Invincea detected and blocked malvertising attacks representing 2.1 million malicious advertisements, which on an annualized basis are estimated to cause more than $1 billion of damage. With two million users running Invincea Advanced Endpoint Protection globally, Invincea has a view into the latest attack techniques, such as just-in-time (JIT) on-host malware assembly.
"Our latest research shows the relentless innovation of threat actors’ techniques that in turn highlights the inadequacy of most organizations’ network defenses," said Invincea Founder and CEO Anup Ghosh. "This is consistently leading to intellectual property loss, costly remediation, loss of employee productivity, and reputational harm."
Online attacks against employees and other end users remain the most effective way to compromise an organization due to the consistent success of spear phishing campaigns and malvertising, and the relative ease of compromising web servers to distribute malware.
"The endpoint is today the pivotal battleground in security, as both traditional anti-virus and newer network security controls are blind to now common attack techniques used in pervasive cyber crime, industrial espionage, and nation-state campaigns," Ghoshnoted.
Invincea’s report noted that common threats are consistently defeating layered security measures such as network sandboxes, next-generation firewalls, Web URL filters and proxies, and traditional anti-virus solutions.
Key trends identified in the report include:
The billion dollar malvertising problem: Invincea detected and blocked approximately 2,100 malvertising attacks against customers, representing 2.1 million malicious advertisements. Invincea estimated this caused $525 million of damage in repair and recovery expense, excluding the impact of any data breaches.
On an annualized basis, the malvertising campaigns Invincea observed generate more than $1 billion in damage per year. Malvertising was observed affecting visitors of major Web sites including The Weather Channel, eBay UK, Zillow, and many more.
The rapid emergence of just-in-time (JIT) malware assembly: By creating malware from seemingly benign components directly on target endpoints, JIT assembly bypasses network sandbox defenses that look for complete executables in network traffic.
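The detection gap behind JIT assembly can be shown with a constructed toy, added here as an illustration (not Invincea's code, and not a real malware sample): a stand-in for a Windows PE image is cut into fragments that are fetched separately, a network-side check that only fires on a complete MZ/PE header never triggers on any single fragment, and the header structure only reappears once the endpoint joins the pieces. The byte layout, the split sizes and the function names are all assumptions of this example.

```python
# Constructed toy illustration (added example, not Invincea's code or a real sample)
# of the detection gap behind just-in-time on-host malware assembly: a network
# sandbox that classifies objects by looking for a complete executable never sees
# one, because every fragment crossing the wire is incomplete; only the endpoint,
# where the pieces are joined, can observe the finished file.
import hashlib

DOS_HEADER_LEN = 0x40          # size of the legacy MZ header
E_LFANEW_OFFSET = 0x3C         # offset of the pointer to the PE signature


def build_fake_pe() -> bytes:
    """Stand-in for a Windows PE image: MZ header, e_lfanew -> 'PE\\0\\0', then filler.
    It carries no code at all; only the header structure matters for this demo."""
    dos = bytearray(b"MZ" + b"\x00" * (DOS_HEADER_LEN - 2))
    dos[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = DOS_HEADER_LEN.to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x90" * 64


def looks_like_pe(blob: bytes) -> bool:
    """The check a file-type based network sandbox applies to each object it sees:
    a complete MZ header whose e_lfanew points at an intact PE signature."""
    if len(blob) < DOS_HEADER_LEN or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def split_for_delivery(payload: bytes, parts: int) -> list:
    """Cut the payload into `parts` fragments, each fetched as a separate, innocuous
    looking object; the header structure is split across fragment boundaries."""
    size = -(-len(payload) // parts)          # ceiling division
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def network_sandbox_verdicts(fragments: list) -> list:
    """Verdict per fragment, as the network-side check would produce them."""
    return [looks_like_pe(f) for f in fragments]


def assemble_on_host(fragments: list) -> bytes:
    """The endpoint side: the innocuous pieces are joined back into the executable."""
    return b"".join(fragments)


def endpoint_verdict(assembled: bytes) -> tuple:
    """What an endpoint control can see that the network cannot: the complete file,
    plus a hash usable as an indicator once the sample is known."""
    return looks_like_pe(assembled), hashlib.sha256(assembled).hexdigest()


if __name__ == "__main__":
    sample = build_fake_pe()
    pieces = split_for_delivery(sample, 4)
    print("network sandbox sees an executable in any fragment:",
          any(network_sandbox_verdicts(pieces)))
    print("endpoint sees an executable after assembly:",
          endpoint_verdict(assemble_on_host(pieces))[0])
```

The point of the split is that the property being checked (a complete header) is not present in any one object on the wire, so inspecting objects independently cannot recover it; the same holds for any network control whose verdict is per-object rather than per-session, which is why the report frames the endpoint as the place where the assembled artifact has to be caught.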
Advancement of weaponized Microsoft Office documents: Word, Excel and PowerPoint vulnerabilities were exploited by multiple criminal gangs via weaponized documents sent in spear phishing emails during the first half of 2015.
Reflecting a "plug and play" level of exploit commercialization, multiple threat actors were observed delivering Dridex, Dyreza, Pony, Zeus and Zbot malware families through this vector.
White House and Anthem breaches (advanced adversaries with common approaches): Spear phishing initiated attacks against the White House and health insurer Anthem shared key common attributes. In each, employees were lured into clicking on malicious content that enabled the threat actors to gain a crucial beachhead on the targeted networks.
Once the malicious attachments were opened, Trojan backdoors were silently installed on the endpoints. These incidents show that highly security-aware users are still fallible, and that even advanced adversaries do not necessarily use zero-day exploits when a far simpler approach, spear phishing with known exploits, can be just as effective.
Invincea’s analysis shows not only were the Anthem and White House attack vectors nearly identical, but the malware employed in each attack was also similar, although customized to avoid detection by traditional security tools. This raises the question of whether two different advanced threat actors used largely off-the-shelf malware.