Guest editorial by Costin Raiu
At the end of last year, I wrote The Top 10 Security Stories of 2011, an article that summarized 2011 in one word: "explosive." Back then, the biggest challenge was how to narrow down all the incidents, stories, facts, new trends and intriguing actors into just 10 top stories.
Based on the events and the actors who defined the top security stories of 2011, I made a number of predictions regarding 2012:
- The continued rise of hacktivist groups.
- The growth of Advanced Persistent Threat (APT) incidents.
- The dawn of cyber-warfare and more powerful nation states jostling for dominance through cyber-espionage campaigns.
- Attacks on software and gaming developers such as Adobe, Microsoft, Oracle and Sony.
- More aggressive actions from law enforcement agencies against traditional cybercriminals.
- An explosion of Android threats.
- Attacks on Apple’s Mac OS X platform.
How did these predictions work out? Let’s take a look at the top 10 security incidents that shaped 2012...
1. Flashback hits Mac OS X
Although the Mac OS X Trojan Flashback/Flashfake first appeared in late 2011, it wasn't until April 2012 that it became really widespread. At its peak, Flashback infected more than 700,000 Macs, easily the biggest known Mac OS X infection to date. How was this possible? Two main factors: a Java vulnerability (CVE-2012-0507) and the general sense of apathy among the Mac faithful when it comes to security issues.
Flashback continues to be relevant because it demolished the myth of invulnerability surrounding the Mac and because it confirmed that massive outbreaks can indeed affect non-Windows platforms. Back in 2011, we predicted that we would see more Mac malware attacks. We just never expected it would be this dramatic.
2. Flame and Gauss: nation-state cyber-espionage campaigns
In mid-April 2012, a series of cyber-attacks destroyed computer systems at several oil platforms in the Middle East. The malware responsible for the attacks, named “Wiper”, was never found – although several pointers indicated a resemblance to Duqu and Stuxnet. During the investigation, we stumbled upon a huge cyber-espionage campaign now known as Flame.
Flame is arguably one of the most sophisticated pieces of malware ever created. When fully deployed onto a system, it has more than 20 MB of modules which perform a wide array of functions such as audio interception, Bluetooth device scanning, document theft and taking screenshots of the infected machine. The most impressive part was the use of a fake Microsoft certificate to perform a man-in-the-middle attack against Windows Update, which allowed it to infect fully patched Windows 7 PCs in the blink of an eye. The complexity of this operation left no doubt that it was backed by a nation-state. In fact, Kaspersky researchers discovered a strong connection to Stuxnet, which indicates that the Flame developers worked together with the Stuxnet developers, perhaps during the same operation.
Flame is important because it showed that highly complex malware can remain undetected for many years. It is estimated that the Flame project could be at least five years old. It also redefined the whole idea of “zero-days” through its “God mode” man-in-the-middle propagation technique.
Of course, when Flame was discovered, people wondered how many other campaigns like this were being mounted. It wasn’t long before others surfaced. The discovery of Gauss, another highly sophisticated Trojan that was widely deployed in the Middle East, added a new dimension to nation-state cyber campaigns. Gauss is remarkable for a variety of reasons, some of which remain a mystery to this day. The use of a custom font named “Palida Narrow” and its encrypted payload, which targets a computer disconnected from the Internet, are among the many unknowns. It is also the first government-sponsored banking Trojan with the ability to hijack online banking credentials from victims, primarily in Lebanon.
With Flame and Gauss, a new dimension was injected into the Middle East battleground: cyber-war and cyber-warfare. It appears there is a strong cyber component to the existing geopolitical tensions – perhaps bigger than anyone expected.
3. The explosion of Android threats
During 2011, we witnessed an explosion in the number of malicious threats targeting the Android platform. We predicted that the number of threats for Android would continue to grow at an alarming rate. The chart below clearly confirms this:
The number of samples continued to grow and peaked in June 2012, when we identified almost 7,000 malicious Android programs. Overall, in 2012, we identified more than 35,000 malicious Android programs, which is about six times more than in 2011. That’s also about five times more than all the malicious Android samples we received since 2005 altogether!
The huge growth in Android malware can be explained by two factors: one economic, one platform-related. First of all, the Android platform itself has become incredibly popular, becoming the most widespread OS for new phones, with over 70% market share. Secondly, the open nature of the operating system, the ease with which apps can be created and the wide variety of (unofficial) application markets have combined to shine a negative spotlight on the security posture of the Android platform.
Looking forward, there is no doubt this trend will continue, just like it did with Windows malware many years ago. We are therefore expecting 2013 to be filled with targeted attacks against Android users, zero-days and data leaks.