Most orgs unprepared to handle a cyber incident
In the latest quarter, Solutionary SERT performed a broad analysis of the threat landscape, including information on the Shellshock and Aftershock vulnerabilities present in Bash.
This quarter’s Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report reveals that more than 75 percent of organizations the team assisted had neither an incident response team nor policies or procedures in place to effectively address a cyber incident.
The team also tracked the Shellshock disclosure closely and found that 67 percent of the Shellshock signatures were tied to known malicious actors as soon as 24 hours after the vulnerability was disclosed.
In addition, as follow-on research to information collected in Q4’13 and Q2’14, the report highlights the top-ten ISPs hosting malware. GoDaddy-hosted sites had a massive resurgence from two percent to 44 percent, reclaiming the number one spot from Amazon Web Services (AWS). Conversely, AWS’s fall from 41 percent of hosted malware to 17 percent in Q3 reflects the dramatic and consistent fluctuation in hosting providers being used as attack vectors.
“Organizations have been inundated with a constant flow of news about data breaches, so the frequency and magnitude of successful attacks actually comes as little surprise. The findings in the Q3 Threat Report highlight not only the challenges security teams are facing but also how little is being done to prepare businesses for these incidents,” said Rob Kraus, SERT director of research, Solutionary. “Nearly three quarters of our team’s incident response engagements showed minimal, even zero, preparation by IT teams when it came to identifying and remediating security events.”
Other key topics include:
Malware distribution analysis updates
The United States had a seven percent increase in malware hosting, up to 63 percent, and maintained the number-one rank among malware-hosting countries. New players Spain and Switzerland entered into the top 10, while China experienced a three percent decrease as a host of malware, appearing at number four on the top 10.
Threat research focus: Anatomy of a Web-based botnet
Botnets are increasingly able to enlist multiple device types and platforms, including Windows, Linux, Web servers, workstations and more. Of the 1,900 unique IPs analyzed, as part of a larger Perl-based botnet, a total of 205 Web technologies were identified. 197 of the identified technologies were PHP implementations, encompassing 309 Web-server versions in 73 countries. Additionally, 47 percent of the top-targeted servers were Apache based.
Attacks on UDP Port 40000
The quarter has seen a marked increase in connectionless-based User Datagram Protocol (UDP) port probes, especially from UDP Port 40000. This, however, does not discount Transmission Control Protocol (TCP), with 20 percent of the traffic directed at the Remote Desktop Protocol (RDP) originating from Morto Worm activity over TCP Port 6000.
Spear phishing with VistaTeam
SERT researched a spear phishing campaign by a group dubbed “VistaTeam” because of its use of the free Web-hosting trial offered on the Vistaprint website. This attack is designed to evade many standard protection methods and targets companies conducting wire transfers, resulting in hundreds of thousands of dollars in losses.