Last year, Fortinet’s (News - Alert) FortiGuard Labs global threat research team made a series of predictions about cyber threats in 2016. We are now halfway through the year, and thought this might be a good time to give an update on what we have seen so far for some of these predictions.
Prediction No. 1: The Rise of Machine-to-Machine Attacks
The Threat: The exponential increase of unmanaged, “headless devices” driven by the Internet of Things (IoT) will make these types of devices a tempting target for hackers looking to secure a beachhead into more traditional devices and corporate infrastructures. We will see a rise in the number of attacks that exploit flaws in trusted machine-to-machine (M2M) communication protocols.
So far we have seen a number of attacks and trends that indicate that M2M attacks are on the rise, and that concerns about the security of IoT are well founded. Gartner (News - Alert) has estimated that 6.4 billion new IoT devices will be added to the Internet in 2016. Many of them, such as thermostats, home security systems, smart cars, watering systems and even baby monitors will be connected to other devices, such as tablets and smart phones, for remote monitoring.
Breaking into these devices is far too often not that difficult, mostly because user names and passwords or other security settings are still using default settings or are easily discoverable.
Known as the search engine for the IoT, the Shodan site allows users to search for specific types of computers, devices and connected systems. It looks for systems that have specific open ports, such as FTP servers, web servers, video cameras and other things. It also indexes systems with default passwords, including home routers. Using information from this site, we have been able to successfully hijack home surveillance systems and other devices from thousands of miles away.
We have already begun to see regional trends where such information is used to ascertain not only whether a family is home or not, but also how far away they are or how long they are expected to be gone. That information is then relayed to burglars, who can safely break in because the monitoring app has been compromised.
One interesting trend we have seen emerge in the past few months is the hijacking of IoT for ransom. This represents a significant shift in the ransomware landscape. Leveraging IoT devices allows ransom-based attacks to expand beyond just traditional targets, such as hospitals and police stations, to individual users. We predict that we will soon see things like access to one’s car, or even home, held for ransom.
Going the other direction from more closely targeted attacks, we can also see the possibility of these sorts of attacks expanding beyond cybercrime to cyberwarfare. According to the NIST National Vulnerability Database, we are on track to see an unprecedented number of CVEs (Common Vulnerabilities and Exposures.) The most recent NIST CVE data shows that nearly 4200 common vulnerabilities in publicly available software have already been disclosed and published and we predict that many more will be discovered.
Given the widespread nature of IoT vulnerabilities and their growing ubiquitous deployment, the potential for the catastrophic targeting, penetration, locking down or collapse of critical infrastructure (think water, transportation, power, etc.) by nation-state actors, hacktivists or cyberterrorists is quite real.
Prediction No. 2: Headless Worms Target (News - Alert) Headless Devices
The Threat: Related to the rise in machine-to-machine attacks, the “headless devices” driven by the Internet of Things will also become a focus of worms and viruses that are designed to independently target and automatically propagate to other devices via trusted communication protocols. These viruses could be designed to cause the systematic failure of devices, and the damages would be far more substantial as the numbers of IoT devices grows into the billions.
Controlling swarms of dumb devices is the fantasy of botnet hackers. This past June, a botnet was discovered powered by over 25,000 compromised CCTV devices located around the world. These IoT devices were then used to launch coordinated distributed denial-of-service (DDoS) attacks against websites. Analysis shows that these attacks were made possible by exploiting a remote code execution flaw using a viral headless worm that affected surveillance cameras sold by more than 70 different vendors.
This is a perfect example of a criminal hijacking dumb devices and then weaponizing them, as there is little way to detect such a compromise, and worse, few options for updating or hardening them against such attacks.
This example goes right to the heart of the IoT security problem. Far too often, the communications software and protocols used by IoT devices were never built with security in mind. Worse, this code is often shared widely between vendors as a cut and paste solution, making some IoT vulnerabilities endemic. And since the majority of these devices are headless, there is no way to even update or harden them.
We are seeing more and more of this, driven by the desire to monetize attacks. We expect to see more IoT and consumer-focused attacks targeting IoT (for example, imagine hackers being able to detect when you’re not home, remotely unlocking or disabling your locks or alarms, or simply resetting them and demanding a ransom to get into your own house. Or hijacking and ransoming a life-critical medical device in your home.)
