The aggressive incorporation of social engineering techniques in the malicious document attachment campaigns that have dominated the threat landscape of 2015 highlights the central place of ‘the human factor’ in the attack chain. In 2016, people are the targets: from email and web to social media and mobile apps, attackers will build on the successes of 2015 by developing campaigns and vectors that leverage the human factor to bypass increasingly sophisticated automated detection and response capabilities.
Threat actors trade custom malware for commodity tools
Custom malware has typically been associated with targeted attacks by sophisticated actors, whether cybercriminals or state-sponsored actors. Now, however, automation and a robust underground cybercrime economy have driven a process of mass customization that makes malware payloads with the qualities of custom malware – undetectable by signature- and reputation-based defenses, resistant to analysis, stealthy data exfiltration, self-deletion, and the ability to download additional payloads and support lateral movement within the target organization – available in malware created using off-the-shelf, ‘commodity’ tools. As a result, broad-based campaigns regularly employ delivery techniques, infection chains, and payloads that easily evade traditional defenses and remain undetected in the compromised organization for months or even years.
The other side of this trend, observed by Proofpoint researchers, is that sophisticated actors are turning to commodity tools with increasing frequency. For example, in the summer of 2015, Proofpoint researchers analyzed a highly targeted, most likely state-sponsored attack that dropped the PlugX (aka Korplug) Trojan and variants in order to collect information from the infected client and create a basis for expanding through the targeted organization.[i]
Proofpoint predicts that this trend will accelerate in 2016, with the use of malware payloads and delivery techniques produced by commodity tools becoming the norm for all but the most highly-targeted attacks, with serious consequences for most current approaches to actor identification. Rather than relying on the use of a particular malware family, infection chain or delivery technique to identify the threat actor – and by extension determine the severity of the attack and the appropriate response – organizations will have to integrate better threat intelligence from a wider range of sources. In addition, reducing the attack surface – identifying and limiting privileged accounts, automating endpoint maintenance, creating and monitoring traffic between internal security zones – in order to minimize opportunities for lateral movement will become essential to mitigating the impact of these threats.
Advanced threats cast a wider net
The advanced threats of 2015 generally spread by one of two main vectors: as email attachments, usually malicious Microsoft Office document formats with embedded macros to download banking Trojan payloads; or dropped by exploit kits on users visiting sites with infected ad streams (aka, malvertising), distributing ransomware, among a variety of other payloads. The motive for ransomware infections is straightforward, and for the banking Trojans too the objectives and targeting appeared relatively obvious: namely, to steal money by targeting user interactions with online banking sites, targeting customers of banks in North America, Europe, and Brazil.
In 2016, we will see a move to more broadly targeted advanced threat campaigns, building on a trend that began the second half of 2015, such as when Proofpoint researchers observed attackers changing the Dyre banking Trojan to target credentials of shipping and distribution companies, rather than their traditional financial and banking targets. Threat actors will expand their attack surfaces by using distribution techniques that reach victims in a wider range of countries, dropping multiple payloads to target a variety of platforms, and attempting to steal data for accounts and services from a greater variety of industries. While high-volume campaigns will continue to contribute to the ‘noise’ of low-value threats, the more indiscriminate distribution of higher-value payloads such as ransomware via malvertising will cede to a focus on strategic web compromises, infecting sites relevant to specific industries and regions, with greater use of TDS and other filtering to select payloads for a specific region, as when Proofpoint observed a malvertising site pulling in RIG and Angler exploit kits to drop, respectively, Dridex on clients from the US, and Shifu on clients visiting from Japanese IP addresses.[ii]
Looking beyond PCs and other end-user systems, attackers will broaden their attacks on high-value financial infrastructure to attack ATMs, point of sale terminals, new EMV card readers, and payment portals. All of these changes will reflect a shift to increasingly targeted attacks on people behind the devices.
Malicious document campaigns retire by summer
Email campaigns using malicious document attachments to spread Dridex, Shifu, and other payloads have dominated the threat landscape in 2015.[iii] Originally targeting recipients in the U.S. and employing simple document lures and malicious macros, over the course of the year these campaigns grew in both scope and sophistication, targeting recipients around the world with localized lures that incorporate social engineering and a variety of techniques to heighten the effectiveness of their macros. The payloads also began to vary, adding Shifu, Vawtrak and others, and expanding the types of logins targeted for theft in their configurations, adding shipping and distribution and other sectors to their traditional targets in banking and financial services.
Coupled with a massive surge in the volume of their campaigns in the latter months of 2015, this increased variety of both payloads and targets suggests that these campaigns are reaching the limits of their effectiveness and are ripe for replacement. Proofpoint research has demonstrated that the shift from URL-based campaigns to document attachment campaigns occurred virtually overnight, with attachment campaigns supplanting and exceeding the URL-based campaigns in the space of less than two months. It is likely that shift to the next type of dominant campaign will occur with equal rapidity.
Proofpoint predicts that by mid-2016 these campaigns will have disappeared almost entirely in the major markets (U.S., U.K., Europe) and been replaced by a new type of high-volume campaign that combines effectiveness and scalability to target users. While it is too early to say with confidence what the new technique will be, recent trends suggest that it will include a return to some form of URL-based vector, with TDS and exploit kits providing robust filtering and delivery of payloads capable of resisting analysis.
