7 Attack Trends Making Security Pros Sweat

A look at the most dangerous threats and what to expect for the rest of 2016.

SAN FRANCISCO -- RSA Conference 2016 -- This week RSA Conference has given the security industry a good excuse to take time for some introspection and examine the breaches and attack trends that have plagued it most in the past year. Researchers with the SANS Institute took full advantage of the opportunity to give a packed house a run-down of the threats and attack techniques that have come to the forefront lately, the ones the security industry is most likely to find itself fighting in the year to come.

Here's a look:

Weaponization of Windows PowerShell

According to Ed Skoudis, a SANS fellow, in spite of the headway in security made with PowerShell 5, the industry is still going to face years of attackers abusing PowerShell. The advent of tools like PowerShell Empire has all but assured that, he explained.

"We have pretty much three to five years left of attackers having unfettered PowerShell access. But I'll take that, right?" he says. "These things are moving in the right direction, but until we get these things thoroughly deployed, there's still a lot of attacks in PowerShell."

Stagefright-Like Mobile Vulnerabilities

Stagefright, a system-level vulnerability discovered last year in many versions of Android, is a bug in a core library of the operating system that let attackers compromise vulnerable devices using a specially crafted MP3 or MP4 file delivered via MMS or other means. As Skoudis explained, the weakness itself was troubling enough, but it also exposed a fundamental difficulty in getting handset makers, mobile platform developers, and carriers to cooperate quickly enough for users to patch their phones.

"If you look at the financial motivations that the various handset providers as well as the mobile operators, their biggest motivation is not patching your existing phone, it's selling you your next phone," he explained.

He nevertheless exhorted the crowd to do its best to keep devices patched and to run the most recent smartphone operating system versions possible.

"Also, via your mobile device management infrastructure consider forcing your users to use a recent version of their mobile operating system such as Android or iOS," he said.

Developer Environment Vulns Like XcodeGhost

XcodeGhost last year gave the industry a wake-up call about the security of the mobile app supply chain.

"What happened here is the bad guys put up Trojan horse backdoor versions of Apple's Xcode development environment and made them downloadable," Skoudis said. "When the bad guys are able to successfully undermine the software environments that we have, they have a significant leg up on us."

He believes that in the next year the security industry is likely to see more targeting like this, and that it will very likely be aimed at the enterprise.

"I expect to see in the next year [the] targeting of enterprise application stores. So you could have your own enterprise app store where you're pushing your own code, that you approve in your own enterprise," he said. "The bad guys are going to start going after those enterprise app stores. Not Apple's app store, but the enterprise one, and putting malware on it."

ICS Attacks

Security wonks have been increasing the volume on their cries about the universal weaknesses in the industrial control systems (ICS) that provide the brains behind the world's critical infrastructure, such as power, gas and water distribution. SANS expert Johannes Ullrich, director of the Internet Storm Center, explained how the attack against the Ukrainian power grid last December highlighted how vulnerabilities in ICS could really put critical infrastructure at risk.

It was a complicated attack that started with a phish, jumped through numerous systems including uninterruptible power supply (UPS) systems, and even involved a DDoS-like attack against the customer service phone system to buy the attackers time to get to their target.

As Ullrich explained, the Ukrainians were somewhat lucky in that it was only a six-hour outage rather than a longer one. The difficulty is the long-lasting impact this kind of attack has on the underlying ICS infrastructure, because the attack involved the use of KillDisk to delete boot sectors in a number of systems used by power operators across the grid.

"As far as I know, up to today, they're still working on actually getting full control back. It went into the power system and then caused lasting damage to the power system. Can it be fixed? Sure," he said. "But now you have to go out, you have to replace all of those devices. And how are you ever going to trust your network again?"

Targeting Insecure Third-Party Software Components

"When I code, I don't write software from scratch, nobody does that. I write duct tape that ties a couple of components together," says Ullrich. "That's how software is written these days, and developers never look at the source code that's underneath."

Increasingly, attackers are streamlining their work by attacking vulnerable software components that they know will give them an easy way into a wide array of software rather than a single application. IT organizations are going to need to redouble their efforts toward instituting "standard sane security development practices," Ullrich says.

This means cataloging and enumerating the use of components throughout the corporate code base, understanding when those components change and, even better, working to standardize on a safe and up-to-date library of components to reduce the risk third-party components pose to the organization.
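One way to put the practice Ullrich describes into code, as an added example that is not from the article or from SANS: enumerate every pinned third-party component across several repositories, flag components pinned at more than one version (drift), flag pins older than an approved baseline, and list components no one has vetted at all. The manifest format, repository names, component names and versions below are constructed sample data, and the approved baseline is a hypothetical one.

```python
"""Inventory third-party components across several code bases.

Added example (not from the article or SANS). Implements the practice
described above: enumerate component use, detect version drift, and
compare pins against an approved baseline. All repo names, components,
versions and the baseline are constructed sample data.
"""
from collections import defaultdict
import re

# Constructed sample: exact-pin dependency manifests from three hypothetical repos.
MANIFESTS = {
    "billing-api": """
        requests==2.9.1
        pyyaml==3.11
        jinja2==2.8
    """,
    "reporting": """
        requests==2.7.0   # older pin, never bumped
        pyyaml==3.10
    """,
    "intranet-portal": """
        jinja2==2.8
        pyyaml==3.11
        lxml==3.5.0
    """,
}

# Constructed approved baseline: minimum versions the organization has vetted.
APPROVED = {
    "requests": "2.9.1",
    "pyyaml": "3.11",
    "jinja2": "2.8",
}

# Matches "name==version"; unpinned or range specifiers are deliberately not matched,
# so they surface as gaps in the inventory rather than being guessed at.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_manifest(text):
    """Return {component: version} for exact pins; blanks, comments and unpinned lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def version_key(version):
    """Numeric-aware sort key so that '3.10' < '3.11'; non-numeric parts sort below numbers."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in version.split("."))


def build_inventory(manifests):
    """Map component -> version -> sorted list of repos pinning that version."""
    inv = defaultdict(lambda: defaultdict(list))
    for repo, text in manifests.items():
        for comp, ver in parse_manifest(text).items():
            inv[comp][ver].append(repo)
    return {c: {v: sorted(r) for v, r in vers.items()} for c, vers in inv.items()}


def find_drift(inventory):
    """Components pinned at more than one version across the code base."""
    return sorted(c for c, vers in inventory.items() if len(vers) > 1)


def find_below_baseline(inventory, approved):
    """(component, version, repos) for every pin older than the approved minimum."""
    findings = []
    for comp, vers in sorted(inventory.items()):
        if comp not in approved:
            continue
        for ver, repos in vers.items():
            if version_key(ver) < version_key(approved[comp]):
                findings.append((comp, ver, repos))
    return findings


def find_unvetted(inventory, approved):
    """Components in use that have no approved baseline version at all."""
    return sorted(c for c in inventory if c not in approved)


if __name__ == "__main__":
    inventory = build_inventory(MANIFESTS)
    for comp in sorted(inventory):
        print(comp, dict(inventory[comp]))
    print("drift:", find_drift(inventory))
    print("below baseline:", find_below_baseline(inventory, APPROVED))
    print("unvetted:", find_unvetted(inventory, APPROVED))
```

Running the script against the sample manifests reports drift for pyyaml and requests, flags the reporting repo's two stale pins, and lists lxml as a component with no approved baseline. The three report functions are kept separate so each can feed a different owner: drift goes to whoever standardizes the shared library, below-baseline pins to the repo owners, and unvetted components to whoever approves new dependencies.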

Internet of Evil Things

Attackers are starting to push the technical boundaries of the Internet of Things (IoT), seeking profitable ways to take advantage of devices and sensors embedded in our everyday lives. According to Ullrich, the early motives fall into two main categories. The first and most obvious is DDoS attacks, as the small devices "make really nice reflectors."

Attackers are also finding that in the corporate environment, embedded devices and other IoT connection points make a great way to start probing internal networks.

"Because now they have a little beachhead that they can use to attack other devices, not just other devices on the Internet, but in your network," he says.

Changing Malware Economics Presses Ransomware Push

Finally, Ullrich noted that the recent spate of ransomware is not going to let up, because the economics of malware and cybercrime are changing.

As he puts it, "all the data has been stolen" already. With huge credit card heists going non-stop for the better part of a decade, and others like the OPM breach continuing to come to light, attackers are finding that they just can't make the same amount of money off selling stolen data that they used to.

"It's really hard these days to get rid of credit card numbers because there's so many out there," he says. "So then someone had the brilliant idea years ago: 'Why don't we just sell the data back to the owner?'"

This was the opening gambit to what he and many security experts believe will be an increasingly complicated play to defraud via blackmail rather than out-and-out theft and fencing. He warns that enterprises should expect to be the next big ransomware targets.

"It used to be much more of the end user product where grandma's computer gets infected, they encrypt a file, and try to sell it back. Just the last couple of weeks, you had the three different hospitals that had their data encrypted and servers are getting attacked more and more."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

3/7/2016 | 10:12:14 PM
Great Read
Thank you for a rundown of some recent threats. Usually I'm heads down with eyes on glass looking for indicators. Refreshing to know you are pulling this together for the industry. Many thanks!
3/9/2016 | 2:52:01 AM
Thank you for this interesting article Ericka