It’s an annual tradition that security vendors and pundits alike can’t resist: threat predictions for the coming year. However, this is much more than an exercise in crystal ball gazing. Vendors need to accurately predict changes in the threat landscape to design products that effectively address emerging issues. Organizations need to plan appropriate defenses and deploy countermeasures before a novel attack occurs instead of trying to pick up the pieces afterwards.
So what are the trends beyond the buzzwords? Fortinet’s FortiGuard Labs has picked the top five emerging threats that will challenge our defenses and push vendors to develop novel solutions that protect customers from increasingly savvy cybercriminals, more intelligent malware, and more determined state actors.
No, this isn’t the title of a bad sci-fi movie. 2015 saw a number of proofs of concept and active attacks involving connected “headless devices” – the so-called Internet of Things. Malware that infects Point of Sale devices, for example, is now in Japan’s top 10 list of malware in the wild, while researchers made headlines by compromising and controlling a connected vehicle in motion.
In 2016, though, we expect to see further development of exploits and malware that target trusted communication protocols and APIs like Bluetooth, Zigbee, and others commonly used by IoT devices. More importantly, IoT will become central to “land and expand” attacks. Hackers will take advantage of vulnerabilities in everything from smart home devices to wearables to compromise corporate-issued devices or corporate networks. As the attack surface for IoT grows dramatically, so do the opportunities to propagate malware among the devices, many of which may find their way onto corporate networks or connect to repositories of personal data.
Yes, the sci-fi allusions continue, but for good reason: IoT will not just give rise to larger attack surfaces with more exploitable vulnerabilities but also to new targets for destructive malware. Consider the Morris worm, which hit Unix-based operating systems in 1989. It infected roughly 10% of connected Unix machines (at the time, a mere 6000 servers and workstations), and damage estimates for that single worm ran into the millions. Now consider that Gartner predicts that there will be more than 20 billion IoT devices by 2020. You can do the math, but the potential damage caused by “headless worms” that could disable these machines is staggering.
FortiGuard researchers and others have already demonstrated that it is possible to infect headless devices with small amounts of code that can propagate and persist. Worms and viruses that can propagate from device to device are just around the corner.
Just this year, a decade-old vulnerability known as Venom captured media attention when it became clear that it could use floppy disk drivers on virtualized systems to break out of the hypervisor and access the host operating system. As adoption of cloud and virtualization technologies continues to increase, we expect attackers to develop malware and seek out vulnerabilities that can further compromise host systems. It’s a short step, then, to additional corporate assets and the larger network in virtualized and private/hybrid cloud environments.
Beyond attacks on virtualized systems, though, attacks on both public and private cloud-based systems are increasingly likely. The prevalence of mobile applications (again, from both public and corporate app stores) makes mobile devices potential vectors for remote attacks on cloud-based applications and virtualized systems.
In 2014, we predicted the emergence of “blastware”, malware designed to destroy both itself and the host system if it was detected by antivirus software. Rombertik, though somewhat overblown in the media, gave the first hint of what this kind of software could do to infected systems. We expect blastware to continue to surface, especially in cases of hacktivism and state-sponsored cybercrime.
However, ghostware takes this concept further. Whereas blastware leaves the ultimate indicator of compromise (a crashed or disabled system), ghostware is designed to extricate data and then erase indicators of compromise before it can be detected, making it very difficult for organizations to track the extent of data loss associated with an attack.
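The practical countermeasure to malware that erases its own indicators of compromise is to make sure the indicators already exist somewhere the malware cannot reach: forward every endpoint event off-host as it happens, and hash-chain the stream so that the receiver can tell when entries were edited, deleted or cut off after the fact. The following is an added illustration written for this post, not FortiGuard code; the event records, hostnames, paths and the 203.0.113.9 address are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor hash for the first entry in a chain


def _digest(prev_hash: str, record: dict) -> str:
    """Bind a record to its predecessor: SHA-256 over (previous hash || canonical JSON)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_chain(records):
    """Hash-chain records in order, as a host-side shipper would before forwarding each one."""
    chain, prev = [], GENESIS
    for rec in records:
        h = _digest(prev, rec)
        chain.append({"prev": prev, "record": rec, "hash": h})
        prev = h
    return chain


def verify_chain(chain, expected_head=None):
    """Return (ok, detail).

    Walking the chain detects in-place edits and deletions of interior entries.
    Passing the receiver's last-known head hash additionally catches silent
    truncation of the tail, which a bare walk cannot see.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, f"break at index {i}"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "tail truncated: head does not match receiver's copy"
    return True, f"{len(chain)} entries intact"


# Constructed sample telemetry (assumed format; not from any real sensor).
SAMPLE_EVENTS = [
    {"ts": "2015-12-01T10:00:00Z", "host": "ws-17", "event": "process_start", "image": "outlook.exe"},
    {"ts": "2015-12-01T10:00:04Z", "host": "ws-17", "event": "file_write", "path": "C:\\Temp\\stage.tmp"},
    {"ts": "2015-12-01T10:00:09Z", "host": "ws-17", "event": "net_connect", "dst": "203.0.113.9:443"},
    {"ts": "2015-12-01T10:01:30Z", "host": "ws-17", "event": "file_delete", "path": "C:\\Temp\\stage.tmp"},
]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # what the remote receiver holds after the last forwarded entry
    print("intact:", verify_chain(chain, head))
    # Simulate the host-side copy after the network-connect entry has been scrubbed.
    scrubbed = chain[:2] + chain[3:]
    print("interior deletion:", verify_chain(scrubbed, head))
    # Simulate the last entry being cut off entirely.
    print("tail truncation:", verify_chain(chain[:3], head))
```

The chain itself is not the protection: an attacker with full control of the host can simply recompute every hash over a rewritten log. What makes the scheme useful is that each entry and the current head were already shipped to a receiver the malware cannot write to, so any later discrepancy between the host's copy and the receiver's copy is itself the indicator of compromise that the ghostware was trying to remove.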
If evading detection after infection is the name of the game for ghostware, two-faced malware is all about evading detection at the outset, even under inspection by advanced sandboxing techniques. Sandboxes are designed to observe the behavior of potentially malicious files at runtime, detecting software that may not be flagged by traditional antivirus. Malware that behaves normally while under inspection and delivers its malicious payload only after the sandbox has passed it, though, can prove quite challenging to detect.
More significantly, this two-faced malware may be flagged as safe by the sandbox and then reported back to vendors’ threat intelligence systems so that it isn’t inspected in the future, compounding the challenges that this type of malware poses to vendors and organizations.
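The compounding problem described above is a cache-policy problem: a “clean” verdict that is treated as permanent lets one evasive run poison every later decision. One way to limit that is to treat benign verdicts as provisional, expiring them quickly, invalidating them when the analysis environment differs from the one that issued them, and re-submitting a sample whenever post-clearance endpoint telemetry contradicts the verdict, while malicious verdicts stay sticky. The following verdict cache is an added example written for this post, not Fortinet product logic; the TTL values, profile names and telemetry signal names are assumptions.

```python
from dataclasses import dataclass

# Policy constants (constructed assumptions, not vendor defaults): a benign verdict is
# provisional and expires far sooner than a malicious one.
BENIGN_TTL_SECONDS = 24 * 3600
MALICIOUS_TTL_SECONDS = 30 * 24 * 3600


@dataclass
class Verdict:
    label: str        # "benign" or "malicious"
    issued_at: float  # epoch seconds when the sandbox produced the verdict
    profile: str      # analysis environment that produced it, e.g. "win10-default"


class VerdictCache:
    """Hash-keyed cache of sandbox verdicts that never treats 'benign' as final."""

    def __init__(self):
        self._verdicts: dict[str, Verdict] = {}

    def record(self, sha256: str, label: str, profile: str, now: float) -> None:
        self._verdicts[sha256] = Verdict(label, now, profile)

    def should_reinspect(self, sha256: str, profile: str, now: float, signals: set):
        """Decide whether a sample seen again must go back to the sandbox.

        `signals` is a set of telemetry observations gathered from hosts after the
        sample was cleared (constructed names, e.g. "unexpected_outbound_connection").
        Returns (reinspect, reason).
        """
        v = self._verdicts.get(sha256)
        if v is None:
            return True, "no cached verdict"
        if v.label == "malicious":
            if now - v.issued_at > MALICIOUS_TTL_SECONDS:
                return True, "malicious verdict expired"
            return False, "cached malicious verdict"
        # Benign verdicts are provisional: each of the checks below can reopen them.
        if now - v.issued_at > BENIGN_TTL_SECONDS:
            return True, "benign verdict expired"
        if v.profile != profile:
            return True, "verdict came from a different analysis profile"
        if signals:
            return True, "post-clearance telemetry: " + ", ".join(sorted(signals))
        return False, "recent benign verdict from same profile"


if __name__ == "__main__":
    cache = VerdictCache()
    t0 = 1_449_000_000.0          # arbitrary epoch timestamp for the demo
    sample = "a" * 64             # placeholder SHA-256 of a constructed sample
    cache.record(sample, "benign", "win10-default", t0)
    print(cache.should_reinspect(sample, "win10-default", t0 + 60, set()))
    print(cache.should_reinspect(sample, "win10-long-run", t0 + 60, set()))
    print(cache.should_reinspect(sample, "win10-default", t0 + 60,
                                 {"unexpected_outbound_connection"}))
```

The asymmetry is deliberate: a false “malicious” costs one re-analysis, whereas a false “benign” that is cached indefinitely is exactly the outcome the two-faced sample is engineered to produce. Running a second, differently configured profile (longer observation window, different environment fingerprint) for samples that were cleared once is what makes the profile check meaningful.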
The bottom line for vendors is that malware authors are getting savvier while attackers are taking advantage of growing attack surfaces. For organizations, selecting vendors that can keep up with these new threats will be critical to staying on top of malware and preventing data loss and system destruction in 2016.
Click here to download the full report from FortiGuard Labs.