Social media takes a darker turn
The value of social media to attackers as a research tool is well-known. In 2015, Proofpoint observed examples of attackers beginning to also embrace social media as a targeting and delivery vector. Two major trends emerged, and Proofpoint predicts that these will dominate the social media security and management landscape in 2016:
Support account impersonation
Proofpoint Nexgate researchers increasingly see hackers, scammers and pranksters use fraudulent customer care accounts to phish credentials, steal personally identifiable information (PII) and compromise brand reputations.[iv] Bank account credential phishing is just the tip of the iceberg when it comes to fraudulent accounts: Proofpoint Nexgate researchers have detected thousands of fraudulent social media accounts that support malware distribution, knock-off product sales, pirated software, and even brand pranks, and in 2016 expect this threat to spread and target customers of businesses in any vertical that makes use of customer accounts, be it to reinforce loyalty or provide services.
Known primarily in the form of the phenomenon ‘Twitter shaming,’[v] in 2016 social mobs became a challenge for organizations of all sizes. Proofpoint Nexgate researchers are seeing companies of all types targeted with “social mob” attacks. These can be politically motivated, but they are as frequently simply protesting an action or position that the company has taken. Moreover, these attacks are carried out across all social media, from Facebook and Twitter to even Instagram. As a result of social mob action, a company can receive overnight 25,000 or more negative or unrelated comments on social media, often simply copied and pasted from a central ringleader.
In 2016, attackers will continue to make increasing use of social media to target individuals, whether for a “cause” or to steal their personal and financial data. Social mobs will become a genuine risk for organizations, aggressively hijacking conversations in order to advance a short-lived cause, to the detriment of the organization’s brand. The good news for organizations is that the strength of social media is also its weakness: that is, the ability to reach a large number of potential victims through a single social media account also makes it easier for organizations to mitigate – with the assistance of purpose-built solutions for social media security and compliance – the threat of social mobs and Support account impersonation through the use of countermeasures ranging from user controls and conversation management to account verification and even takedowns.
Mobile apps choose riskware over malware… mostly
2015 witnessed several watershed moments in mobile app security, chief among them the disclosure of XcodeGhost[vi] for iOS and the Stagefright vulnerability for Android.[vii] These disclosures should have put to bed any remaining doubts about the feasibility and effectiveness of infecting smartphones and tablets, whether via remote exploits or corrupted libraries built into legitimate apps. Moreover, improved techniques for large-scale scanning revealed that many more apps inhabit the grey area of ‘riskware’: legitimate apps that, while not malware in the strict sense, nonetheless communicate personal user data to servers in remote countries. Combined with the continued growth of mobile ransomware such as Simplocker (2014) and LockerPIN[viii], and the increased popularity of third-party app stores, mobile threats in 2015 demonstrated a leap beyond the fake update malware and root/jailbreak-dependent varieties of previous years.
Proofpoint mobile security researchers predict that in 2016, more malware will be discovered on official app stores. 2015 saw thousands of apps for iOS discovered that contained XcodeGhost, iBackDoor and YiSpecter malicious code, and thousands of malicious apps were discovered for Android devices. Malware will be increasingly targeted at enterprises, where malicious behavior will only activate once inside targeted enterprises, and will not trigger when run by consumers or app store vetting mechanisms.
More worryingly, attacks will take advantage of the grey area around app behavior and the lack of policing on third-party app marketplaces to drive a proliferation of ‘riskware’ on the major app stores and genuinely malicious apps on third-party marketplaces. These apps will target users, aiming to steal user information and user funds, both directly as riskware and ransomware, and indirectly by sniffing and exfiltrating user logins and banking credentials, audio and video captures, and SMS interception. As the major app stores monitor more aggressively for infected libraries and methods, attackers will attempt to leverage lower-level stages in the production chain to infect apps and proliferate on third-party app stores, for example by infecting compilers and the IDE’s used to create the apps.
Businesses are squeezed between the demands of data privacy and law enforcement
In recent years, national and regional authorities have enacted a wide range of regulations designed to further safeguard the privacy of individuals. Enhanced breach notification and privacy requirements around the world and the recent legal dismissal of the U.S.-E.U. Safe Harbor framework are just examples of the rapidly evolving regulatory landscape. The revelations of Eric Snowden have given organizations in E.U. member countries a basis for challenging law enforcement requests for data, especially when these cross international borders. At the same time, certain governments demand access to otherwise private or encrypted messages for intelligence and law enforcement purposes.
Driven in large part by heightened concerns over terrorist attacks, the tension between individual rights to data privacy and law enforcement and intelligence agency access to data will only be heightened in 2016, with organizations increasingly caught between their need to demonstrate compliance with the demands of data privacy regulations while at the same time obliging law enforcement requests. In an increasingly scrutinized environment with competing demands for privacy and access, organizations will demand solutions that enable them to take reasonable measures to secure data, effectively track incidents and remediate incidents, and report out on compliance status.