Fortinet Mid-year 2017 Predictions Update
Our 2017 Security Predictions article was titled The Year of Accountability. In it, I reviewed the security trends of 2016 and wrote, “If something isn’t done, there is a real risk of disrupting the emerging Digital Economy. The need for accountability at multiple levels is urgent and real.”
Smart to Smarter
The first half of 2017 has shown that this is more of a concern than ever. New attacks, built on the technology foundations and successes established over the past couple of years, are now smarter and more sophisticated than ever. Let’s take a look at a few of those that we had highlighted in our 2017 predictions report.
Last summer we saw the launch of the largest DDoS attack in history, using an IoT-based shadownet, which is a term we use to describe IoT botnets that can’t be seen or measured using conventional tools. The Mirai shadownet was built using millions of vulnerable IoT devices, and was used to bring down a large chunk of the Internet. Interestingly, while its biggest surge was during the summer of 2016, we have continued to see the Mirai exploit continue to target vulnerable systems ever since.
While its effects were unprecedented, we predicted that Mirai was not an end in itself, but was primarily launched to test its capabilities, and that we would see an increasingly sophisticated use of these swarms of compromised devices. And we were right. The Hajime ransomworm is the successor to Mirai. While it has the same basic foundation, it is significantly more sophisticated. Unlike Mirai, which was basically a blunt instrument, Hajime has a lot of sophisticated cybertools built in. Like Mirai, it is also IoT focused, but it is also cross-platform. Hajime currently supports five different platforms, includes a toolkit with automated tasks, and maintains a dynamic password lists that is remotely updatable. It can also download other code, like brickerbot.
The holy grail of network development is to achieve 99% automation. Unfortunately, this is also the goal of the bad guys. And Hajime includes a lot of automated tools. To evade detection, for example, Hajime is designed to be less noisy in order to stay under the detections radar by using things like traffic and behavior thresholds to mimic human behavior.
One of its most alarming features is an embedded tool designed to remove rules. For example, it attempts to remove firewall rules used to detect this kind of malware. It also targets ISPs and MSSPs by identifying CPE devices and the CPE LAN Management Protocol and attempting to remove the rules that allow the CPE device to talk to the service provider. Imagine a service provider with millions of devices that all go dark, and with no heartbeat to see, control, or manage these devices. This is a nightmare scenario that can not only deny services, but can also trigger parallel issues, like flooding help desks with calls from frustrated customers.
Hajime has primarily targeted Taiwan and the US, with over a million hits recorded
And unlike Mirai, which only had a single C&C server that made it rather easy to shut down Hajime uses a P2P command and control system that allows it to be really resilient. The challenge, of course, is that the more platforms, code, and binaries you support, the more difficult it is to maintain a tool like this. But once you solve that problem, your reach expands exponentially.
Another IoT botnet to recently emerge is called Persirai that targets Internet IP cameras. This latest development comes on the heels of Mirai and Hajime. Persirai uses a password stealing vulnerability to start performing authenticated commands. This is another example of a “hot exploit” because once an IP camera has been infected it begins to attack other IP Cameras by exploiting a zero-day vulnerability that was made public only a few months ago. While the number of incidents is still relatively low, its automated infection behavior has allowed it to target a wide range of industries.
The point is, in the IoT world we are seeing the evolution of exploit techniques (from smart to smarter) — including password stealing, and then leveraging these passwords to hack additional systems. It’s a process that human attackers would typically use that has now been automated.
Of course, automation means that attacks not only come at us faster, they also reduce the time between breach and impact, and can learn how to avoid detection. We can no longer afford to hand correlate threat data to detect threats or respond at anything less than machine speeds. In the ongoing cyberwar, enterprises today need to be able to fight automation with automation, which means they need to deploy integrated expert security systems that can automatically collect, correlate, share, and respond to threats in a coordinated fashion, anywhere across the distributed network ecosystem, from IoT to the cloud.
Like IoT-based shadownets, ransomware is also getting smarter. Fortinet’s recent Threat landscape report documented an increase in DVR signatures in its attack trends section. And more concerning, the two attack strategies are beginning to converge in order to deny access to, and ransom, services. Scalability has previously been a limiting factor in this sort of attack, but Hajime automates the process to build an automated smart infrastructure to deliver this threat.
While healthcare remains in the crosshairs for ransomware based attacks, we are seeing ransom-based attacks evolve. Healthcare is not the only vulnerable target. We are beginning to see the ransoming of high-value services, and not just the encrypting of data. To stay ahead of the curve on this, organizations need to start now by identifying and documenting digital assets, including services. The question that needs to be asked is if these services go off line, how much will it cost you?
Once the process is automated, attackers won’t be limited to targeting specific industries. While some may think that WannaCry was a targeted ransomware attack, it was more like wildfire, destroying everything in its path. But like Mirai, Wannacry was a beta version. Petya, which followed right on its heels, may have had minimal impact, but it was a much more sophisticated variant of WannaCry’s original ransomworm.
The denial of access to critical services is not just the Achilles heel of the healthcare industry. Industrial systems, such as modern windmills, are now being attacked for ransom. The loss of a windmill can cost upwards of $30,000 a day. If an attacker is able to infiltrate and shut enough of these down, the targeted energy provider is likely to pay out a huge ransom to get them back online. Critical equipment related to modern farming likewise generates significant revenue, and we are already starting to see cases in that industry of the ransom of services (IOT/ICS). Attacks like these – that target critical infrastructure based on new, interconnected technologies – are likely to grow as part of the next generation of ransom-based attacks.
