Grading our Predictions: See how we fared in 1H 2017

In December of last year, we released eight predictions as to what we thought the 2017 cybersecurity landscape would hold. Although we’ve definitely observed new trends and attacks that we didn’t foresee, we’ve also seen several of our predictions play out as anticipated.

With only three and a half months left in the year, we’re taking this opportunity to look back and grade ourselves on some of our own predictions – and we promise to be fair:

1. Ransomware growth will plateau in 2017, but attack methods and targets will diversify – A-

What we said: “We predict a 25% growth in the number of new ransomware families in 2017, translating to an average of 15 new families discovered each month. Although the tipping point has passed in 2016, a period of stabilization will push competing cybercriminals to diversify, hitting more potential victims, platforms, and bigger targets.”

What we’ve seen: Our forecast was mostly accurate; however, the “plateau” is slightly higher than anticipated, with 83 million ransomware threats detected and an average of 28 new families per month. Compared to the alarming 400 percent spike in the number of ransomware families from January to September 2016, this is what we consider a plateau.

Also as predicted, this period of relative stabilization sees cybercriminals focusing on diversifying their pool of potential victims and platforms, and going after bigger targets. New ransomware tactics, techniques and procedures (TTPs) that have emerged include:

  • Erebus ransomware, which targets Linux systems
  • UIWIX ransomware, which exploits the same SMB vulnerabilities as WannaCry but appears to be fileless
  • SLocker mobile ransomware, which featured file-encryption capability and copied the graphical user interface of WannaCry. Overall, mobile ransomware detections rose to 234,000 in six months.

2. Internet of Things (IoT) devices will play a bigger role in DDoS attacks; IIoT systems in targeted attacks – A

What we said: “We predict that in 2017, more cyber attacks will find the IoT and its related infrastructure front and center, whether threat actors use open routers for massive DDoS attacks or a single connected car to stage highly targeted ones.”

What we’ve seen: Although we (thankfully) haven’t experienced an attack equaling the caliber of Mirai, by April we had discovered a piece of malware that confirmed this prediction. The IoT botnet Persirai was targeting more than 1,000 Internet Protocol (IP) camera models based on various Original Equipment Manufacturer (OEM) products. According to Shodan data we gathered in late April, as many as 120,000 IP cameras were vulnerable to the malware.

The second half of this prediction was also proven true through our research paper Rogue Robots: Testing the Limits of an Industrial Robot’s Security, published in collaboration with Politecnico di Milano (POLIMI), which showed that industrial robots can be compromised. Our research revealed 83,000 exposed industrial routers and 28 exposed industrial robots that allowed remote control of the robots, with potential effects ranging from productivity loss and defective products to unsafe work environments and the replacement of multi-million-dollar machines.

3. The simplicity of BEC attacks will drive an increase in the volume of targeted scams in 2017 – A+

What we said: “We predict that this simplicity will make BEC, specifically CEO fraud, a more attractive mode of attack for cybercriminals. The scam is easy and cost-effective, not requiring so much in terms of infrastructure. But the average payout for a successful BEC attack is US$140,000—the price of a small house. The total estimated loss from BEC in two years is US$3 billion.”

What we’ve seen: According to the Federal Bureau of Investigation (FBI), since 2013 global losses from BEC scams have reached US$5.3 billion, making it one of the top threats affecting enterprises in 2017. Additionally, we’ve observed that the most spoofed position in BEC is the CEO, whereas the most targeted positions are CFO and financial directors.

4. Cyberpropaganda will become a norm – A+

What we said: “The upcoming elections in France and Germany, including subsequent movements similar to the United Kingdom (UK)’s withdrawal from the European Union (EU), also known as Brexit, will be influenced by what is being shared and done using electronic media. We will likely see more sensitive information used in cyberpropaganda activities stem from espionage operations such as Pawn Storm. Entities that are able to navigate public opinion using this means in a strategic manner will be able to produce results that favor them. In 2017, we will see much more use, abuse, and misuse of social media.”

What we’ve seen: Exactly that. Most notably, only two days before the May presidential election in France, hackers attempted to sabotage the campaign of frontrunner (now French president) Emmanuel Macron by leaking a 9GB archive of emails from his political party. On Twitter, misinformation about the leaks was spread using #Macronleaks. Additionally, as mentioned in our research paper on Fake News, Chinese, Russian, Middle Eastern, and English-speaking underground markets offer a range of services that can push propaganda, including tools for content creation, boosting social media reach and directly influencing the outcome of online polls through vote buying.

5. Adobe and Apple will outpace Microsoft in terms of platform vulnerability discoveries – A

What we said: “We predict that more software flaws will be discovered in Adobe and Apple products in addition to Microsoft’s. Apart from the fact that Microsoft’s PC shipments have been declining in recent years as more users opt for smartphones and professional-level tablets instead, the vendor’s security mitigations and improvements will also make it more difficult for attackers to find more vulnerabilities in its OS.”

What we’ve seen: Despite the declining number of Apple, Google and Microsoft bugs, it is true that Apple and Adobe are outpacing Microsoft in terms of vulnerabilities disclosed. Meanwhile, Foxit and Adobe product flaws are on the rise. In total, the Trend Micro Zero Day Initiative (ZDI), and the 3,000 independent researchers who submit to the program, discovered and disclosed 382 new vulnerabilities during the first half of this year. ZDI defines a zero-day as a disclosed vulnerability that the vendor has not yet patched. For comparison, only eight zero-days were discovered in the second half of 2016, whereas 49 have been discovered so far in 2017.

6. Threat actors will come up with new targeted attack tactics that circumvent current anti-evasion solutions – B

What we said: “As we observe attackers’ movements and ability to adjust their TTPs to be able to target different organizations in different countries, we predict new and unexpected techniques to emerge in future targeted attacks. We predict that this learning curve will mean using more methods primarily intended to evade most modern security technologies developed in recent years.”

What we’ve seen: Although we haven’t seen the VM escapes we predicted, we didn’t completely miss the mark. Cerber ransomware has evolved to evade pre-execution machine learning detection and now sports defense mechanisms that include anti-sandbox and anti-antivirus techniques.

Overall, we think we scored pretty well on our predictions, but the year isn’t over yet. What we know from the first half of the year is that it is much costlier for enterprises to experience a breach than it is to secure their networks now. The complete report demonstrates what we’ve faced and what Trend Micro has protected customers from this year, which can help businesses prioritize security protection moving forward – before the next major attack occurs.

Source: Jon Clay