Cybereason's researchers look at 2017's top threats

In 2016, we saw what happens when IoT device security is an afterthought and attackers discover that ransomware is an easy and quick way to make a profit. With attackers always ahead of the defenders, no one can predict with certainty what information security threats companies will face in 2017. But some of the threats we saw in 2016 are likely to continue proving troublesome in the new year. We asked Cybereason’s security researchers to name 2017’s top threats and attack trends. In this post, we’ll look at two of their five predictions.

Ransomware becomes an even more potent threat

Ransomware can rightfully be crowned 2016’s top threat. Last year the malware made headlines after it infected hospitals, public transportation systems, government offices and average citizens. Given the predominance of these attacks, the FBI predicted that ransomware was on track to become a $1 billion business in 2016.

Don’t expect ransomware attacks to decrease any time soon, said Cybereason lead researcher Uri Sternfeld. “Ransomware is here to stay. It’s really an excellent business plan,” he said. For proof, he pointed to Cybereason research that showed ransomware was 17 percent of exploit payloads in December 2015 and climbed to 61 percent of exploit payloads in May 2016.

Spam campaigns are nearly irrelevant for attackers, while stolen credit and debit card information requires a real-world criminal infrastructure to convert it into something tangible, he said. With ransomware, attackers can earn a significant payout without doing much work and while using minimal resources.

“Ransomware lets a small team of criminals quickly and effortlessly make a lot of money using bitcoin,” Sternfeld said.

“Ransomware is an industry, and as an industry, it has a lot of resources that can drive a full-scale and rapid evolution,” he said. In 2016, ransomware evolved to include a fileless variant called Powerware, which is difficult for antivirus software to catch since there are no files to detect, as well as a cross-platform variant called RAA that’s written in JavaScript and can run in a browser.

“No kind of education will stop ransomware infections because it’s so lucrative. [Attackers] will find a way to get in and aren’t going to go away,” he said.

IoT devices will remain a weak spot

Poorly skilled programmers will continue to team up with executives whose only objective is to bring the latest smart device to the market, leading to lax or nonexistent security in IoT products.

“Don’t expect IoT security to improve. Programmers will continue to use vulnerable code to program IoT devices. They’ll treat C like it’s a basic scripting language. And when it comes time to dream up the next connected device, product security won’t be included in the initial conversations since this would impede deadlines and, ultimately, sales,” said Amit Serper, Cybereason principal security researcher.

DDoS attacks launched by massive IoT botnets comprised of DVRs, IP cameras, home routers and other consumer devices could occur more frequently in 2017. The best example of this is the Mirai botnet, which was used last October to take down Internet traffic management company Dyn, preventing thousands from accessing sites including Netflix, Twitter and CNN. But instead of taking nonessential websites offline, future IoT botnet attacks could take out critical infrastructure providers and cut off electric or water supplies for thousands of people.

“Your smart whatever is still a computer, regardless of its size. It has a processor, software and hardware and is vulnerable to malware just like a laptop or desktop,” Serper said. “Whether the device records The Walking Dead or lets you stream House of Cards, attackers can overtake it. The sooner manufacturers and consumers realize this, the less frequently we’ll see massive DDoS attacks carried out by IoT devices.”

Beyond providing attackers with an easy way to carry out DDoS attacks, poor IoT device security threatens an individual’s privacy or a business’s security, a topic Serper researched last year. “If attackers own your IoT device, the potential consequences can impact both consumers and enterprises,” he said.

For example, Serper’s research revealed that some IP cameras are vulnerable to two zero-day exploits that allow attackers to view what the camera is viewing. In theory, these flaws could also be used to tap into the computer that the IP camera is connected to, giving the bad guys access to a person or company’s data. Serper’s research noted that consumers aren’t the only ones who purchase IP cameras. Some businesses use them to monitor supply closets or an office’s entrance.

If IoT security is expected to improve in 2017, the research community should encourage IoT hacking instead of dismissing this work and calling it junk hacking.

“That isn’t the right approach if researchers hope to prevent future Mirai botnet attacks,” Serper said.

Fred O'Connor
About the Author

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.