
Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Allan Liska, Senior Solutions Architect at Recorded Future
The Return of Ransomware, Nation-State Crypto-Mining and Apache Struts
Last year was an unprecedented year for the cyber community. At the start of 2018, cryptocurrency was in a bull market; the Cambridge Analytica story was just beginning to expose third-party data sharing and misinformation problems on social media platforms; and organizations were still dealing with the long-tail effects of late 2017's WannaCry ransomware outbreak and the Equifax breach as GDPR came into force. As we enter 2019, ironically, not much has changed besides the public's awareness of the issues we face and the price of bitcoin -- hopefully you didn't buy at the top of the market.
Looking ahead, here are three of my expectations for 2019:
1. Ransomware Returns
Among criminal actors, expect crypto-mining to fall off and ransomware to return; crypto-mining has not been as profitable for many cybercriminals as originally intended. Unless an attacker can infect tens or hundreds of thousands of devices, it is difficult to make even close to the money that a successful ransomware campaign brings in. On the other hand, the actors behind the SamSam, BitPaymer and CrySIS ransomware campaigns have created a blueprint for a new generation of ransomware attacks. By using internet-exposed RDP servers as the method of entry, rather than the more traditional phishing or web exploitation campaigns, these actors have had a lot of success. SamSam, for example, has made almost $6 million from ransomware attacks using this tactic. We are already starting to see new ransomware variants copy this model, and we expect a new crop of ransomware families to continue expanding on it. For defenders, that makes an inventory of RDP endpoints reachable from the internet, and monitoring of the authentication attempts against them, the first check to run.
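The entry vector described above shows up in the Windows Security log long before the ransomware runs: a burst of failed interactive remote logons (event 4625, logon type 10, which is RemoteInteractive, i.e. RDP) from one source, followed by a success (event 4624). The following detector is an added example written for this article, not code from the author or from Recorded Future; it runs over a constructed, simplified one-line-per-event rendering of those events (real Windows logs are XML or EVTX, so the parsing is an assumption), and the threshold and window are arbitrary starting values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample log: one simplified line per Windows Security event (not real data).
# 203.0.113.9 hammers several accounts over RDP and then gets in; 198.51.100.7 is a normal user.
SAMPLE_LOG = """\
2018-12-03T02:14:01Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.9
2018-12-03T02:14:02Z EventID=4625 LogonType=10 Account=admin Source=203.0.113.9
2018-12-03T02:14:03Z EventID=4625 LogonType=10 Account=backup Source=203.0.113.9
2018-12-03T02:14:04Z EventID=4625 LogonType=10 Account=sqlsvc Source=203.0.113.9
2018-12-03T02:14:05Z EventID=4625 LogonType=10 Account=scanner Source=203.0.113.9
2018-12-03T02:14:06Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.9
2018-12-03T02:14:09Z EventID=4624 LogonType=10 Account=administrator Source=203.0.113.9
2018-12-03T02:20:00Z EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.7
2018-12-03T02:20:30Z EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.7
"""

# Field layout of the constructed format above (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

RDP_LOGON_TYPE = 10  # RemoteInteractive; see the usage note about NLA and logon type 3


def parse_events(text: str) -> List[dict]:
    """Turn the sample lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "acct": m["acct"],
            "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> Dict[str, str]:
    """Map source address -> verdict.

    A source is "brute-force" once it has `threshold` RDP logon failures inside a
    sliding `window`; a later RDP success from a flagged source upgrades it to
    "brute-force-then-success", which is the case that deserves an immediate response.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    verdicts: Dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != RDP_LOGON_TYPE:
            continue
        q = failures[ev["src"]]
        if ev["eid"] == 4625:
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                verdicts.setdefault(ev["src"], "brute-force")
        elif ev["eid"] == 4624 and verdicts.get(ev["src"]) == "brute-force":
            verdicts[ev["src"]] = "brute-force-then-success"
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

One caveat a practitioner should apply before relying on this: when Network Level Authentication is enabled, failed RDP authentication is frequently recorded with logon type 3 rather than 10, so production logic should accept both and key on the source address; and a flagged source with a subsequent success is the record to treat as a probable SamSam-style intrusion, not merely noise.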
2. Nation-State Crypto-Mining
There will be more heavily sanctioned nation-state actors engaging in crypto-mining attacks. North Korea has used crypto-mining as a successful strategy to raise money for the state despite being heavily sanctioned. This strategy appears to be replicated by the Houthi forces in Yemen, and there have been rumors of the same type of activity in Venezuela and Iran. More nations that are sanctioned, or otherwise have limited access to funds, will turn to cryptocurrency mining to replenish their coffers.
3. Apache Struts Exploit
There will be a major breach announced that originated with an Apache Struts vulnerability. In 2018 we saw the release of two critical Apache Struts advisories, CVE-2018-1327 (a remotely triggerable denial of service in the REST plugin) and CVE-2018-11776 (remote code execution through a crafted namespace in the request URL), and there are already a number of botnets scanning for these vulnerabilities. Apache Struts presents a unique challenge because it is baked into so many other programs that are designed to be internet facing, which means that a traditional network vulnerability scanner, fingerprinting the application rather than the libraries bundled inside it, may not detect Apache Struts at all, while the botnets scanning for the vulnerabilities will pick it up. The reliable check is on the inside: inventory the deployed archives for the Struts jars they contain.
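Because a network scanner cannot see a Struts jar buried inside a WAR inside an EAR, the practical check is a filesystem inventory. The script below is an added example written for this article, not code from the author or the Apache Struts project: it walks a directory tree, opens every JAR/WAR/EAR, recurses into nested archives, and reports each struts2-core jar it finds together with whether the version predates the S2-057 fix for CVE-2018-11776 (affected: 2.3 up to 2.3.34 and 2.5 up to 2.5.16; fixed in 2.3.35 and 2.5.17). The jar-name pattern is the one Struts 2 ships under but is still an assumption of this check (a shaded or renamed jar would be missed), and the sample EAR is constructed in memory so the example runs offline.

```python
import io
import os
import re
import zipfile
from typing import Iterator, List, Tuple

# Struts 2 ships its core as struts2-core-<version>.jar; matching that name anywhere
# inside an archive is the detection heuristic this example relies on.
STRUTS_CORE_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")

# First fixed release per affected minor line, from the S2-057 advisory (CVE-2018-11776).
S2_057_FIXED = {3: (2, 3, 35), 5: (2, 5, 17)}

NESTED_ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.16' -> (2, 5, 16); tuples compare correctly, unlike the strings."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_to_cve_2018_11776(version: str) -> bool:
    """True if a 2.3.x or 2.5.x Struts version is older than the S2-057 fix."""
    ver = parse_version(version)
    if len(ver) < 2 or ver[0] != 2:
        return False  # outside the lines the advisory covers; not a clean bill of health
    fixed = S2_057_FIXED.get(ver[1])
    if fixed is None:
        return False
    return ver < fixed


def iter_struts_versions(archive: zipfile.ZipFile, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for every struts2-core jar, recursing into nested archives."""
    for name in archive.namelist():
        location = f"{path}/{name}" if path else name
        match = STRUTS_CORE_RE.search(name)
        if match:
            yield location, match.group(1)
        elif name.lower().endswith(NESTED_ARCHIVES):
            data = archive.read(name)
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue  # not actually a zip container; nothing to descend into
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                yield from iter_struts_versions(inner, location)


def scan_archive_bytes(data: bytes, label: str) -> List[Tuple[str, str, bool]]:
    """Scan one archive held in memory; returns (location, version, vulnerable) triples."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(loc, ver, vulnerable_to_cve_2018_11776(ver))
                for loc, ver in iter_struts_versions(zf, label)]


def scan_path(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment directory (e.g. an app server's deploy/webapps folder)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname.lower().endswith(NESTED_ARCHIVES) and zipfile.is_zipfile(full):
                with open(full, "rb") as fh:
                    findings.extend(scan_archive_bytes(fh.read(), full))
    return findings


def build_sample_ear() -> bytes:
    """Constructed sample: an EAR wrapping a WAR that bundles Struts 2.5.16 (not real artefacts)."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/struts2-core-2.5.16.jar", b"")  # placeholder; the name is what matters
        z.writestr("WEB-INF/lib/commons-lang3-3.8.jar", b"")    # unrelated jar, must be ignored
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr("app.war", war.getvalue())
        z.writestr("META-INF/application.xml", b"<application/>")
    return ear.getvalue()


if __name__ == "__main__":
    for location, version, vulnerable in scan_archive_bytes(build_sample_ear(), "sample.ear"):
        status = "VULNERABLE (CVE-2018-11776)" if vulnerable else "fixed or out of scope"
        print(f"{location}: struts2-core {version}: {status}")
```

Run `scan_path("/opt/tomcat/webapps")` (or wherever the application server deploys) to inventory a real host. A hit on a pre-fix version means the code is present; whether CVE-2018-11776 is actually exploitable on that deployment additionally depends on the action and namespace configuration conditions spelled out in the S2-057 advisory, so treat the version finding as the trigger for patching rather than as proof of exploitability.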
About the Author
Allan Liska is an intelligence analyst at Recorded Future. Allan has more than 15
years' experience in information security and has worked as both a blue teamer
and a red teamer for the intelligence community and the private sector. Allan
has helped countless organizations improve their security posture using more
effective and integrated intelligence. Allan is also one of the organizers of
BSides Bordeaux and has presented at security conferences around the world on a
variety of topics. He is the author of The Practice of Network Security,
Building an Intelligence-Led Security Program, and Securing NTP: A Quickstart
Guide and the co-author of DNS Security: Defending the Domain Name System and
Ransomware: Defending Against Digital Extortion.