Midyear Security Report - Cisco

Cisco 2015 Midyear Security Report

Executive Summary

As adversaries rapidly refine their ability to develop and deploy malware that can breach network defenses and evade detection, the security industry, as a whole, struggles to innovate at a similar pace.

This dynamic creates a significant problem for organizations investing in security products and services: They often end up choosing individual solutions to address security gaps, only to create more weak points in their threat defenses.

The Cisco 2015 Midyear Security Report examines these intersecting challenges while also providing updates on some of the most compelling threats. Using research by our experts, it provides an overview of the major threats observed in the first half of 2015. This report also explores likely future trends and offers advice for small, midsize, and enterprise organizations that seek security solutions and services.

The report is divided into two main areas:

Threat Intelligence

This section gives an overview of the latest threat research from Cisco. We discuss:
- Updates on exploit kits such as Angler
- Criminals’ increasing use of macros involving Microsoft Office
- New tactics from malware authors to evade detection
- Risk of malware encounters for specific industry verticals
- Time to detection of threats
- Updates on spam, threat alerts, Java exploits, and malvertising

Analysis and Observations

In this section we cover security industry consolidation and the emerging concept of integrated threat defense. Other topics in focus include the importance of building trust and security into products and the value of engaging security services organizations in a market where skilled security talent is scarce. Lastly, we discuss how a cohesive cybergovernance framework can be a step toward sustaining business innovation and economic growth on the global stage.

Major Discoveries

Adversaries continue to innovate as they slip into networks undetected and evade security measures.
- Exploits of Adobe Flash vulnerabilities are increasing. They are regularly integrated into widely used exploit kits such as Angler and Nuclear.
- Angler continues to lead the exploit kit market in terms of overall sophistication and effectiveness.
- Operators of crimeware, like ransomware, are hiring and funding professional development teams to help them make sure their tactics remain profitable.
- Criminals are turning to the anonymous web network Tor and the Invisible Internet Project (I2P) to relay command-and-control communications while evading detection.
- Adversaries are once again using Microsoft Office macros to deliver malware. It’s an old tactic that fell out of favor, but it’s being taken up again as malicious actors seek new ways to thwart security protections.
- Some exploit kit authors are incorporating text from Jane Austen’s classic novel Sense and Sensibility into web landing pages that host their exploit kits. Antivirus and other security solutions are more likely to categorize these pages as legitimate after “reading” such text.
- Malware authors are increasing their use of techniques such as sandbox detection to conceal their presence on networks.
- Spam volume is increasing in the United States, China, and the Russian Federation, but remained relatively stable in other regions in the first five months of 2015.
- The security industry is paying more attention to mitigating vulnerabilities in open-source solutions.
- Continuing a trend covered in the Cisco 2015 Annual Security Report, exploits involving Java have been on the decline in the first half of 2015.

Contents

Executive Summary 2
Major Discoveries 3
Introduction 5
Threat Intelligence 7
Flash Exploits Fire Up in First Half of 2015 8
Focus on Flash Gives Angler a Significant Edge over Competitors 10
Angler: Running in the Shadows 11
Encrypted Payloads Slow Time to Detection for Angler 12
Exploit Kit Authors Go High-Brow to Keep Landing Pages on the Down Low 13
The Evolution of Ransomware: A Story of Innovation—and Lowering the Bar 13
Tor Adopted by Cybercriminals to Hide Network Communication 15
Microsoft Office Macros Make a Comeback as Vehicle for Launching Exploits 15
Rombertik: Malware That Not Only Can Steal Data But Also Destroy It 18
Spam Volume Remains Consistent 20
Threats and Vulnerabilities: Common Coding Errors Create Avenues for Exploits 21
Third-Party Vulnerabilities 21
Decline in Exploits Using Java 24
Malware Authors Adopt Detection and Evasion Tactics 25
Vertical Risk of Malware Encounters: No Industry Is Immune to Attack 26
Block Activity: Geographic Overview 27
Types of Web-Based Attacks 28
Malvertising Update: Widespread Web-Based Threat Mutates to Evade Detection, Increase Effectiveness 29
Time to Detection: Defined 30
Analysis and Observations 31
Cybersecurity Call to Action: Faster Innovation by Security Vendors 32
Industry Consolidation and Integrated Threat Defense 33
Trustworthy Products 33
The Value of Expertise 34
A Global Cybergovernance Framework to Support Future Innovation 35
Greater Harmonization of Rulemaking: A Future Path? 35
Conclusion 37
About Cisco 39
Contributors to the Cisco 2015 Midyear Security Report 40

Introduction

The tactics developed by malware authors and online criminals have shown increasing sophistication over the past several years. Recent Cisco security reports have chronicled such innovation in the shadow economy, along with security professionals’ fight to stay ahead of adversaries.

What’s new is the threat actors’ growing ability to innovate rapidly and enhance their capacity to compromise systems and evade detection. In the first half of 2015, the hallmark of online attackers may be their willingness to evolve new tools and strategies—or recycle old ones—to dodge security defenses. Through tactics such as obfuscation, they can not only slip past network defenses but also carry out their exploits long before they are detected—if ever.

Many vendors are offering piecemeal or individual solutions to security problems. And buyers—that is, the organizations that purchase security tools from vendors—are eagerly looking for stopgap products, not in-depth strategic solutions. But because they are not integrating technologies and processes across the entire security footprint, their management of security tools becomes unwieldy.

Security vendors are responding with their own innovations. For example, researchers are adding support for the analysis of new file formats such as .cab and .chm as new attacks are detected using those formats. In addition, vendors are developing new detection engines and constantly evaluating and evolving heuristics.

Security industry consolidation and a close integration of leading technologies can help, in time, to move organizations away from taking a product-by-product approach to implementing their defenses (see page 33). Meanwhile, a proactive and in-depth defense strategy, of which technology is just one component, can help small, midsize, and enterprise organizations and their security teams meet the threat of criminal innovation described in this report.

Security vendors know they need to stay agile. If they or their networks let down their guard even briefly, attackers will get the upper hand. But the pace of innovation in the industry is not as rapid as it needs to be.

Threat Intelligence

Cisco has assembled and analyzed a global set of telemetry data for this report. Our ongoing research and analysis of discovered threats, such as malware traffic, can provide insights on possible future criminal behavior and aid in the detection of threats.

Flash Exploits Fire Up in First Half of 2015

For the first five months of 2015, the Common Vulnerabilities and Exposures (CVE) project published 62 vulnerabilities for Adobe Flash Player that resulted in code execution on users’ machines. As Figure 1 shows, only 41 of these types of vulnerabilities were identified in 2014. The second most significant spike occurred in 2012, when 57 of these Flash vulnerabilities were observed. If the current pattern of activity is sustained through the remainder of the year, 2015 could see more than 100 of these exploits, which would be an all-time record.

Figure 1. Number of Vulnerabilities in Flash That Resulted in Code Execution on Users’ Machines, January 2006–June 2015 (Source: CVE)

We attribute the recent growth in exploits of Flash vulnerabilities to two primary factors:
- Flash exploits are being integrated regularly into the latest versions of widely used exploit kits such as Angler (see page 9).
- Although Adobe frequently updates its Flash Player, many users are simply not quick enough to apply updates that would protect them from exploits targeting the vulnerability being patched.

It appears many users have difficulty staying on top of Adobe Flash updates and perhaps may not even be aware of some upgrades. Figure 2 shows that Angler’s authors are benefiting from this “patching gap”—the time between Adobe’s release of an update and when users actually upgrade. (Cisco’s technology allows researchers to monitor software versions of users at any point in time.)

Figure 2. Requests Made Per Version of Flash, by Date (legend: Update Published, Angler Exploiting Vulnerability, Nuclear Exploiting Vulnerability, User Activity; chart annotations: CVE-2015-0336, CVE-2015-0390; source: Cisco AnyConnect data)

For example, the February 2015 time frame depicted in Figure 2 shows that many users moved quickly to the latest version of Flash (16.0.0.305). That update, released February 2, 2015, addressed vulnerabilities in CVE-2015-0313. However, as users migrated to the new version of Flash, Angler actively exploited the known vulnerability in the previous version.

Figure 2 also shows that the authors of the Angler exploit kit were able to quickly develop and release a working exploit to target the vulnerability in CVE-2015-0313. We noted similar rapid innovation with other Flash exploits during the first half of 2015. For example, another sophisticated and constantly active exploit kit, Nuclear, was quick to target the vulnerability in CVE-2015-0336. Angler began exploiting the same vulnerability shortly thereafter.

The patching gap is one reason adversaries continue to find success exploiting users of Java (see Figure 3).

Attacks designed to target Flash and other new vulnerabilities are being integrated so quickly into exploit kits like Angler and Nuclear that it is increasingly difficult for security teams to keep pace. The time to detection is also longer because retrospective analysis is often needed to identify these threats.

The risk of compromise for individual users and organizations relying strictly on a single detection engine is significant. And in environments without retrospective analysis capabilities, threats delivered through zero-day attacks or evasive means could remain undetected for long periods, or never be identified.

However, one fundamental measure—the prompt and routine patching of software—can help to significantly reduce the risk of compromise by threats that are designed to exploit known vulnerabilities in Flash and Java.

Figure 3. Number of Requests Made Per Version of Java, by Date (users still vulnerable to CVE-2013-5907; publisher: Oracle America; products: Java(TM) Platform SE 7 through Java(TM) Platform SE 7 U80; source: Cisco Cloud Web Security data)

Focus on Flash Gives Angler a Significant Edge over Competitors

Earlier this year,[1] Cisco singled out the Angler exploit kit as the one to watch among known exploit kits observed in the wild because of its innovative use of Flash, Java, Microsoft Internet Explorer, and Silverlight vulnerabilities. So far in 2015, Angler stands as the leader in exploit kit sophistication and effectiveness.

The exploit kit’s authors’ recent concentration on, and quick work to take advantage of, vulnerabilities in Adobe Flash is an example of their commitment to innovation.

Cisco reports that, on average, 40 percent of users who encounter an Angler exploit kit landing page on the web are compromised. (See Figure 4.) This means Angler can identify a known Flash (or other) vulnerability that it can exploit. It then downloads the payload to the user’s machine.

By comparison, in 2014, other widely used kits that featured a mix of exploits had an average success rate of just 20 percent, according to our research.

Figure 4. Rate of Visitors Exploited, December 2014–May 2015 (Angler, 2015: 40%; other exploit kits, 2014: 20%; source: Cisco Security Research)

[1] Cisco 2015 Annual Security Report, Cisco, January 2015: urity-report/index.html.

Angler: Running in the Shadows

Angler’s success in compromising users online can be attributed partly to its simple but well-constructed web landing pages. Cisco researchers suggest that the exploit kit’s authors may be relying on data science to create computer-generated landing pages that resemble normal webpages and easily dupe users. Malvertising (malicious online advertising) is likely the key driver for a consistent stream of web traffic to these pages. (For more on malvertising, see page 29.)

Angler also excels at attempting to evade detection. “Domain shadowing” is one technique its authors have recently employed. Exploit kit authors compromise a domain name registrant’s account, and then register a subdomain under the legitimate domain of the compromised user. Unless users review their account information, they will not know these subdomains exist. The subdomains point at malicious servers. They are very high volume, short-lived, and random, so they’re difficult to block.

Domain shadowing is not new, but the use of this technique has been increasing since December 2014. According to our research, more than 75 percent of known subdomain activity by exploit kit authors since that time can be attributed to Angler. The exploit kit serves a range of malicious payloads, including the ransomware Trojan Cryptowall, through file exploits.

In addition to domain shadowing, the Angler exploit kit uses multiple IP addresses to make detection more difficult. The sample in Figure 5 shows how frequently Angler can switch IPs on a given day. The pattern appears random.

The Cisco Talos Security Intelligence and Research Group (Talos) blog post “Threat Spotlight: Angler Lurking in the Domain Shadows” discusses how Angler creates subdomains that can serve malicious content, and why a defense-in-depth approach to security is essential to detecting this type of attack. Also, see the Talos Group blog post “Domain Shadowing Goes Nuclear: A Story in Failed Sophistication,” which examines a Nuclear campaign that includes domain shadowing. This work in progress will likely be a successful exploit kit platform once completed.

Figure 5. Successful Flash Exploits, April 2015 (colors represent IP ranges; source: Cisco Security Research)
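The domain-shadowing traits described above (many random, short-lived subdomains under a legitimate domain, pointing at servers the owner does not use) can be checked against passive DNS data. The following is an added example, not code from the Cisco report; the record format, the thresholds, the two-label domain rule, and all names and addresses in RECORDS are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS observations: (timestamp, fqdn, resolved IP).
RECORDS = [
    ("2015-03-01T08:00:00", "example-shop.test", "198.51.100.10"),
    ("2015-04-20T08:00:00", "www.example-shop.test", "198.51.100.10"),
    ("2015-03-01T08:00:00", "mail.example-shop.test", "198.51.100.25"),
    ("2015-04-20T08:00:00", "mail.example-shop.test", "198.51.100.25"),
    ("2015-04-10T09:00:00", "qx7vt2kd.example-shop.test", "203.0.113.5"),
    ("2015-04-10T09:40:00", "qx7vt2kd.example-shop.test", "203.0.113.5"),
    ("2015-04-10T11:15:00", "k3jw9zpa.example-shop.test", "203.0.113.77"),
    ("2015-04-11T02:30:00", "z8rmy4hc.example-shop.test", "203.0.113.140"),
    ("2015-04-12T10:00:00", "example-news.test", "192.0.2.40"),
    ("2015-04-12T10:05:00", "cdn1.example-news.test", "192.0.2.99"),
]


def registered_domain(fqdn):
    # Assumption: two-label registered domains. Production code should
    # consult the Public Suffix List instead.
    return ".".join(fqdn.split(".")[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def find_shadowed_domains(records, max_lifetime=timedelta(hours=24),
                          min_entropy=2.5, min_subdomains=3):
    """Return {parent domain: [suspicious subdomains]}.

    A subdomain is suspicious when it resolves only to addresses the apex
    and www names never use, is observed for a short time, and has a
    random-looking leftmost label. A parent is reported only when several
    such subdomains appear, matching the high-volume trait.
    """
    seen = {}  # fqdn -> (first_seen, last_seen, set of IPs)
    for ts, fqdn, ip in records:
        t = datetime.fromisoformat(ts)
        name = fqdn.lower().rstrip(".")
        first, last, ips = seen.get(name, (t, t, set()))
        seen[name] = (min(first, t), max(last, t), ips | {ip})

    # Baseline: addresses used by the owner's own apex and www records.
    baseline = defaultdict(set)
    for name, (_, _, ips) in seen.items():
        parent = registered_domain(name)
        if name in (parent, "www." + parent):
            baseline[parent] |= ips

    findings = defaultdict(list)
    for name, (first, last, ips) in seen.items():
        parent = registered_domain(name)
        if name in (parent, "www." + parent):
            continue
        label = name[: -len(parent) - 1].split(".")[0]
        off_site = ips.isdisjoint(baseline[parent])
        short_lived = last - first <= max_lifetime
        random_looking = label_entropy(label) >= min_entropy
        if off_site and short_lived and random_looking:
            findings[parent].append(name)
    return {p: sorted(n) for p, n in findings.items()
            if len(n) >= min_subdomains}


if __name__ == "__main__":
    for parent, subs in find_shadowed_domains(RECORDS).items():
        print(parent, "->", ", ".join(subs))
```

The long-lived mail host and the single dictionary-like cdn1 name are not reported, which shows why the traits are combined rather than used alone.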

Figure 6. Time to Detection for Angler Payload Dropped on April 24, 2015 (Angler payload Cryptowall 64864CBB45784DD9437F47; antivirus engines detecting the payload: 4/56, later 32/57; payload detected as “known bad”; time to detection less than 2 days; further payload activity; source: Cisco Security Research)

Encrypted Payloads Slow Time to Detection for Angler

Angler usually delivers an encrypted payload, which is often the ransomware Trojan Cryptowall. If not initially blocked, this payload can be identified only retrospectively, and time to detection of the threat can take days.

Once a payload is detected, the exploit kit’s authors, living up to their reputation for innovation, will quickly create a technique for delivering threats such as Cryptowall and evading antivirus solutions.

Figure 6 shows the time to detection for the Angler payload Cryptowall that was first dropped on April 24, 2015: 45784DD9437F47.

On the first day, only 4 of 56 antivirus engines deployed by VirusTotal had identified the new instance of malware. However, by April 27, 32 of 57 antivirus engines were detecting the threat.
- 2015-04-24 02:20:00 4/56 (4 of 56 antivirus engines deployed detected the payload)
- 2015-04-27 15:14:32 32/57 (32 of 57 antivirus engines deployed detected the payload)

Cisco identified the threat as “unknown” on April 24, and then analyzed and retrospectively convicted the threat (categorizing it as “known bad”) less than two days later.

See “Time to Detection: Defined,” on page 30, for more information on how we define and calculate time to detection.

Exploit Kit Authors Go High-Brow to Keep Landing Pages on the Down-Low

Some exploit kit authors are looking to early 19th-century literature to help conceal their 21st-century threats. Specifically, some adversaries are incorporating text from Jane Austen’s Sense and Sensibility into web landing pages that host their exploit kits.

The use of known works instead of random text is just one example of how threat actors are evolving their schemes to avoid detection.

Figure 7. Sample of Sense and Sensibility Text Used on Exploit Kit Landing Page (Source: Cisco Security Research)

Adding passages of classic text to an exploit kit landing page is a more effective obfuscation technique than the traditional approach of using random text. The use of text from more contemporary works such as magazines and blogs is another effective strategy. Antivirus and other security solutions are more likely to categorize the webpage as legitimate after “reading” such text.

For users, encountering unexpected references to beloved Austen characters such as Elinor Dashwood and Mrs. Jennings on a webpage may be perplexing but not a cause for immediate concern. But their lack of unease gives adversaries more opportunity to launch their exploits.

The Evolution of Ransomware: A Story of Innovation—and Lowering the Bar

In today’s flourishing malware economy, cryptocurrencies like bitcoin and anonymization networks such as Tor (see page 15) are making it even easier for miscreants to enter the malware market and quickly begin generating revenue. To become even more profitable while continuing to avoid detection, operators of crimeware, like ransomware, are hiring and funding their own professional development teams to create new variants and tactics.

Ransomware encrypts users’ files—targeting everything from financial files to family photos—and provides the keys for decryption only after users pay a “ransom.” Ransomware targets everyone from large companies to schools to individual users.

The malware is typically delivered through a number of vectors including email and exploit kits. The exploit kit Angler (see page 11), for example, is known to drop the Cryptowall payload. Cryptowall emerged after the original variant, Cryptolocker, was taken down by law enforcement in mid-2014.

Figure 8 depicts a sample message that users might receive when they encounter TeslaCrypt ransomware; TeslaCrypt pretends to be a derivative of Cryptolocker.

Figure 8. Example of On-Screen Message from TeslaCrypt Ransomware (Source: Cisco Security Research)

The ransom demanded is not exorbitant. Usually, a payment between 300 and 500 is required. Why such a modest fee? Adversaries who deploy ransomware have done their market research to determine the ideal price point. The idea is that the ransom is not set so high that a user won’t pay it or, worse, that it will motivate the user to contact law enforcement. Instead, the ransom is more of a nuisance fee. And users are paying up.

In fact, Cisco reports that nearly all ransomware-related transactions are carried out through the anonymous web network Tor (see page 15). Adversaries keep the risk of detection low, and profitability high, by using channels like Tor and the Invisible Internet Project (I2P). I2P is a computer network layer that allows applications to send messages to each other pseudonymously and securely. Many ransomware operations also have development teams that monitor updates from antivirus providers so that the authors know when a variant has been detected and it’s time to change techniques.

Adversaries rely on the cryptocurrency bitcoin for payments, so transactions are more difficult for law enforcement to trace. And to maintain a good reputation in the marketplace—that is, being known to fulfill their promise to give users access to their encrypted files after the payment has been processed—many ransomware operators have established elaborate customer support operations.

We have recently observed a number of customized campaigns that were designed to compromise specific groups of users, such as online gamers. Some ransomware authors have also created variants in uncommon languages like Icelandic to make sure that users in areas where those languages are predominantly spoken do not ignore the ransomware message.

Users can protect themselves from ransomware by backing up their most valuable files and keeping them isolated, or “air gapped” from the network. Users should also realize that their system could be at risk even after they pay a ransom and decrypt their files. Almost all ransomware is multivector. The malware may have been dropped by another piece of malware, which means the initial infection vector must still be resolved before the system can be considered clean.

For more on ransomware trends, see the Talos Group blog posts “Cryptowall 3.0: Back to Basics” and “Threat Spotlight: TeslaCrypt—Decrypt It Yourself.”

Tor Adopted by Cybercriminals to Hide Network Communication

Malware authors naturally attempt to evade detection and keep their server locations unknown. To do this, many use the anonymous web network Tor to relay command-and-control communications.

If security professionals detect Tor activity in their networks, they should correlate this finding with other possible indicators of malicious activity—such as downloads of unknown executable files or connections to exploit kit servers—to determine whether the Tor traffic is legitimate.

Our researchers have detected several instances where malware families—especially ransomware variants—were generating Tor traffic. Although Tor is often used within enterprises for legitimate purposes (for example, by security professionals), its presence can indicate that there is malware traffic on a network. Some of the qualities that attract legitimate users to Tor are also attractive to wrongdoers.

As Figure 9 shows, adversaries deploying the ransomware Cryptowall 2.0, as well as several malware families, are users of Tor. (See “The Evolution of Ransomware: A Story of Innovation—and Lowering the Bar,” page 13). The data comes from Cisco’s monitoring of customer networks and shows incidents where Tor was used within malware families between October 2014 and May 2015.

Figure 9. Malware Families Using Tor for Communications (Cryptowall 2.0, CryptoDefense, Lusy POS, CTBLocker, Fsysna, Cryptowall 3.0, Chanitor; source: Cisco Security Research)

Microsoft Office Macros Make a Comeback as Vehicle for Launching Exploits

The upswing in the use of Microsoft Office macros to deliver banking Trojans shows the convergence of two trends in the world of online criminals: resurrecting old tools or threat vectors for reuse, and changing the threat so quickly and frequently that they can relaunch attacks over and over again and evade detection.

The old tools used by the perpetrators of these Trojans are macros in Microsoft Office products such as Microsoft Word. Popular with adversaries years ago, these macros had fallen out of favor because they were eventually turned off by default. However, using social engineering techniques, bad actors can persuade users to turn on macros, thereby adding a new tactic to their toolboxes.

We studied two recent campaigns in which Dridex Trojans were delivered as attachments to emails—each sent to specific recipients—that purported to deliver invoices or other important documents. As of mid-2015, we are detecting new Dridex-related campaigns on a daily basis.

Dridex: Campaign 1

While the email subject lines in the first campaign (Campaign 1) attempted to fool recipients into thinking the attachments were crucial business documents, some of the emails themselves were blank. When the recipients opened the attachments, they saw a Word document filled with nonsense text.

Dridex: Campaign 2

Emails in the second campaign we analyzed (Campaign 2) included a message that appeared to be legitimate, referencing specific accounts and invoice numbers and claiming that the attached documents were invoices. But when recipients opened the Word attachment, they also saw nonsensical text, similar to what users in Campaign 1 encountered.

In both campaigns, as soon as an email recipient opened the attached Word document, malicious activity occurred: Behind the scenes, a macro used cmd.exe and PowerShell to download a malicious executable from a hardcoded IP address. In some campaigns that we observed, instructions were included to tell the user how to enable macros. Once the macros were enabled, Dridex could then attempt to steal logins and passwords to the victims’ bank accounts.

Our researchers noticed that the spam campaigns carrying the Dridex payload tended to be very short-lived—perhaps just a few hours long—and that they also mutated frequently, as an evasion tactic. While antivirus solutions perform useful security functions, they are not well suited to detecting these short-lived spam campaigns. By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments, and referrers. They then launch the campaign again, forcing antivirus systems to detect them anew. As seen in Figure 10 showing a DyrezaC malware campaign, antivirus updates can occur after a campaign has completed.

Figure 10. DyrezaC Can Work Faster than Antivirus Systems (malware activity level over time, Feb 19, 11:50 to 21:30; annotation: campaign peaked and adversaries move on to the next; source: Cisco Security Research)
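Two detection points from the text above can be combined in one host triage: the macro behavior described here (Word launching cmd.exe and PowerShell, followed by an executable download from a hardcoded IP address) and the earlier Tor advice to correlate Tor traffic with other indicators before judging it. This is an added example, not code from the Cisco report; the event schema, the upstream "tor" tag, the 30-minute window, and every event in EVENTS are constructed assumptions, and a raw-IP executable download stands in for an "unknown executable."

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed endpoint and proxy events. Field names are assumptions, and
# "tor" events are assumed to be tagged upstream (for example by matching
# destinations against a Tor relay list).
EVENTS = [
    {"ts": "2015-05-12T09:00:01", "host": "ws-17", "kind": "proc", "pid": 400, "ppid": 4, "image": "WINWORD.EXE"},
    {"ts": "2015-05-12T09:00:05", "host": "ws-17", "kind": "proc", "pid": 412, "ppid": 400, "image": "cmd.exe"},
    {"ts": "2015-05-12T09:00:06", "host": "ws-17", "kind": "proc", "pid": 431, "ppid": 412, "image": "powershell.exe"},
    {"ts": "2015-05-12T09:00:09", "host": "ws-17", "kind": "http", "pid": 431, "url": "http://203.0.113.50/invoice.exe"},
    {"ts": "2015-05-12T10:05:40", "host": "ws-22", "kind": "tor"},
    {"ts": "2015-05-12T10:09:00", "host": "ws-22", "kind": "http", "pid": 77, "url": "http://198.51.100.9/update.exe"},
    {"ts": "2015-05-12T14:30:00", "host": "lab-03", "kind": "tor"},
    {"ts": "2015-05-12T15:00:00", "host": "ws-30", "kind": "http", "pid": 90, "url": "http://downloads.example.test/setup.exe"},
]


def is_raw_ip_exe(url):
    """True when an .exe is fetched from a URL whose host is an IP literal."""
    parts = urlparse(url)
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False
    return parts.path.lower().endswith(".exe")


def office_ancestor(pid, procs):
    """Walk the parent chain from pid; return the Office image found, if any."""
    visited = set()
    while pid in procs and pid not in visited:
        visited.add(pid)
        image, ppid = procs[pid]
        if image in OFFICE:
            return image
        pid = ppid
    return None


def triage(events, window=timedelta(minutes=30)):
    """Return {host: (verdict, [findings])} for hosts with findings or Tor use."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    report = {}
    for host, evs in per_host.items():
        # pid -> (image, parent pid); PID reuse is ignored in this example.
        procs = {e["pid"]: (e["image"].lower(), e["ppid"])
                 for e in evs if e["kind"] == "proc"}
        findings = []  # (time, finding name)
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if (e["kind"] == "proc" and e["image"].lower() in SHELLS
                    and office_ancestor(e["ppid"], procs)):
                findings.append((t, "office_spawned_shell"))
            elif e["kind"] == "http" and is_raw_ip_exe(e["url"]):
                macro = office_ancestor(e.get("pid"), procs)
                findings.append((t, "macro_chain_exe_download" if macro
                                 else "exe_from_raw_ip"))
        tor_times = [datetime.fromisoformat(e["ts"])
                     for e in evs if e["kind"] == "tor"]
        names = sorted({name for _, name in findings})
        if any(abs(t - tt) <= window for t, _ in findings for tt in tor_times):
            names.append("tor_within_window")
        if names:
            report[host] = ("escalate", names)
        elif tor_times:
            # Tor alone may be legitimate use, so it is queued for review.
            report[host] = ("review", ["tor_only"])
    return report


if __name__ == "__main__":
    for host, (verdict, names) in sorted(triage(EVENTS).items()):
        print(host, verdict, names)
```

Because the process-lineage rule keys on behavior rather than on file or email content, it does not depend on an antivirus signature arriving before a short-lived campaign ends.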

This approach—combining spam, Microsoft Office macros, and Dridex—appeared to be catching on with cybercriminals during the first half of 2015. We examined 850 unique samples of the emails and attached Microsoft Office files carrying this Trojan, a relatively large number of unique examples for a spam campaign. The creators of these quickly mutating campaigns appear to have a sophisticated understanding of evading security measures. They are aware of the reliance on antivirus detection for these threats, and they work to make sure they avoid detection.

In the example in Figure 11, the image shows that several hours passed before antivirus engines started to detect the Dridex threat. Because the campaign lasted for about five hours, antivirus solutions provided protection only for the tail end of the campaign.

Since they may view macro exploits as a thing of the past, security professionals may not be prepared to defend their networks against these threats. The best defe
