Malware & Ransomware Attacks, Threats to IoT Shoot Up

By Invitation Derek Manky

In recent past, IoT (Internet-of-Things) devices were hijacked to shut down a huge section of the Internet. Stolen documents were used in an attempt to influence the US presidential election. Ransomware began to reach epidemic proportions, including high value targeted ransom cases. These and similar attacks have had sweeping impacts beyond their victims.

Russell Skingsley

Watching cyber threats evolve over the past year, a few trends have become apparent to Fortinet:

• The digital footprint of both businesses and individuals has expanded dramatically, increasing the potential attack surface.
• Everything is a target and anything can be a weapon.
• Threats are becoming intelligent, can operate autonomously and are increasingly difficult to detect.
• We are seeing two threat trends: automated attacks against groups of smaller targets and customized attacks against larger targets. These two trends are increasingly being blended together, with automated attacks being used as a first phase, and targeted attacks as a second.

Based on these trends, FortiGuard Labs is making six predictions about the evolution of the cyberthreat landscape for 2017.

1. IoT manufacturers will be held accountable for security breaches

We are in the middle of a perfect storm around IoT. A projected growth to over 20 billion connected devices by 2020, a huge M2M (machine-to-machine) attack surface, built using highly vulnerable code and distributed by vendors with literally no security strategy. And of course, most of these devices are headless, which means we can’t add a security client or even effectively update their software or firmware.

Right now, attackers are having a lot of success simply exploiting known credentials, such as default usernames and passwords or hardcoded backdoors. Beyond these, there is still much low-hanging fruit to exploit in IoT devices, including coding errors, back doors and other vulnerabilities resulting from the junk code often being used to enable IoT connectivity and communications. Given their potential for both mayhem and profit, we predict that attacks targeting IoT devices will become more sophisticated, and be designed to exploit the weaknesses in the IoT communications and data gathering chain.

One likely development is the rise of shadow nets – or IoT botnets that can’t be seen or measured using conventional tools. Shadow net attacks will initially take the form of targeted DDoS attacks combined with demands for ransom. Collecting data, targeting attacks, and obfuscating other attacks are likely to follow.

The security issues around IoT devices are becoming too big for governments to ignore. We predict that unless IoT manufacturers take urgent action, they will not only suffer economic loss, but will be targeted with legislation designed to hold them accountable for security breaches related to their products.

2. From smart to smarter: human-like attacks demand more intelligent offense

Most malware is dumb − it is only programmed with a specific set of objectives. A hacker simply points it at a target, and it either accomplishes its task or it doesn’t. Cybercriminals compensate for the binary nature of such malware in two ways; either through the time-intensive management of multiple tools to guide an attack to a specific target, or through volume. Send out enough malware, or have it replicate itself enough times, and it will eventually find itself loaded onto a device that it can exploit. However, this is about to change.

Threats are getting smarter and are increasingly able to operate autonomously. In the coming year, we expect to see malware designed with adaptive, success-based learning to improve the success and efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and make calculated decisions about what to do next. In many ways, autonomous malware will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection.

3. 20 billion IoT and endpoint devices are the weakest link for attacking the cloud

The move to cloud-based computing, storage, processing, and even infrastructure is accelerating. The millions of remote devices accessing cloud resources make this mode of providing IT services vulnerable to hackers.

Cloud security depends on controlling who is let into the network and how much they are trusted. In this next year, we expect to see attacks designed to compromise this trust model by exploiting endpoint devices, resulting in client side attacks that can effectively target and breach cloud providers.

4. Attackers will turn up the heat in smart cities

More and more countries are building smart cities. The interconnectedness of critical infrastructure, emergency services, traffic control, IoT devices (such as self-driving cars), and even things like voting, paying bills, and the delivery of goods and services will create a massive attack surface. The potential for massive civil disruption should any of these integrated systems be compromised is high, and they are likely to be high-value targets for hackers.

We predict that hackers will move to target building automation and building management systems. Like with the IoT DDoS attacks, these exploits will likely be blunt instrument attacks at first, such as simply shutting down a building’s systems. But the potential for holding a building for ransom by locking the doors, shutting off elevators, rerouting traffic, or simply turning on the alarm system is significant. Once this happens, taking control of centralized systems deployed across a smart city is not far over the horizon.

5. Ransomware was just the gateway malware

Due to its lucrativeness, 2016 growth of ransomware-as-a-service (RaaS) is likely to continue into 2017. We can also see the following ransom-based trends coming:

Higher costs for targeted attacks

We expect to see very focused attacks against high-profile targets, such as celebrities, political figures, and large organizations. In addition to simply locking down systems, these attacks are likely to include the collection of sensitive or personal data that can then be used for extortion or blackmail.

Automated attacks and IoT ransoming

There is a cost threshold for targeting average citizens and consumers that has traditionally prevented it from being cost-effective for attackers. How much will an individual pay to unlock their hard drive, or their car, or have their fire alarm turned off? We predict that this limitation will be overcome in 2017 as automated attacks introduce an economy of scale to ransomware that will allow hackers to cost-effectively extort small amounts of money from large numbers of victims simultaneously, especially by targeting online IoT devices.

Continued targeting of healthcare

The ransom value of a kidnapped record is based on its ability to be replaced. Patient records and other human data are much harder to replace than credit cards. These records also have higher value because they can be used to establish fraud.

Unless healthcare organizations get serious about security, we predict that more of them will be targeted for ransom-based attacks. Other businesses that collect and manage human data, such as law firms, financial institutions, and government agencies, will probably see more attacks too.

6. Technology will have to close the gap on the critical cyber skills shortage

The current shortage of skilled cyber security professionals as calculated by Forbes means that many firms looking to participate in the digital economy will do so at great risk. They simply do not have the experience needed to develop a security policy, protect critical assets that move across network environments, or identify and respond to today’s sophisticated cyber-attacks.

For many, their first response will be to buy traditional security tools, such as a firewall or IPS device. But managing these devices requires specialized resources, and increasingly, such tools cannot effectively secure highly dynamic and widely distributed networks in use today.

We predict that savvy organizations will instead turn to security consulting services that can guide them through the labyrinth of security, or to managed security services providers who can provide a turnkey solution. They may also move the bulk of their infrastructure to the cloud where they can simply add security services with a few clicks of a mouse.

The author of this article, Derek Manky is Global Security Strategist at Fortinet