Top 5 Cybersecurity Predictions in 2018

It’s the yearend. It’s the time of the year when we look back at the salient events that made a great impact in the cybersecurity world, and make predictions of what the new year will bring.

Here are the top 5 cybersecurity predictions for 2018:

1. Cryptocurrency Mining

The growth of cryptocurrency this year is unprecedented, with the total value of close to 500 billion US dollars as of December 24, 2017. While Bitcoin is the most dominant cryptocurrency in the market, other cryptocurrencies have soared as well. Cryptocurrency Monero, for instance, has a total market cap of $5.1 billion as of December 24, 2017, with one coin of Monero valued close to $335.

“Mining” is needed for many cryptocurrency coins like Bitcoin and Monero to be processed and released. In the past, Bitcoin could be mined using ordinary computers. Today, Bitcoin can only be mined using specific and high-powered computers, leaving the mining to big companies. Other cryptocurrencies, however, can be mined using ordinary computers. Monero, in particular, can be mined using ordinary computers and even using smartphones.

The people who mine cryptocurrencies called “miners” are given a fair share of the coin value for the computer use. Unscrupulous individuals who want to earn more money from cryptocurrency mining, meanwhile, are scouring the internet looking for vulnerable computers and smartphones to install malicious software (malware) capable of mining cryptocurrency like Monero.

Adylkuzz cryptocurrency malware, which was released into the wild in May 2017, infects computers using Microsoft operating system that fail to install Microsoft’s March 14, 2017 security update. Other cryptocurrency malware that proliferated this year includes Coinhive, Digmine and Loapi. Coinhive is distributed via compromised websites, Digmine via Facebook Messenger and Loapi via online advertising campaigns.

Cryptocurrency mining malware eats up most of the computing power of servers, desktops, laptops and smartphones. This results in the slow performance of computers. The Loapi malware, in particular, is so powerful that it can even melt an Android phone.

“Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise,” Imperva Incapsula said in the article "Top Five Trends IT Security Pros Need to Think About Going into 2018”. “We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.”

2. Business Disruption

In 2017, the world saw the devastation brought about by ransomware and distributed denial-of-service (DDoS) attacks.

Ransomware is a type of malware that restricts user access to the infected computer until a ransom is paid to unlock it. Two of the notable ransomware this year, WannaCry and NotPetya, are essentially not ransomware in the sense that the code of these two malware were written in such a way that even the attackers themselves can’t unlock the infected computers. Whether this was intentional or not, only the attackers know. But in this sense, these two malware are considered as “wiper” – meant to bring business disruption.

“The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage,” researchers at McAfee said.

Another malware that brought widespread business disruption in 2017 was the Mirai botnet, a malware that infected close to 100,000 IoT devices, turned them into robots and launched DDoS attack that brought down the managed DNS platform of Dyn, which in effect, temporarily brought down 80 widely used websites like Amazon, Twitter, Tumblr, Reddit, Spotify and Netflix.

According to Imperva Incapsula, attackers in the upcoming year will probably adopt new business disruption techniques. Examples of these disruptive techniques include modifying computer configuration to cause software errors, system restarts, causing software crashes, disruption of corporate email or other infrastructure and shutting down an internal network (point-of-sale systems, web app to a database, communication between endpoints, etc.).

3. Breach by Insiders

The 2017 Cost of Data Breach Study (PDF) conducted by Ponemon and commissioned by IBM showed that 47% of data breaches were caused by malicious insiders and outsiders’ criminal attacks, 25% were due to negligent employees or contractors (human factor) and 28% were due to system glitches.

According to Imperva Incapsula, illegal cryptocurrency mining operations in corporate servers are on the rise, set up by insiders or “employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.”

4. Artificial Intelligence (AI) as a Double-Edged Sword

In 2018, AI is expected to be used by cybercriminals as a means to speed up the process of finding security vulnerabilities in commercial products like operating systems and other widely used software. On the other hand, AI is expected to be used by cyberdefenders to improve cybersecurity.

“Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers,” researchers at McAfee said. “Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.”

5. GDPR

In 2018, one thing is for sure: General Data Protection Regulation (GDPR) will be enforced on May 25, 2018.

GDPR is a European Union (EU) law that has an “extra-territorial” reach. Businesses that process personal data or monitor the online behavior of EU residents are still covered under this law even if they aren’t based in any of EU countries. Salient features of the law include consent requirement, right to be forgotten, transparency requirement, cybersecurity measures and data breach notification.

“In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come,” researchers at McAfee said.

Happy 2018, and Stay Safe!

Here is how to instantly spot a phishing email

DDoS Threat Landscape in 3^rd Quarter of 2017

They're getting more powerful and persistent. This is how Imperva Incapsula described the global distributed denial-of-service (DDoS) threat landscape in the 3rd quarter of 2017.

In its Global DDoS Threat Landscape Q3 2017, Imperva Incapsula defined DDoS attack as a “persistent, distributed denial of service event” against a particular IP address or domain. Imperva Incapsula considers a DDoS attack as a single attack when it’s conducted at least 60 minutes, held prior to an attack-free period and followed by another attack-free period of the same duration or longer.

