hp-security-research-cyber-risk-report-pdf-2-w-1408

Recommendations

Info

HP Security Research | Cyber Risk Report 2015ConclusionSoftware vendors continue to make it more difficult for attackers with the implementationof security mitigations, but they aren’t enough when they are built on decades-old code stillinherently vulnerable. The one exception seems to be the success of Oracle’s click-to-playmitigation in thwarting Java attacks. While it is more difficult for attackers to succeed, we areexperiencing very high success rates with exploits in the wild, which may indicate they wereauthored by professional exploit developers with high exploit development skills. The qualityof exploits is improving and sometimes reveals a deep understanding of the nature of thevulnerability and the internals of the target applications.Malware and exploitsYear after year, exploits have been the main vector for a wide range of malware attacks. Theyserve as one of the early steps in achieving control over the target in a cyber-attack sequence. 56Over the years we have seen hundreds of vulnerabilities exploited with different applicationsand operating systems being affected, ranging from Web browsers to multimedia apps and runtimeenvironments such as Oracle Java.Every year thousands of CVE numbers are issued for various vulnerabilities, but maliciousactors are interested in the most serious class of vulnerabilities—the ones that allow theattacker to achieve remote code execution. HP Security Research, together with ReversingLabs,has a catalog of more than 100,000 exploits collected over the course of the year. In this Reportwe display and discuss 2014’s top trends.Top CVE-2014 numbers collected in 2014The most common CVE-2014 exploit discovered by our teams is CVE-2014-0322. 57 Firstreported by FireEye in February, 58 CVE-2014-0322 exploits a use-after-free vulnerability inInternet Explorer and commonly uses an Adobe Flash stage to bypass exploit mitigationsin Windows to deliver its final executable payload. The exploit was first seen in OperationSnowMan, which allegedly targeted U.S. government entities and defense companies.CVE-2014-6332, 59 also known as “Windows OLE Automation Array Remote Code ExecutionVulnerability,” is another vulnerability that attracted a lot of attention in the securitycommunity, especially because the vulnerability has been present in various versions ofWindows for over 18 years, 60 since the days of Windows 95. The exploit is delivered through VBScript, so it can only be delivered to Internet Explorer. It allows for an easy sandbox escape ifcombined with a routine that changes flags to disable Internet Explorer’s Safe Mode.In the wild, however, the exploit often uses a combination approach, similar to the deliveryof CVE-2014-0322. The exploit is triggered by redimensioning an array to transfer control toAdobe Flash shellcode. This bypasses exploit mitigations, including older versions of Microsoft’sEnhanced Mitigation Experience Toolkit (EMET). A specially crafted JPG image with an appendedencrypted data buffer is loaded into memory space which, when decrypted by shellcode presentin the SWF file, drops and runs the final executable payload. 6156http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf.57http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322.58https://www.fireeye.com/blog/threatresearch/2014/02/operation-snowmandeputydog-actor-compromises-us-veterans-offoreign-wars-website.html.59http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332.60http://securityintelligence.com/ibm-x-forceresearcher-finds-significant-vulnerability-inmicrosoft-windows/.61http://researchcenter.paloaltonetworks.com/2014/11/addressing-cve-2014-6332-swfexploit/.18
HP Security Research | Cyber Risk Report 2015Figure 1. Top discovered CVE-2014 exploitsCVE-2014-0322 Microsoft Internet Explorer 36%CVE-2014-0307 Microsoft Internet Explorer25%CVE-2014-0515 Adobe FlashCVE-2014-4114 Microsoft Windows11%10%CVE-2014-1761 Microsoft Office7%CVE-2014-1776 Microsoft Internet ExplorerCVE-2014-0496 Mozilla FirefoxCVE-2014-6332 Microsoft WindowsCVE-2014-0497 Adobe FlashCVE-2014-0502 Adobe FlashOthers3%2%1%1%1%3%0% 5% 10% 15% 20% 25% 30% 35% 40%Top CVE-2014 for malware attacksAs discussed above, of the top 10 CVE-2014 exploits seen, none of them targets Java, one ofthe most commonly exploited targets in previous few years. This may indicate that the securitypush, 62 which caused delay in the release of Java 8, is getting some results, although it maybe too early to tell. It may also be a consequence of browser vendors blocking outdated Javaplugins 63 by default, making the platform a less attractive target for attackers.The breakdown of the top 10 discovered exploits over different applications is as follows. Fourexploits are delivered through Internet Explorer; these four together account for almost twothirdsof all CVE-2014-based exploits discovered this year, Two Windows exploits are deliveredusing Microsoft Office files, three using Adobe Flash, and one through Adobe Reader.In-depth analyses of CVE-2014-0505, 64 CVE-2014-1761, 65 CVE-2014-4114, 66 and CVE-2014-1776 67 have been published on the HP Security Research blog over the course of the year.62http://threatpost.com/does-java-8-delay-mean-oracle-finally-serious-aboutsecurity/99908.63http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-beginsblocking-out-of-date-activex-controls.aspx.64http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Technical-Analysis-of-CVE-2014-0515-Adobe-Flash-Player-Exploit/bap/6482744.65http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Technical-Analysis-of-CVE-2014-1761-RTF-Vulnerability/ba-p/6440048.66http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Technical-analysis-of-the-SandWorm-Vulnerability-CVE-2014-4114/ba-p/6649758.67http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/The-mechanism-behind-Internet-Explorer-CVE-2014-1776-exploits/ba-p/6476220.19
Page 1 and 2: BrochureHP SecurityResearchCyber Ri
Page 3 and 4: HP Security Research | Cyber Risk R
Page 17: HP Security Research | Cyber Risk R
Page 68 and 69:
HP Security Research | Cyber Risk R
Page 70 and 71:
Page 72 and 73:
Page 74:
show all

hp-security-research-cyber-risk-report-pdf-2-w-1408

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?