Cybercrime and malware, 2019 predictions

It has now become a tradition among cyber-security firms to issue a series of predictions for the upcoming year. While some companies have their malware analysts or their CEOs put out small lists of predictions, others go completely overboard with podcasts and 100-page reports that are just a few pages short of a full book.

ZDNet's Zero Day security blog has taken a look over most of these reports, has even reached out to some selected researchers, and has compiled a list of predictions we also agree are most likely to happen next year.If users would like to take a deeper dive into these predictions, here's a list of the reports we've pooled for this gallery: McAfee, Forrester, RiskIQ, Kaspersky Lab [1, 2, 3], WatchGuard, Nuvias, FireEye, CyberArk, Forcepoint, Sophos, and Symantec.

Also, we have skipped APT, cyber-espionage, and cyberwar predictions, as we have dedicated a special article for those.

"The concept of in-browser mining was almost shattered overnight by ill-intended threat actors taking advantage of Coinhive and other similar services," Jérôme Segura, malware analyst for Malwarebytes told ZDNet in an interview this week.

"While 'cryptojacking' or 'drive-by mining' dominated the threat landscape in late 2017 and early 2018, it took a backseat for the rest of the year, with the notable exception of some campaigns powered by a large number of compromised IoT devices (i.e. MikroTik exploits)," he said.

"As it stands, the profits generated from in-browser mining are not what they used to be, due to the decline in the value of cryptocurrencies. Our telemetry shows a sharp decrease in Coinhive related traffic, although one of its competitors, CoinIMP, has gained traction during the past few months.

"For 2019, we can expect to see fewer campaigns where Content Management Systems are injected with coin miners but instead see other web threats become more prevalent, in particular web skimmers."

Web skimmers, also known as Magecart attacks, have been 2018's most dangerous threat. This threat isn't going anywhere in 2019, according to Yonathan Klijnsma, Head Threat Researcher at RiskIQ, and the author of an expansive report on Magecart groups and their past activities.

"I'm expecting new variants in web skimming attacks," Klijnsma said. "While payment data is currently in focus, because web skimming can skim any information entered into a website, Magecart groups will expand to skimming more than just credit card data to login credentials and other sensitive information."

Botnets can stand to mean many things, but we're solely referring here to botnets made of routers and Internet of Things (IoT) devices, which are currently being used for DDoS attacks, primarily, and lately, also for proxying bad traffic. This latter trend is expected to intensify, according to Ankit Anubhav, Principal Security Researcher at IoT security firm NewSky Security.

"IoT threats in 2019 are expected to further move in different directions like cryptojacking or proxy changers," Anubhav told ZDNet. "However Mirai and it's variants, used for DDoS attacks, are not going to go away anytime soon, as they have their relevance and market among script kiddies."

The researcher also told ZDNet that these botnets will move away from infecting devices via Telnet and SSH password-guessing attacks, as the router and IoT scene has reached a saturation point. Instead, the expert sees most botnets being built using vulnerability exploits.

"An exploit which can infect IoT devices will be used as soon as it becomes public," Anubhav told us. "Furthermore, attackers are now also facing increased attention from a number of whitehats tracking IoT botnets. So I expet to see more techniques for honeypot evasion or payload encryption next year."

Despite DDoS attacks being a pretty ancient threat, companies are still having a hard time protecting their online resources against them.

"New protocols being abused to conduct DDoS attacks," Troy Mursch of Bad Packets LLC told ZDNet when asked about where he sees the DDoS landscape going in 2019. "This kind of stuff is the 'frontier' of DDoS attacks," he added.

Mursch pointed ZDNet to the CoAP protocol as the next big thing on the DDoS scene. More on this procotol in a dedicated article, here.

Ahh, ransomware, our old foe. After being everyone's favorite "prediction" for the past few years, ransomware appears to be slowly declining, or at least the major mass-distribution campaigns.

In an email from Chester Wisniewski, principal research scientist, at Sophos, the expert he sees ransomware becoming more targeted, and attackers only focusing on major targets, like businesses and government agencies, the ones most likely to pay ransom demands.

