Looking back on 2011, FortiGuard Labs saw a number of landmark developments in the world of network security. Huge botnets such as DNS Changer and Coreflood were permanently taken off line, 64-bit rootkits advanced (TDSS), source code was leaked for the Zeus and SpyEye botnets, and Anonymous hacktivists raised their profile by taking down major banks offline and threatening to go after a critical infrastructure.
2012 promises to be even more worrisome. After gazing into FortiCrystalball this month, FortiGuard Labs saw eight network security trends that could happen in the coming year.
1. Ransomware to take mobile devices hostage
Over the past few years, FortiGuard Labs has witnessed the evolution and success of “ransomware” (an infection that holds a device “hostage” until a “ransom” payment is delivered) on the PC. Mobile malware that utilize exploits have also been observed, along with social engineering tricks that lead to root access on the infected device. With root access comes more control and elevated privileges, suitable for the likes of ransomware. FortiGuard predicts the team will see the first instances of ransomware on a mobile device in the coming year.
2. Worming into Android
Worms have by and large remained absent from the Android operating system, but FortiGuard Labs believes that will change in 2012. Unlike Cabir, the first Symbian worm discovered in 2004, Android malware developers most likely won’t be using Bluetooth or computer sync to spread out because of their limited ranges. Instead, the team believes the threat will come from either poisoned SMS messages that include a link that contains the worm or through infected links on social networks, such as Facebook and Twitter.
3. Polymorphism want a cracker?
There’s no denying that Android-based malware has gotten more diverse and complex. In the last year: FortiGuard Labs has seen Android malware use encryption, embed exploits, detect emulators and implement botnets. But what they haven’t seen yet is an example of polymorphism in action. Polymorphism is malware that is capable of automatically mutating, making it extremely difficult to identify and thus destroy. The team has previously encountered polymorphism on Windows Mobile phones and believes it’s only a matter of time before the malware appears on Android devices.
4. Clampdown on network-based money laundering
Money mules, which typically consist of third party individuals electronically transferring money from one person or service to another and illegitimate payment processors, are critical components to a successful money laundering and fraud operation. Using anonymous fund transferring services, human networks and payment processor safe havens, cybercriminal syndicates have pretty much operated with impunity for years.
How do you catch someone when you don’t even know where they’re located? FortiGuard believes that will change in 2012 [By this, are you saying in 2012 we expect to be able to catch these people?]. The recent arrest of ChronoPay CEO Pavel Vrublevsky’s on the grounds of hacking Aerfolot’s Website and preventing visitors from buying tickets, is a good example of the type of takedowns the team expects to see in the coming year.
5. Public-private relationships in security
Last year FortiGuard Labs predicted they’d see an increase in global collaborative botnet takedowns. And they were right not only with botnet takedowns, but global collaboration period. Among globally-supported botnet takedowns were Rustock and DNS Changer while other international efforts helped take a massive scareware operation offline that siphoned $72 million in bank funds.
Meanwhile, arrests were made against international members of Anonymous and LulzSec hacktivist groups. This crackdown will continue in 2012, and the team believes that much of it will be aided by Defense Advanced Research Projects Agency’s (DARPA’s) public defense initiative. DARPA was recently granted $188 million budget and plans to use part of the money on initiatives to build a cyber defense team in the private sector. With recent movement, it seems likely that in 2012 we will start to see similar relationships formed worldwide.
6. SCADA under the scope
For over a decade, Supervisory Control and Data Acquisition- (SCADA) based threats have been a concern, because they are often connected to critical infrastructure such as power and water grids that would have serious consequences if they were ever breached. This last year FortiGuard saw two examples of this in the form of Stuxnet, which compromised Iran’s nuclear program and Duqu, a Stuxnet-like virus that used similar attack methods and stolen certificates. While Iranian officials confirmed the latter had infected systems in the region, no hostile industrial code has been found to date. However, it’s clear the building blocks are now in place.
The reality today is that critical infrastructure systems are not always operating on a closed circuit. New human machine interface (HMI) devices that interact with these systems are being developed by a number of different software and hardware manufacturers, and many have Web interfaces for logging in. And the FortiGuard team has seen historically that Web-based interfaces that interact with back end systems can many times be circumvented.
Even more concerning is the migration to cloud-based SCADA services. This allows data storage and potential control of critical systems on a public cloud server – hence the security concern. Groups like Anonymous have already found an assortment of Web-based vulnerabilities simply by picking targets and scouring code. In 2012, FortiGuard predicts a number of SCADA vulnerabilities will be discovered and exploited with potentially devastating consequences.
7. Sponsored attacks
The FortiGuard team often talks about Crime as a Service (CaaS), which is just like Software as a Service (SaaS), but instead of offering legal and helpful services though the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching direct denial of service (DDoS) attacks. If you’ve got the money, there’s a good chance you can find a CaaS provider to help you out.
What FortiGuard sees evolving in 2012, is that instead of hiring a CaaS outfit for blanket attacks, they’re going to see more strategic and targeted attacks on companies and individuals. This scope would include state or corporate sponsorship. Admittedly, this prediction will be tough to monitor because without “freedom of information” legislation in place, many of these discovered cases will be settled out of court with verdicts not being released publicly. For example, Russian payment processor ChronoPay allegedly hired a hacker to attack a direct competitor (Assist) in 2011.
8. Hacking a good cause
While Anonymous has been alive and kicking in one capacity or another since its formation on 4Chan.org in 2003, only in the last year have the loosely organized anarchists started using their power to attack large, high profile targets such as Sony. More hacktivist groups were formed in 2011 (most notably LulzSec), and more will likely rise in 2012.
What FortiGuard found interesting about Anonymous towards the end of the year, was how the group started to use their power for “good.” Case in point, they’ve recently threatened to unmask Mexican drug cartel members and they recently helped authorities break up a child porn ring. FortiGuard expects to see more examples of “hacktivist” justice meted out throughout 2012 along with a mix of attacks that border or cross the line of justice.