Security Experts:

Spam Rises Amid Lower Exploit Kit Activity in 2016: Cisco

Spam messages accounted for 65% of overall email in 2016, with 8-10% of spam considered malicious, a recent report from Cisco reveals.

According to the Cisco 2017 Annual Cybersecurity Report (PDF), activity of the Necurs botnet, which has been distributing the Locky ransomware and Dridex banking Trojan, is driving spam volume up. In fact, data from the Composite Blocking List (CBL), a DNS-based “blackhole list” of suspected spam-sending computer infections, shows that spam volume is close to the record-high levels seen in 2010.

Citing data from the SpamCop Block List (SCBL), Cisco explained that Necurs’ activity has generated spikes in the number of IP addresses associated with spam. Because the botnet’s operators use an address for only 2-3 days in a row but then stop using it for weeks, researchers have a hard time responding to spam attacks.

In October, 75% of spam had malicious attachments, with Necurs responsible for most of it. As attackers are experimenting with various attachment types to ensure they can avoid detection, .docm, JavaScript, .wsf, and .hta files emerged as popular among spammers. In July, .wsf accounted for 22% of malicious attachments, while .docm accounted for 8% of them. Last week, Google decided to block JavaScript attachments in Gmail.

Attackers are also using different types of spam attacks to circumvent defenses, with "hailstorm" and "snowshoe" attack emerging as a popular methodd last year. A hailstorm spam attack usually involves the sending of a massive amount of spam from a single IP address in a short period of time, so that defenders don’t have enough time to react, while snowshoe attacks rely on keeping spam volumes low enough to fly under radar.

In addition to malicious spam, adware that packs nefarious behavior represents yet another risk organizations are facing. Legitimate adware is meant to download or display advertisements through redirections, pop-ups, and ad injections, but cybercriminals are using adware to facilitate other malware campaigns, such as DNSChanger malware, in addition to injecting ads.

According to a Cisco investigation that took place between November 2015 and November 2016, 75% of a set of 130 organizations across verticals faced adware infections. These included ad injectors (usually residing in the browser), browser-settings hijackers, utilities (web applications that supposedly offer a useful service to users, such as PC optimization, but which turn to be scams in many cases), and downloaders (adware that can deliver toolbars or other software).

Adware that evolved into Potentially Unwanted Programs has been already said to be putting enterprise data at risk, but Cisco believes that all adware can place users and organizations at risk for malicious activity. “Security teams must recognize the threat that adware infections pose and make sure that users in the organization are fully aware of the risks,” Cisco notes.

Malvertising was yet another issue for both users and companies, as malvertising activity jumped132% last year, a recent report from RiskIQ reveals. According to Cisco, attackers recently started using brokers (also known as gates) to ensure they can switch quickly from one malicious server to another without changing the initial redirection. Malvertising is one of the primary means for redirecting users to exploit kits (in addition to compromised websites) with one long-standing malvertising campaign being ShadowGate, which emerged in 2015.

“Even though ShadowGate saw a high volume of web traffic, only a tiny fraction of interactions led to a user being directed to an exploit kit. The malicious ads were mostly impressions—ads that render on the page and require no user interaction. This online advertising model allowed the actors responsible for ShadowGate to operate their campaign more cost-effectively,” Cisco notes.

Initially, ShadowGate was redirecting to the Angler exploit kit (EK) only, but it switched to Neutrino after the toolkit disappeared in the summer of 2016. Angler’s disappearance was tied to the Lurk gang arrests and resulted in a 96% decrease in EK activity. The second largest EK a year ago, Nuclear, had disappeared a month before Angler, while Neutrino abruptly ceased operations in September.

These changes resulted in a massive overall decrease in exploit kit landing page blocks, from 7407 in March to 1051 in November (the number dropped below 1000 in September). Flash vulnerabilities remained the most popular in EKs in 2016, with Internet Explorer and Silverlight bugs also targeted by attackers.

However, with Flash being used less and less on websites and with major browsers turning it off by default, EKs and other types of threats are seeing a decrease in the available viable options. Java and PDF Internet traffic experienced notable declines in 2016, while Silverlight traffic is so low that “is not worthwhile for threat researchers to track regularly,” Cisco notes.

However, adversaries have a large array of tools to take advantage of when conducting their attacks, including social engineering, malware injections in legitimate ads, lapses in patching and updating, middleware vulnerabilities, malicious spam, and more. Internet traffic is growing, largely driven by faster mobile speeds and the proliferation of online devices, and attackers are taking advantage of this, because it expands their attack surface.

“Reducing—and ideally, eliminating—the unconstrained operational space of adversaries, and making attackers’ presence known, must be top priorities for defenders. The reality is that no one can stop all attacks, or protect everything that can and should be protected. But if you focus on closing the operational space that cybercriminals must have for their campaigns to be effective and profitable, you can prevent them from reaching critical systems and data without entirely evading detection,” Cisco says.

Related: Malvertising Jumped 132% in 2016: Report

Related: 4.2 Billion Records Exposed in Data Breaches in 2016: Report

view counter