"The authors of opportunistic ransomware operate similar to a penetration tester in the way they scope out the network, looking for vulnerabilities and weak entry points. However, unlike penetration testers, cybercriminals then act on their findings in a methodical way to inflict maximum damage. They stake out victims, move laterally throughout the network, manipulate internal controls, and more," the expert told ZDNet.

"This human-centered approach has proved successful, with the authors of SamSam ransomware collecting $6.7m over the course of almost three years. Other cybercriminals have taken note, and in 2019 we will see more and more copycat attacks. In particular, Matrix, which appears to be constantly approved upon with new versions, and Ryuk, which is geared toward enterprises and large organizations that have the funds to pay up, will be strains to watch out for," the expert told us.

For the financial crime sector, which refers to cyberattacks on the banking sector, were going to massively quote Kaspersky's "Cyberthreats to financial institutions 2019" report, which is, in our opinion, a must read, and the one that presented the most believable and sensible predictions. The accuracy of this report might have something to do with the fact that the company is often called upon to investigate these types of bank cyber-heists, some of which have gotten really wild in the past two years.

• The emergence of new groups due to the fragmentation of Cobalt/Carbnal and Fin7.
• Continuation of the supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world.
• The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, South-East Asia and Central Europe. Until now, groups have focused mainly on the former Soviet space and Latin America.
• Traditional cybercrime groups that have focused on PoS malware in the past will shift towards web skimmers, as collecting payment card data from web stores is much easier than creating and infecting victims with PoS malware.
• Attacks on mobile banking for business users.
• Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wires. Attackers will be using data from publicly leaked data breaches.

Cloud servers are in big trouble in 2019. Cloud servers have slowly become the favorite target of cryptocurrency mining trojans ever since the start of 2018, but attacks are expected to explode in 2019, according to predictions made in almost all the reports we've read. The reason is cryptocurrency mining, which will remain profitable for crooks despite cryptocurrency exchange rates going down. When you have so many free (other people's) resources at your disposal, it doesn't really matter if Monero's price is slashed in half.

With the first major security flaw being discovered in Kubernetes this month, attacks at scale have already started and are expected to intensify. Attackers won't focus on Kubernetes only, but also Docker instances, MongoDB servers, ElasticSearch, AWS, Azure, and any other cloud-capable system that isn't properly secured.

In an email to ZDNet, Tim Jefferson, VP of Public Cloud at Barracuda Networks, said that cloud providers have seen the writing on the wall already, hence the reason why some cloud providers have started adding security features to their respective services. But the Barracuda exec says that attackers will adapt too, in 2019.

"Cyber criminals will also get more clever at using compromised accounts in ways that will be difficult to detect. Instead of using a massive amount of new resources for cryptomining, which causes a noticeable spike in usage, they're starting to use already-approved resources and stealing some cycles from those instead, which is easier to hide. I expect to see more attacks like that in 2019," the exec told us.

But just because it's a new year, this doesn't mean attackers will stop using old techniques. Email spam will remain a daily occurrence. Nobody sees email spam exploding or declining, mainly because email spam numbers have been at the same levels for years.

But what experts do see is an increase in email social engineering attacks, also known as BECs, or Business Email Compromises.

"We will see all sorts of phishing and spear phishing tactics being leveraged in targeted attacks, but more specifically, we expect to see more cases of CEO fraud, or business email compromise (BEC)," said FireEye in its predictions report. "BEC is expected to spike significantly, so employees should be extra vigilant when it comes to emails from key individuals in their organizations."

"In 2019, we expect to see less-skilled actors gain access to better social engineering, better tools, and broader targets," FireEye said in its predictions report.

The company's assessment comes after more and more hacking tools are becoming available with each day, released either by crooks trying to sabotage other gangs or released by security researchers, as penetration testing tools.

These tools have been massively adopted in 2018, and very few criminal operations still rely on custom-made malware. Even nation-state groups have started shifting towards open source hacking tools in the past two years, and in 2019 experts expect to see low-skilled, expert hackers, and nation-state hackers all use the same advanced tools, making attack attribution nearly impossible.

As for the Dark Web, things are murky here, but it's the Dark Web, and they've always been murky.

Over the past few years, authorities have started to have success in cracking down on Dark Web actors, regardless if they were involved in child abuse, drugs trading, weapons sales, or your regular cybercrime operations like data selling, ransomware, and hacking forums.

