This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Craig Schmugar, Ryan Sherstobitoff, and Klaus Majewski.
End users have more computing choices than ever before, from phones to tablets, desktops to laptops, but servers are a common hub for all these devices. Servers are also critical assets for corporations, governments, and even social circles. If attackers can penetrate these common cores of communication, they can reach many users’ systems and their data. Exploitation may come via a poorly configured system, weak credentials, or service or application vulnerabilities. Once a foothold has been established, criminals can use further advanced tactics to conceal their tracks and evade many forensics analysis techniques. In the year ahead we anticipate a heightened focus on this avenue of attack.
Traditional malware installs on a victim’s machine so that it executes each time the system boots. Rootkits subvert the operating system to conceal the threat and to resist its detection and removal. Next year we will see a shift away from this model in several ways.
- Self-deleting malware will cover its tracks by removing all traces of payload files from the operating system, leaving code to execute only in memory. Most of the time this is sufficient for a threat to do its damage, whether stealing user credentials, encrypting data files, or a host of other nefarious activities.
- Memory-only attacks don’t need initial executable code to hit the disk, but rather exploit applications already running to perform the same types of functions.
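One defender-side check for the self-deleting and memory-only cases above, added here as an example and not McAfee's code: on Linux, a process whose binary was unlinked after launch, or that executes code mapped from a since-deleted file, shows up in /proc with paths tagged "(deleted)". The snapshot below is constructed; read_proc_snapshot() collects the same data from a live system.

```python
import os

DELETED = " (deleted)"

def deleted_paths(info):
    # info = {"exe": target of /proc/<pid>/exe (or None), "maps": /proc/<pid>/maps lines}
    found = set()
    exe = info.get("exe")
    if exe and exe.endswith(DELETED):            # main binary removed after launch
        found.add(exe[:-len(DELETED)])
    for line in info.get("maps", []):            # address perms offset dev inode [path]
        fields = line.rstrip().split(None, 5)
        if len(fields) == 6 and "x" in fields[1] and fields[5].endswith(DELETED):
            found.add(fields[5][:-len(DELETED)])  # executable code mapped from a removed file
    return sorted(found)

def find_suspects(snapshot):
    # snapshot = {pid: info}; returns [(pid, [deleted paths])] for processes worth triage
    return sorted((pid, deleted_paths(info)) for pid, info in snapshot.items()
                  if deleted_paths(info))

def read_proc_snapshot(proc="/proc"):
    # Live Linux collector; unreadable entries (kernel threads, no permission) become None/[]
    snap = {}
    for name in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None
        try:
            with open(os.path.join(base, "maps")) as f:
                maps = f.read().splitlines()
        except OSError:
            maps = []
        snap[int(name)] = {"exe": exe, "maps": maps}
    return snap

# Constructed snapshot (not captured data): a clean daemon, a kernel thread, a payload
# that unlinked itself after starting, and an interpreter executing a deleted mapping.
SAMPLE_SNAPSHOT = {
    1: {"exe": "/usr/lib/systemd/systemd",
        "maps": ["55d0 r-xp 00000000 08:01 1234 /usr/lib/systemd/systemd"]},
    2: {"exe": None, "maps": []},
    4242: {"exe": "/tmp/.x/payload (deleted)",
           "maps": ["5600 r-xp 00000000 08:01 999 /tmp/.x/payload (deleted)"]},
    5150: {"exe": "/usr/bin/python3",
           "maps": ["7f00 r-xp 00000000 00:05 42 /dev/shm/stage2 (deleted)",
                    "7f10 rw-p 00000000 00:00 0 [heap]"]},
}
```

A binary replaced by a package upgrade while still running produces the same signal, so treat hits as triage leads to correlate with package logs and file timestamps rather than as verdicts.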
These two methods may be fueled by the increasing popularity of Connected Standby hardware and software, namely Intel Haswell processors and Windows 8, which encourage users to shut down their systems less often due to power consumption optimizations. Plus, servers are rarely rebooted, making them a prime target for such techniques. We anticipate an increase in two further threats:
- Using “off-box” persistence, attackers can maintain a stronghold on a victim’s machine without leaving traces for traditional file antivirus products to discover.
- Parasitic Trojans infect an existing host file, which is more likely to remain unnoticed.
Advanced persistent threats burrow into government or organizational networks and remain dormant, sometimes stealing data but also waiting for the right moment to attack. In 2014 these attacks will become more targeted in nature and will focus more on individuals to gain access to networks. We will also see the weaponization of malware and an increase in destructive cyberterrorism and government-on-government cyberwarfare. Adversaries will use a number of evasion techniques to become more effective in penetrating their targets with a mix of zero-day vulnerabilities customized to their victims’ environments. We will see greater innovation used by attackers as the security industry reveals their techniques and tactics.
Advanced evasion techniques
Cyberattackers use various evasion techniques to manipulate network traffic so that network defenses such as firewalls, intrusion prevention systems, and breach detection systems do not detect exploits that are part of the traffic. The technique was in play by 1998, and evasions still work extremely well. From a hacker’s point of view, an evasion is a transport mechanism that can silently pass any kind of exploit through a network’s defenses without raising an alarm. Advanced evasion techniques combine single evasions into complex combinations. We have discovered more than 450 single evasions, and the number of combinations is at least as high as there are different kinds of computer viruses in the world.
Advanced evasion techniques are one of the biggest unsolved problems in the network security industry. Customers and vendors downplay their importance because they either do not believe in them or they do not have a way to remediate them. (To learn more about AETs, download McAfee Evader, an automated evasion testing tool, and read the report that SANS did with the Evader.)
We predict that in 2014 hackers will use advanced evasions especially to exploit old vulnerabilities. How is that possible? Haven’t old vulnerabilities been patched? They have been by most consumers and organizations that use automatic or regularly scheduled updates, but we still find old machines that cannot be patched in industrial control systems and factory environments. Many of these control systems can be patched only once a year during an annual maintenance break; others run operating systems so old, such as Windows NT, that there are no more patches for them. Security administrators routinely use network protection devices to shield those systems against exploits, but advanced evasion techniques silently bypass those devices. Industrial control systems are used in all manufacturing sites, in energy production, and in critical infrastructure. We expect to see more activity against these sites in the coming year.