Editor’s note: Shlomi Boutnaru is the CTO and co-founder of predictive cyber-security startup CyActive.
If 2014 did anything good for cybersecurity, it showed us just how exposed major corporations, governments and militaries are to cyber attacks. From vulnerabilities in our power grids to our cash registers, cyber attacks have become the $400 billion problem. And while the attacks differ in motive and method, there are four consistent perpetrators charging at us at full speed – and we need to rein them in.
These “Four Horsemen” point us to the components we can expect to see used by hackers in 2015: exploits in unpatchable systems; recycled malware hidden imperceptibly; and human error. Studying these harbingers could very well save us from a potential cyber catastrophe.
Unpatched and Unpatchable Systems
Heartbleed. What happens when you discover your safety net has gaping holes? The Heartbleed vulnerability was discovered in OpenSSL, data-encryption software that is supposed to protect sensitive information. Heartbleed sent shockwaves through the IT world when it was discovered back in April because OpenSSL is used by many sites and exploits for it were readily available. These exploits allow attackers to reach large amounts of sensitive information, such as passwords and usernames, through holes in the very software that is supposed to protect that information.
Heartbleed has widespread and long-term implications. Though a patched version of the software has been issued, many of the systems that were developed to use OpenSSL are not updated because their hardware is not built for updates. As long as these critical systems are operating, they are wide open to exploitation.
This danger is not theoretical. Between April and June 2014, 4.5 million patient credentials were stolen from non-updated systems of the Community Health Systems (CHS) hospital network, which operates 206 hospitals across the US. The initial breach of the network was carried out by exploiting the Heartbleed vulnerability in a wireless network device used in the hospitals that was not yet updated.
Shellshock. Like Heartbleed, Shellshock is a vulnerability, but a much more problematic one because it exists in the basic command line of the Unix operating system rather than in the software used by some sites. Unix is found across an extremely broad array of applications, including routers and web servers (some 64 percent of servers, including OSX and Linux, are Unix-based), industrial SCADA, and 747s.
Like Heartbleed, Shellshock shocked the world of IT and cyber since it blasted an easily exploitable hole in the base of one of the most widely used operating systems. Since a patch is available, the main threat posed by Shellshock stems not from its existence, but like Heartbleed, from the fact that many systems developed with Unix cannot be patched in the long term.
In many Unix systems, continual operation is crucial and patching requires shutting down the machines to reboot them. What this means for all of us is that a very basic vulnerability that is still being widely exploited (September saw 1.5 million attack attempts per day) isn’t going away anytime soon. From routers to airplanes, Shellshock will be with us in systems used in our daily lives for years to come.
Human Error and Malware Reuse Join Forces
BlackPoS. BlackPoS exposed a massive multi-level and inter-organizational failure in cyber-security. Organizations did not protect against already known malware, and human error added to an already calamitous situation.
Two variants of BlackPoS, a malware known since 2013 that was developed to steal credit card information from Point-of-Sale (PoS) systems, were used in two major retail breaches in 2014. And while it cost the retail giants hundreds of millions of dollars in damage, hackers could purchase it online for as little as $1,800. Only four months after the massive data breach at the Target retail chain, Home Depot was breached by a variant of the exact same malware, using the same methods of attack, techniques that could have been noticed in the network and endpoint systems had they been looked for and studied.
Moreover, in both attacks the hackers exploited holes in the security of third-party vendors, which gave them access to the retailers’ networks and to the PoS devices. For instance, in the Target attack, there is evidence showing that the software first exploited in the breach was that of BMC, the company that developed the IT management software used at Target. And this is where human error kicks in. Easy-to-guess passwords and network connections that were not monitored made Target an attacker’s paradise.
The main problem that arises from these attacks is that organizations did not thoroughly study and pay attention to the ways in which similar organizations were breached. In addition to the organizations themselves, the cyber defense world needs to develop better techniques in dealing with variants of known malware as hackers reuse and recycle them.
When Hackers Use Cheap Malware to Maximum Effect
Dragonfly. Dragonfly (aka Energetic Bear) is an example of capable attackers using cheap, basic and well-known malicious tools to the best effect against supposedly well-protected targets. Using two exploit kits with widely known exploits in Java and Internet Explorer, plus variants of the known SysMain and Karagany RAT Trojan malware, the deployers of Dragonfly managed to gain access to very sensitive targets, including U.S. and Canadian aviation and defense industries, U.S. and European energy grid operators, major electricity generation firms, petroleum pipeline operators, and Industrial Control System (ICS) equipment manufacturers.
Though the operation’s main motive appears to have been cyber espionage, the potential for sabotage in these targets should be our wake-up call. It appears that though billions of dollars are put into cyber defense in these types of organizations, they are having a hard time dealing with basic threats that are operated by competent attackers.
A Game Plan
Though details are still emerging, the latest attack on Sony demonstrates a dangerous mix of human errors and undetected recycled malware. Initial reports indicate that the attackers used at least six reused components, including two pieces of data-erasing malware, Shamoon and Darkseoul, which can both be downloaded online for free. While the headlines have been dominated by the human error that preceded the breach, the right form of malware detection could have flagged these well-known components in time to prevent the attack.
While Sony is just the latest example, the cyber attacks of 2014 made headlines with a series of discoveries and events that should push us to reshape the way we approach cyber defense. Luckily, we have averted a cyber apocalypse so far. I’m not saying the sky is falling, but when our military and government organizations, industrial complexes, and financial institutions are at risk, it is time to sound an alarm in order to push vulnerable organizations (and most organizations are vulnerable) to step up their efforts a notch.
Since you can’t spread your resources everywhere, we distilled it down to four “horsemen” that we believe are creating dangers that must be addressed immediately. Studying these harbingers could very well save us from a potential cyber catastrophe.
This is a call to action for both organizations and the cyber security world — unpatchable systems and reused malware are going to be the root cause of cyber attacks in the coming years and the next potential cyber disaster. Both of these issues are far from simple to solve and can only be addressed by combining the knowledge, resources and increased awareness of enterprises and cyber experts.
These open issues require a sense of urgency for the proactive measures needed (in patching, artificial intelligence and elsewhere), if we are to be successful in our efforts to deal with them.