Large cyber-crime marketplaces have died down in recent years, especially after European and US authorities cracked down on the three biggest Dark Web marketplaces last year.

In 2019, we'll see a continuation of what happened in 2018, with cybercrime operations hiding in closed and tightly guarded communities. Hackers have always hidden their forums and marketplaces, but after the AlphaBay, Hansa, and RAMP takedowns, the secrecy and paranoia surrounding these portals have gone up considerably.

Most cyber-criminal operations moved to Telegram, Jabber/XMPP, and other encryption-capable clients in late 2017, and because of law enforcement's continued focus on the Dark Web, they'll continue to remain there, with little cyber-criminal activity still being carried out via Dark Web sites.

As Ankit Anubhav pointed out a few slides back, evasion techniques are all in rage right now.

Predicting that malware authors will add "evasion techniques" to malware source code is... kind of lazy... but we're not the experts here.When NewSky Security, McAfee, RiskIQ, and FireEye all predict that "evasion techniques" will be popular in 2019, they're not just mailing a prediction in. Making malware invisible to antivirus has always been a main preoccupation for malware authors, but now, more than ever, cyber-criminals appear to be interested in these techniques.

Over the past years, these "evasion techniques" have been small malware components that make a few clever checks to detect sandbox environments. But in 2019, cyber-security firms see "evasion techniques" go to another level.

"Think the counter-AV industry is pervasive now? This is just the beginning," McAfee said in its predictions report. "We predict in 2019, due to the ease with which criminals can now outsource key components of their attacks, evasion techniques will become more agile due to the application of artificial intelligence."

The same thing is also echoed in FireEye's predictions report, and in RiskIQ's report, where CTO Adam Hunt says that "threat actors will be using machine learning" too, and not just the cyber-security industry.

These predictions are not a surprise, as machine-learning-based security products have been popping up left and right. It's no stretch of the imagination to hear that malware authors are also exploring machine learning and AI in search of methods of evading their competition.

Exploit kits are web-based applications that redirect users to malicious sites where they attempt to exploit a browser vulnerability to infect the user with malware. Exploit kits have been on their death bed since 2015-2016, but have continued to drag along, albeit making far fewer victims in the past few years. The reason is that browsers have become much harder to hack, due to browser makers investing in bug bounty programs, but also because the market share of older, more vulnerable browsers has almost died out.

In 2019, a security researcher tells ZDNet that he sees cyber-crime groups giving up on exploit kits altogether. The researcher says that the infrastructure behind these exploits kits, the servers which redirect traffic through countless of internet domains will continue to live on as separate services. Former exploit kit developers will focus their main energy on improving this infrastructure and renting it to other crooks.

Unless someone --white, grey, or black hat-- dumps a free exploit on the market, the researcher doesn't see exploit kit developers working on coming up with new exploits, but rather sees these threat actors focusing on hacking legitimate sites to steal traffic from them or to host malicious redirection scripts (as part of their traffic distribution systems).

"Malvertising will continue to gain sophistication in 2019," Jerome Dangu, Confiant co-founder and CTO, told ZDNet in an email, "heavily focusing on evasion/obfuscation to hit a large user base, with techniques like steganography and leveraging protocols like WebRTC and WebSocket."

"The ad industry has a clear plan to curb 'forced redirects' but its deployment has been harder than anticipated. Expect attackers to continue to innovate."

Data breaches and data leaks are gonna happen. It's not a matter of when, but how.

In the past three-four years, data leaks have happened mainly due to companies leaving MongoDB or AWS servers exposed on the Internet without a password. But in the past years, companies have been learning from their mistakes and the number of exposed servers has gone down, slightly, albeit not to zero.

But according to conversations ZDNet had with experts from Hacken Proof and Risk Based Security over the course of the last year, ElasticSearch will be the technology at the heart of most data leaks in the coming year.

While some data breaches will occur after orchestrated hacks, a large number will also occur because someone forgot to set up a password for a server. No, we're not joking. This is actually a real problem, as stupid as it sounds. Servers, accidentally or intentionally, left exposed on the Internet without a password will plague 2019 just like they did 2018, 2017, and all the prior years.