According to several security research firms 2015 saw a massive decline in the number of reported malware infections, a decline in exploit activity of 84% compared to that of 2013. The few active exploit kits worth noting were Angler, Neutrino and Rig but besides those three there were virtually no other major campaigns detected in 2015. In previous years, such as 2013 there were detentions of over 30+ different exploit kits owned and operated by their own cyber crimeware actor groups. The number of new malware families and variants also dropped by over 50%. DDoS attacks rose by 30% and SQLi and XSS also rose around 10% over the previous year.

2016 has continued the same trends we saw for 2015, an even smaller number of exploit campaigns have been detected. The primary vector crimeware families are implementing is spam and spear phishing attacks. The spam e-mails and phishing campaigns are not like the ones we saw in years past, it appears the hostile actors have learned how to use spell checker and the content of these e-mails are closer to home for most would be victims. Spammers are learning how to relate to those they want to infect by choosing e-mail subjects and content related to things a majority of internet users would be interested in clicking. Examples, focusing on shipping around Christmas and holidays with topics such as click here for tracking of your package or download your purchase receipt in .Doc format or .xls which average internet users would think are completely harmless when in fact if you have not disabled macros in Microsoft Word/Excel, opening a malicious attachment will result in the macro being activated which will download a malicious executable from the hackers infrastructure or most likely a hacked webserver from SQLi/XSS vulnerabilities. Spammers are focusing on PayPal account issues, eBay account problems and now that it is coming up on tax season expect to see fake IRS and TurboTax e-mails or bank focused campaigns to download your W4 for taxes.

The biggest threat to enterprise security is social engineering, when your organization does vulnerability assessments and penetration testing make sure they focus on exploiting your employees and clients desire to trust in others. Your patch management and configuration management can be top notch but if the people you employ and do business with are susceptible to social engineering attacks your still at risk for compromise. Mitigating the risk of social engineering is not a simple task, human beings by nature are trustworthy and may click links and follow tasks without cognitively processing what they are doing. There is also the issue of intelligence, unfortunately some of your employees are just not going to be intelligent enough to see through the facade that an attacker is creating. Put up posters, have mandatory awareness seminars and meetings.

The next threat that is on the rise is denial of service (DoS) but more specifically Distributed reflected Denial of Service attacks. These attacks are easy to conduct, an attacker doesn’t even have to compromise hosts and servers to build a botnet anymore, they simply take advantage of services that openly reply to UDP requests from outside your network. The most common services that are susceptible and leveraged by attackers are NTP, SSDP, DNS, SNMP, Chargen and peer-to-peer file transfers. NTP offers the highest “amplification factor” up to 500 to 1, an attacker spoofs the IP of the target they wish to attack and request the monlist from a vulnerable NTP server and this request is say 5 bytes, when the NTP server responds to the request and delivers the monlist results to the spoofed IP target. An attacker simply needs to scan the internet for port 123 and make a request and log any servers that respond. The NTP servers that respond get put into a list and become leveraged in attacks.

As of February 2016 and an analysis of 400 of the latest NTP attacks reported we have grepped the logs and found that there are at least a minimum of 16,740 vulnerable NTP servers in the world. This number is significantly lower than the beginning of 2015 which we counted 54,300 vulnerable NTP servers. Never the less, a few thousand vulnerable servers is enough to take down most targets. In 2015 there were 4.9 million hosts vulnerable to SSDP amplification attacks, that number has dropped to 1.6 million, while that number is still staggering and capable of generating 100MB/sec attacks, the amplification factor is far lower for SSDP than NTP.

DNS however is on the rise, there are many ways an attacker can leverage vulnerabilities in the protocol to create amplification attacks, DNS Flooder is a tool that is commonly used to launch such attacks. DNS amplification attacks are on the rise, a 25% increase from 2015. Attackers create domain names with massive TXT records which when queried return large responses to the victim. Domain servers that respond to request for “.” are a huge concern as they will return all results to the victim, attackers combine many different vulnerabilities in the DNS system and put them together to amplify attacks at enormous rates. In 2016 an attack was observed delivering over 500gigabytes/second which leveraged all forms of DrDoS protocol weaknesses. DNS Amplification attacks with huge TXT record domain names is currently the largest risk we are facing from attackers and it works like this:

A video depicting the attack process: