HP Security Research | Cyber Risk Report 2015

Conclusion

Software vendors continue to make it more difficult for attackers through the implementation of security mitigations, but those mitigations aren't enough when they are built on decades-old code that is still inherently vulnerable. The one exception seems to be the success of Oracle's click-to-play mitigation in thwarting Java attacks. While it is more difficult for attackers to succeed, we are seeing very high success rates with exploits in the wild, which may indicate they were authored by professional exploit developers with advanced exploit development skills. The quality of exploits is improving and sometimes reveals a deep understanding of the nature of the vulnerability and of the internals of the target applications.

Malware and exploits

Year after year, exploits have been the main vector for a wide range of malware attacks. They serve as one of the early steps in achieving control over the target in a cyber-attack sequence. [56] Over the years we have seen hundreds of vulnerabilities exploited, with different applications and operating systems affected, ranging from Web browsers to multimedia apps and runtime environments such as Oracle Java.

Every year thousands of CVE numbers are issued for various vulnerabilities, but malicious actors are interested in the most serious class of vulnerabilities: the ones that allow the attacker to achieve remote code execution. HP Security Research, together with ReversingLabs, has a catalog of more than 100,000 exploits collected over the course of the year. In this Report we display and discuss 2014's top trends.

Top CVE-2014 numbers collected in 2014

The most common CVE-2014 exploit discovered by our teams is CVE-2014-0322. [57] First reported by FireEye in February, [58] CVE-2014-0322 exploits a use-after-free vulnerability in Internet Explorer and commonly uses an Adobe Flash stage to bypass exploit mitigations in Windows and deliver its final executable payload. The exploit was first seen in Operation SnowMan, which allegedly targeted U.S. government entities and defense companies.

CVE-2014-6332, [59] also known as the "Windows OLE Automation Array Remote Code Execution Vulnerability," is another vulnerability that attracted a lot of attention in the security community, especially because it had been present in various versions of Windows for over 18 years, [60] since the days of Windows 95. The exploit is delivered through VBScript, so it can only be delivered to Internet Explorer. It allows for an easy sandbox escape if combined with a routine that changes flags to disable Internet Explorer's Safe Mode.

In the wild, however, the exploit often uses a combination approach, similar to the delivery of CVE-2014-0322. The exploit is triggered by redimensioning an array to transfer control to Adobe Flash shellcode. This bypasses exploit mitigations, including older versions of Microsoft's Enhanced Mitigation Experience Toolkit (EMET). A specially crafted JPG image with an appended encrypted data buffer is loaded into memory which, when decrypted by shellcode present in the SWF file, drops and runs the final executable payload. [61]

56 http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
57 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322
58 https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
59 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332
60 http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/
61 http://researchcenter.paloaltonetworks.com/2014/11/addressing-cve-2014-6332-swf-exploit/