“In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” the United States Computer Emergency Readiness Team (US-CERT) defines DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is ‘distributed’ because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.”

Imperva Incapsula identifies two types of DDoS attacks: network layer attack and application layer attack.

Network layer attack is defined as a DDoS attack that causes network saturation by consuming much of the available bandwidth. Attack under this type is measured in million packets per second (Mpps) and gigabits per second (Gbps) – referring to the amount of bandwidth it can consume per second.

Application layer attack, meanwhile, is defined as a DDoS attack for the purpose of bringing down a server by exhausting its processing resources – CPU or RAM – with a high number of requests. Attack under this type is measured in requests per second (RPS) – referring to the number of processing tasks initiated per second.

Network Layer DDoS Attacks

In terms of network layer attacks, 90.2% were under 10 Mpps, 4.8% between 10-50 Mpps, 2.1% between 50-100 Mpps and 2.9% above 100 Mpps. The largest network layer attack recorded last quarter reached 299 Gbps.

According to Imperva Incapsula, attacks under 10 Mpps were mostly the result of DDoS-for-hire activities.

On average, each network layer attack target suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the span of the quarter.

Top Attacked Industries

The Imperva Incapsula report showed that online gambling is the number one industry targeted by network layer DDoS attackers (34.5%), followed by gaming (14.4%), internet services (10.8%), financials (10.1%), retail (5.8%), IT and software (5.8%), media and publishing (5.8%), cryptocurrency or bitcoin platforms (3.6%), transportation (2.2%) and telecom (1.4%).

The following reasons were put forward why over a third of the network layer DDoS attacks were targeted on gambling sites and related services:

• Reliance on web structure for operation which in return exposes this industry to DDoS extortion attempts
• Highly competitive and are commonly targeted by rival companies
• Originate from users either trying to influence the outcome of a game or just trying to vent their frustrations

The report also found that 3 out of 4 of bitcoin sites were attacked in the last quarter. The relatively high number of DDoS attacks on cryptocurrency exchanges and services observed in the 3^rd quarter of 2017 was attributed to the recent staggering spike in the price of bitcoin, which more than doubled in the period of the quarter.

Top Attacked Countries

Hong Kong was the most targeted with 31% of the total global network layer DDoS attack, followed by the US (19%), Germany (12.8%), Philippines (7.6%), China (7.2%), Taiwan (7.1%), Singapore (4.4%), Malaysia (3.9%), Japan (0.8%) and Canada (0.8%).

Almost a third of the network layer DDoS attacks last quarter went to Hong Kong as a result of a large-scale campaign against a Hong Kong-based hosting service provider. Taiwan and the Philippines also made it to the top 10 list as a result of large campaigns targeting gambling websites in these countries.

Application Layer DDoS Attacks

In terms of application layer DDoS attacks, on average, each victim suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the span of the quarter.

The US ranked as the most targeted country in terms of application layer DDoS attack (53.3%), followed by Netherlands (8.8%), Singapore (6.3%), Belgium (5%), Italy (4.4%), Germany (3.9%), Russia (3.1%), Japan (3.1%), Hong Kong (1.8%) and Australia (1.5%).

DDoS BOTNET

Imperva Incapsula’s global DDoS threat report for the 3^rd quarter of 2017 showed that attackers use botnet – a group of malware-infected IoT devices – in carrying out DDoS attacks. These malware-infected IoT devices are remotely controlled by attackers and device owners have no knowledge that their devices are used for DDoS attacks.

In terms of attack requests, 16.9% came from China, 7.6% from Vietnam, 7.2% from Turkey, 5.7% from the US and 4% from India. Meanwhile, in terms of the number of attacking devices, 42.5% came from China, 11.1% from the US, 5.4% from Vietnam, 2.9% from India and 2.2% from Turkey.

DDoS Mitigating Measures

The main distinction between network layer DDoS attack and application layer DDoS attack is that they target different resources. A network layer DDoS attack tries to clog the network, for instance, consuming much of the available bandwidth, while application DDoS layer attempts to drain resources like CPU and memory.

As these 2 types of DDoS attacks target different resources, the attacks are also executed differently. Considering that these 2 types of DDoS attacks target different resources and are executed differently, mitigating each of these DDoS threats needs a substantially different set of security methods.

It’s also important to take into consideration the difference between Gbps and Mpps for mitigation purposes.

Gbps is defined as the measure of the total load placed on a network, also known as throughput, while Mpps is defined as a measure of the rate at which packets are delivered, also known as forwarding rate.

For instance, if your organization’s DDoS mitigation solution has the capability to handle 100 Gbps and process packets at a rate of 20 Mpps, a 50 Gbps DDoS attack at a rate of 40 Mpps can still bring down your organization’s network.

Bitcoin Popularity Gives Rise to Cryptocurrency-Themed Malware

Amidst the surge of Bitcoin’s popularity, other cryptocurrencies have also risen along with it.

