats and brave the new future ahead. In their cybersecurity call to action, Cisco outlines the belief that change is imminent within the security industry. These changes will bring a wave of consolidation and integration for innovative, adaptive and trustworthy security solutions that will be designed to reduce detection time and increase the prevention of attacks.

Cisco believes that the patchwork of products most organizations have today is increasingly unwieldy for security teams to manage and keep up to date. Often these various solutions have overlapping capabilities and may not meet industry standards, much less provide interoperability. Cisco calls this an unsustainable model and by contrast offers a vision of adaptive solutions built within a detection-and-response framework to support faster response to known and emerging threats.

As the global leader in IT training and Cisco’s Learning Partner of the Year, Global Knowledge is uniquely positioned to help organizations assess their security capabilities and provide them with the knowledge and skills to create an adaptive, responsive security posture built upon Cisco technology. To help security professionals achieve the defense-ready skills required to thwart ever-changing threats, Global Knowledge offers training in all levels of Cisco technology, including FirePOWER, FireAMP and Advanced ASA, as well as CCNA through CCNP Security certification preparation. Global Knowledge is also proud to be one of only three global Advanced Technology Learning Partners able to offer SCYBER, which focuses on threat prevention, recognition and response.
