- Malware Evolution
- Corporate Threats
- Overall Statistics for 2013
Having begun many years ago with the Gpcode Trojan, malicious ransomware has developed into two main types – Trojans that block the computer’s operation and demand money to unblock it, and Trojans that encrypt the data on the computer and require even bigger sums to decrypt it.
In 2014, we can expect cybercriminals to take another logical step in the development of these types of Trojan programs and turn their attention to mobile devices. Android-based devices will no doubt be the first to be targeted. Encryption of user data on smartphones – photos, contacts, correspondence – is easy if the Trojan has administrator rights, and distributing such programs (including via official stores like Google Play) is not difficult either.
It seems that the trend of making malicious programs even more complicated in 2013 will continue next year. As before, the fraudsters will try to get at users’ money with the help of mobile Trojans. Tools developed to access bank accounts of mobile device owners (mobile phishing, banking Trojans) will be further improved. Mobile botnets will be sold and bought and will also be used to distribute malicious attachments on behalf of third parties. Vulnerabilities in the Android OS will be exploited to infect mobile devices; it’s unlikely they will be involved in drive-by attacks on smartphones.
Attacks on Bitcoin
Attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year.
Attacks on stock exchanges will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.
As for Bitcoin users, in 2014 we expect considerable growth in the number of attacks targeting their wallets. Previously, criminals infected victim computers and went on to use them for mining. However, this method is now far less effective than before while the theft of Bitcoins promises cybercriminals huge profits and complete anonymity.
The problems of protecting privacy
People want to hide their private life from intelligence agencies around the world. It is impossible to ensure user data is protected without popular Internet services – social networking sites, mail and cloud services – taking appropriate measures. However, the current protection methods are not enough. A number of these services have already announced the implementation of additional measures to protect user data, for example, encryption of all data transmitted between their own servers. Implementing more sophisticated protection measures will continue, and is likely to become a key factor when users choose between rival web services.
End users also face problems as they try to protect the information stored on their computers and devices, while also ensuring their online behavior remains confidential. This will lead to greater popularity for VPN services and Tor-anonymizers as well as increased demand for local encryption tools.
Attacks on cloud storage facilities
‘Clouds’ are facing tough times. First, trust in cloud storage has been hit hard by Snowden’s leaks and the newly discovered facts of data collection by various state-sponsored intelligence services. At the same time, the types of data being stored in these facilities are becoming ever more attractive to cybercriminals. Three years ago we assumed that in due course it would be easier for a fraudster to hack a cloud storage provider and steal company data from there, rather than hacking the company itself. It looks like that time is almost upon us. Hackers are targeting cloud service employees, seeing them as the weakest link in the security chain. A successful attack here could hand cybercriminals the keys to huge volumes of data. In addition to data theft attackers may be interested in deleting or modifying information, which in some cases may be even more valuable for those who commission the attacks.
Attacks on software developers
Something related to the problem mentioned above is the likely rise in attacks on software developers. In 2013, we uncovered a series of attacks staged by the Winnti cybercriminal gang. The victims of these attacks were gaming companies that had had their online games server sources stolen. Adobe was yet another victim – its Adobe Acrobat and Cold Fusion sources fell prey to the attackers. There are also earlier examples of successful attacks by the fraudsters: in 2011, they targeted RSA and managed to get hold of Secure ID source code which they used in a subsequent attack on Lockheed Martin.
The theft of popular product sources gives attackers an excellent opportunity to find vulnerabilities in the products and then to use them for their own fraudulent purposes. Additionally, if cybercriminals have access to the victim’s repositories, they can modify the program source code and embed backdoors to them.
This again puts at risk the developers of mobile applications, which are created in their thousands and distributed to hundreds of millions of devices.
Snowden’s leaks have demonstrated that one of the goals of cyber espionage between states is to provide economic aid to “friendly” companies. This factor has broken down ethical barriers which initially restrained business from using radical methods to compete with their rivals. In the new realities of cyberspace, businesses are facing the possibility of conducting this kind of activity for themselves.
The companies will have to resort to business cyber-espionage as a means of remaining competitive because their rivals are already spying in order to get a competitive advantage. Some companies may even spy on government structures as well as on their employees, partners and suppliers.
This will only be possible if companies employ cyber-mercenaries, organized groups of qualified hackers who can offer bespoke cyber-espionage services. Most probably, these hackers will describe themselves as cyber-detectives.
In summer 2013 Kaspersky Lab detected commercial activity by the Icefog cyber-mercenary gang.
Fragmentation of the Internet
Amazing things have happened to the Internet. Many experts, including Eugene Kaspersky, are talking about the need to create some kind of parallel “safe Internet” which won’t allow anonymous users to roam, with potentially criminal intent. Meanwhile, cybercriminals have created their own Darknet based on Tor and I2P technologies allowing anonymous cybercriminal activity, commercial activity and communication.
At the same time, the Internet has begun to break up into national segments. Until recently this only really applied to the Great Firewall of China. But the People’s Republic is no longer alone in its efforts to separate and manage their own Internet resources. Several countries, including Russia, have adopted or are planning to adopt legislation prohibiting the use of foreign services. Snowden’s revelations have intensified the demand for these rules. In November, Germany announced that all communications between the German authorities would be fully locked within the country. Brazil has announced its plans to build an alternative Internet channel so as not to use the one that goes through Florida (USA).
The World Wide Web has begun to break up into pieces. Individual countries are no longer willing to let a single byte of information out of their networks. These aspirations will grow ever stronger and legislative restrictions will inevitably transform into technical prohibitions. The next step will most likely be attempts to limit foreign access to data inside a country.
As this trend develops further it will soon lead to the collapse of the current Internet, which will break into dozens of national networks. It is possible that some of them will prove unable to communicate with each other at all. The shadowy Darknet will be the only truly world-wide web.
The pyramid of cyber-threats
The easiest way to describe the anticipated events and trends of 2014 is to do it graphically in the form of the pyramid of cyber-threats which we presented a year ago.
This pyramid consists of three levels. The threats used in attacks on ordinary users by regular cybercriminals driven solely by the prospect of financial gain are at the bottom of the pyramid. The middle level hosts the threats used in targeted corporate cyber-espionage attacks as well as so-called police spyware exploited by states to spy on their citizens and companies. The top of the pyramid is for the threats created by states to conduct cyber-attacks on other nations.
Most of these cyber-threat developments belong to the middle layer of threats. Therefore, in 2014 we expect significant growth in the number of threats related to economic and domestic cyber-espionage.
There will be an increase in such attacks as the cybercriminals currently attacking ordinary users transform into cyber-mercenaries and cyber-detectives. Furthermore, it is highly likely that cyber-mercenary services will be provided by IT specialists who have never before been engaged in criminal activity. The halo of legitimacy that comes with working for reputable companies will contribute to the development of this trend.
Kaspersky Security Bulletin 2013. Forecasts