'Watering holes' join Java as a major threat to corporate security, says F-Secure

Summary: What are today's main malware threats across PCs and mobiles? F-Secure has just released its Threat Report for the first half of 2013...


Helsinki-based F-Secure has just released its Threat Report for the first half of 2013, and much remains the same: Java in the browser is the main vector for attacks on PCs, Android is taking the brunt of mobile attacks, and Mac malware is growing from a minuscule base.

However, the company says: "The most notable information security occurrence of early 2013 is undoubtedly the hacking and breach of several Internet giants (Twitter, Facebook, Apple, Microsoft) and of numerous other Silicon Valley companies via a watering hole at iPhone Dev SDK."

The "watering hole attack" is a response to good corporate perimeter security. Instead of attacking the target directly, the attacker compromises a third-party website that the target's employees are known to visit and serves the exploit from there, so the malicious code arrives from a site the victims trust. Facebook and the other major tech companies appear to have been breached in exactly this way, using "a zero-day Java exploit via a mobile developer website": the only thing the victims needed for the attack to work was a browser with the Java plug-in enabled.

F-Secure's report says: "The attack was targeted and required human labor — it wasn’t automated crimeware. But it didn’t need to be. For targets as valuable as Twitter, Facebook, Apple and Microsoft — the attackers were apparently more than willing to put in the man-hours."
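The chain F-Secure describes, a trusted developer site sending visitors on to a third-party host that serves a Java exploit, is something an ordinary web-proxy log can surface. The following is an added Python example, not code from the report or the article: it parses constructed proxy lines (client, method, URL, Referer, Content-Type; the line format and all hostnames are invented for illustration) and flags cross-site referrals to Java archives that several internal clients followed from the same page.

```python
"""Flag watering-hole style drive-by chains in web-proxy logs.

Heuristic: an internal client visits a trusted third-party site (the
watering hole), that page refers the browser to an unrelated host, and
that host serves a Java archive.  Several clients following the same
cross-site chain is the signal.  Log format and hostnames below are
constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines: client method url referer content-type
SAMPLE_LOG = """\
10.0.1.15 GET http://devforum.example.org/thread/123 - text/html
10.0.1.15 GET http://cdn-stats.example.net/x/loader.jar http://devforum.example.org/thread/123 application/java-archive
10.0.1.22 GET http://devforum.example.org/thread/123 - text/html
10.0.1.22 GET http://cdn-stats.example.net/x/loader.jar http://devforum.example.org/thread/123 application/java-archive
10.0.1.40 GET http://www.example.com/news - text/html
10.0.1.40 GET http://static.example.com/app.jar http://www.example.com/news application/java-archive
10.0.1.51 GET http://devforum.example.org/thread/123 - text/html
"""

JAVA_TYPES = {
    "application/java-archive",
    "application/x-java-archive",
    "application/x-java-applet",
}
JAVA_PATH = re.compile(r"\.(jar|class)$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client, method, url, referer, ctype = parts
    return {
        "client": client,
        "method": method,
        "url": url,
        "referer": None if referer == "-" else referer,
        "ctype": ctype.lower(),
    }


def site_of(host):
    """Approximate the registrable domain by the last two labels.

    Good enough for the sample; a real deployment should use the public
    suffix list so that names such as example.co.uk are handled correctly.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_java_payload(entry):
    """True if the response looks like a Java archive or applet class."""
    path = urlparse(entry["url"]).path
    return entry["ctype"] in JAVA_TYPES or bool(JAVA_PATH.search(path))


def find_watering_holes(log_text, min_clients=2):
    """Return (referer_host, payload_host, client_count) for cross-site
    referrals to Java payloads that at least min_clients clients followed."""
    chains = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["referer"] is None or not is_java_payload(entry):
            continue
        ref_host = urlparse(entry["referer"]).hostname
        dst_host = urlparse(entry["url"]).hostname
        if not ref_host or not dst_host:
            continue
        # A site loading its own .jar is normal; a third-party one is not.
        if site_of(ref_host) == site_of(dst_host):
            continue
        chains[(ref_host, dst_host)].add(entry["client"])
    return sorted(
        (ref, dst, len(clients))
        for (ref, dst), clients in chains.items()
        if len(clients) >= min_clients
    )


if __name__ == "__main__":
    for ref, dst, n in find_watering_holes(SAMPLE_LOG):
        print(f"{n} clients went from {ref} to a Java payload on {dst}")
```

The point of keying on the pattern rather than the payload is that a zero-day applet has no antivirus signature on the day it is used; what does stand out is a cluster of internal hosts fetching a .jar from a domain none of them had contacted before, all referred by the same page on a site the company has no business relationship with. The two-label domain comparison is deliberately naive; replace it with a public-suffix-list lookup before using this on real logs.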

Another significant development came through what F-Secure calls Advanced Persistent Threat (APT) attacks. These "typically involve a carefully crafted exploit document being delivered (usually through some form of social engineering) to a user, or users, in a targeted organization or industry".

APT attacks often use PDF reports as bait, and drop backdoors as a way to plant malware. F-Secure says: "Corporate users are mostly targeted with bait documents that look like conference proceedings or reports. This does make sense as conference proceedings are normally propagated by email as part of standard business practices anyway, making them easy for the attackers to obtain, modify and pass on as ‘revised’ editions. The second most common type of corporate-targeted APT documents were reports, which are also relatively easy to obtain and are easily passable as credible business material."

Many APT attacks are aimed at military staff and people in the defense industries, aerospace, and the energy sector who "have some form of contact with Asian countries" such as China and India, says F-Secure.

For ordinary PC users, the Java Runtime Environment (JRE) and Java running in the browser account for four of the top five vulnerabilities targeted by malware writers, and those top five account for 95 percent of the exploit detections F-Secure saw. In a webcast today, F-Secure's Mikko Hypponen recommended removing Java from the main browser: disable the browser plug-in, or uninstall the JRE altogether if nothing else on the machine needs it. If some site makes Java unavoidable, leave it enabled only in a second browser that is used for that site and nothing else.

But "far and away the most commonly targeted vulnerability in H1 2013 was the CVE-2011-3402 TrueType font vulnerability in Windows. This vulnerability first came to prominence when it was used by the Duqu malware in a targeted attack campaign in early 2012," says F-Secure. Microsoft fixed this flaw in December 2011 with bulletin MS11-087, so every competent IT department patched it long ago; its continued popularity with attackers is a measure of how many machines never received that update.

[Chart: most commonly targeted vulnerabilities, H1 2013. Source: F-Secure Threat Report for the first half of 2013]

In the Mac market, F-Secure saw "the first Mac malware signed with a valid Apple Developer ID", a certificate issued in the name of Rajinder Kumar, which Apple promptly revoked. The malware is called KitM, for "Kumar in the Mac". Revoking the certificate means Gatekeeper no longer treats the binary as coming from an identified developer, but it does nothing for machines that had already run it.

Although the amount of Mac malware remains extremely small (see below), Hypponen said he could no longer recommend running Macs without anti-virus software.

On mobiles, F-Secure said: "Google's Android continues to be the most targeted mobile operating system, accounting for 96 percent of all new mobile malware families or variants we saw in H1 2013. Despite lingering questions about the Play Store's security, it remains by far the safest Android app market around, as the majority of new Android malware we saw were found on non-Play Store sites.

"In terms of functionality, most of the mobile threats we’ve seen were either banking-trojans or were involved in malvertising. Banking-trojans, which typically steal Mobile Transaction Authentication Numbers (mTans), appear to be increasing as more banks shift to using this form of authentication to verify online transactions.

"In the last few months we’ve also noticed increased instances of malvertising — advertisements leading to sites that distribute mobile malware — both in-app and on sites accessed during mobile web browsing sessions."

Stels was the most common Android Trojan. It was usually bundled with games, but sometimes posed as a Flash Player update or as "Google Updater". However, 76 percent of F-Secure's Stels detections came from Russia and another five percent from Uzbekistan; it does not appear to be a problem in Europe or North America.
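mTAN theft on Android, the banking-trojan behaviour F-Secure describes above, rests on an app being able to read an incoming SMS before the user sees it. The following added Python example (not from the report, and not F-Secure's detection logic) applies a static heuristic to a decoded AndroidManifest.xml: it looks for the RECEIVE_SMS permission combined with a way to send the code out (SEND_SMS or INTERNET) and an SMS_RECEIVED receiver declared with a very high priority, which on Android versions before 4.4 lets the app see and abort the broadcast before the stock messaging app does. Both manifests below are constructed for illustration; a real APK's manifest is binary XML and would first be decoded with a tool such as apktool.

```python
"""Static heuristic for mTAN-stealing Android apps.

Given a decoded AndroidManifest.xml (apktool output; the manifests below
are constructed for this example), look for the combination an SMS
interceptor needs: RECEIVE_SMS, a way to exfiltrate the code (SEND_SMS or
INTERNET) and an SMS_RECEIVED receiver with a very high priority.  Before
Android 4.4 such a receiver could call abortBroadcast() and hide the
incoming mTAN from the user's messaging app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
EXFIL_PERMS = {"android.permission.SEND_SMS", "android.permission.INTERNET"}
SMS_PERMS = {RECEIVE_SMS, "android.permission.READ_SMS", "android.permission.SEND_SMS"}

# Constructed: a fake "Flash Player" update that behaves like an mTAN stealer.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flash Player">
    <receiver android:name=".SmsCatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed: an ordinary game that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle"/>
</manifest>
"""


def sms_receiver_priority(root):
    """Highest android:priority on any receiver intent-filter for
    SMS_RECEIVED, or None if the app declares no such receiver."""
    best = None
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {a.get(NAME) for a in filt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                prio = int(filt.get(PRIORITY, "0"))
            except ValueError:
                prio = 0
            best = prio if best is None else max(best, prio)
    return best


def assess_manifest(xml_text, priority_threshold=1000):
    """Return a dict describing the SMS-interception indicators found."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    prio = sms_receiver_priority(root)
    indicators = []
    if RECEIVE_SMS in perms and prio is not None and prio >= priority_threshold:
        indicators.append("high-priority SMS_RECEIVED receiver")
    if RECEIVE_SMS in perms and perms & EXFIL_PERMS:
        indicators.append("can receive SMS and send data out")
    if len(indicators) == 2:
        verdict = "suspicious"
    elif indicators:
        verdict = "review"
    else:
        verdict = "no mTAN pattern"
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receiver_priority": prio,
        "indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = assess_manifest(text)
        print(result["package"], result["verdict"], result["indicators"])
```

A legitimate messaging app will trip the "review" verdict, since it also needs RECEIVE_SMS and usually INTERNET; the maximal receiver priority is what separates an app that wants to read SMS from one that wants to read it first and hide it, which is why the heuristic only reports "suspicious" when both indicators are present. The threshold is an assumption for this example; tune it against the apps in your own environment.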

Finally, F-Secure noted that malware writers are now interested in Bitcoin, and that botnet owners can make substantial sums by using compromised PCs to mine digital currencies. This is a new way to monetize malware alongside the established techniques: spam, pop-up advertising, password theft, and blackmail or ransomware.

The full report is available from F-Secure (PDF).

[Chart: Mac malware, H1 2013. Source: F-Secure Threat Report for the first half of 2013]

 


Jack Schofield

About Jack Schofield

Jack Schofield spent the 1970s editing photography magazines before becoming editor of an early UK computer magazine, Practical Computing. In 1983, he started writing a weekly computer column for the Guardian, and joined the staff to launch the newspaper's weekly computer supplement in 1985. This section launched the Guardian’s first website and, in 2001, its first real blog. When the printed section was dropped after 25 years and a couple of reincarnations, he felt it was a time for a change....


Talkback

4 comments
  • the real truth

    "But "far and away the most commonly targeted vulnerability in H1 2013 was the CVE-2011-3402 Truetype font vulnerability in Windows"


    microsoft paid propagandists can scream about viruses for linux (lol!), viruses for mac, viruses for java...but let's face it...windows is the only hopeless virus breeder
    ljenux
    • You are clueless!

      That vulnerability was patched by MS ages ago. Ergo only people of similarly diminished intellect to yours would be affected.
      allis0
  • Mac Malware

    "Although the amount of Mac malware remains extremely small...Hypponen said he could no longer recommend running Macs without anti-virus software." Did he ever recommend running Macs without anti-virus software? Somehow I doubt it. I've never seen any security professional do so. Rather, they were recommending security software for the Mac even when it was not broadly necessary. Now that there are occasional exploits focussed on the Mac, such warnings are more appropriate. Unfortunately, these "professionals" have cried wolf so often that their standing in the Mac community is negligible. Indeed, the strongest argument they've had for anti-virus software on the Mac is to prevent the inadvertent spread of Windows malware - that doesn't actually affect a Mac computer at all. While a valid concern, this is hardly likely to move more than a small minority of Mac users to take precautions. Fortunately, Apple is taking security more seriously these days, even if their users are not. Among other things, Apple security updates have for some time now disabled Java in Apple's own web browser, Safari.

    However, if the current trend continues, in the next few years malware on the Mac will gradually emerge as a serious problem. It will become more important for Mac users to take security seriously. Sadly, getting them to do so, after all the false alarms, will be difficult. The best way I see to counteract this false sense of security would be for Apple itself to begin recommending third-party security software. But how likely is that? Instead, it will probably take a widely successful malware exploit on the Mac to grab the public's attention.

    Ironically, what the critics have claimed to be the greatest weakness of iOS on Apple's mobile platforms, the walled garden of the Mac App and iTunes Stores, provides almost 100% security for the iPhone and iPad. As malware on Android continues to proliferate, looking more and more like the early years of Windows, Apple's walled garden only grows more fragrant and attractive. Even so, there are now security apps for iOS. Again, the primary justification for these is to prevent the spread of Windows exploits via e-mail.

    So, though the Mac is no longer as isolated as it once was, far and away the most serious and numerous security exploits continue to target Windows. This is not entirely Microsoft's fault, but it is still their problem. And their users' problem. And now Android has jumped on the malware bandwagon with both feet, giving Google serious cause for concern, thus forcing them to move, however slowly and reluctantly, toward Apple's model of a curated app store.
    thewhitedog