As of December 4, 2017, Bitcoin is worth near $11,000. Other cryptocurrencies have also increased their value. For example, Monero cryptocurrency is now worth $201. Bitcoin was introduced in 2009 and Monero in 2014.

Contrary to popular perception, Bitcoin transactions aren’t anonymous. All Bitcoin transactions are public records and can be tracked. Monero, meanwhile, markets itself as an anonymous cryptocurrency, claiming that a single Monero coin can’t have its entire transaction history revealed.

Both Bitcoin and Monero are cryptocurrencies that need to be mined. Cryptocurrency mining is defined as the process by which transactions are verified. It’s also a means by which a cryptocurrency or digital coin is released. For their effort and use of hardware, miners are given a small share of the cryptocurrency.

In the past, anyone with a PC could mine Bitcoin. Nowadays, only those who own computers with huge computing power can mine Bitcoin. Monero, on the other hand, can be mined by just anybody with just the use ordinary desktops, laptops and even smartphones.

Cryptocurrency-Themed Malware

Candid Wuest, security researcher at Symantec, told the BBC that malicious software (malware) connected with cryptocurrency increases "tenfold". "There's been a huge spike," said Wuest, adding that this surge had been caused by the rapid rise in Bitcoin's value.

Malwarebytes' security researcher Jerome Segura, meanwhile, told the BBC that Malwarebytes blocked nearly 250 million attempts to place cryptocurrency malware on to PCs.

Adylkuzz Cryptocurrency Malware

Adylkuzz is a malware that installs the code used to mine the cryptocurrency Monero without the knowledge and consent of the computer owner.

The Monero mining code is maliciously installed by Adylkuzz into a computer by exploiting a Windows operating system vulnerability called “EternalBlue”. The ransomware WannaCry also exploited the same vulnerability in Windows operating system. Unlike WannaCry which can self-propagate on its own to infect others, Adylkuzz has no self-propagation capacity.

Monero mining – courtesy by Adylkuzz malware – operates in the background and users of compromised computers are unlikely to notice this unauthorized activity.

Cryptojacking

Cryptojacking refers to the malicious installation of crypto mining software in a website without the knowledge and consent of the owner as well as lack of knowledge and consent of website visitors.

Coinhive is a software that enables cryptocurrency miners to install Monero cryptocurrency mining code on a website using JavaScript. Coinhive operates on the premise that cryptocurrency mining can be a means for website owners to earn revenue, in lieu of advertising.

Once CoinHive is installed in a website, the CPU power of every site visitor is used for cryptocurrency mining. CoinHive requires a unique ID to which the crypto mining income is delivered. The more computers are compromised for crypto mining, the more Monero coins the attackers get. Earned Monero coins can easily be converted to Bitcoins by selling it to a number of trading exchanges that also allow anonymity.

There’s nothing wrong with utilizing cryptocurrency mining instead of the traditional advertising in websites. What’s unacceptable is when cryptocurrency mining code is installed without the authorization of the site owner as well as without the authorization of site visitors.

Early this month, one security researcher found Coinhive mining code on 2,496 online stores. It’s presumed that the installation of this crypto mining code on these online stores were done maliciously as these store owners are less likely to earn few extra money through crypto mining.

The researcher found that 85% of the 2,496 compromised stores are linked to only 2 CoinHive accounts, while the remaining 15% of the infected stores are linked to several unique CoinHive accounts.

In September of this year, Showtime websites – showtime.com and showtimeanytime.com – were found to be running Coinhive mining code. Following public exposure, the code has since been removed.

Malwarebytes' security researcher Segura, meanwhile, discovered a technique that allows attackers to use the CPU power of every site visitor for cryptocurrency mining even if the visitor closes his or her browser.

Malwarebytes tested this discovery using the latest version of Google Chrome browser. The researchers at Malwarebytes observed the following process:

1. Once a user visits a compromised website, the crypto mining code is then silently loaded.
2. CPU power of the site visitor is used for cryptocurrency mining activity.
3. Even when the user leaves the site and closes the Chrome browser, the CPU activity of the user still remains higher than normal as crypto mining continues.

Attackers fool users into believing that the browser is closed by hiding the browser under the taskbar's clock. Resizing the taskbar will reveal this still operational browser. Below is the screencap of the hidden browser.

“Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons,” Malwarebytes said. “Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement.”

Coinhive, in a statement, said, “We're a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users what's going on, let alone asking for their permission.”

How to Prevent Cryptocurrency Mining Attacks

Cryptocurrency mining is perfect for computers specifically meant for this purpose. Mining cryptocurrency, however, on desktop, laptops or smartphones on top of everyday usage has negative effects.

Crypto mining involves enormous calculations that ordinary computers aren’t meant to do. On smartphones, crypto mining can quickly deplete batteries. And across computing devices used for ordinary usage, crypto mining can decrease speed, efficiency and even damage the hardware.

Here are some tips on how to prevent cryptocurrency mining attacks:

Keep your Windows operating system up-to-date, to block, in particular, Adylkuzz malware as Microsoft already patched the vulnerability exploited by this malware.

To ensure that your browser stays close even after clicking the “x” button, run Task Manager and terminate running browser.