Was The Crystal Ball Crystal Clear? Reflecting on 2018 Cybersecurity Predictions


We’re halfway through 2018 and several cybersecurity predictions made in late 2017 have, unfortunately, already come true. From cryptojackers becoming an actual threat to organizations instead of just a nuisance for end users, to hardware vulnerabilities that may even impact decade-old CPUs, and IoT threats that have increased in sophistication, 2018 has been quite eventful.

The reason cybersecurity predictions are usually accurate has to do with understanding how cybercriminals operate and what tools they use. A crystal ball might help, but it usually boils down to spotting trends and patterns in the use of techniques and tools that have a low barrier to entry when it comes to being weaponized. Financial motivation is usually a strong factor with threat actors and, if they’re presented with an easy way to make money, they’ll likely take it. Understanding all this helps security experts make accurate predictions and build or improve defenses before these threats become viral.

Reviewing 2018 Predictions

Meltdown and Spectre CPU vulnerabilities were revealed just days into the start of the new year, potentially impacting not just CPU performance, but also the security of affected systems. CPU manufacturers, software developers, and security companies rushed to deploy patches and mitigations that would prevent threat actors from exploiting the vulnerability, to address what is considered one of the most massive coordinated endeavors by the entire industry.

Meanwhile, the growing popularity of cryptocurrencies led to the emergence of a new cryptomining technique — one that didn’t involve relying on expensive GPU-powered rigs, but on commodity CPUs. Browser-based cryptocurrency mining quickly became popular because it was presented as an easy way to generate revenue by using the computing power of incoming visitors, instead of relying on traditional ads. Faced with a new method for generating easy revenue, threat actors quickly embraced the browser-based mining script and illicitly placed it on high traffic websites to tap into the collective computing power of visitors to mine for cryptocurrencies.

While average users were initially the main group impacted, threat actors started targeting large businesses and organizations that could meet their ever-increasing need for computing power. From water utility infrastructures to Linux servers and containerization solutions, cryptojackers were stealthily deployed in all types of infrastructure, generating cryptocurrency for attackers potentially worth millions of dollars. Unlike ransomware, which is very intrusive and disruptive, cryptojackers allow threat actors to remain undetected for months by throttling down CPUs’ computing consumption just enough to fly below the radar of traditional IT and security teams.

The IoT threat landscape has also aligned to security experts’ predictions, with botnets becoming the new norm and even potentially being used by governments to disrupt critical infrastructures. Malware persistency on IoTs has also occurred in 2018, with VPNFilter proving the predictions right. With security experts estimating that the VPNFilter botnet was specifically created to disrupt critical infrastructure in a massive and coordinated denial-of-service attack, other botnets such as Hide ‘N’ Seek are constantly improved with new “features.” Although Hide ‘N’ Seek’s supported command list doesn’t currently include support for DDoS attacks, it is capable of file exfiltration, potentially for espionage or extortion.

What to Expect Next

In addition to the proliferation of ransomware and cryptojackers, fileless malware also shares the spotlight. Threat actors have already started using fileless malware in conjunction with cryptojackers when infecting organizations, as fileless attacks can sometimes pass undetected by traditional security solutions. Traditionally, fileless attacks have been associated with advanced and sophisticated threats. The low barrier to entry has made them quite popular in delivering even seemingly benign threats, such as cryptocurrency miners.

Malware samples that use lateral movement techniques and tools to spread across an organization’s infrastructure will also become more prevalent. Cryptojackers have recently made use of the military-grade cyber weapon EternalBlue—used to spread the WannaCry ransomware—in conjunction with Mimikatz, a tool for harvesting credentials. Dubbed WannaMine, it is likely that we’ll see future threats use these mechanisms for spreading and moving laterally.

The use of machine learning algorithms for cybercrime is looking more like a certainty as the year progresses. Researchers have already demonstrated how machine learning can strengthen brute force techniques by learning how to generate texts. Even botnets could be made “smarter” by replacing the traditional Command and Control server with machine learning algorithms that can adapt and perform repeated attacks on known vulnerabilities. Machine learning could potentially be used as a new decentralization mechanism for controlling and commanding bots.

Supply chain attacks similar to 2017’s CCleaner are likely to occur again by the end of 2018, as advanced and sophisticated attacks against organizations are more likely to succeed if popular tools are tampered with and delivered.

Protecting Against What’s to Come

Layered security solutions that can protect against a wide range of threats and attack vectors are a critical security measure and should ensure complete visibility across the entire infrastructure. The security posture of an organization is also strengthened by the integration of endpoint detection and response solutions which are carefully planned, then executed as an iterative process that supports a continuously updated incident response plan. Security is a perpetual cycle in which potential threats are identified from the first security warning all the way to updating or implementing new security policies that prevent such attacks.

Cryptojackers have become the new norm, and their presence in an infrastructure is a clear sign of a data breach. Security teams must investigate to determine whether these threat actors have already accessed or exfiltrated sensitive data before deploying the cryptocurrency mining client. Establishing a performance baseline for how the infrastructure normally operates may help spot any anomalous computing spikes that could indicate the presence of a stealth cryptojacker.

Critical infrastructures and organizations that have deployed, or are considering deploying, IoTs within their infrastructures should consider network segmentation, firewalls, and constant updates of all their devices’ firmware, as this will not only help prevent threat actors from remotely dialing into vulnerable devices, but also minimize the potential fallout caused by a compromised smart device.


About Author

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments. His passions revolve around innovative technologies and gadgets, focusing on their security applications and long-term strategic impact. When he's not online, he's either taking something apart or putting it back together again.