Kevin Stear

2017: time for a wake-up call

Blog post by Kevin Stear, Dec 29, 2016

I am keenly aware that many of us are carrying lots of baggage from the myriad 2016 happenings that threatened free and open societies, but I need you to shake it off and consider the following:


Life is increasingly data dependent, and the Internet is increasingly at risk

First off, it’s a fairly obvious point, but life (not just world commerce) is increasingly data dependent. Just how many commercials have you seen where a hipster parent taps a smartphone app to check on their home automation setup? Setting aside your need to lock the car doors while away on beach vacation, our daily data addiction is better exhibited through our appetite for texting, social media, streaming music, Google, and the many other conveniences of taking the Internet with you. Like it or not, we have rapidly become a connected culture. And while our data reliance seems like a logical progression of technology within our society, few are aware of how precarious the balance is. In recent years, the Internet has become a huge enabler of practically every market sector… but it has also become an increasingly volatile place to operate.


Figure (source: Deloitte[1])


The increasing volatility of the Internet was clearly demonstrated during the second half of 2016 by a wave of critical service outages (e.g., Dyn[2]) and the continued rise of malware. We’ll discuss the Internet of Things (IoT) a bit further on in this post; for now let’s focus on crimeware, where actors “saturated both the rural and urban U.S. populace with ransomware, and constantly improved their tactics, execution and business model to evade detection by current solutions”[3]. A number of FirstWatch investigations (i.e., our previous analysis of Cerber and Locky campaigns) provide further evidence, documenting a growing maturity in the crimeware operating model, from innovative attack vectors and diversified revenue streams to customer service for ‘victim assistance’. These are all part of the recipe that allowed ransomware to see unprecedented revenues in 2016.


Maybe that’s not enough evidence though… So let’s consider Methbot, a Russian botnet that exploited online advertising. In this case, actors gamed the Real Time Bidding process (central to how online exchanges auction and place advertising) by forging nearly 600,000 IP address registrations so that the addresses appeared to belong to major US internet service providers (ISPs), and by creating “more than 250,000 fake web pages with counterfeit inventory from over 6,000 top-line publishers, including The Economist, The Huffington Post, Vogue, ESPN, Fox News and CBS Sports. Methbot generated between 200 and 300 million bogus video ad impressions per day” to fraudulently earn revenue estimated at more than $1 billion[4]. That means that late 2016 crimeware initiatives earned more than the projected GDP of 14 countries[5].


2017 will be the year of crimeware from Eastern Ukraine

So maybe 2016 was just a bad year; why expect 2017 to bring further escalation of crimeware? The answer lies more in the ‘where’… and the answer is Eastern Ukraine. Since the initial invasion in early 2014, Crimea and the separatist-held parts of Eastern Ukraine have been largely under the control of Russian military and intelligence organizations, and it’s no coincidence that the area has become a hotbed for cyber activity.



Figure: Ukraine map as of 18 December 2016[6] (source: BleepingComputer)


Consider the context of the ongoing BlackEnergy attacks against Ukrainian power infrastructure and banking[7], which are increasingly suspected of involving the Russian state. It has also been widely reported that the Russian GRU (‘Glavnoye razvedyvatel'noye upravleniye’, which translates to Main Intelligence Directorate) was responsible for deploying malware into an Android app used by Ukrainian artillery units in order to gather intelligence from it[8]. Clearly the Russian state is engaged in an active cyber campaign in the region.


But is the increase in crimeware related? During our investigations of the summer ransomware attacks, we did note Cerber domains registered to Ukrainian citizens, and even to the street address of the Holy Trinity Cathedral in Donetsk; additionally, SKS-Lugan (operating out of Alchevs’k) continues to gain notoriety as a cyber-crime-friendly ISP[9]. Both Donetsk and Alchevs’k fall within the pro-Russian separatist areas of control shown in the map above. So… are crimeware actors simply taking advantage of the near-bulletproof operating environment that is Eastern Ukraine? Or has Putin connected the dots and begun to directly leverage crimeware to fund his ‘operations’? While it remains unclear, somehow that second idea rings more true each day. Either way, it is likely that we will see continued heightened cyber (and specifically crimeware) operations out of the region in 2017.


My toaster and the Internet of Things are ready to ruin everyone’s day

The situation in Eastern Ukraine is pretty bleak, and its cyber campaigns are certainly going to keep security industry folks busy. But as if that weren’t bleak enough, now we have to talk about the Internet of Things (IoT) and why you should be very afraid… First and foremost, let’s all agree that the IoT comprises all the ‘dumb’ networked devices around our homes and offices (e.g., routers, thermostats, sprinklers, refrigerators, Amazon Echos, etc.). Unfortunately, we (society) may have lost our heads a bit in the frenzy to field all these flavors of connected devices; apparently security wasn’t a calculated concern.


As evidence, 2016 witnessed the first major IoT exploitation at scale in the simple brilliance of Mirai, its botnet armies, and their historically massive distributed denial of service (DDoS) capabilities. Mirai’s method was anything but sophisticated: it scanned the Internet for devices exposing Telnet, logged in with a short list of factory-default usernames and passwords, and turned each compromised device into a DDoS bot. The practical defense is equally unglamorous: change or disable default credentials, and don’t expose management interfaces (Telnet, SSH, web admin pages) to the Internet. The fact that these sleeper botnets exist is disturbing enough, but perhaps even more significant is that Mirai broke the silence about the ‘middle-school-quality’ security of large swathes of the Internet of Things. Despite a frenzy of OEM patching and rapid growth in the emerging IoT security market, our devices are going to be a welcoming attack surface for Mirai and other IoT-related campaigns for years to come.



Figure: 650Gbps DDoS attack from the Leet botnet on 21 December 2016[10] (source: Imperva)


If you’re still not making the connection, the vulnerabilities in the IoT effectively mean that everything from our privacy to critical infrastructure[11] to personal safety[12] might be in jeopardy. Now imagine what happens when opportunistic crimeware actors leverage IoT vulnerabilities for a myriad of nefarious purposes… car and TV ransomware[13], heating systems over-driven to the point of failure, privacy leaks from Amazon Echos[14], public transportation outages[15]… the list of possibilities goes on and on. Scared yet?


The Bottom Line

Thanks for the lessons in humility, 2016. It’s clear that with the plethora of IoT vulnerabilities and the potential for their exploitation from bulletproof operating environments (i.e., Eastern Ukraine), 2017 will usher in a new level of threat to our (society’s) ever-increasing data habit. Now is the time to start shoring up the levees.


