The number of individuals affected by data breaches and cyberattacks in 2018 runs into the billions, and the number of affected organizations is not far behind.
One data breach alone, Marriott's, affected 500 million individuals. More specifically, the guest reservation database of Marriott's Starwood subsidiary was exposed, covering about 500 million guest records accumulated over four years, and plenty of highly sensitive information was laid open.
And that’s just one example – 2018 witnessed the resurgence of older banking malware, the addition of new players on the malware and ransomware scene, plenty of phishing scams, and the overall evolution of cybercriminal intentions and capabilities. So, considering the already vulnerable state of security and the evolving scene of cybercrime, what should we expect in 2019?
According to Max Heinemeyer, the director of threat hunting at Darktrace, "narrow artificial intelligence is going to supercharge malware in the next couple of years". Darktrace is an international artificial intelligence company that identifies cyberattacks and provides defensive mechanisms. Until now, intrusions have required hands-on human operators; if AI is used instead, attacks can run at machine speed and adapt themselves to each environment they land in, the expert points out.
What if ransomware worms or other attacks could intelligently choose the best way to move around, tailored to the environment they find themselves in?
In short, artificial intelligence and machine learning are altering the landscape of security risks for citizens, organizations, and states, another recent security report said. The report is a collaborative effort of the Future of Humanity Institute, the University of Oxford, the University of Cambridge and OpenAI, among others, and it analyzes the question of "what the long-term equilibrium between attackers and defenders will be".
There is a real threat of AI being used in malicious scenarios, and it could undermine digital security in several ways. For instance, criminals could train machines to hack or socially engineer victims at human or superhuman levels of performance. Physical security is also at stake, as is political security, where surveillance becomes far more pervasive and automated fake news campaigns shape the way we think.
The malicious use of AI will impact how we construct and manage our digital infrastructure as well as how we design and distribute AI systems, and will likely require policy and other institutional responses, the report noted.
Comcast is one company that is adopting AI for security purposes. The company recently made an important announcement about a new AI-powered service that will monitor, block and inform customers about online threats connected to home networks. The service is called Xfinity xFi Advanced Security, and its main purpose is to protect users from malware attacks and intruders.
Comcast has pointed out that, according to Cisco estimates, there will be more than 13 connected devices per person in North America alone. The issue is that most users have neither the knowledge nor the tools to secure these devices, especially when the devices have no keyboard or screen.
There are already a number of dangerous attacks that target IoT devices and enslave them in botnets. Take the BCMUPnP_Hunter botnet, which specifically targets IoT devices. It exploits a five-year-old vulnerability that remains unpatched on many devices, and it has infected about 100,000 IoT devices since its launch.
AI could also supercharge phishing, security researchers say: scammers could adopt it to craft phishing messages that humans can't tell apart from legitimate ones.
Another development in phishing is the ability to bypass two-factor authentication. A new open-source tool called Modlishka made headlines by demonstrating how it can bypass 2FA on sites and services. It does not launch exploits; it runs as a phishing campaign, standing between the victim and the real login page as a reverse proxy so that credentials and one-time codes are passed on to the legitimate site as the victim types them. The approach has proven very effective, especially against a large number of targets.
In December, Google and Yahoo users were also targeted in sophisticated phishing attacks that bypassed 2FA. The phishing email used a specially crafted "security alert" that tricked targets into visiting malicious domains made to look like Google and Yahoo. What stands out in this operation is the method used to bypass 2FA and the registration of domains that strikingly resemble the legitimate services.
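The two campaigns above share one mechanism: a one-time code is not tied to the page it is typed into, so a proxy sitting on a look-alike domain can forward it to the real site within its validity window. The simulation below is an added example (not code from Modlishka, Google, Yahoo or the article's sources) that shows why a relayed TOTP code is accepted while an origin-bound assertion in the style of WebAuthn is not. It uses only the standard library; the seed, key, origins, challenge and timestamp are constructed for the demo, and an HMAC stands in for the authenticator's asymmetric signature.

```python
"""Why a reverse-proxy phishing kit can relay a TOTP code but not an origin-bound assertion.

Added example using only the standard library; the seeds, keys, origins and
timestamps below are constructed for the demo and belong to no real service.
"""
import hashlib
import hmac
import struct

# Constructed demo data (assumptions, not real secrets or domains).
TOTP_SEED = b"constructed-demo-totp-seed"
AUTHENTICATOR_KEY = b"constructed-demo-authenticator-key"
LEGIT_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"   # look-alike domain run by the proxy
T0 = 1_546_300_800                              # 2019-01-01T00:00:00Z, a 30 s window boundary


def totp(seed: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as an authenticator app computes it."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def relay_totp(seed: bytes, victim_time: int, proxy_delay: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it to the real site.

    The code says nothing about where it was typed, so the real server accepts it as
    long as the proxy forwards it inside the same 30 s window (this toy server is
    strict; real servers often accept the neighbouring window too, which helps the proxy).
    """
    victim_code = totp(seed, victim_time)                  # read off the victim's phone
    server_code = totp(seed, victim_time + proxy_delay)    # what the server expects on arrival
    return hmac.compare_digest(server_code, victim_code)


def sign_assertion(key: bytes, challenge: bytes, origin: str):
    """An origin-bound authenticator signs the challenge together with the origin the
    browser actually saw (HMAC stands in for the real asymmetric signature here).
    Returns (signature, client-reported origin)."""
    client_data = challenge + b"|" + origin.encode()
    return hmac.new(key, client_data, hashlib.sha256).hexdigest(), origin


def verify_assertion(key: bytes, challenge: bytes, expected_origin: str,
                     signature: str, reported_origin: str) -> bool:
    """Relying party: reject a foreign origin, then check the signature covers that origin."""
    if reported_origin != expected_origin:
        return False
    expected = hmac.new(key, challenge + b"|" + reported_origin.encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def relay_assertion(key: bytes, challenge: bytes, proxy_rewrites_origin: bool) -> bool:
    """Proxy fetches the real challenge and presents it on the look-alike page.

    The browser signs with PHISH_ORIGIN. The proxy can forward that honestly (the
    relying party sees the wrong origin) or rewrite the origin field to the legitimate
    one (the signature no longer matches). Either way the assertion is rejected.
    """
    signature, origin = sign_assertion(key, challenge, PHISH_ORIGIN)
    if proxy_rewrites_origin:
        origin = LEGIT_ORIGIN
    return verify_assertion(key, challenge, LEGIT_ORIGIN, signature, origin)


if __name__ == "__main__":
    print("TOTP relayed 5 s later accepted:  ", relay_totp(TOTP_SEED, T0, 5))
    print("TOTP relayed 40 s later accepted: ", relay_totp(TOTP_SEED, T0, 40))
    challenge = b"constructed-random-challenge"
    print("origin-bound assertion relayed:   ", relay_assertion(AUTHENTICATOR_KEY, challenge, False))
    print("... with origin field rewritten:  ", relay_assertion(AUTHENTICATOR_KEY, challenge, True))
```

The practical takeaway for defenders is the same one the Modlishka demonstration made: codes typed by a human (SMS, TOTP, push approval) are relayable, and the fix is a second factor that binds the origin into what is signed, not a longer code or a shorter window.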
In 2019, we will continue to witness new, trickier approaches to phishing.
Open Source Attacks
In November last year, an attacker successfully sneaked a backdoor into a widely used open-source code library with the aim of stealing funds stored in Bitcoin wallets.
Another attack vector would involve becoming an admin of an open-source project, as security researcher Bruce Schneier pointed out:
Many open source projects attain a level of “maturity” where no one really needs any new features and there aren’t a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive. Ironically, these are often projects with millions of users, who trust them specifically because of their stolid, unexciting maturity.
The scenario described is a frightening social-engineering vector for malware distribution: a threat actor volunteers to help maintain the project, makes a few small, positive contributions, and gets commit access. Then a malicious patch is released and, voila, millions of users and apps are compromised.
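The handover pattern leaves traces in ordinary package metadata: a release from an account that has never published before, after a long quiet period, pulling in a dependency the project never had (and sometimes dropping it again in the very next release, so that only users pinned to the old line get it). The script below is an added example, not code from any registry or from the article's sources; it runs those heuristics over a constructed publish history for a hypothetical mature package, and the field names are an assumption loosely modelled on registry metadata rather than a real API.

```python
"""Flag the 'new volunteer maintainer ships a surprise release' pattern in a
package's publish history.

Added example, not code from any registry or the article's sources. The history
below is constructed for a hypothetical mature package; the field names are an
assumption loosely modelled on registry metadata, not a real API.
"""
from datetime import date

DORMANT_DAYS = 365   # a project "at maturity" rarely releases; a release after this long is notable

# Constructed publish history (oldest first).
HISTORY = [
    {"version": "1.8.0", "publisher": "original-maintainer", "published": "2016-03-10",
     "deps": {"through": "^2.3.0"}, "install_script": None},
    {"version": "1.8.1", "publisher": "original-maintainer", "published": "2016-11-02",
     "deps": {"through": "^2.3.0"}, "install_script": None},
    {"version": "1.8.2", "publisher": "helpful-volunteer", "published": "2018-09-09",
     "deps": {"through": "^2.3.0", "tiny-util": "0.1.1"}, "install_script": None},
    {"version": "2.0.0", "publisher": "helpful-volunteer", "published": "2018-09-16",
     "deps": {"through": "^2.3.0"}, "install_script": None},
]


def audit_history(history):
    """Return {version: [(code, detail), ...]} for releases matching at least one heuristic.

    Heuristics (each cheap to compute from metadata alone):
      new-publisher         first release ever by this account
      dormant-then-release  long silence followed by a release
      new-dependency        a dependency the previous release did not have
      new-install-script    an install hook appears where there was none
      transient-dependency  dependency added here and gone again in the very next
                            release (so it only reaches users pinned to this line)
    """
    findings = {}
    seen_publishers = set()
    for i, rel in enumerate(history):
        reasons = []
        if i > 0:
            prev = history[i - 1]
            if rel["publisher"] not in seen_publishers:
                reasons.append(("new-publisher", rel["publisher"]))
            gap = (date.fromisoformat(rel["published"])
                   - date.fromisoformat(prev["published"])).days
            if gap > DORMANT_DAYS:
                reasons.append(("dormant-then-release", f"{gap} days since {prev['version']}"))
            added = sorted(set(rel["deps"]) - set(prev["deps"]))
            for dep in added:
                reasons.append(("new-dependency", f"{dep}@{rel['deps'][dep]}"))
            if rel["install_script"] and not prev["install_script"]:
                reasons.append(("new-install-script", rel["install_script"]))
            if i + 1 < len(history):
                nxt = history[i + 1]
                for dep in added:
                    if dep not in nxt["deps"]:
                        reasons.append(("transient-dependency", f"{dep} only in {rel['version']}"))
        seen_publishers.add(rel["publisher"])
        if reasons:
            findings[rel["version"]] = reasons
    return findings


def codes_for(findings, version):
    """The set of heuristic codes that fired for one version (empty if none)."""
    return {code for code, _ in findings.get(version, [])}


if __name__ == "__main__":
    for version, reasons in audit_history(HISTORY).items():
        print(version)
        for code, detail in reasons:
            print(f"  {code}: {detail}")
```

None of these signals is proof of anything on its own; a legitimate handover looks the same from the outside. Their value is in turning an invisible maintainer change into a review trigger, which is exactly what was missing in the scenario above.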
It’s also worth mentioning that the EU is sponsoring bug bounty programs for vulnerabilities in 14 popular open-source software projects. Interested researchers and bounty hunters are invited to submit their discoveries via the HackerOne and Deloitte’s Intigriti crowdsourced security platforms.