Around the Watercooler – “Trendspotting” Edition

The new year is a time when many look back at the last 12 months to reflect on what’s gone by, while others look at the year ahead and try to predict what it might hold in store – including in cybersecurity.

Across our industry you see predictions and year-end reports from vendors and analysts. Given that the not-too-distant cyber “future” and cyber “past” are thus accounted for, we thought it might be worth asking a handful of our experts to speak about the cyber “present.”

A quick but close look at current trends offers an opportunity to ferret out a deeper understanding of important developments that may lie under the radar and are worth watching.

In this edition of Around the Watercooler, we buttonholed folks from several different departments who are in the trenches and put them on the spot to talk about emerging trends they’re seeing right now – particularly those which they feel aren’t getting enough attention.

What we got back was exactly what we asked for: namely, off-the-cuff viewpoints of individual subject matter experts. We hope this gives readers a range of perspectives from which to learn.
 

Threat Intelligence:

“Attribution is getting harder – not easier. We are tracking a growing trend that sees threat actors leveraging the confirmation bias and traditional approaches of security researchers, incident responders, and forensic investigators to cause the misattribution of campaigns and attack groups.

Last year, we noted the increased use of publicly available hacking tools by a range of threat actors, including state and state-sponsored groups. And while we’ve known for some time that in some locations, there is crossover between organized crime groups and nation-states in terms of personnel, this year we’ve noticed a widespread blurring between those two groups in terms of tools and attack style. 

Criminals and so-called “APT” groups are each taking a page out of the other’s playbook, adopting elements of the other to make their work easier and harder to attribute.

For example, the CCleaner attack, widely thought to be state or state-sponsored, used a scattershot attack approach to waterhole and target sites and organizations that were tangential to the goal – something criminal groups have been doing for a long time. They did so because it works, but such an approach has the added bonus of obscuring the final target if detected beforehand.

In another example, we’ve seen Dridex, a criminal enterprise, conducting reconnaissance and singling out specific servers in its victims in a more surgical, targeted manner commonly associated with state-sponsored threat actors. But when they get to what they’re looking for, Dridex drops ransomware instead of conducting espionage. This puts the focus on the payload and obscures their infection method.

Unless you are watching hops or are omnipresent on major links (read: you are a government), attribution should not be your game. That’s not to say sometimes people don't make mistakes that reveal themselves, but in the realm of nation states, all is fair.”

          ~ Jon Gross, Director of Threat Intelligence
 

Applied Research:

“Start here, but substitute the word “documents” for “developers”:

          •   Steve Ballmer: Developers (video)

The trend doesn’t necessarily follow the calendar year, but we can see a dramatic increase in MS Office code execution vulnerabilities starting in late 2017 through 2018. Looking at CVE statistics, there are 56 CVEs in 2018 compared to 37 CVEs in 2017 - that’s a 51% increase. In both 2017 and 2018, approximately 70% of the reported CVEs have a CVSS score of 9.3 due to the exploit providing code execution.

In 2017, the stage was set with malicious scripts and macros embedded in documents (poorly named “fileless attacks”). This was a good tipoff to the offensive side that victims will blindly click the button to allow active content (DDE, scripts, loading remote assets, etc.) to run. I think the trend started in late 2017 when the Dynamic Data Exchange (DDE) exploit was released, which was quickly picked up and deployed by red teams, cybercrime, and nation state groups. 2018 saw a resurgence of documents with exploits such as CVE-2018-8174 (DoubleKill) along with a number of RTF-based exploits which rely on vulnerabilities in MS Word.

If you think about it in terms of complexity, the operating system (OS) is the most complex piece of code, followed by modern web browsers, and then productivity suites (MS Office, Adobe Acrobat, etc.). As an industry, we’ve understood how to write secure code for quite some time, but it’s taken a long time to see the results of it in the OS until recently. These practices were then re-learned in the browser development space as browsers became the OS for the Internet end-user.

We haven’t seen secure coding or defensive mitigations applied to productivity suites, so it’s a natural progression for attackers to target MS Office; it’s a highly complex code base which supports numerous (hundreds? thousands?) standards which involve parsing and evaluating untrusted code delivered in a document file format.

If that wasn’t enough, you can embed a browser object inside an office document and get the combined attack surface to carry out an exploit.”

          ~ Jeff Tang, Senior Manager of Applied Research

 

Product Security:

“This year we’ve witnessed an uptick in the rate at which attackers are outpacing “old,” “traditional,” and “legacy” antivirus solutions.

It’s not just custom malware and exploits that are to blame. It’s the degree to which attacks are increasingly and insidiously leveraging the target system’s own built-in functionality.

Today, we’re seeing more and more “living off the land” attacks that take advantage of native functions in operating systems to turn them on their users. This has happened quickly in Windows and is developing more slowly in Mac OS. This trend will continue, with more and more attacks using the operating system as a stepping stone.

The other focus is on attacks that land within the target environment, but away from the traditional endpoint, even in corporate or enterprise situations. With advances in tablets like the iPad and laptops like the Chromebook that are cheap and lightweight but have less storage space, cloud applications and infrastructure are drawing increased attention from attackers because that is where the data is.

As a result, we’re back at our previous point: With more and more targets on web-only enabled devices, more and more web-based attacks are hitting the threat landscape.”

          ~ Tom Wabiszczewicz – Senior Director of Product Security & Research
 

Professional Services:

“From a red team or offensive standpoint, we’re seeing a major shift in offensive tradecraft and tactics, particularly when targeting Windows enterprise environments.

Host-based protections have gotten better, causing a lot of the tried and true tradecraft of the last 2-3 years to become unreliable (e.g. PowerShell loaders and other tooling). This has caused a move to lower-level/native tooling to fill the gap (e.g. re-implementation of capabilities in C#), closer attention to host-based indicators, abuse/mis-use of native and legacy functionality, and an increased reliance on credential abuse vs. traditional payload delivery methods (e.g. Windows COM objects).

There’s a marked increase in interest in legacy Windows OS functionality, as security for these obscure pieces of the operating system has not matured in the way that PowerShell has with the introduction of AMSI and other script-based controls.

At the same time, we’ve seen some interesting shifts in the overall composition of the organizations that we target. It’s becoming more common to see organizations that rely on third-party services for core security-related capabilities (e.g. identity management, authentication, data storage, etc.). Our tradecraft is having to evolve to accommodate these less-traditionally managed and maintained environments with less direct/centralized control of the endpoint and more reliance on third-party providers for key security functions.”

          ~ Matt Maley – Practice Director, Red Team
 

“With the recent indictment of the alleged SamSam ransomware authors who were identified, according to the authorities, because their Bitcoin usage was traced, ransomware threat actors have started to use other, less traceable cryptocurrencies like ZCash or Monero. This said, one can never discount the “Darwinian Criminal Mind”, as the world watches the most recent Dark Overlord “9-11 Papers” story unfold, with the extortionists demanding, you guessed it, payment in Bitcoin. Feel free to track their winnings here (including the several transfers they’ve already made from their wallet….). And, even though Steemit removed/banned their account, the irony is that every post has been permanently recorded on, you guessed it, their blockchain, here and here (the irony).

For example, Monero is being used now by KIRK ransomware threat actors. And even threat actors who have been associated with the North Korean government have started to use Monero.  

From my perspective, the jockeying between ransomware and crypto-mining as competing trends that are either rising or falling is a false choice. These two attacks are, at the code level, actually merging, such that the attacker has options to do whatever might make the most financial sense at the time - lump sum and run (ransomware), or money that trickles in over long periods of time but might net more overall.

Another trend we’ve seen recently is a fresh new wave of CryptoMining worms that have hit data centers and caused the disruption of business services. Worms are leveraging the same RDP vulnerabilities that SamSam has, whether via brute force, credential reuse, or RDP exploits. They are leveraging living-off-the-land TTPs like using PowerShell to spread to network shares, etc.

Additionally, bot networks are being converted to crypto-mining operations, deploying Monero miner software, etc. As cryptocurrencies reach new lows, it is an ideal time to mine currency and store for the predicted rise over the next several years.

Another advantage criminals benefit from by mining coins vs. encrypting and ransoming in exchange for crypto payments, is that of persistence. A simple BOTNET of just 2000 hosts can make $500/day worth of Monero - $180k/year. Why burn that persistence by announcing your presence demanding ransom, if you can persist and make more money? Smart criminals won’t throttle servers to 100% CPU - one way that enterprises can detect presence of miners.”

          ~ Scott Scheferman – Senior Director of Global Services
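The detection point above (a miner that deliberately stays well below 100% CPU) is easy to miss with a simple "is the box pegged?" check. The following is an added example, not code from the original post or from Cylance, that instead flags any process whose CPU share stays above a moderate threshold for a long, unbroken window; the host names, process names and CPU samples are constructed for the demonstration.

```python
"""Flag processes with sustained, moderate CPU use (throttled-miner detection)."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_INTERVAL = timedelta(seconds=30)

# Constructed process-CPU samples: (timestamp, host, process, cpu_percent).
# One hour at a 30 s interval; a real collector (perfmon, EDR telemetry) would supply these.
SAMPLES = []
_start = datetime(2018, 12, 20, 2, 0, 0)
for i in range(120):
    t = _start + timedelta(seconds=30 * i)
    SAMPLES.append((t, "web01", "w3wp.exe", 8.0 + (i % 5)))      # normal web worker
    SAMPLES.append((t, "web01", "svchost.exe", 1.0))             # idle service host
    SAMPLES.append((t, "web01", "miner.exe", 45.0 + (i % 3)))    # constructed miner, throttled to ~45%
    SAMPLES.append((t, "db01", "sqlservr.exe", 60.0 if 40 <= i < 50 else 5.0))  # 5-minute batch job


def sustained_cpu_consumers(samples, cpu_threshold=40.0,
                            min_duration=timedelta(minutes=30),
                            sample_interval=SAMPLE_INTERVAL):
    """Return {(host, process): longest_run} for every process that stayed at or above
    cpu_threshold continuously for at least min_duration.

    The threshold is deliberately far below 100% so a self-throttling miner is still
    caught, while the duration requirement lets short legitimate bursts (batch jobs,
    backups) pass. A gap of more than two sampling intervals breaks a run."""
    by_proc = defaultdict(list)
    for ts, host, proc, cpu in samples:
        by_proc[(host, proc)].append((ts, cpu))

    hits = {}
    for key, series in by_proc.items():
        series.sort()
        run_start, prev_ts, longest = None, None, timedelta(0)
        for ts, cpu in series:
            if cpu >= cpu_threshold:
                if run_start is None or ts - prev_ts > sample_interval * 2:
                    run_start = ts  # start a new run (also after a gap in telemetry)
                longest = max(longest, ts - run_start + sample_interval)
            else:
                run_start = None
            prev_ts = ts
        if longest >= min_duration:
            hits[key] = longest
    return hits


if __name__ == "__main__":
    for (host, proc), run in sustained_cpu_consumers(SAMPLES).items():
        print(f"{host}: {proc} sustained high CPU for {run}")
```

Tune `cpu_threshold` and `min_duration` to each server role's baseline; the point is that the duration, not the absolute CPU level, is what separates a throttled miner from normal load.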
 

“We are starting to see malware traditionally designed for the endpoint being adapted for embedded systems. Attacks that were not feasible or economically viable are becoming a reality. Some examples are ransomware attacks against medical devices and possibly even automobiles.

These systems are growing in functionality and attack surface and are increasingly more Internet connected, often through cloud infrastructure that allows for over the air update functionality and even the execution of commands remotely, in some cases.

This infrastructure, combined with the homogenous nature of these systems and their increasingly full-featured operating systems, will provide fertile ground for ransomware-type attacks, and the critical nature of these systems will ensure the attackers will be paid.

We have already seen ransomware attacks against Windows-based medical devices in numerous healthcare facilities (WannaCry and NotPetya) and would expect to see this attack focus expand to embedded medical devices and other critical, homogenous, Internet or network connected systems. Attackers have learned that hospitals will easily pay $50,000 to avoid being locked out of a large number of their critical systems with the only alternative being to evacuate patients to other hospitals. That is significant leverage.

I can see this affecting the automotive sector in the same way, but perhaps not quite as soon. While a medical device is (most often) a single system, a vehicle is a network of interconnected systems. Thus, a compromise via (for instance) the telematics cellular link will most likely not immediately affect the safety critical systems.

However, as additional driving assistance and autonomous driving capabilities are introduced, the attack surface will grow accordingly, and any design flaws in separating Internet connected systems, such as telematics or infotainment, from the ECUs that control vehicle operations could have dire effects.

Imagine: you attempt to start your vehicle and it informs you that it has been locked and you must pay $500 in BTC to unlock it. What choice do you have? Even if you choose not to pay, the mechanic bill would likely be the same price or more. Which makes better sense from the consumer perspective?”

          ~ Robert Portvliet - Cylance Technical Fellow and Embedded Device Expert
 

Closing Note

If you think the discussion amongst our experts is depressing, it may just be in the nature of security analysts to see the dark lining. As former acting head of the CIA John McLaughlin once put it, intelligence officers are people who notice the beautiful scent of lilies - and immediately look for the coffin.

Indeed, when our blog came full circle and Jon Gross saw the comments offered by Robert Portvliet, he noted that he had already started seeing the development of ransomware for Android, and pointed out that this development did not bode well for mobile phone users.

Portvliet agreed, but added that the Android platform was in use not just in phones, but in medical devices, alarm systems, Point-of-Sale (POS) credit card payment systems, and more.

No doubt about it, some key trends that have been emerging in 2018 will definitely have significant impact as we roll into the new year – stay vigilant!



EDITOR’S NOTE: This blog is for informational and entertainment purposes only. The views, thoughts and opinions expressed in this blog post represent the opinions of the authors/named parties only, and do not represent the views or opinions of Cylance, Inc. or its partners or affiliates. Any and all liability for the content of this blog post or any omissions, including any inaccuracies, errors, or misstatements in such data or information is expressly disclaimed.