Kaspersky Security Bulletin: Threat Predictions for 2018
16.11.2017 Kaspersky Analysis
Advanced Persistent Threats in 2018
By Juan Andrés Guerrero-Saade, Costin Raiu, Kurt Baumgartner on November 15, 2017. 10:01 am
Download the Kaspersky Security Bulletin: Threat Predictions for 2018
As hard as it is to believe, it’s once again time for our APT Predictions. Looking back at a year like 2017 brings the internal conflict of being a security researcher into full view: on the one hand, each new event is an exciting new research avenue for us, as what were once theoretical problems find palpable expression in reality. This allows us to understand the actual attack surface and attacker tactics and to further hone our hunting and detection to address new attacks. On the other hand, as people with a heightened concern for the security posture of users at large, each event is a bigger catastrophe. Rather than consider each new breach as yet another example of the same, we see the compounding cumulative insecurity facing users, e-commerce, financial, and governmental institutions alike.
As we stated last year, rather than thinly-veiled vendor pitching, our predictions are an attempt to bring to bear our research throughout the year in the form of trends likely to peak in the coming year.
Our record – did we get it right?
As a snapshot scorecard of our performance last year, these are some of our 2017 predictions and some examples where relevant:
Espionage and APTs:
Passive implants showing almost no signs of infection come into fashion
Yes – https://securelist.com/unraveling-the-lamberts-toolkit/77990/
Ephemeral infections / memory malware
Yes – https://securelist.com/fileless-attacks-against-enterprise-networks/77403/
Espionage goes mobile
Yes – https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
The future of financial attacks
Yes – https://securelist.com/lazarus-under-the-hood/77908/
Dirty, lying ransomware
Yes – https://securelist.com/schroedingers-petya/78870/
The ICS Armageddon didn’t come yet (and we are happy to be wrong on that), however, we’ve seen ICS come under attack from Industoyer – https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
A brick by any other name
Yes! BrickerBot – https://arstechnica.com/information-technology/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/
Yes, multiple examples – https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/
What can we expect in 2018?
More supply chain attacks. Kaspersky Lab’s Global Research and Analysis Team tracks over 100 APT (advanced persistent threat) groups and operations. Some of these are incredibly sophisticated and possess wide arsenals that include zero-day exploits, fileless attack tools, and combine traditional hacking attacks with handovers to more sophisticated teams that handle the exfiltration part. We have often seen cases in which advanced threat actors have attempted to breach a certain target over a long period of time and kept failing at it. This was either due to the fact that the target was using strong internet security suites, had educated their employees not to fall victim to social engineering, or consciously followed the Australian DSD TOP35 mitigation strategies for APT attacks. In general, an actor that is considered both advanced and persistent won’t give up that easily, they’ll continue poking the defenses until they find a way in.
When everything else fails, they are likely to take a step back and re-evaluate the situation. During such a re-evaluation, threat actors can decide a supply chain attack can be more effective than trying to break into their target directly. Even a target whose networks employ the world’s best defenses is likely using software from a third-party. The third party might be an easier target and can be leveraged to attack the better protected original target enterprise.
During 2017, we have seen several such cases, including but not limited to:
ExPetr / NotPetya
These attacks can be extremely difficult to identify or mitigate. For instance, in the case of Shadowpad, the attackers succeeded in Trojanizing a number of packages from Netsarang that were widely used around world, in banks, large enterprises, and other industry verticals. The difference between the clean and Trojanized packages can be dauntingly difficult to notice –in many cases it’s the command and control (C&C) traffic that gives them away.
For CCleaner, it was estimated that over 2 million computers received the infected update, making it one of the biggest attacks of 2017. Analysis of the malicious CCleaner code allowed us to correlate it with a couple of other backdoors that are known to have been used in the past by APT groups from the ‘Axiom umbrella’, such as APT17 also known as Aurora. This proves the now extended lengths to which APT groups are willing to go in order to accomplish their objectives.
Our assessment is that the amount of supply chain attacks at the moment is probably much higher than we realize but these have yet to be noticed or exposed. During 2018, we expect to see more supply chain attacks, both from the point of discovery and as well as actual attacks. Trojanizing specialized software used in specific regions and verticals will become a move akin to waterholing strategically chosen sites in order to reach specific swaths of victims and will thus prove irresistible to certain types of attackers.
More high-end mobile malware. In August 2016, CitizenLab and Lookout published their analysis of the discovery of a sophisticated mobile espionage platform named Pegasus. Pegasus, a so-called ‘lawful interception’ software suite, is sold to governments and other entities by an Israeli company called NSO Group. When combined with zero-days capable of remotely bypassing a modern mobile operating systems’ security defenses, such as iOS, this is a highly potent system against which there is little defense. In April 2017, Google published its analysis of the Android version of the Pegasus spyware which it called Chrysaor. In addition to ‘lawful surveillance’ spyware such as Pegasus and Chrysaor, many other APT groups have developed their own mobile malware implants.
