• Avast 2020 Threat Assessment

    From Marc Lewis@1:396/45 to All on Sunday, January 05, 2020 19:28:58
    Hello All.

    The Avast Threat Labs monitors and protects our more than 400
    million users worldwide from the latest threats. Avast detects
    threats in near real time and blocks about 1.5 billion attacks a
    month. This scope gives us valuable insights into, and knowledge
    of, the most prevalent threats which allows us to quickly protect
    against emerging threats, and provides us with the
    ability to map trends that allow Avast experts from various
    fields to try and predict future threats as well.

    For 2020, we predict advancements to be made in terms of how
    malware is delivered to PCs, including: more sophisticated
    methods of spreading threats via malicious emails; through a
    resurgence of exploit kits; via supply chain attacks; and
    by abusing the Remote Desktop Protocol (RDP).

    On the mobile side, we predict that more subscription scams and
    fake apps will make their way onto official app stores, and that
    more iOS vulnerabilities will be exposed by researchers and bad
    actors alike.

    In terms of Internet of Things devices, we predict devices and
    even physical locations will become smart or even smarter than
    they already are. We have already started to see cybercriminals
    taking steps to further develop IoT malware, including adding
    obfuscation to make it more difficult for analysts to analyze,
    and building upon exploit kits for smart devices.

    Finally, we expect privacy will become the new frontier for
    security, especially when it comes to big data collected for AI

    For more than a decade, malicious email spam, also known as
    malspam, was one of the primary ways cybercriminals spread
    malware. At the same time, antivirus companies, and email
    providers alike have heavily invested in spam filtering, greatly
    improving the detection of malicious attachments, and more. This
    in turn has caused adversaries to continuously innovate to
    better their chances of reaching potential victims.

    Earlier this year, the banking trojan Emotet, which has been
    around since 2014, began spreading using a new technique. In
    addition to spreading via malspam, Emotet began scanning
    victims’ email inboxes and replying to emails, including
    malicious attachments, and thus infecting further users.

    Similarly, there have been cases of malware creating stealthy
    filters on email servers to steal new incoming messages, to
    either spy on victims, or to add a malicious payload to the
    email to then send back into the conversation.

    Furthermore, there is an entire cybercrime business focused on
    stealing and reselling SMTP (Simple Mail Transfer Protocol)
    credentials, which are the same credentials used to log into an
    email account. SMTP is used by email clients to send emails, and
    using stolen SMTP credentials, cybercriminals can send malicious
    emails appearing to be from specific people.

    We predict emails will continue to be the number one mechanism
    to spread malware, but we expect the methods used to send them
    will become more sophisticated, and that cybercriminals will
    begin using adversarial AI to prepare and send emails with
    malicious or phishing content or attachments.


    PC Predictions
    Resurgence of exploit kits:

    While email is and will most likely remain the primary method to
    spread malware, there are other more sophisticated methods we
    predict will be taken advantage of within the next year. One of
    them is exploit kits.

    Exploits are code that take advantage of vulnerabilities, and
    exploit kits are programs that exploit multiple vulnerabilities.
    Exploit kits are used by cybercriminals to gain access to
    devices, mainly via malvertising.

    When someone visits a site with malvertising running an exploit
    kit, the kit searches for vulnerabilities in the software the
    visitor uses to deliver and execute malware, such as trojans, or
    ransomware. Many cybercriminals rent out exploit kits on the
    darknet for further cybercriminals to abuse. Some of the most
    active exploit kits we have seen during 2019 were RIG and
    Fallout, which are offered as a service from anywhere between
    $700 USD to $2,000 USD a month.

    In the past, exploit kits used to
    be one of the main methods of
    spreading malware, however, from 2016 - 2017, the exploit
    business appeared to be on a decline. However, in the past two
    to three years, exploit kits have undergone heavy development,
    and cybercriminals are now adding new exploits and techniques to
    evade antivirus detections, including detecting virtual machines
    and malware analysis tools.

    In 2019, we also saw an increase in router exploit kits, mainly
    targeting Brazilians, but also local U.S. and Canadian Internet
    Service Providers.

    We expect to see an increase in the amount and sophistication of
    exploit kits, targeting PCs and routers in 2020.


