Helsinki-based F-Secure has just released its Threat Report for the first half of 2013, and much remains the same: Java in the browser is the main vector for attacks on PCs, Android is taking the brunt of mobile attacks, and Mac malware is growing from a minuscule base.
However, the company says: "The most notable information security occurrence of early 2013 is undoubtedly the hacking and breach of several Internet giants (Twitter, Facebook, Apple, Microsoft) and of numerous other Silicon Valley companies via a watering hole at iPhone Dev SDK."
The "watering hole attack" is a response to good corporate security. Instead of mounting a direct attack, the idea is to exploit a third-party website where employees typically hang out and chat. It seems that Facebook and other major tech companies were breached in this way using "a zero-day Java exploit via a mobile developer website".
F-Secure's report says: "The attack was targeted and required human labor — it wasn’t automated crimeware. But it didn’t need to be. For targets as valuable as Twitter, Facebook, Apple and Microsoft — the attackers were apparently more than willing to put in the man-hours."
Another significant development came through what F-Secure calls Advanced Persistent Threat (APT) attacks. These "typically involve a carefully crafted exploit document being delivered (usually through some form of social engineering) to a user, or users, in a targeted organization or industry".
APT attacks often use PDF reports as bait, and drop backdoors as a way to plant malware. F-Secure says: "Corporate users are mostly targeted with bait documents that look like conference proceedings or reports. This does make sense as conference proceedings are normally propagated by email as part of standard business practices anyway, making them easy for the attackers to obtain, modify and pass on as ‘revised’ editions. The second most common type of corporate-targeted ATP documents were reports, which are also relatively easy to obtain and are easily passable as credible business material."
Many APT attacks are aimed at military staff and people in the defense industries, aerospace, and the energy sector who "have some form of contact with Asian countries" such as China and India, says F-Secure.
For ordinary PC users, the Java Runtime Environment (JRE) and Java running in the browser account for four of the top five vulnerabilities targeted by malware writers, and the top five account for 95 percent of all attacks. In a webcast today, F-Secure's Mikko Hypponen recommended uninstalling Java in the main browser. If users find it unavoidable, Java can be installed in a second browser for occasional use.
But "far and away the most commonly targeted vulnerability in H1 2013 was the CVE-2011-3402 Truetype font vulnerability in Windows. This vulnerability first came to prominence when it was used by the Duqu malware in a targeted attack campaign in early 2012," says F-Secure. Obviously, every competent IT department patched this last summer with MS13-051.
In the Mac market, F-Secure saw "the first Mac malware signed with a valid Apple Developer ID" in the name of Rajinder Kumar, which Apple promptly revoked. Associated malware is called KitM for "Kumar in the Mac."
Although the amount of Mac malware remains extremely small (see below), Hypponen said he could no longer recommend running Macs without anti-virus software.
On mobiles, F-Secure said: "Google's Android continues to be the most targeted mobile operating system, accounting for 96 percent of all new mobile malware families or variants we saw in H1 2013. Despite lingering questions about the Play Store's security, it remains by far the safest Android app market around, as the majority of new Android malware we saw were found on non-Play Store sites.
"In terms of functionality, most of the mobile threats we’ve seen were either banking-trojans or were involved in malvertising. Banking-trojans, which typically steal Mobile Transaction Authentication Numbers (mTans), appear to be increasing as more banks shift to using this form of authentication to verify online transactions.
"In the last few months we’ve also noticed increased instances of malvertising — advertisements leading to sites that distribute mobile malware — both in-app and on sites accessed during mobile web browsing sessions."
Stels was the most common Android Trojan. It was often distributed with games but sometimes as an update to the Flash player, as "Google Updater". However, 76 percent of F-Secure's detections of Stels came from Russia, and another five percent from Uzbekistan. It does not appear to be a problem in Europe or North America.
Finally, F-Secure noted that malware writers were now interested in Bitcoins, and said that botnet owners could generate substantial amounts of money by using slave PCs to mine digital currencies. This was a new way to monetize malware, which previously used techniques such as spam, pop-up advertising, password-stealing, and blackmail or ransomeware.
The full report is available from F-Secure (PDF).