The year 2019 in a nutshell
Last year was extremely profitable for cybercriminals and threat actors as cybercrime generated over 2.1 trillion US dollars revenue. It is estimated that every year, cybercrime damages will cost the world $6 trillion by 2021. It is more than all major illegal drugs combined make and can cause the world’s greatest transfer of economic wealth in history. Before we jump into the future let’s see what happened in the year 2019.
- The 773 Million Record “Collection #1” Data Breach – huge database (87GB in size) with usernames and passwords from multiple hacked websites and applications. You can see if your username or email was hacked here. If you don’t remember the user but you want to check a password go here. (It’s safe to use as website is not storing or seeing your password, thanks to client-side hashing.)
- 540 Million Facebook user’s records leak – information was collected and insecurely stored on Amazon cloud servers by third-party Facebook app developers.
- Russian group Fxmsp hacked major Anti-Virus vendors – members of this group offered for sale 30 terabytes of data allegedly stolen from industry leaders McAfee, Symantec, and Trend Micro.
- Cities and companies were struck with targetted ransomware – many cities decided no to pay the ransom and were forced to recover the data which had cost them in total over 175$ million. Some decided to pay the ransom which fluctuated in the range of 300.000 to 600.000 US dollars.
- iPhones were beeing hacked for at least two years without being noticed – 14 vulnerabilities were exploited by unknown attackers to hack iPhone just by getting them to visit a website.
Top 5
Public Cloud
More than 90% of enterprises use some type of cloud services. 84% admits having a multi-cloud strategy. The cloud industry is expected to rise from the current revenue of $227 Billion in 2019 to $354 Billion by 2022. Companies are fascinated with the flexibility and agility of cloud solutions and moving fast towards it but the speed of this migration is affecting data security and putting the business at risk. Last year, a record number of data with employees, clients and business-critical information was stolen. Terabytes of sensitive data of roughly 80 million Americans were exposed online on a Microsoft cloud servers. The same situation happened to 540 million Facebook records stored on the Amazon cloud. Millions of Lion Air and Malindo Air passenger records, including physical address, phone number, email address, date of birth, passport numbers and expiration dates were found unencrypted stored on AWS S3 Bucket. All of this was caused by the misconfiguration of the cloud environment done because of human error. But the public cloud is not only a source of information for threat actors but also a tool used to actively make money using cryptomining software and as a building block for a vast range of malicious campaigns. The most obvious vectors of attacks against public cloud in the year 2020 are:
- misconfiguration of cloud services
- weak authentication methods for admin accounts
- insufficient identity, credential, access, and key management
- insecure API interfaces
- insider attacks
Unfortunately, public cloud and especially multi-cloud solutions are very hard to monitor and investigate during and after security incidents, because of limited visibility inside the cloud architecture and frequent changes of deployed machines and provided cloud solutions.
Tailor-made phishing
This very well known method is living its second youth as threat actors are now using artificial intelligence to prepare global phishing campaigns. AI learns the corporate jargon and improves mails over time so the campaigns have higher conversion rates. Although complex systems are being used to create those e-mails, an attentive and trained employee should identify such malformed messages. However, this gets trickier when e-mails are tailor-made. In this case, an attacker can spend days, sometimes weeks to observe the victim and learn its habits, so the attack is 100% personalized and have a very high rate of success. Those e-mails are almost never stopped by anti-phishing and anti-spam mechanisms and the employee must decide whether the message is fraudulent or not. Imagine a situation where a user is getting an e-mail with new contract terms from a valid health insurance company agent. This happens a few days after the company has posted the information on an internal portal that new insurance will be available starting at the beginning of the new month and terms will be provided via e-mail from 3rd party agent. The attachment on the first sight seems a simple PDF file with but it turns out to be an attack vector with the 0-day payload. Such phishing techniques are not limited only to e-mails but can use company collaborate tools, SMS or even social media. In 2020 we need to be prepared for personalized, manufactured messages on every platform we use.