    PC Predictions
    Supply chain attacks will continue to make headlines:

    We've been predicting an increase in supply chain attacks for a
    few years now and have observed their rise over the past two
    years. We don't expect this trend to stop.

    APT (Advanced Persistent Threat) groups are attempting to
    infiltrate software companies with massive user bases to inject
    malicious code into genuine products. The motivation behind
    supply chain attacks often differs. We have observed cases where
    just a fraction of the affected user base is the actual target
    of a supply chain attack. This was the case in the CCleaner
    attack in 2017, and in the ASUS supply chain attack in 2018.

    On the other hand, there are cases where the motivation behind
    supply chain attacks is mass destruction, like with the NotPetya
    attack. Cybercriminals spread the NotPetya ransomware, more
    precisely wiper, by compromising Ukrainian account software,


    PC Predictions
    RDP -- Innocent until used for evil:

    The Remote Desktop Protocol (RDP), a feature included in every
    Windows version since XP, is used to allow remote access from
    one machine to another, e.g. an employee working remotely can
    access a workstation or server located in their company. It
    could be as simple as running RDP client software on a laptop
    and connecting to a machine with the RDP server counterpart. RDP
    then provides an encrypted connection between both endpoints.
    The usefulness of connecting remotely to a desktop using RDP has
    changed the way much of the world conducts business. It is,
    unfortunately, also one of the most attractive methods for
    cybercriminals to infiltrate a victim's network and deliver the
    malicious payload.

    In the past, cybercriminals have either brute-forced, or
    guessed, weak credentials to gain access. With newly discovered
    RDP vulnerabilities, such as BlueKeep, there are even more
    opportunities for cybercriminals.

    In the past few years, cybercriminals have abused the feature to
    distribute ransomware to small and medium businesses.

    In 2020, we expect to see a significant increase in all types of
    attacks on RDP.

    We are likely to see cybercriminals abusing weakly configured
    servers with RDP as well as exploiting RDP vulnerabilities -
    whatever will be more profitable for them at a time. The
    majority of delivered malicious payloads will probably still be
    ransomware, but we expect a rise in distribution of coin-miners
    and password stealers. We also expect to see the spread of
    worm-like strains similar to WannaCry.


    PC Predictions
    About Jakub Kroustek

    Jakub is Head of the Threat Intelligence Systems at Avast. Jakub
    is a passionate malware hunter and researcher with a love of
    reverse engineering. His expertise lies in ransomware, botnets,
    and automating all the boring stuff.

    Jakub hates malware, but enjoys analyzing it and spreading the
    word about his findings including presentations on conferences
    such as Virus Bulletin, CARO, or Botconf.

    Jakub holds a Ph.D. degree in Computer Science and Engineering
    from the Brno University of Technology.


    Mobile Subscription scams and fake apps:

    On the mobile side, we predict that more subscription scams and
    fake apps will make their way onto official app stores.

    Subscription scams allow people to use an app for free
    for a limited period of time, and if the subscription is
    not canceled, the app charges customers higher than usual fees
    — often on a weekly or monthly bas
    is. We expect we will see
    subscription scam apps rise on both the Google Play Store and the
    Apple App Store.

    Fake apps, on the other hand, are illegitimate apps posing
    as benign ones in order to drive downloads, to collect personal
    data, and expose people to advertisements or malware.

    Cybercriminals are resorting to subscription scams and fake
    apps, as it is difficult to surpass official app store
    security checks.


    iOS jailbreaks opening the door:

    On the iOS side, based on the latest findings from the iOS
    jailbreak community, we expect more vulnerabilities will be
    exposed by researchers and bad actors alike. The checkm8
    jailbreak exploit, discovered this year, is a very serious
    vulnerability as it exploits the first thing that runs on
    iOS devices when they are turned on, thus allowing access
    to anything that comes after. Additionally, it can’t ever be
    updated or fixed on the existing devices, as the exploited code
    is in a read-only memory. The only “fix” is to buy a
    new device, like the iPhone XS / XR or newer.

    While the exploit requires physical access to the
    targeted device, criminals and even government agencies have
    gained a new tool for their arsenal.

    We are already seeing community projects, like checkra1n,
    providing high-quality semi-tethered jailbreaks based on the
    checkm8 bootrom exploit. This could enable researchers to
    discover more vulnerabilities which, we hope, will be
    reported to Apple and not used for evil.

