On July 5, the Italian surveillance company, Hacking Team, got hacked. Reportedly, hackers stole and made public 400 GB of data, including a number of spying/surveillance tools and vulnerability exploits. By July 8, one of these vulnerabilities, a Flash Player zero-day, was already being used by other malware actors to deliver Cryptolocker ransomware. Four days later, it was reported that at least another Adobe Flash vulnerability was being exploited. Needless to say, Adobe was in for some serious patching.
This just goes to show how quickly malware actors can get hold of and turn a disclosed vulnerability into a weapon, and how they’re always on the lookout for new ways to attack organizations. The Hacking Team’s detailed documentation of the vulnerability may have accelerated the process, but one thing’s for sure: Malware-as-a-service (MaaS) never sleeps, and this fact allows for constant evolution.
In the context of this constant evolution, if we look at virtual currencies, mobile developments and the internet of things, these emerging trends seem to open up a whole new world of possibilities for malware actors.
How will they influence the MaaS phenomenon?
And how can we mitigate emerging risks?
So far we’ve covered the specifics of this new business model, market roles and responsibilities, and tools of the trade. In this last piece of the MaaS series, we’ll try to answer the questions above. Let’s look at each of the three mentioned emerging trends and how they contribute to the MaaS evolution.
Virtual currencies are virtually driving MaaS innovation
In our recent webinar, Understanding Malware as a Service, Bogdan Botezatu, Bitdefender Senior Threat Analyst, explained how cybercriminals cash-out their investments:
“Virtual currencies such as Bitcoin, web money or anonymous cash transfers combined with a solid network of money mules and local operators, are the preferred payment mechanisms in the cybercrime world. The payment method varies in accordance with the type of fraud […].
Crypto-ransomware attacks – Cryptolocker, Crypto wall, Tor Locker etc.: all these schemes rely on pre-paid vouchers and Bitcoin. Bitcoin is particularly used with Crypto-ransomware because cybercriminals can monitor payments in real time, and take the appropriate measures like locking/unlocking a device based on whether or not a payment [by a ransomware victim] has been made.
For mobile malware attacks, the exploitation scheme relies on direct cash-out via companies that provide premium rate number services.
For credit card and e-banking fraud, the situation is a bit different because it involves money mule networks combined with anonymous cash-transfer services.”
So in any fraud case, cybercriminals can get hold of the stolen money, regardless of their location, in a matter of days, at most. Noteworthy here is the use of virtual currencies like Bitcoin that not only enable them to get hold of their illicit financial gains faster, but also, have more control over victims, and ultimately, innovate their products. For example, driven by the need to differentiate their offerings from competitors’, malware writers added virtual money cash-out functionalities to ransomware pieces, thus innovating their offerings.
With the evolution of virtual money, we may even see the number of money mules – some of them, even oblivious, innocent people – decrease, but we may also see an increase in innovative malware kits sold on black markets.
The mobile revolution is driving the MaaS mobile evolution
According to Gartner, Android alone surpassed a billion shipments of devices in 2014, and will continue to grow at a double-digit pace in 2015; it’s forecasted to surpass the 1.5 billion by 2016. And this fast mobile adoption around the world provides cybercriminals with a larger attack surface, which means, they’ll focus more of their efforts on this segment, especially on Android, the most widely-used platform. The fact that the Android platform is open to app developers, and the distribution of mobile apps relies on an uncontrolled system doesn’t help either. In the webinar Android malware, as disruptive as mobile trends?, George Yunaev, Senior Software Engineer explains why Android malware is so widely spread, the security limitation of the Android platform, and the many attack vectors it provides.
Not surprisingly, around 5.3 Million mobile malware variations have surfaced since Android has been created. And Android malware is becoming more frequent and sophisticated, like the mobile ransomware unveiled by Bitdefender researchers just a few months ago. In terms of evolution, this mobile ransomware case also shows how malware writers can “repurpose” PC malware for attacks on other (increasingly) popular devices. Needless to say, Android malware is prone to become a highly sought-after commodity, triggering a development frenzy among MaaS actors.
