As I look back over the cyberthreat landscape in 2014, I'm amazed by the volume of activity handled by our community this year. From Heartbleed to WireLurker, we certainly had our hands full.
Sophisticated, targeted attacks will be the new normal in 2015 and I expect to see at least one new report each week. Here are some other trends from 2014 and predictions for the coming year that I think are significant.
Longstanding vulnerabilities revealed
In 2014 we learned about multiple major vulnerabilities in code, which in some cases had been in place for more than a decade. Heartbleed, ShellShock, POODLE and SChannel all existed in source code for years, but weren't publicly disclosed until 2014. It's possible that these vulnerabilities had been independently discovered by attackers who exploited them unnoticed for years.
The discovery of these vulnerabilities started reviews of major open source repositories the community had assumed were rock solid. Those reviews are likely to bear fruit in 2015, resulting in the disclosure of more long-standing vulnerabilities.
Continued success of ransomware
Ransomware, a class of malware that extorts users into paying an attacker, has existed in various forms for years, but 2014 was when the “Locker” malware really took off. Lockers work by infecting a system, quickly finding important files on the hard drive, encrypting them and telling the user they can recover the files if they pay a ransom, normally a few hundred dollars. Lockers are distributed through many mechanisms (spam email, for example) and are often installed by other botnets as secondary payloads.
The best-known locker variant, “CryptoLocker,” was detected in late 2013. One of the reasons for this malware's success was that its operators actually decrypted files once the ransom was paid. If word got out that victims who paid the ransom never recovered their files, nobody would pay up. But infected users trusted CryptoLocker and were willing to pay the ransom to retrieve their stolen files. Other variants of lockers discovered in 2014 included CryptoWall and CryptoDefense.
The massive success of these lockers in 2014 impacted companies large and small, and the revenue streams generated by ransom payments are unlikely to be disrupted any time soon.
Ongoing POS attacks
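The locker behaviour described above (infect, find the user's files, encrypt them in a quick burst, often renaming them) is also what a defender can look for. The following is an added example, not code from the original post: a small behavioural scorer that runs over constructed file-system events and flags a process that rewrites many distinct files with ciphertext-like (high-entropy) content inside a short window, reporting extension-changing renames as corroborating evidence. The event format, process names, paths and thresholds are all assumptions made for this example, not any product's telemetry.

```python
"""Toy behavioural detector for "locker"-style ransomware activity (added example).

Signals scored per process:
  1. many distinct files rewritten with high-entropy (ciphertext-like) content,
  2. inside a short time window,
  3. plus extension-changing renames as corroboration.
Event schema and thresholds are assumptions for this example.
"""
import math
import ntpath
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_events_in_window(timestamps, window_seconds):
    """Largest number of timestamps that fall inside any window of the given length."""
    timestamps = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(timestamps):
        while (t - timestamps[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def score_processes(events, window_seconds=60, min_files=10, entropy_threshold=7.0):
    """Score a list of file events per process.

    Each event is a dict: ts (datetime), process, op ("write" | "rename"), path,
    and data (bytes sample) for writes or new_path for renames.  A process is
    flagged when at least `min_files` distinct files get high-entropy writes
    within `window_seconds`; extension-changing renames are reported alongside.
    """
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["process"]].append(ev)

    scores = {}
    for proc, evs in by_proc.items():
        first_hi_write = {}   # path -> timestamp of first high-entropy write
        renamed = 0
        for ev in evs:
            if ev["op"] == "write":
                if shannon_entropy(ev["data"]) >= entropy_threshold:
                    first_hi_write.setdefault(ev["path"], ev["ts"])
            elif ev["op"] == "rename":
                # ntpath handles the Windows-style paths used in the sample
                if ntpath.splitext(ev["path"])[1] != ntpath.splitext(ev["new_path"])[1]:
                    renamed += 1
        burst = max_events_in_window(list(first_hi_write.values()), window_seconds)
        scores[proc] = {
            "high_entropy_files": len(first_hi_write),
            "burst_in_window": burst,
            "extension_renames": renamed,
            "flagged": burst >= min_files,
        }
    return scores


# ---- constructed sample events (not real telemetry) ----
BASE = datetime(2014, 12, 1, 9, 0, 0)
CIPHERTEXT_LIKE = bytes(range(256)) * 4                      # entropy 8.0 bits/byte
PLAINTEXT_LIKE = b"Quarterly report: revenue up 4% on the year. " * 20

SAMPLE_EVENTS = []
# hypothetical locker: 12 documents rewritten and renamed within ~25 seconds
for i in range(12):
    path = f"C:\\Users\\alice\\Documents\\report{i}.docx"
    SAMPLE_EVENTS.append({"ts": BASE + timedelta(seconds=2 * i), "process": "lockr.exe",
                          "op": "write", "path": path, "data": CIPHERTEXT_LIKE})
    SAMPLE_EVENTS.append({"ts": BASE + timedelta(seconds=2 * i + 1), "process": "lockr.exe",
                          "op": "rename", "path": path, "new_path": path + ".encrypted"})
# benign editor saving plaintext notes a minute apart
for i in range(3):
    SAMPLE_EVENTS.append({"ts": BASE + timedelta(minutes=i), "process": "winword.exe",
                          "op": "write", "path": f"C:\\Users\\alice\\notes{i}.txt",
                          "data": PLAINTEXT_LIKE})
# benign archiver writing a single high-entropy file: high entropy alone is not enough
SAMPLE_EVENTS.append({"ts": BASE + timedelta(seconds=5), "process": "7z.exe",
                      "op": "write", "path": "C:\\Users\\alice\\backup.7z",
                      "data": CIPHERTEXT_LIKE})

if __name__ == "__main__":
    for proc, score in score_processes(SAMPLE_EVENTS).items():
        print(proc, score)
```

The single high-entropy write by the archiver is deliberately not flagged: entropy alone produces false positives from compression and backup tools, so the burst count over distinct files is what drives the verdict, and in practice such tools are allow-listed or their thresholds tuned.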
Starting at the end of 2013, organizations began reporting a series of attacks on retail point-of-sale (POS) systems, which impacted tens of millions of users. These attacks used malware that infected Windows systems attached to credit card readers, and searched those systems' memory for credit card data.
In August, the U.S. Secret Service released an advisory about one of those malware tools, known as BackOff. The advisory estimated that more than one thousand businesses were affected by BackOff. While many organizations reported POS breaches this year, the total of publicly announced breaches was well under a thousand, indicating that many breaches may have gone unreported.
The U.S. credit card payment system is moving away from legacy magnetic stripe technologies toward chip-and-PIN systems, which are less vulnerable to these attacks. Apple released its own payment system (Apple Pay) in October, which uses near field communication (NFC) for contactless payments, in part to help make in-store payments more secure.
POS attacks and new malware are likely to extend well into 2015 and beyond – depending on how quickly new security measures are adopted.
Mobile is a valuable target
In 2014 we saw multiple new attacks on Android and iOS devices, most significantly WireLurker, which attacked non-jailbroken iOS devices. As more data moves onto these devices they are becoming a valuable target for all types of attackers.
Mobile devices are ripe for attack for many reasons: they often hold user credentials for applications and websites, they are used for out-of-band authentication, they are almost constantly connected to the internet, and they have audio and video recording capabilities.
For high-profile targets, these devices are a treasure-trove of information. Mobile platforms often do not receive the same level of monitoring (anti-virus, IPS, etc.) that desktop systems do. An infected phone could go unnoticed for months or longer while monitoring the user and stealing their data.