In 2018, the world witnessed many significant breaches and new types of fast-moving, sophisticated endpoint security threats, ranging from fileless malware attacks that abuse PowerShell to hardware compromised within the supply chain. Here's a look back at the year that was and our predictions for what to expect in 2019.
2018 THREAT TRENDS - HIGHLY STEALTHY ATTACKS WITH IMPROVED EVASION TECHNIQUES AND MULTIPLE PAYLOADS
Our researchers published several blog posts highlighting emerging stealthy capabilities and evasion techniques, including anti-AV and anti-VM methods for evading detection.
- In Turning (Page) Tables, we unveiled a new exploitation technique in which an attacker subverts popular operating systems' latest built-in kernel security safeguards and escalates privileges by carefully manipulating page tables, the data structures an operating system uses to map virtual memory addresses to physical memory addresses.
- In Melting Down PatchGuard: Leveraging KPTI to Bypass Kernel Patch Protections, we demonstrated how attackers can bypass Windows kernel protections and expose kernel-mode functions to interception by malicious actors, potentially allowing malware to act undetected by third-party security products that rely on user-mode hooks to monitor the OS.
- In Enter the DarkGate, we analyzed malware that employs a user-mode hook bypass technique to evade identification by various endpoint protection platforms for an extended period, and that can deploy multiple payloads, including cryptominers and ransomware.
- In L0rdix Multipurpose Attack Tool, we discovered a new attack tool aimed at infecting Windows-based machines. L0rdix combines information stealing with cryptocurrency mining, can evade malware analysis tools, and is designed to be a universal "go-to" tool for attackers.
Finally, fileless malware attacks occurred throughout the year. These attacks use advanced techniques to execute in memory, bypass endpoint protection platforms and strike undetected. To show just how effective they are, we produced a video showing how a fileless attack can bypass Windows Defender, execute ransomware and encrypt an endpoint in thirty seconds.
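To make the page-table point in the Turning (Page) Tables item above concrete, here is an added C simulation (written for this edit, not code from the original post or from enSilo's research) of an x86-64 four-level page walk using the architectural Present, R/W, U/S and NX bits. The virtual and physical addresses, the frame layout and the permissive intermediate entries are constructed assumptions for the demo. It shows why a single write to a leaf PTE is such a powerful primitive: flipping the U/S bit makes a kernel-only page readable and writable from user mode without the page contents or any kernel code changing. That is the class of manipulation the post describes in the abstract; the actual technique is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 4-level paging: architectural bit positions (Intel SDM vol. 3, ch. 4). */
#define PAGE_SIZE     4096ULL
#define ENTRIES       512
#define PTE_PRESENT   (1ULL << 0)             /* entry is valid */
#define PTE_RW        (1ULL << 1)             /* writable */
#define PTE_USER      (1ULL << 2)             /* U/S: accessible from ring 3 */
#define PTE_NX        (1ULL << 63)            /* execute-disable */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 51:12 = next frame / final page */

typedef uint64_t pte_t;

/* Simulated physical memory: four frames, one per page-table level.
 * Frame n lives at "physical" address (n + 1) * PAGE_SIZE (assumed layout). */
enum { F_PML4 = 0, F_PDPT, F_PD, F_PT, NFRAMES };
static pte_t frames[NFRAMES][ENTRIES];
#define TABLE_PHYS(n) (((uint64_t)(n) + 1) * PAGE_SIZE)

/* Constructed demo mapping: one kernel data page (assumed addresses, not from the post). */
#define KERNEL_VA   0xFFFF800000001000ULL
#define KERNEL_PHYS 0x0000000001234000ULL

static pte_t *frame(uint64_t phys) {
    uint64_t n = phys / PAGE_SIZE;
    return (n >= 1 && n <= NFRAMES) ? frames[n - 1] : NULL;
}

/* Index into the table at a level: 3 = PML4 (bits 47:39) ... 0 = PT (bits 20:12). */
static unsigned idx(uint64_t va, int level) {
    return (unsigned)((va >> (12 + 9 * level)) & 0x1FF);
}

typedef struct { int present, user, writable, exec; uint64_t phys; } walk_t;

/* Walk the hierarchy the way the MMU does: effective U/S and R/W are the
 * intersection of every level's bits, and NX at any level disables execution. */
static walk_t translate(uint64_t cr3, uint64_t va) {
    walk_t r = {0, 1, 1, 1, 0};
    pte_t *table = frame(cr3);
    for (int level = 3; level >= 0 && table != NULL; level--) {
        pte_t e = table[idx(va, level)];
        if (!(e & PTE_PRESENT)) return (walk_t){0, 0, 0, 0, 0};   /* page fault */
        r.user     &= (e & PTE_USER) != 0;
        r.writable &= (e & PTE_RW) != 0;
        r.exec     &= (e & PTE_NX) == 0;
        if (level == 0) {
            r.present = 1;
            r.phys = (e & PTE_ADDR_MASK) | (va & (PAGE_SIZE - 1));
            return r;
        }
        table = frame(e & PTE_ADDR_MASK);
    }
    return (walk_t){0, 0, 0, 0, 0};
}

/* Would an access from ring 3 (from_user = 1) or ring 0 succeed? */
static int access_ok(uint64_t cr3, uint64_t va, int from_user, int write, int execute) {
    walk_t w = translate(cr3, va);
    if (!w.present) return 0;
    if (from_user && !w.user) return 0;
    if (write && !w.writable) return 0;
    if (execute && !w.exec) return 0;
    return 1;
}

/* Build the demo tables and return the simulated CR3. Intermediate entries are left
 * permissive (a simplification; real kernels differ), so the leaf PTE alone decides. */
static uint64_t demo_setup(void) {
    memset(frames, 0, sizeof frames);
    pte_t inner = PTE_PRESENT | PTE_RW | PTE_USER;
    frames[F_PML4][idx(KERNEL_VA, 3)] = TABLE_PHYS(F_PDPT) | inner;
    frames[F_PDPT][idx(KERNEL_VA, 2)] = TABLE_PHYS(F_PD)   | inner;
    frames[F_PD]  [idx(KERNEL_VA, 1)] = TABLE_PHYS(F_PT)   | inner;
    /* Leaf: kernel-only, writable, non-executable data page. */
    frames[F_PT]  [idx(KERNEL_VA, 0)] = KERNEL_PHYS | PTE_PRESENT | PTE_RW | PTE_NX;
    return TABLE_PHYS(F_PML4);
}

/* The attacker primitive in the abstract: one write to the leaf PTE.
 * OR-ing in U/S exposes a kernel page to ring 3 without touching the page itself. */
static int set_leaf_flags(uint64_t cr3, uint64_t va, pte_t flags) {
    pte_t *table = frame(cr3);
    for (int level = 3; level > 0 && table != NULL; level--) {
        pte_t e = table[idx(va, level)];
        if (!(e & PTE_PRESENT)) return 0;
        table = frame(e & PTE_ADDR_MASK);
    }
    if (table == NULL) return 0;
    table[idx(va, 0)] |= flags;
    return 1;
}

int main(void) {
    uint64_t cr3 = demo_setup();
    printf("before: user read %d, kernel read %d\n",
           access_ok(cr3, KERNEL_VA, 1, 0, 0), access_ok(cr3, KERNEL_VA, 0, 0, 0));
    set_leaf_flags(cr3, KERNEL_VA, PTE_USER);
    walk_t w = translate(cr3, KERNEL_VA);
    printf("after:  user read %d, user write %d, exec %d, phys 0x%llx\n",
           access_ok(cr3, KERNEL_VA, 1, 0, 0), access_ok(cr3, KERNEL_VA, 1, 1, 0),
           w.exec, (unsigned long long)w.phys);
    return 0;
}
```

Note that the translated physical address is identical before and after the flip; only the permission bits changed. That is what makes page-table manipulation hard for integrity checks that hash kernel code or data pages: the protected memory is untouched, and the change lives in a structure the checker may not cover.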
PREDICTION #1: THE ATTACK SURFACE WILL CONTINUE TO EXPAND BEYOND THE OPERATING SYSTEM AND INTO HARDWARE, FIRMWARE AND HYPERVISORS
The Supermicro "spy chip" report was a watershed moment in the evolution of the attack surface. It drew attention to an area of IT supply-chain risk outside operating system software: hardware implants allegedly added to motherboards during the manufacturing process. The companies named in the report disputed its findings, but the class of risk it describes is real, and the Supermicro story was not the first time the layers below the OS were targeted through the supply chain. LoJax, a UEFI firmware rootkit that survives OS reinstallation and disk replacement, and Superfish, adware pre-loaded on consumer laptops that installed its own root certificate, show that firmware and pre-installed software are part of the same problem.
The attack surface is also expanding due to vulnerabilities in hypervisors. Hypervisors are present not only in the servers that power cloud computing platforms but also in recent versions of Microsoft Windows, where Hyper-V underpins Virtualization Based Security (VBS). Cloud computing drives substantial economic growth and business benefits, which means more data and resources are available in the cloud to attack. Cloud adoption is occurring at different rates around the world; according to Forrester, "Nearly 60 percent of North American enterprises now rely on public cloud platforms, five times the percentage that did just five years ago". At Black Hat USA 2018, enSilo demonstrated a new exploitation technique against the Windows operating system that works even in the presence of hypervisor-level protection; in other words, the method still works when VBS is enabled.
Each of these discoveries is a real-world example of how the attack surface has expanded down the stack from the operating system, through firmware, and into hardware.
PREDICTION #2: THE SECURITY LABOR SHORTAGE WILL CONTINUE WHILE THE GROWTH IN IOT DEVICES WILL PUSH THE BOUNDARIES OF HUMAN-DRIVEN SECURITY ANALYSIS
Today's most-coveted SOC skill still involves human eyes darting between screens, trying to make sense of statistical indicators and anomalies and deciding what to do first. The talent pool with the skills and training to respond to cyber threats is all too limited, and the way we use this scarce resource is neither scalable nor effective against the rapid evolution of cyber-attacks.
IoT devices and networked peripherals will add to the noise and make it harder to find, in real time, the signals that help prevent a breach. According to Gartner, there will be an estimated 20.4 billion IoT devices worldwide by 2020. The challenge will be further complicated by a growing labor shortage, expected to reach 3.5 million unfilled cybersecurity jobs by 2021.
Human-powered analysis is mostly a reactive exercise performed after a breach, and the shortage of people with the right skills makes them costly to hire and retain. Because it is nearly impossible to predict how many analysts are needed to handle the increasing volume of attacks and their indicators, operational expenditures (OpEx) for salaries remain a continual wild card.
PREDICTION #3: CRYPTOMINING WILL BECOME BIG BUSINE$$
Cryptomining requires large amounts of computing power, typically achieved through scale (many compromised machines rather than one), but its big selling point for attackers is that miners often run undetected for long periods, generating steady profits for their operators. According to media reports, the Petya ransomware attack grossed $132,000 in six weeks. That is not a small amount of money, but another report indicated that a single attacker could generate $100 million in revenue from cryptomining in one year, roughly $2 million per week. As malware continues to improve its stealth and detection-evasion capabilities, we foresee a shift toward cryptomining for its silent operation and larger profits.
In summary, while our predictions highlight potential threat trends in 2019, they also underscore the importance of preventing advanced threats in real time, orchestrating automated incident response without risking further infection, data loss or lost productivity, and dramatically increasing IT security efficiency, which is what the enSilo Endpoint Security Platform is designed to do.