Due to the fact that iOS is an operating system locked down from introspection, there is very little that a user can do to check if their phone is infected. Somehow, despite the greater state of vulnerability of Android, the situation is better on Android where products such as Kaspersky AntiVirus for Android are available to ascertain the integrity of a device.
Our assessment is that the total number of mobile malware existing in the wild is likely higher than currently reported, due to shortcomings in telemetry that makes these more difficult to spot and eradicate. We estimate that in 2018 more high-end APT malware for mobile will be discovered, as a result of both an increase in the attacks and improvement in security technologies designed to catch them.
More BeEF-like compromises with web profiling. Due to a combination of increased interest and better security and mitigation technologies being deployed by default in operating systems, the prices of zero-day exploits have skyrocketed through 2016 and 2017. For instance, the latest Zerodium payout chart lists up to $1,500,000 for a complete iPhone (iOS) Remote jailbreak with persistence attack, which is another way of saying ‘a remote infection without any interaction from the user’.
The incredible prices that some government customers have most certainly chosen to pay for these exploits mean there is increasing attention paid towards protecting these exploits from accidental disclosure. This translates into the implementation of a more solid reconnaissance phase before delivering the actual attack components. The reconnaissance phase can, for instance emphasize the identification of the exact versions of the browser used by the target, their operating system, plugins and other third-party software. Armed with this knowledge, the threat actor can fine tune their exploit delivery to a less sensitive ‘1-day’ or ‘N-day’ exploit, instead of using the crown jewels.
These profiling techniques have been fairly consistent with APT groups like Turla and Sofacy, as well as Newsbeef (a.k.a. Newscaster, Ajax hacking team, or ‘Charming Kitten’), but also other APT groups known for their custom profiling frameworks, such as the prolific Scanbox. Taking the prevalence of these frameworks into account in combination with a surging need to protect expensive tools, we estimate the usage of profiling toolkits such as ‘BeEF‘ will increase in 2018 with more groups adopting either public frameworks or developing their own.
Sophisticated UEFI and BIOS attacks. The Unified Extensible Firmware Interface (UEFI) is a software interface which serves as the intermediary between the firmware and the operating system on modern PCs. Established in 2005 by an alliance of leading software and hardware developers, Intel most notable amongst them, it’s now quickly superseding the legacy BIOS standard. This was achieved thanks to a number of advanced features that BIOS lacks: for example, the ability to install and run executables, networking and Internet capabilities, cryptography, CPU-independent architecture and drivers, etc. The very advanced capabilities that make UEFI such an attractive platform also open the way to new vulnerabilities that didn’t exist in the age of the more rigid BIOS. For example, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI directly before any anti-malware solution – or, indeed, the OS itself – had a chance to start.
The fact that commercial-grade UEFI malware exists has been known since 2015, when the Hacking team UEFI modules were discovered. With that in mind, it is perhaps surprising that no significant UEFI malware has been found, a fact that we attribute to the difficulty in detecting these in a reliable way. We estimate that in 2018 we will see the discovery of more UEFI-based malware.
Destructive attacks continue. Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East. The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012. Dormant for four years, one of the most mysterious wipers in history has returned. Also known as Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine. A group known as the ‘Cutting Sword of Justice’ took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack (back in 2012), and justified the attack as a measure against the Saudi monarchy.
The Shamoon 2.0 attacks seen in November 2016 targeted organizations in various critical and economic sectors in Saudi Arabia. Just like the previous variant, the Shamoon 2.0 wiper aims for the mass destruction of systems inside compromised organizations. While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware that appears to be targeting organizations in Saudi Arabia. We’ve called this new wiper StoneDrill and have been able to link it with a high degree of confidence to the Newsbeef APT group.
In addition to Shamoon and Stonedrill, 2017 has been a tough year in terms of destructive attacks. The ExPetr/NotPetya attack, which was initially considered to be ransomware, turned out to be a cleverly camouflaged wiper as well. ExPetr was followed by other waves of ‘ransomware’ attacks, in which there is little chance for the victims to recover their data; all cleverly masked ‘wipers as ransomware’. One of the lesser known facts about ‘wipers as ransomware’ is perhaps that a wave of such attacks was observed in 2016 from the CloudAtlas APT, which leveraged what appeared to be ‘wipers as ransomware’ against financial institutions in Russia.
In 2018, we estimate that destructive attacks will continue to rise, leveraging its status as the most visible type of cyberwarfare.
More subversion of cryptography. In March 2017, IoT encryption scheme proposals developed by the NSA came into question with Simon and Speck variant ISO approvals being both withdrawn and delayed a second time.
