2015 Predictions Paper
Jeff Stutzman, Co-Founder, Red Sky Alliance and Wapack Labs
December 31, 2014
I started writing the papers in 2011. My earlier papers are all available on this blog. Surprisingly enough, even with some being a total stretch, many came true. This year is a little different. Where I'd looked at tech exploitation in previous years, my fear is that this year, technical exploitation will take a backseat to "we're already in and this is what we want". So watch out for objectives on target. This, in my opinion, is what's going to be the big message for 2015.
2015 will bring massive change.
Ransomware will become highly targeted, significantly more efficient and far more damaging
In October, Wapack Labs responded to a call for help from a local company. The company had fallen victim to ransomware. While Wapack Labs doesn’t normally undertake incident response, the request came in from a friend, and we felt compelled to assist. In this case, the CEO paid the ransom (about $800 in Bitcoin) to retrieve the files that were encrypted on his personal computer. The corporate drives, however, were a different story. The company’s IT staff had been forced to restore the entire company from a backup taken 24 hours earlier. Our analysis resulted in sink-holing the command and control channels, revealing nearly 1500 other victims within the first hour!
Ransomware is a type of malware that restricts access to the computer system it infects and demands a ransom, paid to the creator(s) of the malware, for the restriction to be removed.[2] Ransomware often uses scare tactics to coerce the owner of the victim computer into paying money to unlock or decrypt files, or the computer itself, which are held until the ransom is paid. In many cases, users are even walked through the process of paying the ransom. It is a non-discriminating attack; nearly anyone can fall victim. Figure 2 shows the screen presented to an earlier victim at Scotland Yard.[3]
The idea that ransomware has become a big deal should come as no surprise. But when you combine it with underground currency (thereby removing controls imposed by the banking and finance system) and couple it with highly efficient delivery mechanisms (see the next prediction), the use of ransomware could, and likely will, become a very real and significant threat.
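The sinkhole step above is where the victim count comes from: once the command and control domain resolves to a server the responders control, every infected host announces itself by checking in. The script below is an added example written for this post; it is not Wapack Labs' tooling. It assumes a sinkhole that writes one line per inbound check-in in the constructed format `<timestamp>Z <source IP> <method> <path> <user-agent>`, and that the malware carries a per-victim identifier in an `id=` query parameter (an assumption for this example; real families differ). It counts distinct victims seen within the first hour, by source IP and by bot id, over a few constructed log lines.

```python
"""Count distinct victims checking in to a sinkholed ransomware C2 during its first hour.

Added example; not Wapack Labs' tooling. Assumes a sinkhole log with one line
per check-in in the constructed format
    <ISO-8601 timestamp>Z <source IP> <HTTP method> <path> <user-agent>
and a per-victim bot id in an `id=` query parameter (assumption for this example).
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines: timestamps, IPs and ids are invented.
SINKHOLE_LOG = """\
2014-10-14T09:00:00Z 198.51.100.7 GET /gate.php?id=3f1a Mozilla/4.0
2014-10-14T09:00:09Z 203.0.113.54 GET /gate.php?id=9c02 Mozilla/4.0
2014-10-14T09:00:41Z 198.51.100.7 GET /gate.php?id=3f1a Mozilla/4.0
2014-10-14T09:17:22Z 192.0.2.200 GET /gate.php?id=b771 Mozilla/4.0
2014-10-14T09:45:00Z 203.0.113.54 GET /gate.php?id=9c02 Mozilla/4.0
2014-10-14T09:59:59Z 192.0.2.17 GET /gate.php?id=0ae4 Mozilla/4.0
2014-10-14T10:00:00Z 192.0.2.99 GET /gate.php?id=55d1 Mozilla/4.0
2014-10-14T10:30:12Z 198.51.100.7 GET /gate.php?id=3f1a Mozilla/4.0
this line is garbage and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<ua>.*)$"
)
ID_RE = re.compile(r"[?&]id=([0-9a-f]+)")


def parse_checkins(log_text):
    """Yield (timestamp, source_ip, path) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        yield ts, m.group("ip"), m.group("path")


def victim_key(ip, path, by):
    """Pick the victim identifier: the source IP, or the bot id carried in the query string."""
    if by == "ip":
        return ip
    m = ID_RE.search(path)
    return m.group(1) if m else None


def victims_in_window(log_text, window=timedelta(hours=1), by="ip"):
    """Distinct victims whose check-in falls within `window` of the first one seen.

    Counting by IP undercounts hosts behind NAT and overcounts roaming laptops;
    counting by bot id (when the family exposes one) is usually the better
    census, so both views are offered.
    """
    checkins = list(parse_checkins(log_text))
    if not checkins:
        return set()
    start = min(ts for ts, _, _ in checkins)
    keys = {victim_key(ip, path, by) for ts, ip, path in checkins if ts - start < window}
    keys.discard(None)
    return keys


def checkins_per_ip(log_text):
    """How chatty each source is: repeated check-ins from one IP are one victim polling."""
    return Counter(ip for _, ip, _ in parse_checkins(log_text))


if __name__ == "__main__":
    print(len(victims_in_window(SINKHOLE_LOG)), "distinct IPs in the first hour")
    print(len(victims_in_window(SINKHOLE_LOG, by="id")), "distinct bot ids in the first hour")
    for ip, n in checkins_per_ip(SINKHOLE_LOG).most_common():
        print(f"{ip:15} {n} check-ins")
```

The window is half-open on purpose: a check-in exactly one hour after the first is not "within the first hour", which is the boundary case the constructed 10:00:00 line exercises.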
Malware delivery will become highly efficient, utilizing traffic delivery systems to increase the probability of successful intrusions.
Imagine walking into a massive grocery store to buy a carton of milk. You’ve never been to this store before. You can run through every aisle looking for the dairy case, or you can ask a clerk to walk you to it. Now imagine that the clerk knows the exact kind of milk you like, and hands it to you before you even ask him/her for directions to the dairy case. Traffic distribution systems (TDS) work the same way in cyber space. They know the configuration of the computers and push specific legitimate content only to the computers that actually want it; or, in the case of malware delivery, the TDS knows the configuration of specific computer systems and delivers malware only to those computers that will actually be able to execute the payload. By knowing which computers have specific vulnerabilities, and delivering malware only to those computers, the likelihood of a successful exploitation increases dramatically, thereby increasing the attacker’s return on his hacking investment with very little additional effort.
For example, Wapack Labs witnessed and reported on (November 2014) hackers abusing a Traffic Distribution Service (TDS) called Sutra. The Sutra TDS is designed with the intention of managing (and capturing) legitimate analytic data from a web server’s traffic. By design, Sutra systems manage affiliate advertisements and maximize referral monetization through advanced management. However, malicious actors have found a way to abuse this technology.[4]
This occurs by the system understanding not only the IP or MAC address of the system to which content should be delivered, but also the operating system, patch status, vulnerabilities and open ports. The system acts as a traffic cop, delivering malware only to those systems vulnerable to a specific attack.
We believe this will only grow in 2015.
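The practical consequence of the "traffic cop" behaviour for a defender is that a single fetch of a suspect URL proves nothing: the TDS hands the analyst's sandbox the legitimate page and the vulnerable workstation something else. The usual check is to fetch the same URL once per client profile and compare the responses. The script below is an added example written for this post, not Wapack Labs' or the Sutra project's code. The `fetch` callable is an assumption (in practice it wraps an HTTP client that sends the profile's User-Agent); here a constructed stand-in models a content-aware redirector so the check runs offline, and the profile names and strings are invented.

```python
"""Fetch one URL under several client profiles and flag profile-dependent responses.

Added example; not Wapack Labs' or the Sutra project's code. The `fetch`
callable is an assumption: real use wraps an HTTP client that sends the
profile's User-Agent. `fake_tds_fetch` is a constructed stand-in for a
content-aware redirector so the example runs offline.
"""
import hashlib
from collections import Counter

# Constructed client profiles. These mirror what a TDS typically keys on:
# the browser/OS string and the presence of commonly fingerprinted plugins.
PROFILES = {
    "sandbox-linux": {"ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0", "plugins": []},
    "winxp-ie8": {"ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)", "plugins": ["java", "flash"]},
    "win7-ie11": {"ua": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", "plugins": ["flash"]},
    "macos-safari": {"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Safari/600.1", "plugins": []},
}


def fake_tds_fetch(url, profile):
    """Constructed stand-in for an HTTP GET through a content-aware redirector.

    Returns (status, headers, body). Most clients get the store front; one
    outdated profile is redirected to a different landing page, which is the
    behaviour the text describes.
    """
    if "Windows NT 5.1" in profile["ua"] and "java" in profile["plugins"]:
        return 302, {"Location": "http://landing.example/x"}, b""
    return 200, {"Content-Type": "text/html"}, b"<html>store front</html>"


def fingerprint(status, headers, body):
    """Reduce a response to something comparable: status, redirect target, body hash."""
    return (status, headers.get("Location", ""), hashlib.sha256(body).hexdigest()[:12])


def probe(url, profiles, fetch):
    """Fetch `url` once per profile and return {profile_name: fingerprint}."""
    return {name: fingerprint(*fetch(url, p)) for name, p in profiles.items()}


def divergent_profiles(results):
    """Profiles whose response differs from the majority response.

    Empty for a plain site, which serves everyone the same thing. A non-empty
    list is a conditional-delivery signal worth a closer look, not proof of
    malice by itself: A/B tests and mobile redirects diverge too.
    """
    if not results:
        return []
    common = Counter(results.values()).most_common(1)[0][0]
    return sorted(name for name, fp in results.items() if fp != common)


if __name__ == "__main__":
    res = probe("http://shop.example/", PROFILES, fake_tds_fetch)
    for name, fp in res.items():
        print(f"{name:14} -> {fp}")
    print("divergent:", divergent_profiles(res))
```

The comparison is deliberately on status, redirect target and body hash rather than on the raw body, so that two fetches of a legitimately dynamic page (timestamps, session tokens) can be normalised further before hashing without changing the rest of the check.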
OEM trojaning activities will become the norm.
In August 2014, Wapack Labs received malware specimens that were reported as targeting a Russian commercial bank. Analysis of the malware uncovered a wide criminal infrastructure as well as a targeted malware component designed to attack a specific application used in many financial institutions. While the activity appeared to be targeted in nature, the associated infrastructure had also been linked to a number of other generic cybercrime activities. The interesting thing was that all of the malware, once triggered remotely, communicated back to the software developer that built and sold the application to the banks. While this may suggest the OEM wrote the backdoor into the code, it may also suggest that the OEM had itself been exploited. We are not clear which option was true, but the fact that the command and control channels called home to the developer suggests, at a minimum, some involvement.
We’ve heard of other cases of suspected OEM poisoning, and this one, although unproven, suggests, at least to us, a leading indicator. Companies with distribution channels for software, hardware, and services should consider themselves prime targets for OEM poisoning by hackers who look for the early foothold.
Companies will (if not already) grow tired of being victimized. Top companies (the “one-percenters”) will begin to shoot back. The Sony case is famous.
According to one media report, Sony Pictures is alleged to have conducted a retaliatory DDoS attack against websites currently holding its leaked information for public download. The unconfirmed strike-back follows two weeks of relentless attacks on Sony networks, punctuated by extortion demands and the theft and release of personal information, emails and other business documents, all supposedly by the hacker collective the "Guardians of Peace".[5] I’ve heard this before. Sony isn’t the only one. Over ten years ago, while working onsite at a bank, the CISO talked openly about hiring an offshore company to attack servers that were used to spam bank customers and the servers hosting the fake banking sites they linked to.
During our first year with Red Sky Alliance, we visited a non-member defense contractor who’d fallen victim several times to determined adversaries who were believed to be state sponsored, and who were stealing intellectual property being developed by them for the US Department of Defense. The company spoke openly about having taken the offensive during attacks where sensitive technologies were believed targeted and being stolen.
So is this real? Absolutely. Is it likely? Absolutely. Widespread? Probably not yet, but it should come as no surprise that cyber activities are popping up in some unlikely locations around the world (possibly those locations that do not yet have strict cyber laws), and my belief is they will be used for proactive offensive, retaliatory, and active defensive operations.
The continued growth of government-sponsored operations will dramatically alter the cyber landscape.
In 2013 Wapack Labs analysts began tracking the growth in numbers of countries building their own ‘Cyber Command’. At the time, we found evidence of six versions of government sponsored cyber organizations. In February ’14 when we mapped it out, there were 22, and today, not even a year later, there are believed to be over 100 in various stages of maturity.
What does this mean? I use a term that I heard David Awksmith use at a conference in Colorado a few years ago. He used an economics term, disintermediation, to describe removing the middleman (the middleman being the military) in cyber space. Why? Old-school military leaders won’t give up their bullets, but the younger generation of officers are believers that cyber is a viable weapon, and that non-kinetic, non-blood-yielding options can have as good or better effects on many fronts than kinetic weapons. We’ve seen the removal of the military middleman play out already in several cases, and even in those countries with strong national-level computer emergency response teams, non-governmental victims who are attacked can suffer significant damage.
According to one source, Smart TVs were hacked during the Ukrainian parliamentary election. Local channels were blocked and ‘aggressor’ (according to our source, Russian) messaging was played instead. The Ukrainian military was not targeted, rather the population in an attempt to sway voting.
In another, Privatbank, Ukraine’s largest commercial bank was hacked repeatedly because the owner of the bank spoke out against Putin and personally funded much of the Ukrainian resistance.
Election tampering, monitoring of the telephone systems, use of traffic cameras and security webcams to collect intelligence, and the ability to manipulate, through cyber connections, just about any controller, media outlet, and telephone system offer significant advantages. Cyber activities do not carry the same “Washington Post effect” (generating public outcry and influencing US leadership through media reporting) as physical bombings and killings of people, are far less expensive for an adversary to carry out, and offer significant plausible deniability, but for the targeted victim(s) they can be devastating.
So yes, future cyber, in my opinion, will remove the middleman and companies will be targeted directly by state sponsored (or at a minimum, state condoned) activities. This will become the norm. Need other examples?
The leader of the Syrian Electronic Army is actually President Assad’s cousin. The SEA was created as a result of, and for retribution for, the assets of the Assad regime being frozen. We’ve seen heavy SEA activity over the last twelve months, and from our perspective, we should expect to see more.
North Korea’s Unit 121 is reported by the FBI to be the actor behind the Sony breaches. Regardless of heavy public speculation on attribution, the activity certainly cost Sony, in both hard and soft dollars, and the fight, if the FBI is correct, was military-on-private-corporation, not military-on-military.
China has long been believed to be using government-sponsored cyber espionage units to target and exploit intellectual property residing in corporations outside of China. State sponsorship (or, at a minimum, state countenance) of activities against global corporations suggests governments are targeting non-government victims whenever that non-government entity has something in their collection requirements.
The US Cyber Command nearly doubled its budget heading into 2015. There should be no doubt that others will follow, if only to protect themselves against future cyber, SIGINT, and espionage activities.
Life in cyber is not all that bad
There are some very strong positives.
First, the intelligence space is maturing nicely. Not only are CISOs becoming aware of the need for intelligence (even though risk models called for it years ago!), the idea that effort and spend can be prioritized by having great intelligence is a good thing. In fact, not only is it maturing, verticals are forming!
Second, nearly every company that I wander into today either has a CISO or understands the need. That’s not to say they’ll all run out and hire one, but the awareness is there. I see this as a positive.
The ISO 27001 business is booming. ISO isn’t going to stop determined adversaries, but it marks progress. Again, I see this as a strong positive.
Table 1: Stutzman's 2015 Predictions

| Prediction | Type of risk | To whom | Risk | Probability | Impact if successful | Stage of maturation | Leading indicators present? | Overall risk score |
|---|---|---|---|---|---|---|---|---|
| Ransomware will become highly targeted and significantly more efficient | Tech exploitation and ransom | All | 5 | 5 | 5 | 3 | Yes | 4.5 |
| Malware delivery will move from broad phishing delivery through content aware (traffic cop) systems | Tech exploitation | All | 5 | 5 | 3 | 3 | Yes | 4 |
| Previously unpublished activities surrounding OEM integrated trojaning activities will become more public | OEM exploitation | All | 4 | 3 | 5 | 3 | Yes | 3.75 |
| Companies will grow tired, and begin shooting back | Policy and Legal | Top 1 percenters | 5 | 5 | 1 | 1 | Yes | 3 |
| The continued growth of government sponsored cyber operations will drastically alter the landscape. | GEOPOL | Targeted companies | 4 | 5 | 3 | 2 | Yes | 3.5 |
Risk scoring is qualitative, from 1 to 5, with 1 being low and 5 high. The model is simple: overall risk scores are an un-weighted average of Risk, Probability, Impact, and Estimated Stage of Maturity. Leading indicators are Yes or No.
[1] Henrybasset.blogspot.com
[2] http://en.wikipedia.org/wiki/Ransomware
[3] http://en.wikipedia.org/wiki/Ransomware#mediaviewer/File:Metropolitan_Police_ransomware_scam.jpg
[4] https://www.usenix.org/sites/default/files/conference/protected-files/leet_ferguson_threats_preso.pdf
[5] http://www.theregister.co.uk/2014/12/12/sony_allegedly_targets_file_sharers_following_guardians_of_peace_hack/