One Article Review

Home - The article:
Source AlienVault Blog
Identifier 459644
Publication date 2018-01-16 14:00:00 (viewed: 2018-01-16 14:00:00)
Title OTX Trends Part 1- Exploits
Text By Javvad Malik and Christopher Doman

Introduction

Every year, AlienVault records billions of anonymised security events from our customers. This telemetry can be aggregated to establish macro trends. And for many years, we have also been comprehensively recording other vendors' threat reports in our Open Threat Exchange (OTX) platform. We have combined these two data-sets to help provide a blueprint for how to prioritise the response to varied threats. You can find the scripts we used to get this data from our free APIs on GitHub.

Executive Summary

Some of the standout findings from our data covering 2017 are:
- The most effective exploits quickly proliferate between a number of criminal and nation state groups. Some remain popular for a number of years after their initial discovery.
- njRat malware variants were the most prevalent malware we saw persisting on networks.
- Of the ten most popular domains associated with malware, four were sinkholed by MalwareTech.
- Confirmation of others' findings of the changing targeted threat landscape. There has been a significant increase in reports on attackers reportedly located in Russia and North Korea. There has also been a significant drop in reports of activity emanating from groups operating from China.

OTX Trends: Exploits

This is the first of a three part series on the trends we identified in 2017:
- Part 1 focuses on exploits
- Part 2 will talk about the malware of concern and trends
- Part 3 will discuss threat actors and patterns

Which exploits should I be most concerned about?

There are many thousands of exploits that are assigned a CVE number every year, and many more that don't get reported. If you're responsible for an organisation's security, it's important to know:
- Which ones are the most important to patch quickly?
- Which ones are being actively exploited in the wild?
- What exploits are being reported in vendor reports?

The following table shows exploits in order of the number of times they have been referenced in vendor reports on OTX:

[Figure: A CVE 2017-0199 sample used by criminals]

This table is from a fairly small data-set of approximately 80 vendor reports from 2017, but it still provides a number of insights:

Effective exploits proliferate quickly

The #1 ranked exploit, CVE-2017-0199, is extremely popular. It has been used by targeted attackers in locations as diverse as North Korea (FreeMilk), China (Winnti) and Iran (Oilrig). It has also been heavily abused by criminal gangs such as some of those deploying Dridex.
Sent Yes
Tags
Stories APT 34


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.