Surge in mobile exploits and shell command injection attacks

IBM released the results of its X-Force 2011 Trend and Risk Report which shows surprising improvements in several areas of Internet security such as a reduction in application security vulnerabilities, exploit code and spam.

Attackers today are being forced to rethink their tactics by targeting more niche IT loopholes and emerging technologies such as social networks and mobile devices.

The report revealed a 50 percent decline in spam email compared to 2010; more diligent patching of security vulnerabilities by software vendors with only 36 percent of software vulnerabilities remaining unpatched in 2011 compared to 43 percent in 2010; and higher quality of software application code, as seen in web-application vulnerabilities called cross site scripting half as likely to exist in clients’ software as they were four years ago.

In light of these improvements, it seems attackers are evolving their techniques. The report uncovers a rise in emerging attack trends including mobile exploits, automated password guessing, and a surge in phishing attacks. An increase in automated shell command injection attacks against web servers may be a response to successful efforts to close off other kinds of web application vulnerabilities.

Nick Bradley, senior manager, IBM Global Security Operations, comments for Help Net Security: “While the findings of our X-Force 2011 Trend and Risk Report show surprising improvements in several areas of Internet security, new technologies such as mobile and cloud computing also continue to create challenges for enterprise security. The changing threat landscape really shows that security needs a new, holistic approach with a layer of intelligence and analytics.”

According to the report, there are positive trends as it appears companies implemented better security practices in 2011:

Thirty percent decline in the availability of exploit code – When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30 percent fewer exploits were released in 2011 than were seen on average over the past four years. This improvement can be attributable to architectural and procedural changes made by software developers that help make it more difficult for attackers to successfully exploit vulnerabilities.

Decrease in unpatched security vulnerabilities – When security vulnerabilities are publicly disclosed it is important that the responsible software vendor provide a patch or fix in a timely fashion. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years. In 2011 this number was down to 36 percent from 43 percent in 2010.

Fifty percent reduction in XSS vulnerabilities due to improvements in software quality – The IBM X-Force team is seeing significant improvement in the quality of software produced by organizations that use tools like IBM AppScan OnDemand service to analyze, find, and fix vulnerabilities in their code. IBM found XSS vulnerabilities are half as likely to exist in customers’ software as they were four years ago. However, XSS vulnerabilities still appear in about 40 percent of the applications IBM scans. This is still high for something well understood and able to be addressed.

Decline in spam – IBM’s global spam email monitoring network has seen about half the volume of spam email in 2011 that was seen in 2010. Some of this decline can be attributed to the take-down of several large spam botnets, which likely hindered spammers’ ability to send emails. The IBM X-Force team witnessed spam evolve through several generations over the past seven years as spam filtering technology has improved and spammers have adapted their techniques in order to successfully reach readers.

Even with these improvements, there has been a rise in new attack trends and an array of significant, widely reported external network and security breaches. As malicious attackers become increasingly savvy, the IBM X-Force documented increases in three key areas of attack activity:

Attacks targeting shell command injection vulnerabilities more than double – For years, SQL injection attacks against web applications have been a popular vector for attackers of all types. SQL injection vulnerabilities allow an attacker to manipulate the database behind a website. As progress has been made to close those vulnerabilities – the number of SQL injection vulnerabilities in publicly maintained web applications dropped by 46 percent in 2011- some attackers have now started to target shell command injection vulnerabilities instead. These vulnerabilities allow the attacker to execute commands directly on a web server. Shell command injection attacks rose by two to three times over the course of 2011. Web application developers should pay close attention to this increasingly popular attack vector.

Spike in automated password guessing – Poor passwords and password policies have played a role in a number of high-profile breaches during 2011. There is also a lot of automated attack activity on the Internet in which attacks scan the net for systems with weak login passwords. IBM observed a large spike in this sort of password guessing activity directed at secure shell servers (SSH) in the later half of 2011.

Increase in phishing attacks that impersonate social networking sites and mail parcel services – The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven’t been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.