Prediction No. 3: Ghostware Conceals Indicators of Compromise
The Threat: As cybercriminals become the focus of investigation and prosecution in the criminal justice system, careful hackers will develop a new variant of malware that is designed to achieve its mission and then erase all traces before security measures can detect that a compromise has taken place. FortiGuard predicts that we will witness Ghostware in 2016, written to steal data and disappear to conceal its creators.
Evidence of “Ghostware”—an attack that erases the indicators of compromise, making it difficult for organizations to track the extent of data loss or what systems were compromised—began emerging in the first half of 2016.
In a blog post published June 15, 2016, someone using the handle Guccifer 2.0 published hundreds of pages of documents that the author claimed were taken during a hack of servers owned by the U.S. Democratic National Committee. What is interesting about this attack is that the original infection and indicators of compromise were never seen or found. And information around the hack was not pieced together until a similar attack on a different group was caught.
One thing that makes these sorts of attacks possible is the expanding attack surface of networks. Traditionally isolated security devices are simply not designed to correlate information in order to quickly detect sophisticated, multi-vector attacks - especially when networks expand out to IoT, remote mobile devices, virtualized networks and the cloud. Instead, protection in most organizations depends on live security experts (often serendipitously) catching anomalous behavior and then hand correlating threat intelligence between multiple security devices.
These sorts of attacks go beyond prevention techniques and tools. Detection in real time is essential, which requires an integrated security architecture approach which allows devices to share attack data in real time, correlate and generate actionable threat intelligence, and coordinate a response to isolate malware and identify all instances of that attack deployed anywhere across the network.
We expect to see more Ghostware-based attacks that are, frankly, often established and known attack methodologies that have been redesigned to exploit the double challenge of the growing security skills gap and isolated legacy security devices.
Prediction No. 4: Two-Faced Malware
The Threat: Malware has been continually evolving features to avoid detection as security measures like sandboxing become more prevalent. As sandboxing becomes more resistant to these countermeasures, we anticipate the development of Two-Faced Malware designed to execute an innocent task to avoid detection and then execute a malicious process once it has cleared security protocols.
Similarly, we have seen incidents of encrypted malware hidden in smartphone apps that managed to bypass vendor application vetting processes. While many of these have now been caught and removed, variants of evasion-based infected applications continue to be discovered. In fact, we have seen a nearly 700 percent increase in infected mobile device applications in the past year.
Likewise, some ghostware variants—like that used in the DNC attack described above—are able to assess the environment where they have been deployed, and if they find that they are in, say, a virtualized environment or a sandbox, they simply delete themselves.
We expect to see additional development of evasion-based attack software over the coming months, eventually leading to the development of true two-faced malware.
Security for the Distributed Network
We are facing an arms race in terms of security. There’s a very large playground for attackers, and consumer and corporate information is running in that playground. Why, after all the money and research being spent on security, are not only the number of attacks increasing, but many older attacks continuing to persist? The sophisticated cybercriminal community wouldn’t still be using these if they weren’t successful.
The answer is complicated. Simply deploying security point solutions end-to-end is not enough. New devices and applications, new communications methods, the increase of virtualized and cloud-based networking and IoT continue to expand the attack surface. And far too many organizations are simply getting by on doing the minimum hoping they get overlooked, or because the tradeoff between productivity and security seems too high.
Companies need something different: an integrated security architecture designed to unify management, centralize and coordinate threat detection and intelligence, and provide a dynamically coordinated response to threats anywhere across the distributed network, from IoT to the cloud. The idea of a security fabric represents a complete rethinking of how security is to be designed, implemented and managed, allowing organizations to stop playing catch-up with cybercriminals and finally get out in front of the threat community.
About the author:
Derek Manky, Global Security Strategist, Fortinet, formulates security strategy with more than 15 years of cyber security experience, his ultimate goal to make a positive impact towards the global war on cyber crime. Manky provides thought leadership to industry, and has presented research and strategy world-wide at premier security conferences. As a cyber security expert, his work has included meetings with leading political figures and key policy stakeholders, including law enforcement, who help define the future of cyber security. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST; all in effort to shape the future of actionable threat intelligence and proactive security strategy.