For Cybercrime, Innovation is the Land of Opportunity

The first day here at Black Hat is over. On the expo floor, a number of vendors are promoting that they now provide critical threat intelligence along with the other technologies they provide. Of course, in general, this is a good thing. The biggest challenge organizations have historically faced has been a lack of visibility into their networks, especially cloud and virtualized environments.

The challenge, however, is how are organizations supposed to consume, correlate, and make use of all of this information? Dozens of intelligence feeds from a variety of vendors, likely filled with redundant data if not outright false positives, makes analysis harder not easier. Especially when devices can’t interoperate or correlate information.

A lot of this intelligence is focused on defending the network by detecting zero day attacks. But that’s not the issue being discussed in many of the technical sessions. For example, I attended a session on the affects of holding modern windmills for ransom. The loss of a windmill can cost upwards of $30,000 a day. If an attacker is able to infiltrate and shut enough of these down, the targeted energy provider is likely to fork over a huge ransom to get them back online. Attacks like these – that target critical infrastructure based on new, interconnected technologies – are likely to grow as part of the next generation of ransom-based attacks.

But cybercriminals aren’t breaking into these systems using zero day attacks. They are simply exploiting known or discovered vulnerabilities. Sitting in that session, I realized that cybercriminals are spending most of their resources on making their exploits more difficult to detect, and more effective by introducing worm capabilities to spread infection, multi-vector capabilities in order to run on more systems, and compound malware that provides a lot of options for stealing data or compromising systems.

What they’re not doing is spending a lot of time coming up with new creative ways to break into systems. That’s because the organizations and systems they are targeting are doing that for them. Here are a couple of recent examples.

WannaCry and NotPetya caught the attention of the press and security professionals around the world. They were remarkable for how fast they spread and for their ability to target a wide range of infrastructures and industries. But the dirty little secret about these attacks that few people talk about is that they could have been entirely prevented if IT folks simply practiced good network hygiene. These attacks targeted a vulnerability for which a critical patch had been issued months earlier. Organizations who were spared from these attacks tended to have one of two things in common: they had either deployed security tools that had been updated to detect attacks targeting this vulnerability, and/or they had simply applied the patch when it became available.

Here at Fortinet we have been referring to these attacks as “hot exploits.” Rather than spending huge resources on discovering new ways to bypass security systems, criminals are developing sophisticated tools and then simply waiting to exploit an announced vulnerability with large enough implications. They know from experience that many organizations simply don’t have the time, resources, or initiative to patch vulnerable systems. WannaCry proved that. NotPetya proved that even after a large attack managed to exploit a well-known vulnerability, far too many organizations are still unlikely to patch their systems.

Our FortiGuard Labs team sees this all the time. Nearly every week we record several attacks successfully targeting vulnerabilities for which patches have been available for month, and sometimes years. In fact, our latest quarterly threat report shows that the average age of a known vulnerability that is successfully targeted by an exploit is five years. Seriously.

The other place the cybercriminals are increasingly focused on is technical innovation. For them, innovation is the land of opportunity. A perfect case study for this approach is the Mirai botnet that shut down huge segments of the Internet last summer. As an attack, it was a pretty straightforward denial of service exploit. What made it unique is that it targeted IoT devices that had been built and deployed with virtually no thought given to security. Insecure communications protocols, junk code, hardcoded passwords, passing text in the clear, vulnerability to simple attacks are all things we now commonly see in IoT devices. And since manufacturers commonly use and share code from a single source, these vulnerabilities crop up across a wide variety of tools from a single manufacturer, across multiple brands from manufacturing conglomerates, and even across devices produced by completely separate manufacturers.

But Mirai was just a shot across the bow. Newer iterations of IoT-focused attacks, like Hajime and Devil’s Ivy, not only use the same sort of mechanism to attack IoT devices, but have added sophisticated toolsets that allow them to identify devices, select appropriate passwords or exploit known vulnerabilities, compromise a device, and then spread to others. The potential for using multi-vector worms to create massive IoT botnets that span across multiple technologies is very real. And because these attacks can be done at scale, the ability to impose ransomware on thousands of victims simultaneously, rather than targeting a single large network, is now a possibility. How much would you be willing to pay to turn your entertainment system back on? $50? Now multiply that by millions of users and you get an idea of why cybercriminals are very motivated to invest in building these sorts of exploits.

And now, as critical infrastructure becomes more interconnected and begins to adopt new, cutting edge technologies, the risk is compounded. Windmills are just the tip of the iceberg.

For the cybercriminal community, the best part is that they don’t have to figure out how to bypass security or crack open a hardened operating system. The rush to push out new technologies to enterprises and consumers and even critical infrastructure systems has done that job for them. And from a threat intelligence perspective, for a variety of reasons ranging from using known passwords to sophisticated obfuscation techniques, meaningful information about these threats isn’t usually collected until after a device has been compromised. And by then, the damage has been done.