Risk
3/3/2016
09:30 PM

7 Attack Trends Making Security Pros Sweat

A look at the most dangerous threats and what to expect for the rest of 2016.

SAN FRANCISCO -- RSA Conference 2016 -- This week RSA Conference has given the security industry a good excuse to take time for some introspection and examine the breaches and attack trends that have plagued it most in the past year. Researchers with the SANS Institute took full advantage of the opportunity to give a packed house a rundown of the threats and attack techniques that have come to the forefront lately, the ones the security industry is most likely to find itself fighting in the year to come.

Here's a look:

Weaponization of Windows PowerShell

According to Ed Skoudis, a SANS fellow, in spite of the security headway made with PowerShell 5, the industry still faces years of attackers abusing PowerShell. The advent of tools like PowerShell Empire has all but assured that, he explained.

"We have pretty much three to five years left of attackers having unfettered PowerShell access. But I'll take that, right?" he says. "These things are moving in the right direction, but until we get these things thoroughly deployed, there's still a lot of attacks in PowerShell."

Stagefright-Like Mobile Vulnerabilities

A system-level vulnerability in many versions of Android smartphones discovered last year, Stagefright, is a bug in a core library file of the operating system that opened up vulnerable devices to being compromised by attackers using a specially crafted MP3 or MP4 file delivered via MMS or other means. As Skoudis explained, the weakness itself was troubling enough, but what it uncovered was also a fundamental difficulty in getting handset makers, mobile platform developers, and carriers to cooperate quickly enough to enable users to patch their phones.

"If you look at the financial motivations that the various handset providers as well as the mobile operators have, their biggest motivation is not patching your existing phone, it's selling you your next phone," he explained.

He nevertheless exhorted the crowd to do its best to keep devices patched and to run the most recent smartphone operating system versions possible.

"Also, via your mobile device management infrastructure consider forcing your users to use a recent version of their mobile operating system such as Android or iOS," he said.

Developer Environment Vulns Like Xcode Ghost

Xcode Ghost last year gave the industry a wake-up call about the security of the mobile app supply chain.

"What happened here is the bad guys put up Trojan horse backdoor versions of Apple's Xcode development environment and made them downloadable," Skoudis said. "When the bad guys are able to successfully undermine the software environments that we have, they have a significant leg up on us."

He believes that in the next year the security industry is likely to see more targeting like this, and very likely it will be aimed at the enterprise.

"I expect to see in the next year [the] targeting of enterprise application stores. So you could have your own enterprise app store where you're pushing your own code, that you approve in your own enterprise," he said. "The bad guys are going to start going after those enterprise app stores. Not Apple's app store, but the enterprise one, and putting malware on it."

ICS Attacks

Security wonks have been raising the volume of their cries about the universal weaknesses of industrial control systems (ICS), the brains behind the world's critical infrastructure such as power, gas, and water distribution. SANS expert Johannes Ullrich, director of the Internet Storm Center, explained how the attack against the Ukrainian power grid last December fully highlighted how vulnerabilities in ICS could really put critical infrastructure at risk.

It was a complicated attack that started with a phish, jumped through numerous systems including uninterruptible power supply (UPS) systems, and even involved a DDoS-like attack against the customer service phone system to buy the attackers time to reach their target.

As Ullrich explained, the Ukrainians were somewhat lucky in that the outage lasted only six hours rather than longer. The real difficulty is the long-lasting impact this kind of attack has on the underlying ICS infrastructure, because the attack used KillDisk to delete boot sectors on a number of systems used by power operators across the grid.

"As far as I know, up to today, they're still working on actually getting full control back. It went into the power system and then caused lasting damage to the power system. Can it be fixed? Sure," he said. "But now you have to go out, you have to replace all of those devices. And how are you ever going to trust your network again?"

Targeting Insecure Third-Party Software Components

"When I code, I don't write software from scratch, nobody does that. I write duct tape that ties a couple of components together," says Ullrich. "That's how software is written these days, and developers never look at the source code that's underneath."

Increasingly, attackers are streamlining their work by attacking vulnerable software components that they know will give them an easy way into a wide array of software rather than a single application. IT organizations are going to need to redouble their efforts toward instituting "standard sane security development practices," Ullrich says.

This means cataloging and enumerating every component in use across the corporate code base, knowing when those components change and, better still, standardizing on a vetted, up-to-date library of components to reduce the organization's risk from third-party code.
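The practice Ullrich describes (enumerate which components each application uses, notice when they change, and hold every use to an approved catalog) can be scripted. The block below is an added example, not code from the article or from SANS. It assumes each application keeps a pip-style requirements manifest with exact `==` pins; the component names, versions, application names and the approved baseline are all constructed sample data. It goes slightly beyond the text by also reporting unpinned entries, which cannot be inventoried at all, and by diffing two snapshots of one application to surface component changes.

```python
"""Catalog third-party components across applications and flag drift.

Added example (not from the article or SANS): it assumes each application
keeps a pip-style requirements manifest with exact '==' pins.  All component
names, versions and the approved baseline below are constructed sample data.
"""
import re

# Exact pin: name==version, with an optional trailing comment.
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*(?:#.*)?$")


def normalize(name):
    """Fold case and separator differences so PyYAML and pyyaml are one entry."""
    return name.lower().replace("_", "-")


def parse_manifest(text):
    """Return ({component: version}, [(lineno, offending line)]).

    Unpinned ranges such as 'requests>=2.0' are reported rather than skipped:
    an unpinned component cannot be inventoried or compared to a baseline.
    """
    pins, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            problems.append((lineno, line))
            continue
        pins[normalize(m.group(1))] = m.group(2)
    return pins, problems


def version_key(version):
    """Numeric-aware sort key so 3.10 orders after 3.9; tagged tuples keep
    numeric and non-numeric parts comparable."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def build_inventory(manifests):
    """Enumerate component usage across the code base: {component: {app: version}}."""
    usage = {}
    for app, text in manifests.items():
        pins, _ = parse_manifest(text)
        for comp, ver in pins.items():
            usage.setdefault(comp, {})[app] = ver
    return usage


def check_baseline(usage, baseline):
    """Hold every use to the approved catalog {component: minimum version}.

    Returns (kind, app, component, detail) tuples; kind is 'unapproved' for a
    component absent from the catalog and 'outdated' for a version below minimum.
    """
    findings = []
    for comp, apps in sorted(usage.items()):
        for app, ver in sorted(apps.items()):
            if comp not in baseline:
                findings.append(("unapproved", app, comp, f"{ver} not in approved catalog"))
            elif version_key(ver) < version_key(baseline[comp]):
                findings.append(("outdated", app, comp,
                                 f"{ver} < approved minimum {baseline[comp]}"))
    return findings


def drift(previous_text, current_text):
    """Report how one application's components changed between two snapshots."""
    old, _ = parse_manifest(previous_text)
    new, _ = parse_manifest(current_text)
    return {
        "added": {c: new[c] for c in new.keys() - old.keys()},
        "removed": {c: old[c] for c in old.keys() - new.keys()},
        "changed": {c: (old[c], new[c]) for c in old.keys() & new.keys() if old[c] != new[c]},
    }


# Constructed sample data: a small approved catalog and three application manifests.
BASELINE = {"requests": "2.9.0", "pyyaml": "3.11", "lxml": "3.5.0"}
MANIFESTS = {
    "billing-api": "requests==2.9.1\nPyYAML==3.11\n",
    "reporting": "requests==2.7.0\nlxml==3.4.4\nunvetted-lib==0.1  # not in catalog\n",
    "portal": "requests>=2.0\nlxml==3.5.0\n",
}
PREVIOUS_BILLING = "requests==2.8.1\nPyYAML==3.11\nsix==1.10.0\n"  # earlier snapshot

if __name__ == "__main__":
    usage = build_inventory(MANIFESTS)
    for kind, app, comp, detail in check_baseline(usage, BASELINE):
        print(f"[{kind}] {app}: {comp} {detail}")
    for app, text in MANIFESTS.items():
        for lineno, line in parse_manifest(text)[1]:
            print(f"[unpinned] {app} line {lineno}: {line!r}")
    print("billing-api drift:", drift(PREVIOUS_BILLING, MANIFESTS["billing-api"]))
```

Run against the sample data, the report flags the reporting application for two outdated pins and one component that is not in the catalog, flags the portal manifest for an unpinned `requests` entry, and shows that billing-api dropped `six` and moved `requests` between snapshots. In a real pipeline the manifests would be read from each repository and the findings fed into the same review queue as any other build failure.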

Internet of Evil Things

Attackers are starting to push the technical boundaries of the Internet of Things (IoT), seeking profitable ways to take advantage of devices and sensors embedded in our everyday lives. According to Ullrich, the early motives fall into two main categories. The first and most obvious is DDoS attacks, as the small devices "make really nice reflectors."

They're also finding that in the corporate environment, embedded devices and other IoT connection points make for a great way to start probing internal networks.

"Because now they have a little beachhead that they can use to attack other devices, not just other devices on the Internet, but in your network," he says.

Changing Malware Economics Presses Ransomware Push

Finally, Ullrich noted that the recent spate of ransomware is not going to let up, because the economics of malware and cybercrime are changing.

As he puts it, "all the data has been stolen" already. With huge credit card heists going non-stop for the better part of a decade, and others like the OPM breach continuing to come to light, attackers are finding that they just can't make the same amount of money off selling stolen data that they used to.

"It's really hard these days to get rid of credit card numbers because there's so many out there," he says. "So then someone had the brilliant idea years ago: 'Why don't we just sell the data back to the owner?'"

This was the opening gambit to what he and many security experts believe will be an increasingly complicated play to defraud via blackmail rather than out-and-out theft and fencing. He warns that enterprises should expect to be the next big ransomware targets.

"It used to be much more of the end user product where grandma's computer gets infected, they encrypt a file, and try to sell it back. Just the last couple of weeks, you had the three different hospitals that had their data encrypted and servers are getting attacked more and more."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

audrey-privateblog
User Rank: Apprentice
3/9/2016 | 2:52:01 AM
Interesting
Thank you for this interesting article Ericka

jc01480
User Rank: Apprentice
3/7/2016 | 10:12:14 PM
Great Read
Thank you for a rundown of some recent threats. Usually I'm heads down with eyes on glass looking for indicators. Refreshing to know you are pulling this together for the industry. Many thanks!