In August 2016, Juniper Networks announced the discovery of two mysterious backdoors in their NetScreen firewalls. Perhaps the most interesting of the two was an extremely subtle change of the constants used for the Dual_EC random number generator, which would allow a knowledgeable attacker to decrypt VPN traffic from NetScreen devices. The original Dual_EC algorithm was designed by the NSA and pushed through NIST. Back in 2013, a Reuters report suggested that NSA paid RSA $10 million to put the vulnerable algorithm in their products as a means of subverting encryption. Even if the theoretical possibility of a backdoor was identified as early as 2007, several companies (including Juniper) continued to use it with a different set of constants, which would make it theoretically secure. It appears that this different set of constants made some APT actor unhappy enough to merit hacking into Juniper and changing the constants to a set that they could control and leverage to decrypt VPN connections.
These attempts haven’t gone unnoticed. In September 2017, an international group of cryptography experts have forced the NSA to back down on two new encryption algorithms, which the organization was hoping to standardize.
In October 2017, news broke about a flaw in a cryptographic library used by Infineon in their hardware chips for generation of RSA primes. While the flaw appears to have been unintentional, it does leave the question open in regards to how secure are the underlying encryption technologies used in our everyday life, from smart cards, wireless networks or encrypted web traffic. In 2018, we predict that more severe cryptographic vulnerabilities will be found and (hopefully) patched, be they in the standards themselves or the specific implementations.
Identity in e-commerce comes into crisis. The past few years have been punctuated by increasingly catastrophic large-scale breaches of personally identifiable information (PII). Latest among these is the Equifax breach reportedly affecting 145.5 million Americans. While many have grown desensitized to the weight of these breaches, it’s important to understand that the release of PII at scale endangers a fundamental pillar of e-commerce and the bureaucratic convenience of adopting the Internet for important paperwork. Sure, fraud and identity theft have been problems for a long time, but what happens when the fundamental identifying information is so widely proliferated that it’s simply not reliable at all? Commerce and governmental institutions (particularly in the United States) will be faced with a choice between scaling back the modern comforts of adopting the Internet for operations or doubling down on the adoption of other multi-factor solutions. Perhaps thus far resilient alternatives like ApplePay will come into vogue as de facto means of insuring identity and transactions, but in the meantime we may see a slowdown in the critical role of the Internet for modernizing tedious bureaucratic processes and cutting operational costs.
More router and modem hacks. Another known area of vulnerability that has gone vastly ignored is that of routers and modems. Be they home or enterprise, these pieces of hardware are everywhere, they’re critically important to daily operations, and tend to run proprietary pieces of software that go unpatched and unwatched. At the end of the day, these little computers are Internet-facing by design and thereby sitting at a critical juncture for an attacker intent on gaining persistent and stealthy access to a network. Moreover, as some very cool recent research has shown, in some cases attackers might even be able to impersonate different Internet users, making it possible to throw off the trail of an attacker entirely to a different connecting address. At a time of increased interest in misdirection and false flags, this is no small feat. Greater scrutiny of these devices will inevitably yield some interesting findings.
A medium for social chaos. Beyond the leaks and political drama of the past year’s newfound love for information warfare, social media itself has taken a politicized role beyond our wildest dreams. Whether it’s at the hand of political pundits or confusing comedic jabs at Facebook’s CEO by South Park’s writers, eyes have turned against the different social media giants demanding some level of fact-checking and identification of fake users and bots attempting to exert disproportionate levels of social influence. Sadly, it’s becoming obvious that these networks (which base their success on quantified metrics like ‘daily active users’) have little incentive to truly purge their user base of bots. Even when these bots are serving an obvious agenda or can be tracked and traced by independent researchers. We expect that as the obvious abuse continues and large bot networks become accessible to wider swaths of politically unsavory characters, that the greater backlash will be directed at the use of social media itself, with disgusted users eagerly looking for alternatives to the household giants that revel in the benefits of the abuse for profits and clicks.
APT predictions – conclusion
In 2017 we pronounced the death of Indicators of Compromise. In 2018, we expect to see advanced threat actors playing to their new strengths, honing their new tools and the terrifying angles described above. Each year’s themes and trends shouldn’t be taken in isolation – they build on each other to enrich an ever-growing landscape of threats facing users of all types, be it individuals, enterprise, or government. The only consistent reprieve from this onslaught is the sharing and knowledgeable application of high-fidelity threat intelligence.
While these predictions cover trends for advanced targeted threats, individual industry sectors will face their own distinct challenges. In 2018, we wanted to shine the spotlight on some of those as well – and have prepared predictions for the connected healthcare, automotive, financial services, and industrial security sectors, as well as cryptocurrencies. You can find them all here!