The third quarter of 2015 (July – September) was a period of significant threat activity in the areas of Point of Sale (PoS) malware, vulnerabilities, and sophisticated Pawn Storm attacks. Our third quarter security roundup, "Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks," addresses all of these activities.
In the area of PoS malware, attacks increased, but attackers shifted their focus to small and medium-sized businesses (SMBs). Overall PoS malware attacks in this quarter nearly doubled compared with the second quarter (April – June) of 2015. SMBs accounted for 45 percent of overall PoS malware detections worldwide, with consumers coming in second at 27 percent; enterprises accounted for just 19 percent. This reflects a common pattern in financially motivated attacks: SMBs represent the "sweet spot" for attackers, with more money to steal than consumers but generally lacking the resources for the more advanced security countermeasures that enterprises have available. In the United States, the run-up to the October 1, 2015 EMV liability-shift deadline also likely plays a role, as larger organizations have the resources to pay for the upgrades needed to support EMV.
The third quarter was also an important one in terms of vulnerabilities. We saw multiple zero-day situations during this quarter, due mainly to the successful attack against the Hacking Team in July and the dumping of nearly 400 GB of their stolen data. Within that trove was information on multiple vulnerabilities that the Hacking Team had discovered (and was likely using in their tools). Once the data was dumped, vulnerability researchers, including those from Trend Micro, quickly set to work finding what vulnerabilities they could so that vendors could fix them promptly. In total, five new unpatched vulnerabilities were found in the Hacking Team trove, three of them by Trend Micro researchers. These vulnerabilities mainly affected Adobe Flash, but also Microsoft Windows. Unfortunately, attackers were also combing through the trove and were able to incorporate some of the vulnerabilities into exploit kits quickly, most notably the Angler Exploit Kit, which incorporated one of the Adobe Flash vulnerabilities within days of the data dump.
The Pawn Storm attackers continued to be active in the third quarter as well, and added to the quarter's zero-day situation. Trend Micro vulnerability researchers working with our Forward-Looking Threat Research Team (FTR) uncovered the first Java zero-day attack in nearly two years, used by the Pawn Storm attackers. We were able to work with Oracle to get this fixed quickly, but it also underscored how Flash and Java together remain prime targets for attackers. The Pawn Storm attackers also let us and the world know that they know we are following them: in the third quarter they redirected some of their Command and Control (C&C) traffic to an IP address on our network to send a message.
This is just a taste of the trends we outline in this quarter's threat report. The full report contains more details on these and other attack trends for the quarter.