In addition to attacks targeting industries with huge social ramifications, we are also seeing the rise in micro attacks, made possible now because of smarter, automated attacks. How much would you pay to regain access to your laptop, or even your Smart TV or home security system? Or to turn your refrigerator back on?
The ransomware model is effective, and we will continue to see more of these as attack and evasion techniques are improved and refined. The key takeaway is that once the bugs get worked out of these new sorts of attacks, any industry that gets targeted will experience devastating consequences.
An interesting common denominator to a lot of the attacks we have seen the past six months has been that hackers are spending less time on developing new ways to break into a system, and more on the delivery and stealth mechanisms for their attack. That’s because they are still seeing a lot of success in using hot exploits for their attack vector, which is the act of targeting a vulnerability that hasn’t had enough time to be broadly patched or updated. The WannaCry ransomworm, for example, targeted a vulnerability that had only had a patch available for a couple of months.
For whatever reason, one of the primary causes of the success of hackers is poor security hygiene. Networks are expanding and evolving rapidly, crossing over different domains and environments. Speed and efficiency are business critical, which means that there is zero tolerance for ay device downtime. As a result, vulnerable devices are not being tracked, updated, or replaced.
But because networks are now highly meshed and hyperconnected environments, vulnerable devices now represent even more potential risk. Take the emergence of smart cities for an example. An unsecured and unpatched server may become a conduit for attacks that shut down things like traffic control systems or emergency services. And as critical infrastructure networks mesh with smart city scenarios, the potential for trouble increases exponentially.
IoT Manufacturer Accountability
IoT devices and infrastructure simply complicate the problem. They introduce more platforms into an already crowded network. Because they tend to be highly mobile, they also create a new management nightmare when it comes to patching them. And because so many IoT devices have software and communications protocols hard-coded into them, there are actually few patches to apply to vulnerable systems because many simply can’t be patched.
Not only are IoT manufacturers notorious for connecting millions of mass produced-devices to the internet using poorly written and highly vulnerable code, but this code is also shared freely between manufacturers. Which means a single vulnerability can be compounded across hundreds of different devices from dozens of different manufacturers.
Which makes new exploits like Devils’ Ivy even more dangerous. Devil’s Ivy is an exploit that targets a vulnerability found in a piece of code called gSOAP that is used in physical security devices such as cameras and card readers. At least 34 different companies who manufacture IoT devices use this code in literally thousands of different device models, representing millions of deployed devices.
Unfortunately, when it comes to IoT, this sort of embedded and widely distributed vulnerability is far from unique. And as hot exploits continue to be combined with effective distribution mechanisms, such as fast-spreading worms, we could be looking at one cyber-wildfire after another spreading across the globe.
Of course, these challenges are not going unnoticed. Right now, manufacturers are in the early stages of addressing this problem, which means they are flooding the market with proposals for standards. Confusion and competition makes it difficult to even properly label IoT devices regarding levels of security or how consumers can best protect themselves, their devices, and their data. The clock is ticking, however. Because the next step is to hold manufacturers accountable for selling solutions that can be easily exploited.
Recently, U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, introduced a new bipartisan bill known as the ‘Internet of Things (IoT) Cybersecurity Improvement Act of 2017.’ This bill prescribes that devices purchased by the U.S. government must meet minimum security requirements, and that vendors who supply the U.S. government with IoT devices have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, are free of known security vulnerabilities, as well as other basic security requirements.
And California Senate Bill 327 mandates that all IoT devices have built-in security features appropriate to the device and information collected, and allows consumers and agencies to bring enforcement complaints against those companies that do not build adequate security safeguards into their devices. This law has teeth, and because California is such a massive economy, its passage could significantly impact the entire IoT industry.
This is the latest in a trend of legislative and regulatory efforts by state and federal authorities to hold IoT device makers more accountable for consumer data security. The alternative is to continue to feed the growing cybercriminal economy. If simply designing safe and secure products isn’t enough incentive for some organizations, the thinking goes, the threat of fines and lawsuits will.
Technology is making our lives easier. We have access to unprecedented levels of information, resources, social media, and entertainment at our fingertips, 24 hours a day. Much of our reliance on this technology has become invisible, from traffic control systems to medical devices to applications that allow us to make and monitor financial transactions. While new classes of connected devices provide valuable services, they are being woven into an increasingly complex ecosystem of data, devices, applications, and services that we are becoming more dependent on every day.
Which is why we are also seeing a rise in the number and sophistication of attacks that are designed to target and exploit this phenomenon. Beta versions of new classes of exploits are now being regularly released into the wild. And we are seeing second and third generations of these attacks; with much more sophisticated tools and automated exploits being launched within weeks of the initial beta launch.
The process required for addressing these challenges needs to escalate. Threats are compounding at digital speeds, while resolutions, like manufacturers building security safeguards into their products, are proceeding at a snail’s pace. We need to start building security into tools and systems on day zero. We need alignment on ways to effectively see and combat new cybercrime. And we need to adopt integrated, collaborative, and automated procedures and technologies end to end to help us see and protect valuable resources moving across the expanded digital network.