Anomali Labs 2017 predictions

The past year has been a whirlwind tour of challenges and changes. Targeted threat activity took on a new emphasis by focusing on both disinformation and weaponised confidential information. Ransomware activity continued to grow and jumped to the OS X platform with the KeRanger malware. Government policies have also shifted towards protectionist strategies throughout the world. Based upon this current environment, I predict the following for the upcoming year and near-term future.

The rise of mobile or IoT ransomware

Next year there is likely to be a continued evolution in ransomware. The ease with which IoT compromises can be automated has already been demonstrated by the Mirai malware. It is only a matter of time before some enterprising ransomware authors decide that the hordes of unmanaged, un-backed-up webcams, routers and refrigerators can be held to ransom for a cheap price, with the threat of overwriting the EPROM (erasable programmable read-only memory) and bricking the devices if the victim does not pay. Many people store their most cherished personal data on their mobile, and we also expect ransomware to start targeting these devices.

Cloud services vulnerabilities and compromise

In 2017, we expect to see the leading security organisations begin to identify and catch malicious actors breaching their cloud management infrastructure. Cloud-based methods of persistence and compromise have been presented at many security conferences, including BlackHat and Defcon this past year. In addition, we expect to see malware purpose-built to capture cloud service credentials, similar to the banking Trojans that are able to intercept two-factor authentication input. Once malicious actors gain access to cloud infrastructure, we expect to see new methods of persistence established via the cloud management profiles. This activity will present a significant challenge for reconstructing intrusion timelines.

The compromise of cloud vendors

None of the large cloud storage/infrastructure companies has detailed a breach since Google disclosed the Aurora attacks in 2009. This is occurring in an environment where 89 per cent of healthcare organisations experienced a data breach in 2015, yet the companies that host these industries’ data and systems haven’t contributed to the conversation. Next year, we expect that a major cloud vendor will be in the news for a significant security breach.

Protection of mail spools

In 2016, we saw a large number of mail spools (email headers and message bodies) dumped after they had been compromised. This tactic has been used many times over the years, including in February 2011 when LulzSec hackers dumped HBGary Federal’s email spool. The recent mail dumps had mild impacts, whereas the HBGary Federal dump ultimately crippled the entire company. Leading organisations will likely renew their emphasis on protecting the confidentiality of their data, particularly sensitive mail spools.

The fragmentation of the internet

Many countries are focusing inward rather than on open-border and free-trade strategies. This includes recent changes in tax policy, where previous approaches to multinational corporate governance have come under the microscope of the world’s treasurers.

Further initiatives are expanding into the Internet realm, with new operating system projects being pursued to remove dependency upon foreign software, and foreign-hosted SaaS offerings being excluded from some countries, as demonstrated by the Russian LinkedIn ban. Additionally, multiple governments are enhancing their surveillance initiatives, such as the Russian requirement to hold all cryptographic keys needed to decrypt Internet traffic.

This will likely continue, resulting in an even more balkanised and separated Internet. Governments are likely to require that their countries’ data stay within their own law enforcement’s reach, rather than relying upon Mutual Legal Assistance Treaties (MLATs) for data access.

The global collections threat

As nation states balkanise the Internet, border collection systems will be enhanced. These will take forms similar to the Great Dam in China or the border initiatives in other countries. Russia has publicly announced efforts that can only be realised through these types of systems. Corporations and activists will become even more sensitive to the implications of bulk traffic interception, decryption, and collection. Confidentiality concerns will become a mainstay threat to corporations and threat actors alike. Threat actors will subsequently encrypt more C2 channels by default.

The emergence of a shadow adversary

Despite over 60 countries having intelligence-based cyber initiatives, very few of those operations have been publicly detailed. In Western countries the focus has most recently been on Russian and US operations, as Chinese APT operations have fallen out of the news. Chinese security companies have recently been exposing suspected US operations in actor reports. In 2017, we believe a previously unexposed country’s operations will be discovered and exposed. After this revelation, many security companies will dig into their data repositories to build a long timeline of that group’s activity.

We all know that the bad guys share intelligence on how to break into a network all the time. We, as the good guys, need to start doing the same: sharing intelligence between ourselves in real time about who the attackers are, where they operate from, and what techniques they typically use, in order to stay one step ahead and combat threats such as the above.

Aaron Shelmire, Senior Threat Researcher, Anomali