Industry Trends
Last year, Fortinet’s FortiGuard Labs team made a series of predictions about cyberthreats in 2016. We are now halfway through the year, and we thought this would be a good time to give an update on what we have seen so far for some of these predictions.
The Threat: The exponential increase of unmanaged, “headless devices” driven by the Internet of Things will make these types of devices a tempting target for hackers looking to secure a beachhead into more traditional devices and corporate infrastructures. We will see a rise in the number of attacks that exploit flaws in trusted machine-to-machine (M2M) communication protocols.
So far we have seen a number of attacks and trends indicating that M2M attacks are on the rise, and that concerns about the security of IoT are well founded. Gartner has estimated that 6.4 billion new IoT devices will be added to the Internet in 2016. Many of them, such as thermostats, home security systems, smart cars, watering systems, and even baby monitors, will be connected to other devices, such as tablets and smartphones, for remote monitoring.
Breaking into these devices is far too often not difficult, mostly because user names, passwords, and other security settings are still left at their defaults or are easily discoverable.
Known as the search engine for the Internet of Things, Shodan allows users to search for specific types of computers, devices, and connected systems. It looks for systems that have specific open ports, such as FTP servers, web servers, video cameras, and other things. It also indexes systems with default passwords, including home routers. Using information from this site, we have been able to successfully hijack home surveillance systems and other devices from thousands of miles away.
We have already begun to see regional trends where such information is used to ascertain not only whether a family is home or not, but also how far away they are or how long they are expected to be gone. That information is then relayed to burglars, who can safely break in because the monitoring app has been compromised.
One interesting trend we have seen emerge over the past few months is the hijacking of IoT devices for ransom. This represents a significant shift in the ransomware landscape. Leveraging IoT devices allows ransom-based attacks to expand beyond traditional targets, such as hospitals and police stations, to individual users. We predict that we will soon see things like access to one’s car, or even home, held for ransom.
Going in the other direction from more closely targeted attacks, we can also see the possibility of these sorts of attacks expanding beyond cybercrime to cyberwarfare. According to the NIST National Vulnerability Database, we are on track to see an unprecedented number of CVEs (Common Vulnerabilities and Exposures). The most recent NIST CVE data shows that nearly 4200 vulnerabilities in publicly available software have already been disclosed and published this year, and we predict that many more will be discovered.
Given the widespread nature of IoT vulnerabilities and their growing ubiquitous deployment, the potential for the catastrophic targeting, penetration, locking down, or collapse of critical infrastructure (think water, transportation, power, etc.) by nation-state actors, hacktivists, or cyberterrorists is quite real.
The Threat: Related to the rise in machine-to-machine attacks, the “headless devices” driven by the Internet of Things will also become a focus of worms and viruses designed to independently target and automatically propagate to other devices via trusted communication protocols. These viruses could be designed to cause the systematic failure of devices, and the damage would be far more substantial as the number of IoT devices grows into the billions.
Controlling swarms of dumb devices is the fantasy of botnet operators. This past June a botnet was discovered that was powered by over 25,000 compromised CCTV devices located around the world. These IoT devices were then used to launch coordinated distributed denial-of-service (DDoS) attacks against websites. Analysis shows that these attacks were made possible by a headless worm exploiting a remote code execution flaw in surveillance cameras sold by more than 70 different vendors.
This is a perfect example of a criminal hijacking of dumb devices and then weaponizing them, as there is little way to detect such a compromise, and worse, few options for updating or hardening them against such attacks.
This example goes right to the heart of the IoT security problem. Far too often, the communications software and protocols used by IoT devices were never built with security in mind. Worse, this code is often shared widely between vendors as a cut and paste solution, making some IoT vulnerabilities endemic. And since the majority of these devices are headless, there is no way to even update or harden them.
We are seeing more and more of this, driven by the desire to monetize attacks. We expect to see more consumer-focused attacks targeting IoT. For example, imagine attackers being able to detect when you’re not home, remotely unlocking or disabling your locks or alarms, or simply resetting them and demanding a ransom to let you back into your own house; or hijacking and ransoming a life-critical medical device in your home.
The Threat: As cybercriminals become the focus of investigation and prosecution in the criminal justice system, careful hackers will develop a new variant of malware that is designed to achieve its mission and then erase all traces before security measures can detect that a compromise has taken place. FortiGuard predicts that we will witness Ghostware in 2016, written to steal data and disappear to conceal its creators.
Evidence of “Ghostware” – an attack that erases the indicators of compromise, making it difficult for organizations to track the extent of data loss or what systems were compromised – began emerging in the first half of 2016.
In a blog post published June 15, 2016, someone using the handle Guccifer 2.0 published hundreds of pages of documents that the author claimed were taken during a hack of servers owned by the US Democratic National Committee. What is interesting about this attack is that the original infection and indicators of compromise were never seen or found, and information about the hack was not pieced together until a similar attack on a different group was caught.
One thing that makes these sorts of attacks possible is the expanding attack surface of networks. Traditionally isolated security devices are simply not designed to correlate information in order to quickly detect sophisticated, multi-vector attacks, especially when networks expand out to IoT, remote mobile devices, virtualized networks, and the cloud. Instead, protection in most organizations depends on live security experts (often serendipitously) catching anomalous behavior and then hand-correlating threat intelligence between multiple security devices.
These sorts of attacks go beyond what prevention techniques and tools can stop. Detection in real time is essential, which requires an integrated security architecture approach like Fortinet’s Security Fabric, which allows devices to share attack data in real time, correlate it and generate actionable threat intelligence, and coordinate a response to isolate malware and identify every instance of that attack deployed anywhere across the network. This is also why we recently acquired the AccelOps next generation SIEM technology, which expands visibility and correlation across highly distributed, multi-vendor environments.
We expect to see more Ghostware-based attacks that are, frankly, often established and known attack methodologies redesigned to exploit the double challenge of the growing security skills gap and isolated legacy security devices.
The Threat: Malware has been continually evolving features to avoid detection as security measures like sandboxing become more prevalent. As sandboxing becomes more resistant to these countermeasures, we anticipate the development of Two-Faced Malware designed to execute an innocent task to avoid detection and then execute a malicious process once it has cleared security protocols.
While we haven’t seen full-blown two-faced malware yet, we have seen its precursor: malware designed to look for and evade sandbox technologies. For example, we have recently seen new variants of the Locky ransomware that employ a new anti-sandbox technique. In these variants, the malicious payload is stored encrypted to evade detection. Locky’s loader code then uses a seed parameter supplied by its JavaScript downloader to decrypt the embedded payload and execute it; run without that seed, as a sandbox typically does, the loader never exposes the payload.
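One defensive response to this seed-gated loader pattern is to look at process-creation telemetry for the hand-off itself. The example below is an added illustration, not code from the original post or from Fortinet: it assumes the seed is passed on the loader’s command line, assumes the loader is dropped in the user’s Temp folder and started by a Windows script host, and runs over constructed events rather than real logs, keeping the argument so a sandbox can replay the sample with it.

```python
import ntpath
import re

# Constructed process-creation events (parent image, child image, child command
# line); they are not real telemetry. They model the chain described above: a
# JavaScript downloader running under a script host launches a dropped loader
# and hands it a seed argument, without which the loader stays inert.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wscript.exe",
     r"C:\Users\u\AppData\Local\Temp\loader.exe",
     r'"C:\Users\u\AppData\Local\Temp\loader.exe" 321'),
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\App\app.exe",
     r'"C:\Program Files\App\app.exe" --minimized'),
    (r"C:\Windows\System32\cscript.exe",
     r"C:\Users\u\AppData\Local\Temp\setup.exe",
     r'"C:\Users\u\AppData\Local\Temp\setup.exe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # assumed parent images
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Windows command line: a quoted or bare image path, then the argument string.
CMDLINE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')


def split_cmdline(cmdline):
    """Return (image, args) from a Windows command line, or (None, '')."""
    m = CMDLINE.match(cmdline)
    if not m:
        return None, ""
    return (m.group(1) or m.group(2)), m.group(3).strip()


def find_seed_gated_launches(events):
    """Flag binaries in the user's Temp folder started by a script host.
    The argument string is kept as the candidate seed so the sample can be
    replayed with it; a launch with no argument is still reported because a
    script host starting a Temp binary is itself worth a look."""
    findings = []
    for parent, child, cmdline in events:
        if ntpath.basename(parent).lower() not in SCRIPT_HOSTS:
            continue
        if not USER_TEMP.search(child):
            continue
        _, args = split_cmdline(cmdline)
        findings.append({"child": child, "seed": args or None})
    return findings


if __name__ == "__main__":
    for finding in find_seed_gated_launches(SAMPLE_EVENTS):
        print(finding)
```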
Similarly, we have seen incidents of encrypted malware hidden in smartphone apps that managed to bypass vendor application vetting processes. While many of these have now been caught and removed, variants of evasion-based infected applications continue to be discovered. In fact, we have seen a nearly 700% increase in infected mobile device applications in the past year.
Likewise, some ghostware variants, like the one used in the DNC attack described above, are able to assess the environment where they have been deployed, and if they find that they are in, say, a virtualized environment or a sandbox, they simply delete themselves.
We expect to see additional development of evasion-based attack software over the coming months, eventually leading to the development of true two-faced malware.