Targetted ransomware
Ransomware is the curse of our time. Businesses are experiencing a ransomware attack every 14 seconds and its amount had increased by 350% since the previous year. The U.S. Department of Justice has described ransomware as a new business model for cybercrime and it seems a weapon of choice for most cybercriminals nowadays because of low TCO (Total Cost of Ownership) and high RoI (Return on Investment). Damage done in the year 2019 is estimated to $11.5 Billion worldwide but those numbers are probably higher. It’s because on the long-range of victims we can find not only companies but also local governments, hospitals, and cities around the world. Unfortunately not only money is at risk as some hospitals links increased mortality with ransomware attacks at their institution. Specific industries seem to be targetted more by the attackers but anyone can be next, as ransomware attacks can be bought online in Ransomware-as-a-Service model. The stake is high as many cities and large-scale organizations were brought down this year. Ransomware is often used in connection with other malware, such as Emotet which increases the chance of bypassing security checkpoints. Ransomware is nowhere to be gone and will haunt us in the next years too so please do the backup and store it somewhere safe. If you want to read more about the biggest ransomware attacks happened in the last years go here.
Mobile malware
Nowadays everything can be hacked. From a fridge to a fitband, everything is connected to the internet. Threat actors were aware of that for a long time but this year was a huge increase in mobile-related security incidents. That’s because most of the cyber-attacks are now being adjusted to work on mobile devices. Overlay attacks such Cerberus, Remote Access Trojans, adware, cryptominers, and ransomware are available on many Android devices and in some cases even on iPhones. Some techniques allow attackers to bypass two-factor authentications schemes and steal money from a user’s bank account. Reality proves that no phone is immune to security threats and we must protect ourselves if we don’t want to get victimized. Some of the most-downloaded applications available at Google Play were susceptible to long-known vulnerabilities hidden in their dependencies with Messenger, Facebook, and AliExpress in the list. But malicious software can be found in App Store too, as threat actors are playing cat and mouse game with Apple security teams and automatic scanners. In this mobile landscape, we can’t forget about the Internet of Things as smart devices from IP cameras, industrial controllers to saving-life medical tools are extremely vulnerable and easy to hack because they lack even basic security mechanisms such as anti-virus or firewall. Kaspersky detected over 105 million attacks on IoT devices in H1 2019 which is seven times more than the number found in H1 2018.
Artificial Intelligence
The last on the list but in fact can cause the most harm in the coming years – artificial intelligence usage in creating malware, ransomware and phishing campaigns is on the rise. What was once used only by security researchers to stop the unknown threats and identify malicious software is now a double-edged sword. Attackers are using machine learning mechanisms to obfuscate code, teach software to avoid detection and even learn to attack by themselves. Many researchers around the world proved that using artificial intelligence against artificial intelligence is in some situations extremely efficient. Skylight Cyber published an attack against the Cylance Protect Engine (Blackberry AI-driven endpoint security), where a list of strings added to the end of any malware was tricking the engine to whitelist the malware. These lists of strings were determined by observing how the engine model works, reverse engineering some of used dependencies and googling a little bit. All together has let the researchers bypass the engine with an 83.59% success rate for 384 malicious files tested.
“Namely, if you could truly understand how a certain model works, and the type of features it uses to reach a decision, you would have the potential to fool it consistently, creating a universal bypass.”
https://skylightcyber.com/2019/07/18/cylance-i-kill-you/
What’s worse so-called “Deepfakes” are starting to do real damage as Fraudsters deepfake CEO’s voice to trick manager into transferring $243,000. Both images and video fakes are based on deep learning neural networks. It’s only a matter of time when the quality will get to the point where no one would be able to spot the difference and we will be forced to use applications checking the content before we see it to avoid misinformation. We can only imagine how this new technology will be used by criminals in the future. Identity theft, money loss, political crisis, potential war?
Summary
One thing’s for sure, security is nothing that can be achieved, preserved or established once and then forgotten. Security is a process. Just like health, it is not something given and ensured forever. You need to take care of it every day and every day you’re exposed to a new kind of bacteria or viruses. It’s a never-ending arms race.
“Hackers are not wooden dummies, they fight back, and you have to be ready for the counter-punch, constantly innovating and increasing the cost of attack. “
https://skylightcyber.com/2019/07/18/cylance-i-kill-you/
Enterprises need to stop blindly investing money in new devices promising impenetrable solutions for all kinds of threats and instead build a group of security specialists ready to use AI as the weapon of choice. Only when our struggle to be “healthy” will overcome the cybercriminal’s lust and dedication, drainage of money and resources can be stopped. Only then can we say that “We’re winning this war”.
