By Grace Zeng
Summary: SilverSky provides managed security services (MSS) to financial institutions of all sizes. In this report, we summarize security incidents based on data collected from 925 financial institution customers in the first half of 2013. During that period, SilverSky detected and reported 1,513 likely and confirmed compromises. Sixty-seven percent of large institution customers experienced at least one security incident, compared to 57 percent of mid-sized and 40 percent of small institutions. In total, 437, or 47 percent, of financial institutions suffered at least one likely or confirmed compromise, a four percent decline from 2H 2012. Large institutions, on average, had six incidents, compared to four in mid-sized and three in small institutions. Similar to 1H 2012, incidents tended to happen more frequently in spring and summer than in winter. We also observed that about 54 percent of threats and attacks originated from inside the United States. Most of the offending sources were websites hosting malicious content such as exploit kits and malware executables. Over a quarter of the incidents were exploit-kit related. For the third time in a row, the Blackhole exploit kit topped the threat list.
In the first half of 2013, SilverSky continued to process about 15 billion raw security events on a monthly basis. These events narrowed down to approximately 150,000 potential security incidents, among which about 6,000 were investigated by SilverSky analysts and categorized into low-, medium- and high-severity incidents. The majority of recorded incidents were information-gathering or reconnaissance-related activities (low-severity), and a small number of incidents were likely or confirmed system compromises (medium- and high-severity). This threat report is entirely focused on these medium- and high-severity incidents.
Figure 1: Number of Incidents and Percentage of Affected Institutions
The left graph in Figure 1 shows that in the first half of 2013 the number of incidents declined compared to last year, even though the customer base under study expanded (right graph). From the right graph, we can see that the percentage of affected financial institutions decreased from 56 percent in 1H 2012 to 47 percent in 1H 2013, indicating that fewer financial customers experienced security incidents. Our readers may find this surprising, as headlines lead us to believe the number of security incidents continues to grow exponentially. However, our research shows that customers became savvier at blocking access to unrated domains in their Web content filtering, which greatly reduced the number of client-side attacks during this period. Note that a majority of likely and confirmed compromises are the result of client-side attacks, i.e. users are enticed to visit malicious Web pages that deliver exploit code or disguised malware executables. We noticed that most of these malicious domains belong to the unrated category, and many customers used to allow Web traffic to this category. In the past year and a half, we have increasingly recommended that customers block access to unrated domains. This preventive measure has proven effective. Another reason for this decrease is that many attackers tend to repeat their tactics, and though an end user may be fooled once, they are rarely fooled twice. 2012 witnessed the emergence and evolution of multiple exploit kits, and they continued to circulate in the wild in the first half of 2013. Through our detection and reporting, customers became more aware of such threats and are less likely to fall victim to them again. It is therefore encouraging to see the declining trend in incidents.
In the first half of 2013, the SilverSky security team detected and reported 1,513 likely and confirmed compromises to 437 financial institutions. From a monthly perspective, the number of incidents kept growing from January to June in 2013, similar to the trend in the first half of 2012. Threats and attacks tend to hit customers more in spring and summer than in fall and winter.
Figure 2: Incident Distribution by Month
Financial institution customers in this study (925 in total) include banks, credit unions, savings and loans as well as insurance companies. Among them, 63 percent are small institutions (defined as having assets of less than $250 million); 28 percent are mid-sized institutions (between $250 million and $1 billion); and 9 percent are large institutions (above $1 billion). Figure 3 illustrates the distribution of incidents across SilverSky’s customer base. The vertical axis shows the percentage of financial institutions that had at least n incidents in the first half of 2013. The horizontal axis displays n. 437 financial customers experienced 1,513 incidents. Forty-seven percent of financial customers suffered from at least one incident, a four percent decline from the previous half year. One institution — the outlier at the right side of the chart — had 43 incidents.
Figure 3: Incident Distribution Across All Financial Customers
As observed in previous reports, larger institutions are more likely to be attacked. In 1H 2013, 67 percent of large financial customers experienced at least one incident, a four percent increase from 2H 2012. Fifty-seven percent of mid-sized and 40 percent of small institutions experienced at least one incident, a three to four percent decline. On average, each affected institution suffered three incidents.
Figure 4: Percentage of Institutions with Incidents
Of the top 10 customers that had the most security incidents, two are small (assets less than $250 million) and five are large (assets greater than $1 billion) institutions. On average, each large institution had six incidents; each mid-sized institution had four; and each small institution had three. Over time, larger institutions have been increasingly targeted because of their larger attack surfaces and the larger potential financial rewards for attackers. On the other hand, smaller institutions have limited resources, making them especially vulnerable to attacks; attackers are likely to have a higher success rate going after them.
Table 1: Average Number of Incidents by Institution Size
Table 2: Top 10 countries
The offending IP addresses behind these security incidents were distributed across 49 countries around the world. The heat map (Figure 5) shades countries by number of offending IPs. From Table 2 we can see that about 54 percent of attacks and threats originated from inside the United States. Germany and China rank second and third, at six percent each. Note that financial institutions in our study are almost all based in the U.S. In many institutions, traffic to or from non-U.S. IP address ranges is proactively blocked, and such traffic will not lead to medium- or high-severity incidents. On the other hand, a lot of malicious content is hosted on legitimate U.S. sites/domains, which are not blocked by customers. That is the primary reason why we observed a disproportionate number of offending sources from the U.S. We will show a detailed malicious activity breakdown by country next.
Figure 5: Geographic Distribution of Offending Sources
At the country level, we further examined incidents to see what specific malicious activities were carried out at these offending IP addresses. In particular, we studied the top three countries (Figure 6): United States, Germany and China. Malicious activities consist of five main categories: serving exploit kits, hosting other malicious content such as disguised malware executables, botnet command and control, launching vulnerability scans and forced login attempts. Other malicious activities such as code injection and file inclusion attacks only accounted for a small percentage, so they were classified as “others” without distinction. As we can see, across all incidents, offending IPs in the U.S. primarily served exploit kits (29.7 percent) and launched vulnerability scans (29.7 percent), and also had a fair share of hosting other malicious content (19 percent). Offending IPs in Germany conducted malicious activities similar to those in the U.S.; the top three categories are hosting malicious content, serving exploit kits and launching scans. Interestingly, offending IPs in China were dedicated to launching forced login attempts (57.1 percent) and scans (40.5 percent); none of the incidents involved serving exploit kits or other malicious content. The primary reason is that many financial institutions have geo-blocking in place to deny traffic to countries such as China and Russia, preventing their end users from reaching sites/domains in these countries in the first place.
Figure 6: Malicious Activity Breakdown by Country
In the first half of 2013, old and new threats coexisted on the top ten list (Table 3). For the third time in a row, the Blackhole exploit kit was the top Web threat. Newly surfaced threats, including Darkleech and BlackDragon (a Blackhole Exploit Kit 2.0 offspring), also led to exploitation. In fact, over a quarter of incidents were exploit-kit related. Infamous botnets such as Palevo and Zeus were still active and kept plaguing our customers.
Table 3: Top 10 Threats
We have described how the Blackhole exploit kit works in previous reports. Darkleech and BlackDragon work in a similar fashion: a variety of exploit code resides on servers controlled by attackers and is delivered to end users via a landing page on the server. How does a user get to this landing page? It normally involves redirection. For example, a user visits a compromised Web page or clicks a malicious link in a spam message, and the page or link redirects the user (usually via <iframe> tags) to the landing page of the exploit kit server. This landing page then delivers multiple exploits targeting vulnerabilities in software such as Adobe Flash, Adobe Reader and Java.
Darkleech emerged in early 2013 and specifically targeted Apache Web servers. After gaining root privileges on a target server, attackers loaded the Darkleech module, which dynamically injected iframe elements into Web pages at the time they were visited, making detection and removal difficult. These iframes then sent end users to the exploits. It was reported that Darkleech had infected more than 20,000 websites in just a few weeks.
At present, exploit kits are the most prevalent Web threat and they evolve rapidly. Attackers constantly add zero-day exploits and keep launching email campaigns that lead to these exploit kits. In the wake of such threats, the SilverSky Security Operations Center (SOC) has acted quickly by creating SIEM correlations to detect traffic to domains that lead to or host exploit kits. The SOC team also continuously updates correlations for existing threats as more information regarding malicious domains, IPs and file lists becomes available. While exploit kits are a major concern, we also want to stress that many attacks and threats continue to originate from social-engineering emails. Customers should avoid opening or clicking on anything in unsolicited emails. SilverSky’s industry-leading Email Protection Suite (EPS) with advanced data loss prevention (DLP) is fully integrated and built on a single cloud management platform, providing our customers with unified security and control over both their inbound and outbound corporate messaging. It delivers best-of-breed spam and virus detection and effectively blocks spam and malware-infested emails at the gateway, protecting end users from exploit-kit threats at the earliest stage.
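As an added illustration (not SilverSky's SIEM content or code), the following Python correlation runs over constructed Web proxy log lines and flags the redirection chain described above: a page on one site refers the client to a landing page in the unrated category, and that same host then serves Java, PDF, Flash or executable payloads within a short window. The log format, field names, the 30-second window and the payload content types are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the report); fields:
# timestamp client method url status content-type referer category
LOG = """\
2013-03-04T10:15:01 10.1.2.3 GET http://news.example.com/story.html 200 text/html - News
2013-03-04T10:15:02 10.1.2.3 GET http://cdn-stats.example.net/land.php 200 text/html http://news.example.com/story.html Unrated
2013-03-04T10:15:04 10.1.2.3 GET http://cdn-stats.example.net/x.jar 200 application/java-archive http://cdn-stats.example.net/land.php Unrated
2013-03-04T10:15:09 10.1.2.3 GET http://cdn-stats.example.net/w.exe 200 application/octet-stream http://cdn-stats.example.net/land.php Unrated
2013-03-04T11:00:00 10.1.2.9 GET http://docs.example.org/guide.pdf 200 application/pdf http://docs.example.org/ Business
"""
# Content types typical of exploit-kit payloads (Java, Reader, Flash, dropped executables)
PAYLOAD_TYPES = {"application/java-archive", "application/pdf",
                 "application/x-shockwave-flash", "application/octet-stream"}
WINDOW = timedelta(seconds=30)  # assumed correlation window after the landing page

def host_of(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1) if m else None  # "-" (no referer) yields None

def parse(line):
    ts, client, _method, url, _status, ctype, referer, category = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "host": host_of(url), "ctype": ctype, "referer": referer,
            "category": category}

def find_exploit_chains(log_text):
    """Return (client, landing_host, [payload urls]) for every client referred from
    another site to an Unrated landing page that then served payloads within WINDOW."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse(line)
            by_client[e["client"]].append(e)
    chains = []
    for client, evs in by_client.items():
        for i, landing in enumerate(evs):
            ref_host = host_of(landing["referer"])
            if (landing["category"] != "Unrated" or landing["ctype"] != "text/html"
                    or ref_host is None or ref_host == landing["host"]):
                continue  # not a cross-site hop onto an unrated HTML page
            payloads = [e["url"] for e in evs[i + 1:]
                        if e["host"] == landing["host"]
                        and e["ctype"] in PAYLOAD_TYPES
                        and e["ts"] - landing["ts"] <= WINDOW]
            if payloads:
                chains.append((client, landing["host"], payloads))
    return chains
```

The same logic expressed as a SIEM rule keys on the proxy's category field for the landing request and on the content type of follow-on requests from the same client to the same host; the PDF fetch from a rated business site is deliberately left unflagged.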
Although the threat landscape is constantly evolving, there are only two ways that malware can get onto a victim’s computer: via a user-initiated infection (the user is tricked into installing the malware) or via vulnerability exploits that infect silently. SilverSky strives to stop threats and attacks of both types. SilverSky’s Email Protection Suite (EPS) with advanced Data Loss Prevention (DLP), Managed Email Services, Network Protection Suite and Managed Security Services work together to deliver a powerful, multi-layered defense framework to protect our customers. Nevertheless, we can’t stress enough the importance of security fundamentals. As described in this report, most compromises we detected involved some kind of user interaction. Considering the variety and number of current exploits in the wild, customers should: