As 2013 draws to a close, FireEye researchers are already looking ahead to 2014 and the shifting threat landscape. Expect fewer Java zero-day exploits and more browser-based ones. Watering-hole attacks may supplant spear-phishing attacks. And thanks to an emerging class of mobile malware, the security landscape is about to get a lot more complicated.
Those are just a few of the predictions of the FireEye engineering and labs team, which assembled a forecast for the coming year.
We set out to get 10 predictions — but got 15. Nostradamus would be proud. (Predictions after the break…)
- Sophisticated threat actors will continue to hide behind traditional mass-market crimeware tools to make identification and attribution hard for network defenders. Prediction by Darien Kindlund.
- More attack binaries will use stolen or valid code signatures. These signatures allow malware to spoof as legitimate executables and bypass traditional anti-virus looking for those characteristics. Prediction by Amanda Stewart.
- Mobile malware will further complicate the threat landscape. We’ll see blended threat between desktop and mobile gaining access to mobile-based authentication (such as SMS confirmation numbers). Because cybercriminals go where the clicks are, expect to see a continued focus on attacking these devices. Prediction by Yogi Chandiramani and Tim Stahl.
- Java zero-day exploits may be less prevalent. Despite the comparative ease of Java exploit development, the frequent release of new Java zero-day exploits stopped after February 2013. The reason is unclear, but may be due in part to security warning pop-ups in Java 1.7 or increased attention from white-hat security researchers. Another possibility: too few people are using vulnerable versions of Java, giving exploit authors little incentive to continue finding more bugs. Prediction by Yichong Lin.
- Browser-based vulnerabilities may be more common. Attackers are becoming increasingly adept at bypassing ASLR (Address Space Layout Randomization) in the browser. And in contrast to the slowing pace of newly found Java and classic input-parsing vulnerabilities, those involving browser zero-day vulnerabilities continue apace. Prediction by Dan Caselden.
- Malware authors will adopt stealthier techniques for command-and-control (CnC) communications. They will tunnel communications over legitimate protocols and abuse legitimate Internet services to relay traffic and evade detection. This shift reflects the logical escalation by attackers who are increasingly hindered by network defenses. Prediction by Thoufique Haq.
- Watering-hole attacks and social media targeting will increasingly supplant spear-phishing emails. Watering holes and social-media networks provide a neutral zone where targets let their guard down. The trust factor is not a big obstacle, and minimal effort is required to lure the target in to a trap. Prediction by Thoufique Haq.
- More malware will fill the supply chain. Expect more malicious code in BIOS and firmware updates. Prediction by Bryce Boland.
- New heap-spray techniques will emerge because of Adobe Flash’s “click to play” mitigation (requiring user interaction to execute potentially malicious Flash content). In recent months we saw Flash being used to spray the heap during exploitation. But since Adobe implemented the “click-to-play” feature inside Microsoft Word documents, this approach no longer works. The most recent zero-day docx/tiff exploit, for instance, didn’t use Flash for this reason. Prediction by Alex Lanstein.
- Attackers will find more ways to defeat automated (sandbox) analysis systems, such as triggering on reboots, mouse clicks, applications closing and so on. A prime example: malware triggering at a specific time, similar to what we have seen in Japan and Korea. Attackers are focusing on evading sandbox systems, betting that this effort will make their malware dramatically more powerful. Prediction by Alex Lanstein.
- More crimeware will destroy the operating systems (OSs) of targeted systems as a last step of an attack. Lately, European authorities have been more successful in catching cyber gangs. A new feature in Zeus that wipes the OS could help cybercriminals clean up any evidence and avoid arrest. Prediction by Jason Steer.
- More “digital quartermasters” behind targeted attack campaigns. In other words, Sunshop DQ is only the beginning. More threat actors will centralize their development and logistics operations to create an economy of scale and industrialize malware. Prediction by Darien Kindlund and Bryce Boland.
- With increasing collaboration between targeted organizations around the globe, we will see cybercrime gangs identified and shut down, thanks to clues that tie separate attacks to common campaigns and threat actors. Prediction by Greg Day.
- Cybercrime gets personal. Criminals will increasingly recognize that specific information is more valuable than generic data. As a result, we will see more attackers shifting their focus to high-value data. Prediction by Greg Day.
- Detecting advanced malware will take even longer than it does now. Depending on whom you believe (Verizon Data Breach Investigations Report, Ponemon Institute, and others), detecting a breach can take 80 to 100 days, and remediating it can take 120 to 150 days. We expect those detection times to increase in 2014. More alarmingly, remediation times will accelerate even faster as threat actors grow more sophisticated in their ability to embed themselves within targeted organizations for extended periods. Prediction by Rudolph Araujo.