WatchGuard Technologies has revealed its 2019 security predictions.
The predictions made by the WatchGuard Threat Lab are based on the latest and most impactful trends in the market and feature some bold ideas about what new threats are around the corner.
Corey Nachreiner, Chief Technology Officer at WatchGuard Technologies, said: “Cybercriminals are continuing to reshape the threat landscape as they update their tactics and escalate their attacks against businesses, governments and even the infrastructure of the Internet itself.
“The Threat Lab’s 2019 predictions span from highly likely to audacious, but consistent across all eight is that there’s hope for preventing them. Organisations of all sizes need to look ahead at what new threats might be around the corner, prepare for evolving attacks and ensure they’re equipped with layered security defences to meet them head-on.”
1) Prediction: AI-driven chatbots go rogue
Description:
In 2019, cybercriminals and black hat hackers will create malicious chatbots that try to socially engineer victims into clicking links, downloading files or sharing private information.
As Artificial Intelligence and Machine Learning technologies have improved over the past few years, automated chat robots have become increasingly common. Chatbots are now a useful first layer of customer support and engagement that allow actual human support representatives to address more complex issues.
But life-like AI chatbots also offer new attack vectors for hackers. A hijacked chatbot could misdirect victims to nefarious links rather than legitimate ones. Attackers could also leverage web application flaws in legitimate websites to insert a malicious chatbot into a site that doesn’t have one.
For example, an attacker could force a fake chatbot to pop up while a victim is viewing a banking website, asking if they need help finding something. The chatbot might then recommend that the victim click on malicious links to fake bank resources rather than real ones. Those links could allow the attacker to do anything from installing malware to hijacking the bank’s site connection.
In short, next year attackers will start to experiment with malicious chatbots to socially engineer victims. They will start with basic text-based bots, but in the future, they could use human speech bots like Google Duplex to socially engineer victims over the phone or other voice connections.
2) Prediction: Utilities and industrial control systems targeted with ransomware
Description:
Next year, targeted ransomware campaigns will focus on utilities and industrial control systems (ICSs). The average payment demand will increase by 6,500%, from an average of US$300 to US$20,000 per payment. These attacks will result in real-world consequences like blackouts and loss of access to public utilities.
Ransomware has plagued the Internet over the past five years, starting with CryptoLocker, the first really successful cryptoransomware, and culminating with WannaCry, the first fast-spreading ransomworm. During these past years, cybercriminals have blasted out broad ransomware campaigns at everyone, looking to infect as many victims as possible while asking each for a relatively meagre ransom.
However, over the past year, hackers have shifted to targeted attacks that come with bigger payouts. Launching ransomware against organisations that offer critical services increases the odds that the ransom will be paid. A total of 45% of all ransomware attacks in 2017 targeted healthcare organisations, like the NHS in the UK. In 2016, the Hollywood Presbyterian Medical Center paid a US$17,000 ransom to regain control of its computer systems, and other major ransomware attacks hit MedStar Health and Alvarado Hospital Medical Center, among dozens of others. Many US cities were also hit with ransomware in 2017 and 2018, including Baltimore and Atlanta.
In 2019, cybercriminals will target public utilities and ICSs. These are vital services that have not yet been targeted by widespread ransomware attacks and therefore may not be as prepared for this type of attack. Cybercriminals know that any ransomware that can cause downtime to these services will get swift attention, allowing them to ask for considerably more money in return.
This has the potential to cause blackouts and gaps in water and power services if these attacks are successful. To summarise, expect to see fewer ransomware attacks next year but more focused attacks – specifically targeted towards utilities and ICS – with ransom demands increasing by 6,500%.
3) Prediction: The United Nations proposes a cybersecurity treaty
Description:
In 2019, the United Nations will address the issue of state-sponsored cyberattacks by enacting a multinational Cyber Security Treaty.
There are many examples of alleged and confirmed cyberattacks launched by nation-states. These alleged attacks cost billions in damages and put supply chains responsible for 90% of computing devices at risk, showing that cyberattacks often cause enormous economic damage outside of their intended targets.
The growing number of civilian victims impacted by these attacks will cause the UN to more aggressively pursue a multinational cybersecurity treaty that establishes rules of engagement and impactful consequences around nation-state cybercampaigns. The UN has debated this topic in the past, but the most recent incidents – as well as new ones sure to surface in 2019 – will finally force it to come to some consensus.
4) Prediction: A nation-state launches a ‘fire sale’ attack
Description:
You may remember the fictional concept of a ‘fire sale’ attack from the fourth Die Hard movie, in which a terrorist group planned a coordinated cyberattack against US transportation, financial and public utilities and communication systems. The terrorists meant to use the fear and confusion caused by the attack to siphon off huge sums of money and disappear without a trace. In 2019, we will see a version of this fictional attack become a reality.
As unlikely as this attack might have seemed in the late 2000s, many modern cybersecurity incidents suggest that nation-states and terrorists have developed these capabilities. Cybercriminals and nation-states have launched huge distributed denial-of-service (DDoS) attacks that can take down entire countries’ infrastructure and could certainly hamper communications systems. The US government claims foreign actors have already been targeting and probing the defences of public utility and energy systems. We’ve seen these nation-sponsored attacks targeting financial systems like SWIFT to steal millions. Nation-states have also used social media and other communication systems to poison public perception with fake news.
In summary, each of these individual types of attack is already possible. It’s just a matter of time before some country combines many attacks as a smoke screen for a larger operation.
5) Prediction: Fileless, self-propagating ‘vaporworms’ attack
Description:
In 2019, a new breed of fileless malware will emerge, with worm-like properties that allow it to self-propagate through vulnerable systems and avoid detection.
It has been over 15 years since the Code Red computer worm spread through hundreds of thousands of vulnerable Microsoft IIS web servers in an early example of a fileless worm. Since then, both worms and fileless malware have impacted networks worldwide individually, but rarely as a combined attack.
Fileless malware, which runs entirely in memory without ever dropping a file onto the infected system, continues to grow in popularity. Sophisticated attackers prefer this method because without a malicious file to scan, traditional endpoint antivirus controls have a hard time detecting and blocking fileless threats. This results in higher infection rates. Pair this with systems running unpatched and vulnerable software that’s ripe for worm exploitation and you have a recipe for disaster.
Last year, a hacker group known as the Shadow Brokers caused significant damage by releasing several zero-day vulnerabilities in Microsoft Windows. It only took a month for attackers to add these vulnerabilities to ransomware, leading to two of the most damaging cyberattacks to date in WannaCry and NotPetya. This isn’t the first time that new zero-day vulnerabilities in Windows fuelled the proliferation of a worm and it won’t be the last. Next year, ‘vaporworms’ will emerge: fileless malware that self-propagates by exploiting vulnerabilities.
6) Prediction: WPA3 circumvented by a Layer 2 threat vector
Description:
In 2019, one of the six Wi-Fi threat categories as defined by the Trusted Wireless Environment Framework will be used to compromise a WPA3 Wi-Fi network despite the enhancements in the new WPA3 encryption standard. Unless more comprehensive security is built into Wi-Fi infrastructure, users will be fed a false sense of security with WPA3, while remaining susceptible to threats like evil twin APs.
WPA3 is the next evolution of the Wi-Fi encryption protocol. It has undergone significant improvements over WPA2, but it still does not provide protection from the six known Wi-Fi threat categories. These threats operate primarily at Layer 2 and include rogue APs, rogue clients, evil twin APs, neighbour APs, ad-hoc networks and misconfigured APs.
The evil twin AP, for example, is very likely to be used in enhanced open Wi-Fi networks as opportunistic wireless encryption (OWE) can still take place between a victim client and an attacker’s evil twin AP that is broadcasting the same SSID and possibly the same BSSID as a legitimate AP nearby. Although OWE would keep the session safe from eavesdropping, the victim’s Wi-Fi traffic would flow through the evil twin AP and into the hands of a man-in-the-middle (MitM) that can intercept credentials and plant malware and remote backdoors.
It’s highly likely that we’ll see at least one of the threat categories utilised to compromise a WPA3 network in 2019 and our money is on the evil twin AP.
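The evil twin scenario above (same SSID, possibly the same BSSID, broadcast by an attacker’s AP) is one that a wireless intrusion detection system can flag from beacon observations alone. The following is an added illustration, not code from WatchGuard or the Trusted Wireless Environment Framework, of the classification logic such a monitor applies: every observed beacon is compared against an inventory of the APs the organisation actually operates. The inventory, the beacon records and the BSSIDs are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, reduced to the fields the check needs."""
    ssid: str
    bssid: str
    channel: int
    security: str  # e.g. "WPA3-SAE", "OWE", "WPA2-PSK", "OPEN"


# Constructed inventory of the access points we operate (hypothetical values).
MANAGED_APS = {
    "aa:bb:cc:00:00:01": Beacon("CorpNet", "aa:bb:cc:00:00:01", 36, "WPA3-SAE"),
    "aa:bb:cc:00:00:02": Beacon("CorpNet", "aa:bb:cc:00:00:02", 44, "WPA3-SAE"),
    "aa:bb:cc:00:00:03": Beacon("CorpGuest", "aa:bb:cc:00:00:03", 1, "OWE"),
}
MANAGED_SSIDS = {ap.ssid for ap in MANAGED_APS.values()}


def classify(beacon: Beacon) -> str:
    """Return a verdict for one beacon.

    managed                 -> matches our inventory exactly
    evil-twin-spoofed-bssid -> our BSSID, but SSID/channel/security differ
                               (an attacker cloning one of our radios, or an
                               unannounced config change; either way, investigate)
    evil-twin-unknown-bssid -> one of our SSIDs from a radio we do not own
    neighbour               -> an SSID we do not operate at all (informational)
    """
    known = MANAGED_APS.get(beacon.bssid)
    if known is not None:
        if (known.ssid, known.channel, known.security) == (
            beacon.ssid, beacon.channel, beacon.security
        ):
            return "managed"
        return "evil-twin-spoofed-bssid"
    if beacon.ssid in MANAGED_SSIDS:
        return "evil-twin-unknown-bssid"
    return "neighbour"


def scan_findings(beacons):
    """Map (ssid, bssid) -> verdict for every beacon that is not ours."""
    findings = {}
    for b in beacons:
        verdict = classify(b)
        if verdict != "managed":
            findings[(b.ssid, b.bssid)] = verdict
    return findings


if __name__ == "__main__":
    # Constructed scan: two of our APs, one cloned SSID, one cloned BSSID, one cafe.
    scan = [
        Beacon("CorpNet", "aa:bb:cc:00:00:01", 36, "WPA3-SAE"),
        Beacon("CorpNet", "aa:bb:cc:00:00:02", 44, "WPA3-SAE"),
        Beacon("CorpNet", "de:ad:be:ef:00:01", 36, "WPA3-SAE"),   # unknown radio, our SSID
        Beacon("CorpGuest", "aa:bb:cc:00:00:03", 6, "OWE"),       # our BSSID, wrong channel
        Beacon("CafeWifi", "11:22:33:44:55:66", 11, "OPEN"),
    ]
    for key, verdict in scan_findings(scan).items():
        print(f"{key[0]:10} {key[1]}  {verdict}")
```

The point the passage makes is visible in the third and fourth records: OWE or WPA3 on the victim’s side does nothing to distinguish the cloned AP from the real one, so the only signal is the mismatch between what is on the air and what the operator knows it deployed. A channel mismatch on a known BSSID can also be a legitimate DFS move, so that verdict is a prompt to investigate rather than proof of an attack.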
7) Prediction: Biometrics as single-factor authentication exploited by attackers
Description:
As biometric logins become more common, hackers will take advantage of their use as a single-factor method of authentication to pull off a major attack in 2019.
Biometric login methods such as face and fingerprint readers on consumer devices like smartphones and gaming consoles present a tempting target for hackers. While biometrics are more convenient than remembering many complex passwords, and they are more secure than poor passwords, they are still just a single method of authentication. If people don’t add a second form of authentication, cybercriminals that successfully hack biometrics can easily gain access to their personal and financial data.
But aren’t biometrics much harder to crack? Well, a researcher fooled a fingerprint scanner with gummy bears in 2002, and a hobbyist hacking group defeated the iPhone’s TouchID in 2013. In 2017, a Vietnamese security group claimed to have created a mask that can fool Apple’s FaceID. It’s only a matter of time before hackers perfect these methods and exploit the growing trend of biometrics as the sole form of authentication. Of course, users can prevent these hacks by using multi-factor authentication. We believe that enough of the public will continue using single-factor biometric authentication in 2019 that hackers will take advantage of their naivety and pull off a major biometric hack.
8) Prediction: Attackers hold the Internet hostage
Description:
Next year, a hacktivist organisation or nation-state will launch a coordinated attack against the infrastructure of the Internet.
The industry already saw the impact of an attack against a critical piece of internet infrastructure when a DDoS attack against the DNS hosting provider Dyn took down many popular websites, including Twitter, Reddit and Amazon.com. Around the same time, security expert Bruce Schneier noted that attackers were probing several unnamed companies that provide similar critical Internet services for potential weaknesses.
A DDoS attack of this magnitude against a major registrar like Verisign could take down every website under an entire top-level domain (TLD). Imagine the impact if every single .com address was no longer resolvable.
Even the protocol that drives the Internet itself, Border Gateway Protocol (BGP), operates largely on the honour system. Only 0.1% of the Internet’s autonomous system numbers (ASNs, the identifiers of the collections of IP address routes under the control of an organisation) have deployed Route Origin Validation, meaning the other 99.9% remain wide open to route hijacking.
The bottom line is that the Internet itself is ripe for the taking by someone with the resources to DDoS multiple critical points on the Internet or abuse the underlying protocols themselves. With nation-state and hacktivism attacks ramping up recently, we could see cyberattackers actually take down the Internet in 2019.
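Route Origin Validation, the control the passage says 99.9% of ASNs have not deployed, is simple enough to show in full. The following is an added example, not WatchGuard’s code and not a real RPKI validator: it applies the RFC 6811 origin-validation rules to BGP announcements using a small set of Route Origin Authorisations (ROAs). The ROAs, prefixes and AS numbers are constructed sample data drawn from documentation ranges, and `validate` and `accepted_routes` are names chosen here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: this ASN may originate this prefix,
    and any more-specific of it down to max_length."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed ROA set (documentation prefixes and private-use ASNs).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
    ROA("2001:db8::/32", 48, 64500),
]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one announcement per RFC 6811.

    NotFound -> no ROA covers the prefix (most of the Internet today;
                the honour system the passage describes)
    Valid    -> a covering ROA names this origin and permits this length
    Invalid  -> covered, but wrong origin or too specific: a hijack or a
                misconfiguration, and the route should not be accepted
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() only compares same-version networks, so check first.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def accepted_routes(announcements, roas=ROAS):
    """Apply the usual deployment policy: drop Invalid, keep Valid and NotFound.

    Returns the accepted (prefix, origin_asn) pairs in announcement order.
    """
    return [
        (prefix, asn)
        for prefix, asn in announcements
        if validate(prefix, asn, roas) != "Invalid"
    ]


if __name__ == "__main__":
    # Constructed announcements: a legitimate route, a hijack from a foreign
    # origin, a more-specific beyond max_length, and an unregistered prefix.
    table = [
        ("203.0.113.0/24", 64500),
        ("203.0.113.0/24", 64666),
        ("198.51.100.0/25", 64501),
        ("192.0.2.0/24", 64500),
    ]
    for prefix, asn in table:
        print(f"{prefix:18} AS{asn}  {validate(prefix, asn)}")
    print("accepted:", accepted_routes(table))
```

Two details matter for the defender. The more-specific check is what stops an attacker who knows the legitimate origin from winning longest-prefix selection with a /25 the ROA never authorised. And because unregistered space yields NotFound rather than Invalid, validation only protects prefixes whose holders have published ROAs; the 0.1% figure in the passage is the adoption problem in one number.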