Top security threats in 2013: Mobile attacks
Mobile worms that buy malware from app stores, ransomware
By Thor Olavsrud | CIO US | Published: 16:05, 11 January 2013
Last year, the tech world saw a large number of high-profile attacks and data breaches, and security experts say threats will evolve and escalate in the coming year. BYOD, cloud and advanced persistent threats (APTs) remain top of mind for many, and experts agree that those threats will continue to play a significant role in the threat landscape in 2013. But will this finally be the year that mobile malware leaves its mark? What other new threats lay on the horizon?
For years, security experts have predicted the rise of mobile malware, and this year is no exception. Many experts expect mobile threats to escalate in 2013.
"We will see the first major malware on a mobile platform," Seth Goldhammer, director of product management at LogRhythm, provider of a security information and event management (SIEM) IT platform. "There has already been malware that has made it into the Android Play Store and even Apple's App Store. Given that the large majority of mobile devices run without any type of malware detection, it is inevitable that we are prone for a major, disruptive malware possibly posing as an update for a popular application."
Related Articles on Techworld
"The BYOD phenomenon - that tablets and smartphones outpace laptops in sales - means it is very likely these devices are participating on corporate networks even though IT may have put up safety guards to prevent their use," Goldhammer adds.
"For enterprises, this means that IT needs greater visibility into how these devices are interacting with the environment and the specific behavior of these devices to recognise when communications alter," Goldhammer says. "A significant deviation in communication patterns may reflect malware spread. If these devices are participating inside the corporate network, this could prove to be very disruptive, not only due to the increase in network activity but malware moving from mobile to standard operating systems."
The popular Android mobile operating system, with its open ecosystem, may prove an especially attractive target to cybercriminals. Trend Micro predicts that the number of malicious and high-risk Android apps will increase three-fold from about 350,000 in 2012 to more than 1 million in 2013, broadly in line with the predicted growth of the OS itself.
"In terms of market share, Android may be on its way to dominating the mobile space the same way that Windows dominated the desktop/laptop arena," Trend Micro notes in its Security Threats to Business, the Digital Lifestyle and the Cloud: Trend Micro Predictions for 2013 and Beyond report. "Malicious and high-risk Android apps are becoming more sophisticated. An "arms race" between Android attackers and security providers is likely to occur in the coming year, much as one occurred a decade or more ago over Microsoft Windows."
One particular area of concern is malware that buys apps from an app store without user permission. McAfee points to the Android/Marketpay. A Trojan, which already exists, and predicts we'll see criminals add it as a payload to a mobile worm in 2013.
"Buying apps developed by malware authors puts money in their pockets," McAfee Labs suggests in its 2013 Threats Predictions report. "A mobile worm that uses exploits to propagate over numerous vulnerable phones is the perfect platform for malware that buys such apps; attackers will no longer need victims to install a piece of malware. If user interaction isn't needed, there will be nothing to prevent a mobile worm from going on a shopping spree."
McAfee also has concerns about the near-field communications (NFC) capabilities that are appearing on an increasing number of mobile devices.
"As users are able to make "tap and pay" purchases in more locations, they'll carry their digital wallets everywhere," McAfee Labs says. "That flexibility will, unfortunately, also be a boon to thieves. Attackers will create mobile worms with NFC capabilities to propagate (via the "bump and infect" method) and to steal money. Malware writers will thrive in areas with dense populations (airports, malls, theme parks, etc.). An NFC-enabled worm could run rampant through a large crowd, infecting victims and potentially stealing from their wallet accounts."
McAfee also reports that malware that blocks mobile devices from receiving security updates is likely to appear in 2013.
Ransomware - in which criminals hijack a user's capability to access data, communicate or use the system at all and then forces the user to pay a ransom to regain access-spiked in 2012 and is likely to keep growing in 2013, says McAfee.
"Ransomware on Windows PCs has more than tripled during the past year," McAfee Labs reports. "Attackers have proven that this 'business model' works and are scaling up their attacks to increase profits."
McAfee Labs says it expects to see both Android and Apple's OS X as targets of ransomware in 2013 as ransomware kits, similar to the malware kits currently available in the underground market, proliferate.
"One limitation for many malware authors seeking profit from mobile devices is that more users transact business on desktop PCs than on tablets or phones," McAfee Labs says. "But this trend may not last; the convenience of portable browsers will likely lead more people to do their business on the go. Attackers have already developed ransomware for mobile devices. What if the ransom demand included threats to distribute recorded calls and pictures taken with the phone? We anticipate considerably more activity in this area during 2013."
