During an impromptu press conference on New Year's Eve, U.S. President-elect Donald Trump responded to a question about cybersecurity by stating that, "no computer is safe and if you have something important, write it and send it by courier". While that statement might be a little dramatic, many experts across the cybersecurity landscape agree that 2016 was just a warmup for what’s to come. The explosive growth of IoT, the introduction of new types of malware and the cybercriminal exploitation of AI and machine learning are sparking alarm bells for cybersecurity specialists worldwide. Here’s what we believe is in store for organizations to contend with in 2017.
Evolution of IoT based DDoS attacks
Cybercriminals love IoT devices because they are making for easy targets. More often than not, IoT devices are not designed with security in mind and share weak default passwords across multiple devices or even classes of devices. As a result, most IoT devices are extremely easy to hack into. What is even more troubling, is that by breaking into one device the hacker gets access to multiple devices, rapidly growing his botnet army.
Putting the lack of security-centric approach aside, advanced security features on IoT devices are often not feasible as they require too much disk space to be practical for devices that typically have only as much processing capacity and memory as needed for their highly limited tasks.
These flaws can lead to massive IoT-based DDoS attacks, like the one that hit Singapore’s StarHub a few months back. Multiple IoT devices, such as CCTV cameras and routers were hijacked by Mirai botnet to perpetrate a massive DDoS attack on StarHub servers, leading to downtime and disruption of service.
Mathew Bing, a Research Analyst at Arbor Networks laid out five reasons why IoT devices are becoming the favorite method to create DDoS bot armies. IoT devices usually:
- Contain a weak version of Linux, which allows for easy malware penetration.
- Have limited or no bandwidth limitations, meaning they have unfettered access to the internet.
- Maintain simple operating systems that do not allow for extensive security features.
- Share default passwords.
- Share software from other classes of devices.
While the above five shortcuts might save time during the development stage, it ends up costing companies and consumers heavily down the line.
Following the massive IoT-powered DDoS attack on KrebsOnSecurity, the source code behind Mirai malware has been publically released. “Mirai,” spreads by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. In all, there were merely 68 username and password pairs in the botnet source code. However, many of those are generic and shared across multiple devices, including routers, security cameras, printers and DVRs. To make matters worse, these credentials are hardcoded in the firmware of the product and cannot be changed, so there is nothing to remedy this vulnerability at the moment.
How has Mirai evolved? Initially Mirai only attacked IoT devices via default usernames and passwords to create a botnet of IoT devices. However, as Mirai became more advanced, it began also perpetrating multiple and simultaneous types of attacks like SYN, UDP, VSE, GRE and ACK flooding against even unrelated targets. Additionally, once a device is infected and connected to a Mirai botnet, the infected device begins scanning and corrupting more devices and thus the botnet zombie army grows.
IoT device based DDoS attacks are certainly on the rise and new more dangerous breeds are developing, as the recent massive Mirai powered DDoS attack on Dyn via 100,000 IoT devices demonstrates. While individual websites have been overwhelmed before by IoT bots, this attack succeeded in disrupting a major internet provider and harmed access to multiple sites like Amazon.
The rise of Gooligan-like threats
It appears that Ghost Push has risen again, but this time in the form of Gooligan. This new and furious super-malware is perhaps the fastest growing malware on the planet, hacking over 13,000 Google accounts per day and compromising over 1 million accounts over the last few months. The malware infects mobile devices like Android 4 and 5 and steals google authentication tokens on a number of OS versions like Ice Cream Sandwich, Jelly Bean, KitKat or Lollipop.
According to Checkpoint, Gooligan accounts for the largest Google breach to date, and is boosted by a growing number of fake apps. Checkpoint clearly spelled out how the scheme works.
- The fake app is downloaded by an unsuspected user, either via a malicious link or a third-party app store, and the malware starts to automatically transmit data from the device to a C&C (Command and Control server).
- The C&C then downloads a rootkit to take advantage of exploits like VROOT and takes over the control of the phone. Gooligan can then steal Gmail accounts, install more fake apps and rate them to boost ratings and even install adware to generate revenue.
According to a report by Business Insider, the Gooligan malware is generating $300,000 in ad revenue from fake ad views, which is probably the biggest cyber-fraud affecting media industry in history.
Gooligan has been joined by a number of related fake apps that carry malware and specialize in targeting banks like "The Trojan", which has already hacked 94 major banking apps in the US and Europe. Major targets like American Express, PayPal Deutsche Bank among others have been hit. There is no doubt that malware will continue to evolve and grow even more dangerous going into 2017.
Exploitation of A.I. and Machine Learning
If all the above problems were not enough, artificial intelligence and machine learning are presenting new concerns for the IT community. The NY Times ran an article mentioning that as the $75 Billion computer security industry begins to openly talk about how to incorporate A.I. into cyberdefense the bad guys are already one step ahead. New technologies allow for automation of cybercrime, making it exponentially scalable.
For instance, the article cited the use of Blackshades, which was developed to allow technically inept people to easily deploy ransomware to perform video or audio eavesdropping. This has become known as a “criminal franchise in a box", because actions are executed with the click of a mouse. While the developer is now sitting in a US jail, the high demand means that we will encounter more and more of such “user-friendly” solutions in the future.
With A.I. the opportunities are endless and now the criminals can even take advantage of voice-recognition technology like Apple’s Siri, Microsoft’s Cortan, Amazon’s Echo voice-controlled speaker and Facebook’s Messenger chatbot. In fact, back in 2015 UAB researchers found that cybercriminals could steal someone's voice and use voice morphing tools to perpetrate identity theft or steal bank account information.Organized cybercriminal campaigns
2016 was witness to an increase in highly organized cybercriminal campaigns that have affected everyone from mega banks to the mom-and-pop jewelry shops. Politically or economically motivated cyber-gangs are growing more organized and dangerous. The “lone hacker” stereotype is becoming a thing of the past.
In May 2016, "Anonymous" launched a 30 day DDoS campaign against banks worldwide targeting Guernsey, Cyprus, Panama, Jordan, British Virgin Isles, Dominican Republic, Netherlands and Maldives among many others. They are claiming that they will soon run the mother of all campaigns to wipe out world debt. While this might make some people happy, it would certainly throw the world into chaos.
From the exploitation of A.I. by organized hacker groups to the ever-evolving nature of DDoS with the help of an IoT zombie army, cyber criminals are moving in sync with the latest developments in technology. That is why it is now imperative for companies of all sizes to redefine their cybersecurity strategy and move from a defensive to offensive posture. When facing a cutting edge cyberattack, the firewall and antivirus are simply not going to do the trick.
Contact Cyberint and learn to keep your organization one step ahead and protect itself beyond the perimeter.