Bad Ads and Zero-Days: Reemerging Threats Challenge Trust in Supply Chains and Best Practices

At the beginning of 2015, we were faced with a paradox: none of the prominent threats were new—the schemes and attacks we saw used very common cybercriminal tactics—and yet they were all still so effective. Regardless of how well individuals and organizations implemented basic security measures, the simplest of blind spots had left them exposed. Who knew online and mobile ads, over-the-counter transactions, and even basic Word documents could still cause so much trouble?

Online advertising attacks shatter trust in the "supply chain"

Complete and blind trust in third-party vendors or service providers can put online users at risk. Cybercriminals used infected online ads to deliver the BEDEP malware, which downloads itself automatically when the ads are displayed. Lenovo® indirectly enabled man-in-the-middle (MitM) attacks by packaging Superfish, a visual search technology that exhibits adware behaviors, in its consumer-grade laptops. Meanwhile, mobile attackers hid the adware “MobiDash” (also known as “MDash”) in apps on Google Play™ and used it to display ads that compromise mobile users' safety.

These attacks exploit online advertising systems and reveal security gaps in the “supply chain.” This exposes site visitors to threats, and could potentially damage the reputations of web administrators.

[Read: Malvertising: When Online Ads Attack]

How malvertising works

How Online Advertising Works Diagram

How Online Malvertising Works Diagram

For regular people, malvertisements represent one of the worst threats out there. More than any other threat, malvertisements can hurt people even when they’re doing all the right things. Malvertisements can affect people who don’t click on links, who are fully updated for all security patches and only go to trusted sites. In short, there’s no amount of caution that can protect you from malvertisements: just luck. – Christopher Budd (Global Threat Communications Manager)

Crypto-ransomware breaks into the enterprise

Crypto-ransomware numbers are still rising. Infection counts quadrupled from 1,540 in Q1 2014 to 7,844 in Q1 2015. Crypto-ransomware infections make up almost half (49%) of the total ransomware volume found as of last quarter.

Number of Ransomware Infections

The rise of crypto-ransomware numbers will likely continue. Using ransomware is a great way to immediately monetize a malware infection. Compared to getting $500 USD (approx.) right now to set up a botnet, rent out the infected user, steal banking credentials, and get money out of bank accounts, ransomware infections are more immediate. On average, it gets significantly more money per malware infection. – Jon Oliver (Senior Architecture Director)

Notably, work files are continually being held for ransom. Certain crypto-ransomware variants have routines that directly target enterprises. The TorrentLocker copycat CryptoFortress can encrypt files on network shares, a resource-sharing setup typical of enterprise networks.

Meanwhile, Ransomweb (CRYPWEB) can encrypt websites and web servers. Although similar routines were seen last year, the emergence of two new ones further establishes enterprises as crypto-ransomware targets.

A new crypto-ransomware variant, CRYPAURA, can encrypt over a hundred file types. Meanwhile, Teslacrypt targets online gamers. By using the “freemium” model to establish good faith, cybercriminals were able to trick gamers before going in for the kill.

[Read: Crypto-Ransomware Sightings and Trends for 1Q 2015]

Given the rise of crypto-ransomware numbers and its apparent expansion to cover enterprise targets, there is more reason for individuals and companies to strengthen backup systems and ensure that their files are protected.

[Take the Quiz: How Would You Fare in an Actual Data Disaster?]

Macro malware, prime model for old threats vs new users

Knowing is always half the battle. The continued surge of macro malware shows that each new generation of users needs to look back at old threats; unfamiliarity with them is exactly what attackers exploit. Macros automate repetitive tasks in Microsoft Office® to save time, but they have been disabled by default since Office 2003 to keep malware from using them.

Number of Macro Malware infections as of 1Q 2015

Microsoft has changed their implementation of macros in Office documents when they upgraded their format from .DOC to .DOCX, but macros are still executable. In the past, cybercriminals would use social engineering to get users to run malicious macros in documents. Today, they also exploit vulnerabilities in Office to run the macro. – Numaan Huq (Senior Threat Researcher)

Do note that users need to enable the macro feature for the malware to work. Last quarter, cybercriminals sent email attachments and instructed their victims to enable macros in order to read them. This allowed the download of the banking malware VAWTRAK. The BARTALEX Trojan also used spammed messages and embedded macros to spread automatically on user systems.

The use of macros may also be seen as an attempt to bypass traditional antimalware solutions. Macros used in these threats are often obfuscated, allowing them to pass through spam filters or scanners, which are better at detecting executable programs than macros. Macros that are enabled using batch files are also difficult to detect. Sandboxing may not work either, because of the obfuscation or because users were already explicitly asked to agree to enable the macro, unknowingly allowing the malware to run on their systems.
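As an added example (not from the report), the following Python check shows how a mail gateway or analyst can tell whether an OOXML document carries a VBA project at all, the first question to ask of an attachment like the ones described above. The sample packages are constructed in memory and are not real Word files; the two content-type strings are the real OOXML identifiers. It only reports presence: reading the macro code itself requires an MS-OVBA decompressor such as oletools' olevba.

```python
import io
import zipfile

# Real OOXML content types: the first marks a macro-enabled Word document,
# the second is the part type of the embedded VBA project itself.
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-style package (not a real Word file)."""
    main_type = MACRO_MAIN_TYPE if with_macros else PLAIN_MAIN_TYPE
    content_types = (
        '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        + (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_TYPE}"/>' if with_macros else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for an OLE2 vbaProject.bin (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder VBA project")
    return buf.getvalue()


def inspect_office_document(data: bytes) -> dict:
    """Report whether a zipped Office document carries a VBA project."""
    result = {"vba_part": None, "macro_enabled_type": False, "declared_vba_part": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for n in names:
            if n.lower().endswith("vbaproject.bin"):   # the part that stores VBA code
                result["vba_part"] = n
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_type"] = MACRO_MAIN_TYPE in ct
            result["declared_vba_part"] = VBA_PART_TYPE in ct
    return result


def contains_macros(data: bytes) -> bool:
    """True if any signal of a VBA project is present (part or declaration)."""
    r = inspect_office_document(data)
    # A VBA part that the content types do not declare is still worth flagging.
    return r["vba_part"] is not None or r["macro_enabled_type"] or r["declared_vba_part"]
```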

FREAK flaw reveals issues with missing vulnerability patches

The FREAK vulnerability arrives hard on the heels of last year’s widely covered flaws Shellshock, Heartbleed, and POODLE. FREAK is a flaw that affects the Transport Layer Security/Secure Sockets Layer (TLS/SSL) authentication protocol used by countless sites and browsers, including roughly 10% of top domains as well as the Android and Safari web browsers. Named for the technique it relies on, Factoring RSA Export Keys, the bug forces a secure connection to fall back to weaker export-grade encryption—making it easy for cybercriminals to decrypt sensitive information.

Because the FREAK flaw has existed for decades and takes advantage of code written years ago, it revives questions about vulnerability disclosure. The lack of direct accountability for patching these flaws makes it harder for IT administrators to mitigate risks. Such issues call for third-party solutions that independently and proactively research vulnerabilities in existing systems, to shorten the exposure window and avoid exploits.

[Read: Developing Timeless Protection: Not Just for Zero-Day or Legacy Vulnerabilities]

The past quarter also introduced Ghost, a buffer overflow vulnerability affecting Linux operating systems. Although initially thought to be a serious source of concern, this flaw has already been patched, leaving a very limited attack surface.

Top Web Application Vulnerabilities Found in 1Q 2015


  • Internal IP address leaked
    Can disclose information about internal networks’ IP-addressing scheme

  • Local path disclosure
    May give attackers an idea of webroot folders and other paths that they can use to craft customized attacks

  • Include file source code disclosure
    Allows attackers to gain access to and abuse sensitive application logic found in source code

  • Directory indexing
    Affects Web servers that display the index page of their virtual directory/subdirectory when accessed by user agents

  • Detailed application error messages
    Allows attackers to gain access to sensitive information, including internal Web application logic

  • Sensitive form data transmitted without Secure Sockets Layer (SSL)
    Allows attackers to obtain sensitive data transmitted via applications that do not use SSL

  • Nonpersistent cross-site scripting (XSS)
    Allows attackers to inject malicious scripts (generally client-side) into Web applications

  • Path traversal
    Exploits insufficient input validation in Web applications; also known as “dot dot slash” or “directory traversal” attacks

  • Possible sensitive resource found
    Allows attackers to obtain information on resources that may or may not be linked to applications’ structure (old backup, server configuration, server/database log, database configuration, etc.)

  • SQL injection
    Presents serious threats to any database-driven Web application


iOS, Healthcare industry targeted in recent cyber attacks and data breaches

The past quarter highlighted two notable trends observed in targeted attacks and data breaches: healthcare organizations as targets, and iOS™ devices as attack vectors.

The value of healthcare data was not lost on the perpetrators of separate data breaches against health insurers Anthem and Premera Blue Cross. Attackers stole the names, email addresses, and other personal information of millions of both insurers' customers and patients.

Timeline of notable healthcare breaches


Anthem

Country: United States
Records Lost: 80M
Types of Information Compromised: Names, dates of birth, member ID numbers, social security numbers, addresses, phone numbers, email addresses, employment information

Premera Blue Cross

Country: United States
*detected in January 2015 but may have occurred as early as May 2014
Records Lost: 11M
Types of Information Compromised: Names, dates of birth, email addresses, addresses, telephone numbers, social security numbers, member ID numbers, bank account information, claims information, clinical information


Community Health Systems

Country: United States
Records Lost: 4.5M
Types of Information Compromised: Five years' worth of patient data, names, addresses, social security numbers


Advocate Medical Group

Country: United States
Records Lost: 4M
Types of Information Compromised: Names, addresses, dates of birth, social security numbers


National Health Service (NHS)

Country: United Kingdom
Records Lost: 8.3M
Types of Information Compromised: Unencrypted patient records


Virginia Department of Health

Country: United Kingdom
Records Lost: 8.3M
Types of Information Compromised: Patient records, prescriptions


Millions of iOS devices still running iOS 7 were also put at risk via apps used in Operation Pawn Storm. Researchers found two spyware apps compatible with iOS 7 that can use the device for snooping. Both jailbroken and non-jailbroken devices were affected, since these apps can be installed via enterprise provisioning.

Meanwhile, Operation Woolen Goldfish, a politically motivated campaign that continued its operations in the past quarter, was found attacking a number of public and private Israeli and European organizations using a malicious file hosted on Microsoft OneDrive®. This operation is one of the two campaigns run by the Rocket Kitten cyber threat group, the other being the GHOLE malware campaign.

Retailers also remain targets of cyber attacks as Point-of-Sale (PoS) malware infections continue to rise. A one-man PoS malware campaign, FighterPOS, stole more than 22,000 unique credit card numbers from late February to early April 2015.

Meanwhile, the old but only recently detected PwnPOS malware, believed to have existed since 2013, was found using a RAM scraper to harvest card data and then connecting to an SMTP server to send the stolen information out.

Healthcare data represents the ‘holy grail’ in terms of data theft. When credit card data is stolen, the criminals can use that only until the credit or debit cards are cancelled. But how do you “cancel” your social security number? You can’t. Healthcare data can be used more than once for financial fraud as criminals open account after account in your name. It’s not just your name though: healthcare data can give enough information to facilitate identity theft not just from you but potentially from your spouse and children as well. Blackmail is another area where traditional crime tactics will move into the realm of cybercrime. – Christopher Budd (Global Threat Communications Manager)

New and evolving exploit kits prevail on the Web

Exploit kits, notorious for being an effective means of delivering Web-based attacks, have been around since 2006 and have since evolved to adopt new technologies in their routines. In the underground market, exploit kits are easily sold as ready-to-use Web threat programs.

Compared to the same quarter last year, we found a 30% increase in attacks using exploit kits. Of these attacks, the most exploited apps were Java™, Adobe®, and Internet Explorer.

There has been a notable dip in the number of newly released exploit kits. Even so, the prevalent use of old and well-developed exploit kits shows that Internet users can expect related infections to continue for the rest of the year and beyond.

Threats analysts Brooks Li and Joseph Chen also noted a harrowing pattern, saying, “zero-day exploits are now being deployed in malicious ads right away, instead of first being used in targeted attacks against enterprises or other large organizations.”

[Read: Exploit Kits and Malvertising: A Troublesome Combination]

Countries Most Affected by Exploit-Kit-Related Attacks

It's not surprising that exploit kit attacks are still growing even after the notorious Blackhole exploit kit (BHEK) takedown at the end of 2013. The malvertising and exploit kit combination is one main reason for the increase of exploit kits. This makes it possible for attackers to hijack visitors of popular websites, like YouTube, and take advantage of advertising networks to hide themselves. – Joseph Chen (Threat Analyst)

Critical web application flaws, prime entry points

Like client- and server-side vulnerabilities, web application vulnerabilities need to be patched, as they are possible entry points for attackers. These applications process business-relevant data and store it in back-end databases, which may themselves have security holes.

Organizations are prone to attacks exploiting vulnerabilities in the widely used PHP platform, nearly all of which are server-side vulnerabilities. These flaws are rated High to Critical and have been patched in the latest versions of the program.

Many web applications are most vulnerable to non-persistent cross-site scripting (XSS), a severe flaw that only requires users to visit planted URLs for attackers to gain access to their personal accounts. Other critical web application flaws include SQL injection, in which attackers issue malicious SQL statements to gain site access, and OS commanding, in which attackers execute system-level commands.


The Trend Micro Smart Protection Network™ blocked a total of 14,006,002,252, or over 14 billion, threats in Q1 2015 alone.

[Figures: Total number of threats blocked, Q1 2015; Detection rate (number of threats blocked per second), Q1 2015]

Of these threats, the top three malware families counted last quarter were SALITY (85K), DOWNAD/CONFICKER (83K), and KRYPTIK (71K). SALITY variants are known for critically damaging routines carried out by spreading infected .EXE and .SCR files. DOWNAD/CONFICKER variants are notorious in the threat landscape for their persistence in exploiting vulnerabilities and propagating quickly. KRYPTIK variants are Trojans that have recently been used to attack victims during the tax season.


Top Malware Families

*based on PC detections

There are now a total of 5,395,718, or roughly 5.4 million, malicious and high-risk Android apps, a 27% increase compared to Q4 2014 (4.3 million). Of these apps, roughly half are adware, which displays advertising content usually without the consent of mobile device users.
