7 Attack Trends Making Security Pros Sweat

A look at the most dangerous threats and what to expect for the rest of 2016.

SAN FRANCISCO -- RSA Conference 2016 -- This week RSA Conference has given the security industry a good excuse to take time for some introspection and to examine the breaches and attack trends that have plagued it most in the past year. Researchers with the SANS Institute took full advantage of the opportunity to give a packed house a rundown of the threats and attack techniques that have come to the forefront lately, the ones the security industry is most likely to find itself fighting in the year to come.

Here's a look:

Weaponization of Windows PowerShell

According to Ed Skoudis, a SANS fellow, in spite of the security headway made with PowerShell 5, the industry still faces years of attackers abusing PowerShell. The advent of tools like PowerShell Empire has all but assured that, he explained.

"We have pretty much three to five years left of attackers having unfettered PowerShell access. But I'll take that, right?" he says. "These things are moving in the right direction, but until we get these things thoroughly deployed, there's still a lot of attacks in PowerShell."

Stagefright-Like Mobile Vulnerabilities

Stagefright, a system-level vulnerability discovered last year in many versions of Android smartphones, is a bug in a core library of the operating system that exposed vulnerable devices to compromise via a specially crafted MP3 or MP4 file delivered over MMS or by other means. As Skoudis explained, the weakness itself was troubling enough, but it also exposed a more fundamental difficulty: getting handset makers, mobile platform developers, and carriers to cooperate quickly enough for users to patch their phones.

"If you look at the financial motivations that the various handset providers as well as the mobile operators, their biggest motivation is not patching your existing phone, it's selling you your next phone," he explained.

He exhorted the crowd to nevertheless do its best to keep devices patched and use the most recent versions of smartphone device operating systems possible.

"Also, via your mobile device management infrastructure consider forcing your users to use a recent version of their mobile operating system such as Android or iOS," he said.

Developer Environment Vulns Like Xcode Ghost

Xcode Ghost last year gave the industry a wake-up call about the security of the mobile app supply chain.

"What happened here is the bad guys put up Trojan horse backdoor versions of Apple's Xcode development environment and made them downloadable," Skoudis said. "When the bad guys are able to successfully undermine the software environments that we have, they have a significant leg up on us."

He believes that in the next year the security industry is likely to see more targeting like this, and very likely it'll be aimed in the direction of the enterprise.

"I expect to see in the next year [the] targeting of enterprise application stores. So you could have your own enterprise app store where you're pushing your own code, that you approve in your own enterprise," he said. "The bad guys are going to start going after those enterprise app stores. Not Apple's app store, but the enterprise one, and putting malware on it."
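The defensive counterpart to the Xcode Ghost story is refusing to install a development toolchain whose download does not match the publisher's published digest. The following is an added example, not code from the article, from SANS or from Apple: it verifies a downloaded installer against a SHA256SUMS-style checksum manifest. The manifest layout is assumed, and the sample manifest and file contents are constructed for illustration.

```python
"""Verify a downloaded toolchain installer against a publisher's checksum manifest.

Added example for the Xcode Ghost discussion; not code from the article, SANS
or Apple. The "<hex digest>  <filename>" manifest layout is assumed, and the
sample manifest below is constructed (its digest is SHA-256 of b"hello").
"""
import hashlib
import hmac
import io

# Constructed sample manifest in the common "<hex digest>  <filename>" layout.
SAMPLE_MANIFEST = """
# toolchain-release-checksums (constructed sample)
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  toolchain-installer.dmg
"""

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so multi-GB installers fit in memory


def parse_checksum_manifest(text):
    """Map filename -> expected lowercase hex SHA-256 digest; skip blanks and comments."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, filename = parts
        expected[filename] = digest.lower()
    return expected


def sha256_of_stream(stream):
    """Stream the file through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_stream(stream, filename, manifest_text):
    """Return 'ok', 'mismatch' or 'unlisted'. An unlisted file is a failure too:
    a download the publisher never enumerated must not be installed."""
    expected = parse_checksum_manifest(manifest_text)
    if filename not in expected:
        return "unlisted"
    actual = sha256_of_stream(stream)
    # compare_digest is the idiomatic constant-time digest comparison.
    return "ok" if hmac.compare_digest(actual, expected[filename]) else "mismatch"


def verify_bytes(data, filename, manifest_text=SAMPLE_MANIFEST):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return verify_stream(io.BytesIO(data), filename, manifest_text)


def verify_file(path, filename, manifest_text):
    """Verify an installer on disk against the manifest."""
    with open(path, "rb") as f:
        return verify_stream(f, filename, manifest_text)


if __name__ == "__main__":
    print(verify_bytes(b"hello", "toolchain-installer.dmg"))   # ok
    print(verify_bytes(b"hello!", "toolchain-installer.dmg"))  # mismatch
    print(verify_bytes(b"hello", "other.pkg"))                 # unlisted
```

The check is only as good as where the manifest came from: a digest fetched from the same mirror as the trojanized installer proves nothing, so the manifest must be obtained from the publisher over an independent, authenticated channel, and the platform's own code-signature verification of the installer is the stronger control where it is available.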

ICS Attacks

Security wonks have been increasing the volume on their cries about the universal weaknesses facing the industrial control systems (ICS) that provide the brains behind the world's critical infrastructure, such as power, gas and water distribution. SANS expert Johannes Ullrich, director of the Internet Storm Center, explained how the attack against the Ukrainian power grid last December highlighted just how much vulnerabilities in ICS can put critical infrastructure at risk.

It was a complicated attack that started with a phish, jumped through numerous systems, including uninterruptible power supply (UPS) systems, and even involved a DDoS-like attack against the customer service phone system to buy the attackers time to reach their target.

As Ullrich explained, the Ukrainians were somewhat lucky that the outage lasted only six hours. The harder problem is the lasting impact this kind of attack has on the underlying ICS infrastructure: the attackers used KillDisk to wipe the boot sectors of a number of systems used by power operators across the grid.

"As far as I know, up to today, they're still working on actually getting full control back. It went into the power system and then caused lasting damage to the power system. Can it be fixed? Sure," he said. "But now you have to go out, you have to replace all of those devices. And how are you ever going to trust your network again?"

Targeting Insecure Third-Party Software Components

"When I code, I don't write software from scratch, nobody does that. I write duct tape that ties a couple of components together," says Ullrich. "That's how software is written these days, and developers never look at the source code that's underneath."

Increasingly, attackers are streamlining their work by going after vulnerable software components they know will give them an easy way into a wide array of software rather than a single application. IT organizations are going to need to redouble their efforts toward instituting "standard sane security development practices," Ullrich says.

This means cataloging and enumerating the use of components throughout the corporate code base, understanding when those components change and, even better, working to find ways to standardize on a safe and updated library of components to reduce risk to the organization from third-party components.
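The three steps just described (enumerate the components in the code base, notice when they change, hold them to a standardized approved set) can be automated against a build manifest. What follows is an added example, not code from the article or from SANS: it assumes a pip-style `name==version` manifest and an organization-maintained catalog of minimum approved versions. The two manifests, the catalog and the package name `left-pad-py` are all constructed for illustration.

```python
"""Inventory and audit third-party components pinned in a build manifest.

Added example for the component-hygiene discussion; not code from the article
or SANS. Assumes a pip-style "name==version" manifest and an approved catalog
of minimum versions. Manifests, catalog and "left-pad-py" are constructed.
"""
import re

# Constructed: the previous release's manifest and the current one.
MANIFEST_PREVIOUS = """
# build manifest, previous release (constructed sample)
requests==2.8.1
pyyaml==3.11
flask==0.10.1
"""

MANIFEST_CURRENT = """
# build manifest, current release (constructed sample)
requests==2.9.1
pyyaml==3.11
flask==0.10.1
left-pad-py==0.1.0
"""

# Constructed: the organization's standardized catalog (name -> minimum approved version).
APPROVED_CATALOG = {
    "requests": "2.9.0",
    "pyyaml": "3.12",
    "flask": "0.10.1",
}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)$")


def parse_manifest(text):
    """Return {name: version}. Unpinned requirements are rejected: an inventory
    that cannot say which version ships is not an inventory."""
    components = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        components[match.group(1).lower()] = match.group(2)
    return components


def version_key(version):
    """Numeric comparison key: '2.9.1' -> (2, 9, 1). Sufficient for the
    dotted-integer versions used here; not a full PEP 440 parser."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def diff_inventories(previous, current):
    """Report what changed between two inventories so every change gets reviewed."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(n for n in set(previous) & set(current) if previous[n] != current[n])
    return {"added": added, "removed": removed, "changed": changed}


def audit_inventory(components, catalog):
    """Flag components missing from the approved catalog or below its minimum version."""
    findings = []
    for name, version in sorted(components.items()):
        if name not in catalog:
            findings.append((name, "not in approved catalog"))
        elif version_key(version) < version_key(catalog[name]):
            findings.append((name, f"below approved minimum {catalog[name]}"))
    return findings


if __name__ == "__main__":
    previous = parse_manifest(MANIFEST_PREVIOUS)
    current = parse_manifest(MANIFEST_CURRENT)
    print("changes since last release:", diff_inventories(previous, current))
    for name, reason in audit_inventory(current, APPROVED_CATALOG):
        print(f"FINDING {name}: {reason}")
```

Run as a build step, the diff surfaces the newly introduced `left-pad-py` and the `requests` bump for review, and the audit fails the build on the unapproved package and on `pyyaml` sitting below the catalog's minimum; a real deployment would load the catalog from a repository the security team controls rather than from a constant.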

Internet of Evil Things

Attackers are starting to push the technical boundaries of the Internet of Things (IoT), seeking profitable ways to take advantage of the devices and sensors embedded in everyday life. According to Ullrich, the early activity appears driven by two main motives. The first and most obvious is DDoS attacks, since the small devices "make really nice reflectors."

They're also finding that in the corporate environment, embedded devices and other IoT connection points make for a great way to start probing internal networks.

"Because now they have a little beachhead that they can use to attack other devices, not just other devices on the Internet, but in your network," he says.

Changing Malware Economics Presses Ransomware Push

Finally, Ullrich noted that the recent spate of ransomware is not going to let up, because the economics of malware and cybercrime are changing.

As he puts it, "all the data has been stolen" already. With huge credit card heists going non-stop for the better part of a decade, and others like the OPM breach continuing to come to light, attackers are finding that they just can't make the same amount of money off selling stolen data that they used to.

"It's really hard these days to get rid of credit card numbers because there's so many out there," he says. "So then someone had the brilliant idea years ago: 'Why don't we just sell the data back to the owner?'"

This was the opening gambit to what he and many security experts believe will be an increasingly complicated play to defraud via blackmail rather than out-and-out theft and fencing. He warns that enterprises should expect to be the next big ransomware targets.

"It used to be much more of the end user product where grandma's computer gets infected, they encrypt a file, and try to sell it back. Just the last couple of weeks, you had the three different hospitals that had their data encrypted and servers are getting attacked more and more."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