AlienVault, provider of a unified security management solution, agrees, "We will see new ransomware tactics in 2013 as a result of the poor economy and the success of this type of attack (reportedly, cybercriminals raked in $5 million using ransomware tactics in 2012)."
Windows still a target
On the Windows front, Trend Micro reports that Windows 8 will offer consumers key security improvements-especially the Secure Boot and Early Launch Anti-Malware (ELAM) features—. However, enterprises are unlikely to see these benefits in the coming year. Analysts from research firm Gartner believe most enterprises won't begin to roll out Windows 8 in large numbers until 2014 at the earliest.
McAfee suggests that attackers targeting Windows of all varieties will expand their use of sophisticated and devastating below-the-kernel attacks.
"The evolution of computer security software and other defenses on client endpoints is driving threats into different areas of the operating system stack, especially for covert and persistent attackers," McAfee Labs says.
"The frequency of threats attacking Microsoft Windows below the kernel are increasing. Some of the critical assets targeted include the BIOS, master boot record (MBR), volume boot record (VBR), GUID Partition Table (GPT) and NTLoader," McAfee Labs says. "Although the volume of these threats is unlikely to approach that of simpler attacks on Windows and applications, the impact of these complex attacks can be far more devastating. We expect to see more threats in this area during 2013."
HTML5 creates a greater attack surface
This year will see continuing adoption of HTML5. McAfee notes that it provides language improvements, capabilities to remove the need for plug-ins, new layout rendering options and powerful APIs that support local data storage, device access, 2D/3D rendering, web-socket communication and more. While HTML5 offers a number of security improvements-McAfee believes there will be a reduction in exploits focused on plug-ins as browsers provide that functionality through their new media capabilities and APIs-it also suggests the additional functionality will create a larger attack surface.
"One of the primary separations between a native application and an HTML application has been the ability of the former to perform arbitrary network connections on the client," McAfee Labs says. "HTML5 increases the attack surface for every user, as its features do not require extensive policy or access controls. Thus they allow a page served from the Internet to exploit WebSocket functionality and poke around the user's local network."
"In the past," McAfee reports, "this opportunity for attackers was limited because any malicious use was thwarted by the same-origin policy, which has been a cornerstone of security in HTML-based products. With HTML5, however, Cross Origin Resource Sharing will let scripts from one domain make network requests, post data, and access data from the target domain, thereby allowing HTML pages to perform reconnaissance and limited operations on the user's network."
Experts also expect a rise in destructive attacks in 2013 by hacktivists and state actors.
"In 2013, we will see further destructive attacks (cybersabotage and cyberweaponry) on utilities and critical infrastructure systems," says Harry Sverdlove, CTO of security firm Bit9. "We saw Shamoon wipe out the systems of a major oil company in the Middle East, and that company's cybersecurity was no more lax than comparable companies in the United States or Europe. We know the bad guys have the ability to disrupt these systems, all they need is motive."
LogRythm's Goldhammer agrees: "We should also expect to see an increase in nation state attacks and hacktivism. It might be hard for some people to believe that we'll see an increase in 2013 after so many well-documented and publicised attacks, but I expect we'll see hacktivists take much more aggressive measures."
While earlier attacks may have just embarrassed a country or company via website defacement or exposing their databases publicly, Goldhammer says he expects that to change: "I can see splinter cells of hackers take more aggressive means to cripple networks or corrupt data, or use ransom tactics, in order to financially punish or tactically weaken. In 2012, more and more evidence shows nation states using malware or using exploits to gain information or to attack infrastructure. In 2013, I expect to see headlines talking about a growing number of nation states building exploits against each other, both for data retrieval, data corruption and damage to infrastructure."
McAfee and Trend Micro both concur.
"Destructive payloads in malware have become rare because attackers prefer to take control of their victims' computers for financial gain or to steal intellectual property," McAfee Labs says. "Recently, however, we have seen several attacks-some apparently targeted, others implemented as worms-in which the only goal was to cause as much damage as possible. We expect this malicious behavior to grow in 2013."
"Whether this is hacktivism taken to a new level, as some claim, or just malicious intent is impossible to say, but the worrying fact is that companies appear to be rather vulnerable to such attacks," McAfee adds. "As with distributed denial of service (DDoS) attacks, the technical bar for the hackers to hurdle is rather low. If attackers can install destructive malware on a large number of machines, then the result can be devastating."