2018: The year in cyber attacks
Although devoid of the headline-grabbing cyber attacks of 2017, this year has been no less impactful.
‘WannaCry’ and ‘NotPetya’ of 2017 gave way to ‘Leafminer’ and ‘Cambridge Analytica’ in 2018. The latter made fewer headlines but were as deadly to victims.
Simply put, cybercriminals picked up from where they left off the year before.
Symantec’s recent Internet Security Threat Report revealed as much. Symantec researchers unmasked several region-focused attack groups, including Leafminer, Gallmaker and Chafer. Chafer is an Iran-based targeted attack group, attacking organisations in the Middle East and beyond, and deploying several new tools. The group staged a number of ambitious new attacks last year, including the compromise of a major telecoms services provider in the region. There is also evidence that it attempted to attack a major international travel reservations firm, says Gordon Love, vice president, EMEA Emerging Region, Symantec.
The attack group Leafminer has targeted a broad list of government organisations and business verticals in various regions of the Middle East since at least early 2017. The group tends to adopt publicly available techniques and tools for its attacks and experiments with published proof-of-concept exploits. Gallmaker, on the other hand, eschews custom malware and uses Living off the Land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign. The group takes a number of steps to gain access to a victim’s device and then deploys several different attack tools; it has been observed attempting to infiltrate targets in the Middle East.
This year had an underlying privacy preservation and data protection theme. Privacy concerns were pushed into the limelight following several key moments in 2018 that had a global impact. Cambridge Analytica’s use of private customer data provided by Facebook will likely be remembered as the event that thrust privacy and data protection into the public consciousness. Facebook was fined for “serious breaches of data protection law” and a “failure to sufficiently protect the privacy of its users.”
Indeed, in a 2018 survey of Forcepoint customers, “Concerns over privacy” ranked as the top security issue, notes Mahmoud-Samy Ibrahim, area vice president at Forcepoint, EMEA Emerging Markets.
When it comes to malware, ransomware attacks during 2018 were fewer in number but more targeted, says Dimitris Raekos, general manager at ESET Middle East. “We have recorded a lot of attacks especially on government and healthcare sectors mainly via RDP brute force attacks or via social engineering,” he adds.
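The RDP brute-force attacks Raekos describes leave a recognisable trace on the target: a burst of failed remote interactive logons (Windows Security Event ID 4625 with LogonType 10) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address. The following detection logic is an added example, not code from the article or from ESET; it runs over constructed, simplified key=value event lines (a real deployment would parse EVTX or JSON exports instead), counts failures per source inside a sliding window, and raises a second, higher-priority alert when a source that crossed the threshold then logs on successfully.

```python
"""Detect RDP brute-force patterns in (simplified) Windows Security events.

Added example, not from the article. Events are constructed and embedded
inline; the "ts EventID=... LogonType=... User=... Src=..." line format is an
assumption made for this example only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: a five-attempt burst from 203.0.113.45 that ends
# in a successful logon, one benign mistyped password from 10.0.0.8, and one
# local (LogonType=2) failure that the RDP rule must ignore.
SAMPLE_EVENTS = """\
2018-11-03T02:14:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2018-11-03T02:14:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2018-11-03T02:14:05 EventID=4625 LogonType=10 User=backup Src=203.0.113.45
2018-11-03T02:14:07 EventID=4625 LogonType=10 User=helpdesk Src=203.0.113.45
2018-11-03T02:14:09 EventID=4625 LogonType=10 User=svc_sql Src=203.0.113.45
2018-11-03T02:14:12 EventID=4624 LogonType=10 User=helpdesk Src=203.0.113.45
2018-11-03T09:00:00 EventID=4625 LogonType=10 User=jsmith Src=10.0.0.8
2018-11-03T09:00:30 EventID=4624 LogonType=10 User=jsmith Src=10.0.0.8
2018-11-03T09:05:00 EventID=4625 LogonType=2 User=jsmith Src=-
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold RDP failures inside `window`.

    A source that crossed the threshold and then produces a successful RDP
    logon (4624, LogonType 10) gets an additional 'rdp_bruteforce_success'
    alert, which is the case a responder should treat as a likely compromise.
    """
    failures = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    burst_sources = set()           # sources already flagged for a burst
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "10":     # only remote interactive (RDP) logons
            continue
        src = ev["Src"]

        if ev["EventID"] == "4625":
            recent = failures[src]
            recent.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append({"type": "rdp_bruteforce", "src": src,
                               "failures": len(recent), "ts": ev["ts"]})
        elif ev["EventID"] == "4624" and src in burst_sources:
            alerts.append({"type": "rdp_bruteforce_success", "src": src,
                           "user": ev["User"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: a lower threshold catches slow, distributed guessing at the cost of more noise from users who simply mistype a password, so the values should be tuned against the organisation's own baseline of 4625 events before the rule goes into a SIEM.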
There was a dramatic increase in the volume, sophistication, and severity of security events within the Middle East in 2018—even beyond the overall explosion in global attacks, says Amit Roy, executive vice president and regional head for EMEA at Paladion. Apart from the much talked about data leaks and phishing attacks, there were targeted attacks on government organisations and insurance companies in Qatar, sophisticated attacks in Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt and Afghanistan from ‘Leafminer’, and a new threat actor group called ‘DarkHydrus’ targeting Middle East governments.
“There’s one reason for this: organisations in the Middle East face many more politically-motivated attacks than organisations anywhere else,” Roy observes.
It is not all doom and gloom. Cybersecurity vendors made remarkable progress in halting attackers that have menaced businesses for years.
Take UEFI rootkits, for instance: an extremely dangerous class of tool for implementing cyberattacks, hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. No UEFI rootkit had ever been detected in the wild – until ESET researchers discovered a campaign by the Russian SEDNIT APT group that successfully deployed a malicious UEFI module on a victim’s system.
The discovery of the first in-the-wild UEFI rootkit is notable for two reasons, says Raekos. “First, it shows that UEFI rootkits are a real threat and not merely an attractive conference topic. And second, it serves as a heads-up, especially to all those who might be in the crosshairs of SEDNIT group,” he adds.
Recent research found that the average organisation in the Middle East has a dwell time of up to 2.5 months. This is just not fast enough when compared to other regions, Roy observes. “But, we are seeing organisations embrace near-real-time detection and response services like AI-driven Managed Detection and Response (MDR) to keep up with attackers,” he adds.
From a data protection standpoint, the European Union’s mid-2018 implementation of the General Data Protection Regulation (GDPR) will likely prove to be just a precursor to various security and privacy initiatives in countries outside the European Union.
While we’re almost certain to see an uptick in legislative and regulatory actions to address security and privacy needs, there is a potential for some requirements to prove more counterproductive than helpful, warns Love.
“For example, overly broad regulations might prohibit security companies from sharing even generic information in their efforts to identify and counter attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities even as they close others,” he adds.
AI and ML
Automation and machine learning were a major underlying theme for security solutions launched and updated this year.
Forcepoint launched its Risk-Adaptive Protection (RAP) solution called Dynamic Data Protection. Built to address the barrage of complex and sophisticated threats facing organisations, Forcepoint’s RAP continuously assesses risk and automatically provides proportional enforcement that can be dialled up or down. This capability is enabled through human-centric behaviour analytics that understands interactions with data across users, machines and accounts. “Intelligent context speeds decision-making and security controls specific to changing risk in enterprise networks. With the industry’s first automated enforcement capability that dynamically adapts, security analysts are now freed to focus on high-value activities and eliminate the backlog of alerts from traditional security tools,” says Ibrahim.
ESET’s latest endpoint protection version now includes ESET Dynamic Threat Defence, an off-premise cloud-based sandbox powered by three machine learning engines and human expertise. Dynamic Threat Defence not only provides rapid analysis of zero-day and ransomware threats before they reach the network, but is also less costly, as it doesn’t require any additional hardware or software agent, and works equally well for roaming users, says Raekos.
Paladion launched its AI-driven Managed Detection & Response (MDR) service this year. The service integrates proprietary AI and machine learning into every stage of cyber defence.
“Now, our clients can finally process—in real time—the hundreds of terabytes of organisational data and global threat intelligence produced by both digital infrastructures and modern cybercriminals—dramatically increasing their security posture’s speed and efficiency,” Roy says.
Symantec, on the other hand, launched the Advanced Threat Protection (ATP) 3.1 with Targeted Attacks Analytics. The company’s Targeted Attack Analytics (TAA) technology enables ATP customers to leverage advanced machine learning to automate the discovery of targeted attacks – the most dangerous intrusions in corporate networks, says Love.
“The TAA technology implements machine learning to analyse a broad range of data, including system and network telemetry from Symantec’s global customer base which forms one of the largest threat data lakes in the world. Symantec’s cloud-based approach to this technology also enables the frequent re-training and updating of analytics to adapt to new attack methods without the need for product updates,” Love explains.
Advancing technology is a double-edged sword though.
Even as AI-based solutions helpfully automate manual tasks and enhance decision making and other human activities, they also emerge as promising attack targets, as many AI systems are home to massive amounts of data, Love observes.
In addition, researchers have grown increasingly concerned about the susceptibility of these systems to malicious input that can corrupt their logic and affect their operations. The fragility of some AI technologies will become a growing concern in 2019, Love warns.
Attackers won’t just target AI systems, they will enlist AI techniques themselves to supercharge their own criminal activities.
“Automated systems powered by AI could probe networks and systems searching for undiscovered vulnerabilities, including “ghost” code such as old Excel macros and other software remnants that exist on many computers and can be exploited for some attacks. AI could also be used to make phishing and other social engineering attacks even more sophisticated by creating extremely realistic video and audio or well-crafted emails designed to fool targeted individuals,” Love says.
Cloud will continue to open up massive security vulnerabilities, while also enabling cybersecurity firms to offer cost-effective comprehensive security services, says Roy. AI, on the other hand, will supercharge both cyber attacks and cyber defences – especially in detection and response. And while blockchain’s impact on cyberattack and cyberdefence remains too early to accurately predict, it is doubtful it will be the security saviour some are touting it to be. “There’s no magic bullet to security, only constant evolution,” Roy asserts.
Attribution will become more difficult to prove due to sophisticated subversion techniques, and new attack methodologies will cripple organisations who are unprepared for the ever-changing cyber landscape, says Forcepoint’s Ibrahim.
“Attackers will continue to use ML and available AI tools to spotlight security gaps and steal valuable data. Artificial attackers are formidable opponents, and we will see the arms race around AI and machine learning continue to build,” Ibrahim adds.
That said, the AI security story does have a bright side. Threat identification systems already use machine learning techniques to identify entirely new threats. And, it isn’t just attackers that can use AI systems to probe for open vulnerabilities. Defenders can use AI to better harden their environments from attacks, Love observes. For example, AI-powered systems could launch a series of simulated attacks on an enterprise network over time in the hope that an attack iteration will stumble across a vulnerability that can be closed before it’s discovered by attackers.
Closer to home, AI and other technologies are also likely to start helping individuals better protect their own digital security and privacy. AI could be embedded into mobile phones to help warn users if certain actions are risky. For example, when you set up a new email account, your phone might automatically warn you to set up two-factor authentication. “Over time, such security-based AI could also help people better understand the trade-offs involved when they give up personal information in exchange for the use of an application or other ancillary benefits,” Love says.
The year ahead
Though it is hard to predict what Blackhats have in their plans for 2019, we can expect more targeted cyber attacks in the private sector along with sophisticated cyber warfare targeting organisations with critical infrastructure and important data, says Raekos.
“Without a doubt, there will be many more data breaches despite the newly applied regulations like GDPR. On top of these, the constant increase of IoT devices both on company networks and homes along with the vulnerabilities that do exist in most of them will spark the interest of attackers,” he adds.
SMEs are also increasingly in the crosshairs of sophisticated attackers. In the past, advanced attacks took substantial effort to orchestrate, which made enterprises the only targets worth the investment of attempting a breach, Roy of Paladion observes. However, automation has reduced the effort required to deploy sophisticated attacks, and enterprises have invested heavily in their internal defence, making them much harder targets, he adds.
In 2019, attackers will break into industrial IoT devices by attacking the underlying cloud infrastructure.
This is much more desirable for an attacker since it represents a much bigger payday once access is obtained to the underlying systems of these multi-tenanted, multi-customer environments, warns Ibrahim.
“There are three issues at play here: the increasing network connectivity to edge computing; the difficulty in securing these devices as more compute moves out to the edge, as they do in remote facilities and IoT devices; and the exponential number of devices connecting to the cloud for updates and maintenance,” he adds.
Trust will be a common theme for 2019. For all the damage cyber-attacks are capable of—the undermining of physical systems, digital disruption, and the loss of valuable data and intellectual property (IP)—nothing is more detrimental to society than the cost of severed trust, says Forcepoint’s Ibrahim. “Trust is the difference between innovation and IP loss, between an organisation’s long-term success or failure,” he adds.
2018 was a precursor to how technology can be used for and against defence. The coming year will be a true war of wits as both threat actors and security teams battle for the control of corporate assets.