Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/15/2018
01:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloud, China, Generic Malware Top Security Concerns for 2019

FireEye researchers unveil an extensive list of security risks waiting in the new year's wings.

There may still be nearly seven weeks left in 2018, but security leaders are already looking ahead to the new year. Enterprise concerns, from cloud attacks to nation-states, are already piling high.

This year, on track to be the worst-ever for data breaches, has already proved exhaustive for the infosec community. From Jan. 1 to Sept. 30, a total of 3,676 breaches were reported, involving over 3.6 billion records – the second-most number of reported breaches in a year.

The threats ahead are numerous, according to a new report entitled "Facing Forward: Cyber Security in 2019 and Beyond." The report was compiled by FireEye CEO Kevin Mandia, chief security officer Steve Booth, vice president of global intelligence Sandra Joyce, and numerous analysts and strategists.

What's top of mind for senior leaders? Nations building offensive capabilities, breaches continuing due to lack of attrition and accountability, the widening skills gap, lack of resources (particularly for SMBs), holes in the supply chain, cloud attacks, social engineering, and cyber espionage, cybercrime, and other threats targeting the aviation sector.

FireEye's Threat Intelligence, Mandiant, and Labs teams, which have a close eye on the frontlines, are particularly worried about how Chinese cyber espionage is restructuring, the increase in Iranian activity targeting the US, attackers using publicly available malware, the increase of business email compromise, abuse of legitimate services for command-and-control, and e-commerce and online banking portals being caught in the crosshairs of cyberthreats.

China Is Changing and Other Nation-State Threats
Ben Read, senior manager of cyber espionage analysis at FireEye, says he has noticed the threat from China evolve throughout this year. It's no longer "smashing and grabbing" intellectual property, he says. Attackers' actions are far subtler – and more nefarious.

"They're doing a lot, going after people's data after it goes outside their premises," he explains. Organizations including law and investment firms, which have troves of client data, are prime targets.

FireEye's threat intelligence team has noticed Chinese cyber espionage restructure and believes this will drive the growth of its activity through, and beyond, 2020. Changes have been gradual and driven by high-profile events: the Obama-Xi agreement shifting Chinese cyber espionage away from intellectual property (IP) theft, the People's Liberation Army bringing cyber functions under a Strategic Support Force (SSF), and China beginning projects for its 13th Five-Year Plan.

Analysts believe 2019 will bring an increase in state-sponsored and financially driven supply chain attacks. APT10, "a Chinese espionage group," is focused on hitting the supply chain of major US companies to steal business data and improve targeted technology theft by "non-cyber means" to avoid violating the Xi-Obama Agreement, which prohibits cybertheft of IP.

"The supply chain is so global and so integrated … it's more a problem in the software supply chain," Read adds. Auto updates are good for deploying patches but "also a very attractive vector to get into lots of victim computers." NotPetya and CCleaner are key examples. Software supply chain attacks could involve integrating backdoors into legitimate software or using stolen certificates to sign malicious files and bypass detection.

"The change in China is something we've seen over a number of years," Read says. "China wants to be a respectable place to do business on the world stage. That's something you can't be if you're very noisily stealing stuff."

Other nation-state threats he's watching include Iran and North Korea. Both are in "delicate situations," he says. Analysts anticipate Iranian cyber activity against the United States is likely to increase after the US exit from the Joint Comprehensive Plan of Action (JCPOA). North Korea, which is keeping up its standard activities – stealing money, spying on South Korea – is taking an interest in Japan ahead of the 2020 Olympics in Tokyo.

Simple Malware and Cloud-Based Threats
Another top-of-mind trend is the growing use of publicly available malware among sophisticated attackers. Financially driven espionage actors, who previously developed their own threats, are now browsing underground forums for the generic, Read says.

"It's cheaper to use something off the shelf," he explains, and a lot of pen-testing tools come at low cost. But that's not all: "It can also give a false sense of security to defenders," he adds.

When advanced actors use simple tactics, they obfuscate their sophistication and lull their targets into a false sense of security. It's easy to dismiss a generic threat as something that's not to worry about. Unfortunately, now the attackers know they're likely to be dismissed, and they can remain anonymous while launching generic threats against several victims at once.

"There have always been espionage groups that use lower rent malware," Read says. "What we've seen is it increasingly be part of the ecosystem for even the advanced groups."

Attackers' choices vary by geography. Russia uses a mix, he explains, with some groups using open source and others using custom malware. North Korea tends to develop its own. The adoption of generic malware is more common among Iranian and Chinese actors.

Attackers are also eyeing the cloud as more data heads there.

"Everyone in the industry is seeing huge migrations to the cloud, but most companies are not doing anywhere near as much work as they need to be doing to protect the cloud the way they used to protect their data centers — and the bad guys know this," states Booth in the report.

The bad guys go where the money is, and throughout 2019 they will find more opportunities in the cloud because it presents a wide attack surface without advanced technology to detect malicious activity, he adds. Roughly 20% of breaches FireEye investigates involve the cloud.

One way to approach cloud security, he says, is to treat the infrastructure hosting enterprise "crown jewels" as a higher priority than the laptop belonging to the person who clicked a malicious link. Ask yourself what your greatest assets are — what you're trying to protect.

Cyberattacks Aren't Slowing
Mandia, who holds that security breaches are "inevitable," points to the lack of risks or consequences for the people behind them. As a result, they will continue to act.

"The attackers are not waking up fearful that they are going to get arrested for stealing email or extorting someone for a certain amount of cryptocurrency," he explains. "Without a deterrent, attackers are going to keep targeting networks and getting through."

Related Content:

 

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15256
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...
CVE-2020-15261
PUBLISHED: 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administr...
CVE-2020-6084
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
CVE-2020-6085
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
CVE-2020-10746
PUBLISHED: 2020-10-19
A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.