Will the Internet of (vulnerable) Things enable new MaaS commodities?
Gartner predicts that in 2020, 25 billion connected "things" will be in use, while BI Intelligence estimates that 40% of the total number will be used by enterprises – wearables, smartphones, tablets etc. What’s concerning is that security researchers are constantly reporting vulnerabilities in IoT devices and systems. What’s even more concerning is that manufacturers do not seem too eager to take responsibility for them – the recent examples of car hacks performed by researchers on Jeep Cherokee and BMW car systems stand as proof. And not even enterprise IT leaders can pinpoint whose responsibility it is to mitigate these IoT risks – is it theirs, the employees’ (as owners of these devices), the manufacturers’?
As Alex Balan, Bitdefender Chief Security Researcher explains:
Traditionally, the attack surface used by a hacker refers to: any device that can be used to “pivot” into a network, the human factor (social engineering) and any physical security holes that can be exploited. While the human factor and physical security are on a predictable trend, the IoT explosion widens the attack surface tremendously.
In the simplest of terms, think of any device connected (wirelessly or otherwise) to a network. And think of that connection as a potential backdoor providing access to the rest of the network. Tie that with the many standards, great variety of devices and software running on them, and the almost complete lack of scrutiny when it comes to their security. Now you’re probably feeling like double checking those internal network access control appliances and BYOD policies.
For the sake of a conference presentation, a hacker group broke into 14, supposedly secure, IoT devices, and this is just one IoT hack example. Every device or piece of software has vulnerabilities exposed at some point in time. Manufacturers find out about it, patch it, people update (in the happy scenarios) and life goes on. But the fact remains that everything can get hacked and the huge (and increasing) number of smart devices will make everybody’s life significantly harder in the future, if preemptive measures are not taken early. Standards regarding how devices communicate, and what software runs on them have to be set. And these standards have to be significantly smaller in number, and easier to maintain and control.
With so many vulnerabilities in IoT devices and systems, we cannot help but wonder: how long before IoT device vulnerabilities will become malware actors’ new sought-after commodity?
In short, new tech developments come with wealth of benefits for everybody, including malware actors. They drive innovations in the cybercrime ecosystem, which lead to a rapid evolution of the MaaS model, and translate into increasing numbers of malware created and launched upon internet and mobile users. So how can the good guys mitigate the risks of this rapid MaaS evolution? Mitigation can take several forms, including, but not limited to:
- Consumers need to be educated with regard to the risks associated with these new IoT devices. And this education should lead to a consumer demand for security technology integrated within IoT devices.
- The IT industry – device manufacturers (mobile of IoT), mobile app developers, app stores, etc. – need to change their security mindset from a reactive to a proactive one. Check out the new security mindset emerging from this year’s RSA Conference.
- As in the case of cybercrime, security innovation is key. Antimalware technologies need not only to keep up with, but also be one step ahead of malware actors and their creations. However, antimalware technology innovations should not overlook the basics: you need to protect, and that protection needs to be competent in performance, detection and accuracy. Keeping in mind these three criteria for effective technology, you can start to innovate upon them.
The new Bitdefender 2016 successfully introduces the security-centric artificial intelligence technology – or machine learning algorithms – we’ve been developing since 2009. Over six years we perfected and “cooked” these algorithms to correctly identify unknown threats with over 99.99% accuracy, said Liviu Arsene, Bitdefender Security Researcher, when describing Bitdefender’s 2016 product line that relies on the innovative, ‘Security meets artificial intelligence’ technology.
And building artificial intelligence – machine-learning algorithms – into security technologies is just one example of security innovation. Good news is that you can avoid spending years on developing such technologies by licensing existing ones. Thus you can start contributing to security innovation yourself.
If you’re interested in licensing – rebranding, integrating or bundling – innovative security technologies, Bitdefender has a wide range of OEM solutions and service you an choose from.