Anomali Labs 2017 predictions

The past year has been a whirlwind tour of challenges and changes. Targeted threat activity took on a new emphasis, focusing on both disinformation and weaponised confidential information. Ransomware activity continued to grow and jumped to the OS X platform with the KeRanger malware. Governments around the world have also shifted towards protectionist policies. Based upon this environment, I predict the following for the upcoming year and the near-term future. By Aaron Shelmire, Anomali Senior Threat Researcher.

Monday, 12th December 2016. Posted by Phil Alsop.
Mobile or IoT Ransomware
In 2017, we expect to see a continued evolution in ransomware. The Mirai malware has already demonstrated the ease with which IoT compromises can be automated. It is only a matter of time before some enterprising ransomware authors decide that the hordes of unmanaged, never-backed-up webcams, routers and refrigerators can be held to ransom for a small price, with the threat of overwriting the device firmware and bricking the devices if the victim does not pay. We also expect to see ransomware make the jump to mobile devices, where many people store their most cherished personal data.
 
Cloud Services Compromised
Cloud-based methods of persistence and compromise have been presented at many security conferences this past year, including Black Hat and DEF CON. In 2017, we expect to see the leading security organisations begin to catch malicious actors breaching their cloud management infrastructure. In addition, we expect to see malware purpose-built to capture cloud service credentials, similar to the banking Trojans that are able to intercept two-factor authentication input. Once malicious actors gain access to cloud infrastructure, we expect to see new methods of persistence established via cloud management profiles, which do not depend on any malware remaining on a host. This activity will present a significant challenge for reconstructing intrusion timelines.
 
Cloud Vendor Compromise
Thus far, none of the large cloud storage/infrastructure companies has detailed a breach since Google disclosed the Operation Aurora attacks of 2009. This is occurring in an environment where as many as 89% of healthcare organisations experienced a data breach in 2015, yet we are not hearing much about those breaches from the companies that host this industry's data and systems. Next year, we expect that a major cloud vendor will be in the news for a significant security breach.
 
C2aaS
APT (advanced persistent threat) actors have been using cloud services for Command and Control (C2) channels for a few years now, and many threat actor groups have continued to evolve this activity over the past two years. In 2017, we expect to see continued development of malicious software that uses cloud services as C2 infrastructure. It is likely that security companies will not report on this activity, for fear of losing the cloud providers as potential clients.
 
Nation State Hacking
As nations draw inwards and pull back from free trade, we expect that the diplomatic arrangements in place to deter nation states from preying on corporate entities will falter. This will bring nation-state actors back to the front and centre of the threat landscape.
 
Mail Dump Protection
In 2016, we saw a large number of mail spools (email headers and message bodies) dumped after they had been compromised. This tactic has been used many times over the years, including in February 2011 when Anonymous dumped HBGary Federal's email spool. The recent mail dumps had mild impacts, whereas that earlier dump ultimately crippled the entire company. Leading organisations will likely renew their emphasis on protecting the confidentiality of their data, particularly sensitive mail spools. This will likely come in the form of greater use of file and email message encryption, and increased adoption of two-factor authentication.
 
Balkanisation of the Internet
Many countries are focusing inward rather than on open-border and free-trade strategies. This includes recent changes in tax policy, where previous approaches to multinational corporate governance have come under the microscope of the world's treasurers. Further initiatives are expanding into the Internet realm, with new operating system initiatives being pursued to remove dependency upon foreign software, and foreign-hosted SaaS offerings being blocked, as in Russia's ban on LinkedIn. Additionally, multiple governments are enhancing their surveillance initiatives, such as the Russian government's requirement that providers hand over the cryptographic keys needed to decrypt Internet traffic. We believe this will continue, resulting in an even more balkanised and separated Internet. Governments are likely to require that their citizens' data stay within their own law enforcement's reach, rather than relying upon Mutual Legal Assistance Treaties (MLATs) for data access.
 
The Global Collections Threat
As nation states balkanise the Internet, border collection systems will be enhanced. These will take forms similar to the Great Firewall of China or the border initiatives in other countries. Russia has publicly announced efforts that can only be realised through these types of systems. Corporations and activists will become even more sensitive to the implications of bulk traffic interception, decryption and collection. Confidentiality will become a mainstay concern for corporations and threat actors alike, and threat actors will respond by encrypting more of their C2 channels by default.
 
A shadow adversary arises
Over 60 countries have intelligence-based cyber initiatives. Thus far, very few of those countries' operations have been publicly detailed. In Western countries the focus has most recently been on Russian and US operations, as Chinese APT operations have fallen out of the news. Chinese security companies have recently been exposing suspected US operations in their actor reports. Over this next year we believe a previously unexposed country's operations will be discovered and exposed. Once this happens, many security companies will dig into their data repositories, building a long timeline of that group's activity.