Original URL: https://www.theregister.com/2014/05/27/data_malware/

After the cyberpunks, prepare to fight a new wave of nasties

Sometimes the FUD is real

By Tom Brewster

Posted in Security, 27th May 2014 10:50 GMT

Presagers of doom in the IT industry have sometimes got it horribly wrong. One need only look back 14 years to the millennium bug, which was supposed to bring down the world’s critical systems. The year 2000 came and went with no digital cataclysm in sight.

Even the smartest people make grand claims about imminent threats. Robert Metcalfe, who co-invented Ethernet, claimed in 1995 that the internet was on the brink of a “catastrophic collapse”.

He literally ate his own words in 1997, chowing down on a printed copy of the column in which he had made the preposterous prediction.

In the security industry, much is made of fear, uncertainty and doubt, or FUD. Many claim security companies throw FUD around to sell products, making threats seem bigger than they are.

Nevertheless, many of the buzzwords circulating in recent years have referred to genuine emerging threats that security teams would be wise to address.

“All threat vectors continue to develop, many of them at a startling rate,” says Tony Lock, an analyst at Freeform Dynamics.

“Drive-by infections from legitimate websites, especially those using third-party content such as adverts, are increasingly being used to deliver malware. But all vectors, including phishing emails and infected USB and SD drives, remain and continue to evolve.

“The means of targeting high-value individuals or people who could open a way into an organisation are now being commercialised. These threats may escalate in number.”

Real and present danger

The advanced persistent threat, which many simply call a prolonged targeted attack, is a fine example of hype becoming reality.

Criminal hackers used to cast their malware nets far and wide to try to ensnare as many random computers as possible, and many still do. But many crooks have now shifted to focusing on specific companies and specific individuals within them.

Thanks to increasing trust in social networks, from Facebook to LinkedIn, it is easy to glean valuable information about employees from the public internet. That can then be used to craft phishing emails that trick workers into handing over useful data, such as an application login, or into opening files that launch executables and infect the machine.

It is then simply a case of escalating privileges and spreading across the network to set up a surreptitious surveillance operation.

“Targeted attacks have definitely arrived,” says Javvad Malik, an analyst at 451 Research.

“There was some shoulder-shrugging and chin-rubbing when targeted attacks were first introduced to the mainstream and initially many assumed it would affect only the largest of enterprises with the biggest payloads.

“But this has come downstream and even consumers are affected. One could almost say that everything is targeted these days. We’ve seen increased sophistication in phishing as well as reports of an exponential rise in ransomware.”

Attackers are developing and using zero-day vulnerabilities to target high-level organisations, from governments to energy companies. This has been evidenced numerous times in 2014.

A recent Microsoft Word zero-day was used in attacks on Taiwanese government bodies in May, while the Elderwood gang has been identified as a zero-day provider for multiple groups, including the Hidden Lynx team connected to targeted attacks on Google and Bit9.

Targeted attacks are a global problem too. The Verizon Data Breach Investigations report from April uncovered 511 incidents of cyber espionage in 2013. Almost half of those were thought to have emanated from east Asia, while a fifth came from eastern Europe.

Et tu, router

Hackers are also turning their attentions to hit various levels of the network. Over the last year, there has been an explosion in router and modem attacks, causing something of a panic in security circles.

“A couple of years ago we published an article about insecurities in small network devices, such as DSL modems and Wi-Fi routers, and the emerging threats that had already started to exploit these vulnerabilities,” says Marta Janus, security researcher at Kaspersky Lab.

“We were aware of a limited number of real-life cases and just a handful of malware samples related to this kind of attack. Having noticed that this approach may prove fruitful for cyber criminals, we predicted it would become a serious issue.”

In March, things reached a head when security-focused non-profit Team Cymru released a report detailing a network of 300,000 hacked routers.

Weak authentication and various vulnerabilities in the firmware used by the routers were exploited by a hacker crew to redirect users to certain websites. Devices from some of the best known manufacturers, including TP-Link, D-Link, Micronet and Tenda, were hacked.

Various kinds of malware specifically target routers, including families such as Darlloz and Moon, while some Windows viruses use routers to re-infect machines, as with a malware variant known as Sality.

“When we look at the widely publicised cyber threat stories from the past year or so, we see attacks on home network devices are now widely used to steal online banking credentials,” says Janus.

Hang on to your Bitcoins

Janus is also unsurprised by the growing range and quality of attacks on crypto-currencies and the organisations dealing in them.

Consumers and businesses using the likes of Bitcoin now have to fear a deluge of malware trying to pilfer wallets. The attacks are cross-platform too, putting any system in danger.

“Another trend that is currently maturing is attacks against the crypto-currencies. In addition to the growing number of Bitcoin-mining Trojans, this year we also discovered Windows and Mac OS X malware designed to steal Bitcoins, in addition to Android SMS-Trojans capable of stealing money from wallets.”

The Bitcoin exchanges are taking a battering too. Mt. Gox suffered the worst, effectively shutting down following a breach that robbed the Bitcoin exchange of $460m.

“I think we can expect more attacks on Bitcoin stock exchanges as this can be very profitable for cyber criminals,” says Janus.

Android in the frame

Mobile threats have been on the horizon for some time, and malware targeting Google’s Android operating system has shown clear signs of maturity in recent months.

“These have been theoretical for some time and there has been a growing number of malicious apps in various stores cropping up but we have yet to see mobile being used as a wholesale attack vector,” says Malik.

“The access mobile devices can provide to an attacker is definitely something businesses should be planning for.”

Google Play has seen some nasty pieces of mobile malware hit the market this year. Even Remote Access Trojans, surreptitious surveillance tools, were spotted on the store in March, disguised as a parental control application.

The toolkits used to make such malware, such as Dendroid, have been proliferating on underground forums too, as data-hungry digital crooks seek to profit from mobile victims.

Yet most of the threats are SMS Trojans, which send messages to premium-rate numbers controlled by the criminals. Indeed, F-Secure data shows 83 per cent of mobile malware carries out this nefarious activity.

Smartphone attacks are multiplying partly because of the immaturity of protections against them.

Google came away red-faced in April when an app called Virus Shield landed on the marketplace, only to be uncovered as a dud.

It is believed the software, which did nothing other than change its icon from a shield with an ‘X’ to one with a tick mark, was put up for sale accidentally. Yet it still sold more than 30,000 copies and made plenty of money for its creators.

Google eventually decided to refund users who had paid for the app. It proved Google’s app-vetting policies weren’t keeping out even basic threats.

Meanwhile, one of the world’s most prolific malware gangs, the Reveton group responsible for some of the most prevalent ransomware types, was seen making a move into Android in May.

Their latest creation, Android.Trojan.Koler.A, is being served up from malicious pornographic sites. As users visit those sites, an application that claims to be a video player for premium porno viewing is downloaded, if users agree.

It then tells users they have been locked out of their phone for trying to view such prurient material and asks for $300 to unlock it. It is a mean trick and a sign that cyber crooks are taking smartphones seriously, knowing there is money to be made from Android users.

At the same time, other kinds of attacks on mobiles are known to have been carried out. The Edward Snowden revelations proved snoops were exploiting data leakage vulnerabilities in mobile apps, including popular titles such as Angry Birds.

By monitoring open Wi-Fi networks, attackers can easily pick up useful data, especially as many modern mobile apps fail to encrypt their traffic properly end to end.

In some cases they use no encryption at all, or use HTTPS for only some of their requests, meaning some transactions are protected and others are not.

In denial

As the complexity of malware has increased, so has the size and scale of distributed denial of service (DDoS) attacks.

Ever-growing botnets have provided attackers with the compute power they need to overwhelm servers with data, while vulnerabilities in web architecture have allowed them to amplify their attacks to record highs.

The latest peak came earlier this year, when a French organisation, which remains unnamed, was hit by a 325Gbps DDoS.

That attack exploited the “monlist” command vulnerability in the Network Time Protocol (NTP), which meant a small request caused an NTP server to respond with many times the data sent.

By spoofing the source IP address of those requests, attackers can direct the outsized responses from thousands of vulnerable NTP servers at a victim to knock it offline.

Darren Anstee, director of solutions architects at anti-DDoS provider Arbor Networks, says the gaming industry is the target of many attacks.

France has some major hosting providers, such as OVH, which contain many of the servers used by gaming providers, hence the significant DDoS activity in the country, he says.

It will come as no surprise if a DDoS surpasses 500Gbps this year, given that there are numerous internet services that can be abused for amplification.

While they don’t provide the same turbo injection to DDoS attacks, the Simple Network Management Protocol and open Domain Name System resolvers are both being used en masse to flood networks.
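The NTP, SNMP and DNS reflection traffic described above has a recognisable shape from the victim's side: large UDP packets arriving from a service port on many hosts the victim never sent requests to, each reply many times larger than any request. The following is an added example of flow-record analysis written for this article, not code from The Register or from any vendor named in it. It generalises from the NTP case in the text to the three reflector services the article mentions, and its flow records, thresholds and IP addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Spot UDP reflection/amplification floods in NetFlow-style flow records.

Added example for illustration; the sample flows below are constructed and
all addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services the article names as amplification reflectors, keyed by server port.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 161: "SNMP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    octets: int    # total bytes carried by the flow
    packets: int   # packets in the flow


def _flow(src, sport, dst, dport, octets, packets, proto="UDP"):
    return Flow(src, sport, dst, dport, proto, octets, packets)


# Constructed sample traffic (assumed values, not captured data).
SAMPLE_FLOWS = [
    # A host syncing its clock normally: one small request, one small reply.
    _flow("198.51.100.5", 50123, "192.0.2.1", 123, 48, 1),
    _flow("192.0.2.1", 123, "198.51.100.5", 50123, 48, 1),
    # A normal DNS lookup and its answer.
    _flow("198.51.100.5", 40001, "192.0.2.53", 53, 60, 1),
    _flow("192.0.2.53", 53, "198.51.100.5", 40001, 120, 1),
    # Reflection burst: four NTP servers each deliver 100 large packets to
    # 203.0.113.10, which never sent them a request (the requests were spoofed).
    _flow("192.0.2.11", 123, "203.0.113.10", 80, 48200, 100),
    _flow("192.0.2.12", 123, "203.0.113.10", 80, 48200, 100),
    _flow("192.0.2.13", 123, "203.0.113.10", 80, 48200, 100),
    _flow("192.0.2.14", 123, "203.0.113.10", 80, 48200, 100),
    # Unrelated TCP traffic, which the detector ignores.
    _flow("198.51.100.5", 51000, "203.0.113.10", 443, 5000, 12, proto="TCP"),
]


def amplification_ratios(flows):
    """Response bytes divided by request bytes for every client/reflector pair
    where both directions were observed. Values far above 1 show a service
    that answers with much more data than it was sent."""
    requests = {}
    for f in flows:
        if f.proto == "UDP" and f.dst_port in REFLECTOR_PORTS:
            requests[(f.src_ip, f.src_port, f.dst_ip, f.dst_port)] = f.octets
    ratios = {}
    for f in flows:
        if f.proto == "UDP" and f.src_port in REFLECTOR_PORTS:
            key = (f.dst_ip, f.dst_port, f.src_ip, f.src_port)
            if key in requests:
                ratios[(f.dst_ip, f.src_ip, REFLECTOR_PORTS[f.src_port])] = f.octets / requests[key]
    return ratios


def detect_reflection(flows, min_reflectors=3, min_avg_packet=400):
    """Alert when a host receives large UDP packets from at least
    min_reflectors distinct reflector-port sources it never queried."""
    requested = set()            # (client, server, server_port) pairs the client asked
    inbound = defaultdict(list)  # (receiver, server_port) -> flows from that port
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dst_port in REFLECTOR_PORTS:
            requested.add((f.src_ip, f.dst_ip, f.dst_port))
        if f.src_port in REFLECTOR_PORTS:
            inbound[(f.dst_ip, f.src_port)].append(f)

    alerts = []
    for (victim, port), fl in sorted(inbound.items()):
        reflectors = {f.src_ip for f in fl}
        unsolicited = {r for r in reflectors if (victim, r, port) not in requested}
        total_octets = sum(f.octets for f in fl)
        total_packets = sum(f.packets for f in fl)
        avg = total_octets / total_packets
        if len(unsolicited) >= min_reflectors and avg >= min_avg_packet:
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(reflectors),
                "unsolicited": len(unsolicited),
                "avg_packet_bytes": round(avg, 1),
                "total_bytes": total_octets,
            })
    return alerts


if __name__ == "__main__":
    for pair, ratio in amplification_ratios(SAMPLE_FLOWS).items():
        print("amplification", pair, f"{ratio:.1f}x")
    for alert in detect_reflection(SAMPLE_FLOWS):
        print("ALERT", alert)
```

On the constructed sample the detector raises a single alert, for 203.0.113.10 receiving NTP traffic averaging 482 bytes per packet from four servers it never queried, while the host's own legitimate NTP and DNS exchanges pass quietly. The "never queried" check matters: the thing that distinguishes reflection from a busy but honest service is that the victim's side of the conversation is missing, because the requests carried a spoofed source. In production the thresholds would be tuned per network, and the same grouping can be run against flow exports from a border router rather than a static list.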

The problem shows little sign of abating, even if companies such as Arbor and Cloudflare claim to have systems that can dampen the effect of epic attacks using traffic scrubbing alongside DDoS detection and IP blocking.

Degrees of separation

As the Internet of Things builds up and objects that weren’t previously connected get an IP address, it is easy to forget some of those devices managing critical systems are already accessible over the web and therefore hackable.

“Everything that is connected to the internet can become a potential entry point to the home or office network for the attacker,” says Janus.

As a prime example, Scada machines, used in energy and water plants, transport and various other national infrastructure systems, have been shown to carry serious vulnerabilities. It is unclear how many of these systems are being hacked, but there is no doubt they can be compromised.

Due to the numerous weaknesses in critical machines, from those managing traffic lights to those helping to run the power grid, many security experts believe there will be an increase in digital attacks with a real destructive effect.

“There are those threats which kind of drop off the radar and no one is really quite sure how they are being used or if they have been used at all because they don’t need to be used en masse,” says Malik.

“For example, industrial control systems have been shown to be vulnerable but there isn’t enough public data available to show that they have been actively exploited.

“On the other hand, you have threats to medical equipment and facilities. How many people's pacemakers have been remotely turned off, or insulin levels tampered with?

“The long and short of it is that just because something isn't widespread, does that mean it hasn’t become a reality?” ®