Computerworld

AI-assisted imposters, IoT and crypto-jacking: cyber security in 2019

With the cyber security industrial complex in full swing for 2019, Computerworld wonders what horrors this dystopian hell world will spew forth next

With the cyber security industrial complex in full swing and good business for all the major players, from governments and state sponsored groups, to criminal attackers and the vendors as well as their shareholders, we wonder what horrors this dystopian hell world will spew forth next.

It was arguably 2017's devastating WannaCry and NotPetya ransomware variants that brought cyber security into mainstream focus, taking it from the idea of banking scams and into the realm of hobbling hospitals and businesses that depended on critical systems with real-world physical consequences.

Then 2018, just as GDPR came into effect, brought with it data breach after data breach, affecting millions of customers across industries, including customers of household names like Reddit, Facebook, Uber, British Airways and the Marriott hotel chain.

But it won't be just consumers that pay the price of these incidents. When GDPR was implemented in May this year, the regulation meant companies that were found to have allowed a breach due to malpractice would face hefty fines.

State-sponsored breaches or attacks continued throughout the year, and it will be intriguing to see where these 'advanced persistent threat' groups head next - perhaps further underground, according to some commentators.

And while the majority of attackers are still going for the low-hanging fruit, there are methods of attack that are becoming increasingly more sophisticated.

Here's what 2019 might hold in cyber security.

Better, smarter IoT botnets

The first truly global case of a powerful Internet of Things (IoT) botnet was Mirai in 2016. It was achieved with a few lines of quite simple code, but was so effective because it targeted objects like IP cameras that were connected to the internet but rarely secured or updated, and managed to bring down a decent chunk of the internet.

The internet providers and DNS companies have shored up their defences since Mirai, but the IoT market - which could reach $6.5 trillion by 2024 - is only going to grow dramatically.

Some manufacturers may have sharpened up their products to be updatable but certainly not all will have, especially when these things become interwoven into the fabric of everyday life.

Malwarebytes' lead malware analyst Chris Boyd notes that in 2018 several thousand MikroTik routers were quietly compromised and turned into cryptocurrency miners.

"This is only the beginning of what we will likely see in the new year, with more and more hardware devices being compromised to serve up everything from coin miners to malware," he says.

"Large-scale compromises of routers and IoT devices are going to take place and they are a lot harder to patch than computers. Even just patching does not fix the problem if the device is infected."

Kaspersky adds that IoT botnets will keep growing at an "unstoppable" pace, in what is becoming a recurring warning that shouldn't be underestimated.

Mike O'Malley, VP for carrier strategy and business development at Radware, adds that hackers will attempt to turn IoT devices into a 'swarm' network of self-sufficient bots that can make semi-autonomous decisions, pool their collective intelligence together to solve problems, or "opportunistically and simultaneously target vulnerable points in a network".

"'Hivenets' take this a step further and are self-learning clusters of compromised devices that simultaneously identify and tackle different attack vectors," he adds.

"The devices in the hive can talk to each other and can use swarm intelligence to act together, and recruit and train new members to the hive."

A 'hivenet' that can identify and compromise more devices would be able to grow "exponentially" and "thereby widen its ability to simultaneously attack multiple victims".

"This is especially dangerous as we roll out 5G," he adds, "as hivenets could take advantage of the improved latency and become even more effective."

According to VP of IoT at Sectigo, Damon Kachur, it's important to consider the role of digital certificates.

"From an end user perspective, the slow uptake of security in IoT devices has prompted governments to regulate," Kachur says.

"Nations and more US states will follow California's lead and enact legislation requiring security for IoT networks. This is particularly important for healthcare, transportation, energy, and manufacturing sectors, which face the highest risk.

"The legislation stops short of prescribing strong forms of authentication, but thankfully consortium groups such as the Open Connectivity Foundation and AeroMACS have championed the use of strong certificate-based authentication in their best practice standards for IoT.

"The attack vectors and threat actors to the IoT are constantly evolving, warranting best practice device provisioning and the ability to quickly and proactively manage current cryptographic algorithms with those that will supersede them in the future.

"This will be vital within the lifespan of the devices being deployed to customers."

Attacks on critical national infrastructure

A recent parliamentary committee warned that critical national infrastructure is at risk from cyber attackers. The National Cyber Security Centre also recently warned that states hostile to Britain would likely target the infrastructure of Britain.

While high-profile real-world examples of these sorts of attacks have been relatively scarce (especially in Britain, with only WannaCry and NotPetya coming close to date), some experts are warning that 2019 could see intra-state rivalries become more realised in the cyber realm.

Even taking hostile states out of the equation, attackers motivated by money might see weakness in the country's current approach to critical national infrastructure and hit it for financial reasons before it's fixed.

James Wickes, CEO and cofounder of Cloudview, said that attacks on infrastructure could also be linked to the increase in internet-connected devices.

"Many of these devices are poorly secured, posing serious risks to individuals, businesses, utilities, and ultimately national security," Wickes says.

"Experts have already identified that new smart energy meters, which the government wants installed in millions of homes, will leave householders vulnerable to cyber attacks.

"Cyber criminals could artificially inflate meter readings, making bills higher, but ultimately this could lead to a catastrophic attack on our electricity grid.

"The National Grid was put on alert in March 2018 by officials from the NCSC amid fears of a Russian cyber attack, and given advice on how to boost its defences to prevent power cuts."

Former DHS Under Secretary and Nozomi Networks adviser Suzanne Spaulding adds that the electric grid in America has a "fair amount of physical redundancy" to back cyber controls, but as virtual infrastructure becomes embraced, those physical redundancies are abandoned, which would make it easier for an attacker to have "cascading impacts that can cause real damage".

"With fewer physical controls in place it will be harder to regain control of systems, minimise damage, and stop an attack from progressing," she adds.

"Given the benefits of the networked world the move to digitalisation isn't going to slow down. It's important we realistically assess our dependence upon cyber and the potential consequences of a disruptive attack.

"Maintaining physical backups or other redundancies, changing operational processes, and even keeping less data can reduce the impact of a successful attack."

Crypto-jacking

If 2017 saw the Tulip-mania style boom and bust of crypto currencies, 2018 saw a significant uptick in crypto-jacking, the process of taking control of a device or network of devices to use the additional compute for crypto mining.

Webroot went as far as to claim in its mid-year threat report that crypto-jacking accounted for as much as 35 percent of all threats - and that its customers attempted to visit websites running crypto-jacking scripts three percent of the time.

The most popular crypto mining domain was Xxgasm.com for 31 per cent of traffic while Coinhive.com accounted for 38 per cent of traffic. Check Point, meanwhile, said that the global impact of crypto miners had doubled in the first half of 2018.


Commenting, Rich Campagna, CMO for Bitglass said that we can expect to see "a lot more of this in 2019 and beyond".

"This technique combines two commonly used types of attacks: crypto-jacking, when malicious individuals appropriate devices' compute power in order to mine for crypto currency, and cloud-jacking, when illegitimate third-parties hijack enterprise cloud resources," Campagna says.

"Together, the two hacking methods can be used to mine crypto currency at a highly-accelerated rate."

More ransomware

Ransomware has persisted for so long both because it can be used to such devastating effect and for its relative simplicity. Indeed, scripts are available to buy on the dark web for mere pennies in many cases, just point and shoot.

According to John Fokker, head of cyber investigations at McAfee, the ransomware underworld will "consolidate", creating "fewer but stronger malware-as-a-service families that will actively work together".

"We also predict a continuation of the strongest ransomware 'brands' using affiliate structures to increase their threat," he adds.

Good old blackmail

According to enterprise architect at Carbon Black's threat analysis unit, Paul Drapeau, compromised data sets could very easily enable a new path to traditional blackmail.

"Breaches in Facebook and other social media platforms represent a wealth of data to be mined by bad actors," he says. "This data could be used to correlate activities between people to find illegal, scandalous or compromising behaviour and then leverage that for traditional blackmail at scale."

What could that look like? "'Pay me the bitcoins or your spouse/employer gets copies of these direct messages' an example note might read," he explains.

"We can fight ransomware with anti-malware tools or backups but we depend on giant companies to protect our more personal details.

"The breach doesn't even have to be real to result in extortion attempts, as was seen in 2018 with the mass email scam purporting to have compromising video and passwords of the victims. Imagine an attacker building on data from a breach and fabricating message contents, and then demanding ransom be paid.

"This type of attack is definitely more work, more targeted and difficult, but the payoff could be there. Victims may be willing to pay more money and pay up more readily when it is their real lives and reputations at stake versus their digital lives."

That could look like a 'spearphishing' attempt, but rather than tricking a high-worth individual like a CFO into transferring money, it's a lot more personal.

APT groups, nation states, state-sponsored attacks

Kaspersky believes that the advanced persistent threat groups (think Fancy Bear, Shadow Brokers) might do more to cover their tracks - less outspoken branding or signature attacks, in short, which would make detection and attribution "extremely difficult".

The vendor adds that one of the most likely scenarios in this new approach would be building tools catered to highly specific targets.

According to Priscilla Moriuchi, director of strategic threat development at Recorded Future, state-sponsored groups are likely to place an increasing focus on telecommunications companies and ISPs.

"Telecoms and ISPs are woven into the fabric of the internet and provide threat actors with access to trusted infrastructure to enable secondary attacks or intrusions," she says.

"They also are the midpoints for global telecommunications and intrusions into these types of companies can expose not just user data, but phone calls, text messages, geolocational history, contacts, and more.

"Telecommunications companies and ISPs are the crown jewels for hostile foreign intelligence services and I expect to see a proliferation of operations targeting these companies from a wider variety of nation-state actors in 2019."

She adds that non-traditional attacks and access points are also likely to become more widely used, including attacking the supply chain, hardware vulnerabilities and such, while state-directed influence campaigns that use social media will expand.

According to Suzanne Spaulding, former DHS Under Secretary and current Nozomi Networks adviser, the USA will become more aggressive in naming hackers.

"Until recently the US did not publicly attribute various cyber incidents to specific nations, despite public pressure to do so," she says. "It can be difficult to attribute cyber activity with 100 percent certainty but US officials were also concerned about public demands to respond if they were to attribute an attack."

The US is "already less afraid of attribution," she says, pointing towards sanctions against Russia in response to perceived threats on American infrastructure.

Encrypted traffic malware

The increased understanding of the importance of encryption could well be exploited by groups that hide malware itself within encrypted traffic.

Omar Yaacoubi, founder and CEO of Barac, points out Google research that suggests 80 per cent of all traffic will be encrypted in 2019, and a PwC study that says 60 per cent of attacks will occur on encrypted traffic.

"The downside of encryption is that security tools can't inspect encrypted traffic for malware, making it the perfect place for a threat actor to hide any kind of malicious traffic," he says.

"A recent Vanson Bourne survey of 500 CIOs found that 90 per cent of firms had experienced or expected to experience a network attack using SSL/TLS, and 87 per cent believed their defences were less effective because of this emerging trend to bury malware in encrypted traffic.

"The challenge for organisations is how to detect this malware without decrypting the traffic – which opens a whole new can of worms about privacy and also has a massive impact on network performance.

"One solution is to look at the metadata associated with these traffic flows, using AI and machine learning to accurately detect the difference between bad and good flows.

"This allows businesses to identify and block bad traffic without going through the pain of decrypting and examining the contents of each and every data packet, and to be compliant with data privacy laws."
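The metadata-only approach Yaacoubi describes can be illustrated with a small flow scorer. The code below is an added example, not Barac's product or anything from the article: it scores TLS flow summaries (port, SNI presence, certificate trust, byte ratio and reconnection timing) that a network tap can observe without decrypting payloads, and uses a hand-written rule set as a stand-in for the machine-learning model he mentions. The flow records, field names and thresholds are constructed assumptions for the demonstration.

```python
"""Heuristic scoring of TLS flow metadata (no payload decryption).

Added example for the encrypted-traffic section; not the article's or Barac's
code. Flow records and thresholds below are constructed/assumed values.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass
class TlsFlowSummary:
    """Metadata an inspection point can see without decrypting the session."""
    src: str
    dst: str
    dst_port: int
    sni: str                 # server_name from the ClientHello ("" if absent)
    self_signed_cert: bool   # server cert does not chain to a trusted CA
    bytes_out: int           # client -> server
    bytes_in: int            # server -> client
    connect_times: List[float] = field(default_factory=list)  # epoch seconds


def beacon_regularity(times: List[float]) -> float:
    """Coefficient of variation of gaps between connections (0.0 = perfectly
    periodic). Fewer than four connections is treated as not periodic."""
    if len(times) < 4:
        return float("inf")
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return float("inf")
    return pstdev(gaps) / avg


def score_flow(flow: TlsFlowSummary) -> Tuple[int, List[str]]:
    """Score one flow from metadata only; higher means more suspicious.
    Weights are assumed for illustration and would be tuned per network."""
    score, reasons = 0, []
    if flow.dst_port != 443:
        score += 1
        reasons.append(f"TLS on non-standard port {flow.dst_port}")
    if not flow.sni:
        score += 2
        reasons.append("no SNI in ClientHello")
    if flow.self_signed_cert:
        score += 2
        reasons.append("self-signed server certificate")
    # Upload-heavy sessions to an untrusted host resemble exfiltration.
    if flow.bytes_in > 0 and flow.bytes_out / flow.bytes_in > 5:
        score += 2
        reasons.append(f"upload-heavy ratio {flow.bytes_out / flow.bytes_in:.1f}:1")
    if beacon_regularity(flow.connect_times) < 0.1:
        score += 3
        reasons.append("highly periodic reconnects (beacon-like)")
    return score, reasons


SUSPICION_THRESHOLD = 4  # assumed cut-off; calibrate against a known-good baseline


def flagged_destinations(flows: List[TlsFlowSummary]) -> List[str]:
    """Return destinations whose flow score meets the threshold."""
    return [f.dst for f in flows if score_flow(f)[0] >= SUSPICION_THRESHOLD]


# Constructed sample flows (addresses are documentation ranges, not real hosts).
BENIGN_FLOW = TlsFlowSummary(
    src="10.0.0.5", dst="93.184.216.34", dst_port=443, sni="www.example.com",
    self_signed_cert=False, bytes_out=2_000, bytes_in=150_000,
    connect_times=[1000.0, 1370.0, 2210.0],
)
SUSPECT_FLOW = TlsFlowSummary(
    src="10.0.0.7", dst="198.51.100.23", dst_port=8443, sni="",
    self_signed_cert=True, bytes_out=40_000, bytes_in=3_000,
    connect_times=[1000.0, 1600.0, 2200.0, 2800.0, 3400.0],
)
SAMPLE_FLOWS = [BENIGN_FLOW, SUSPECT_FLOW]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        score, reasons = score_flow(flow)
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port} score={score} {reasons}")
```

The caveats that matter in practice: SNI is plaintext in TLS 1.2 but can be hidden by Encrypted Client Hello in TLS 1.3, so that feature degrades over time; legitimate IoT devices often present self-signed certificates and legitimate telemetry agents reconnect on fixed schedules, so each rule produces false positives on its own and the threshold has to be calibrated against the organisation's own baseline rather than borrowed from an example like this one.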

AI-assisted imposters

Nvidia just this month unveiled extremely lifelike human face rendering, and there's no reason that this technology won't end up in the hands of bad actors, whether they're hacking groups or nation states.

Could facial rendering technologies like these be used to create entirely new personas, perhaps for the spreading of disinformation - in a country like the USA that under the Obama administration made propaganda against its own population entirely legal?

That might sound paranoid, but fifteen years ago you'd be paranoid for suggesting people were watching you through your webcam, until that, well, happened.