    About Nikolaos Chrysaidos

    Nikolaos Chrysaidos is Head of Mobile Threat Intelligence
    and Security at Avast, leading mobile security projects,
    mobile threat intelligence, and threat prevention. In his
    day-to-day work, he drives mobile forensics, malware
    analysis, reverse engineering, and application penetration
    testing to stay ahead of current mobile threats and security issues.Additionally, Nikolaos and his team work on
    apklab.io, a mobile threat intelligence platform designed to
    make it easier for security researchers to hunt and analyze
    mobile malware.Nikolaos holds a Bachelor of Science in
    Computing from the University of Wales, and a Master of
    Science in CyberSecurity from the University of York, and has
    successfully presented at various conferences such as AVAR,
    CARO, RSA, BSides, and MWC 360.


    Internet of Things (IoT)
    Smarter smart devices and places:

    In terms of the IoT, we predict smart devices will become
    even smarter, collecting more data about users, to learn and
    predict user behavior. This will be done to target users
    with advertisements, similar to how websites collect user
    data to better target users with ads based on their preferences.
    We also predict a rise in the number of ‘smart supermarkets’
    like Amazon Go, which track customers, the items they
    select, and allow customers to walk out of the store
    without cashing out at a register.

    Smart devices and locations that collect data offer
    convenience but they limit people’s control over their
    privacy. Additionally, companies collecting and storing a
    plethora of customer data make attractive targets for data
    hungry cybercriminals looking to sell data for financial gain
    on underground markets.

    More sophisticated IoT malware:

    We have already noticed cybercriminals adding sophisticated
    defences to IoT malware, adding obfuscation to their code,
    similar to how cybercriminals attempt to protect their
    Windows malware code from being analyzed by researchers,
    and we expect this to continue as more people adopt
    smart devices, widening the IoT attack surface.

    Internet of Things (IoT)
    About Anna Shirokova:

    Anna Shirokova is a security researcher at Avast, focusing on
    the IoT threat landscape. Anna has presented at leading industry
    events including Botconf, Troopers, BruCon, Wacco Workshop,
    Virus Bulletin, and Black Hat Europe.Anna also works on the
    Stratosphere IPS project where she analyzes attacks carried ou
    on IoT devices, and publishes her findings along with other
    project team members.


    Internet of Things (IoT)
    RCE exploits:

    Remote code execution vulnerabilities allow cybercriminals to
    exploit devices, execute commands, download malware, and gain
    control of vulnerable devices. Successful botnets have
    taken advantage of zero-day RCE exploits for particular
    devices. Nevertheless, n-day exploits, or known exploits,
    are also effective and used daily, as not every IoT
    vulnerability is patched and updated fast enough.

    As new smart devices are introduced to the market, new
    exploits are developed and released and malware authors
    can build upon older, already established malware families,
    expanding them with newly released exploits to widen their
    IoT attack surface. We expect this trend to continue and
    predict that large botnets will be even easier to build in the


    Botnet infrastructure:

    Malware authors have been making progress in preparing their
    attack infrastructure. The ‘state of the art’ botnets
    have progressed from the early-days of IoT malware with
    hard-coded C&C servers to become well-designed fully-fledged
    networks using a variety of techniques, both client-server
    and peer-to-peer based. We have seen IoT malware adopting
    DNS-over-HTTPS, Tor communication, proxies, and different
    encryption methods, and we expect malware authors will
    adopt other security practices to make their networks more

    We also expect to see progress when it comes to botnet
    monetization. Although DDoS attacks and cryptocurrency
    mining are still the most popular uses of botnets, we
    foresee more specialized botnets for proxying, information
    gathering, or eavesdropping will appear in 2020.

    Internet of Things (IoT)
    About Daniel Uhricek:

    Daniel Uhricek is a security researcher at Avast. Daniel
    works on multiple areas within IoT threat research. His
    expertise comes from tracking IoT malware on a daily basis
    and developing tools to hunt and analyze malware. His interests
    include Linux, networking, and data analysis.Daniel is
    currently a Master's student of Computer Security at the
    CTU in Prague, Czech Republic.


    Artificial Intelligence (AI)
    Privacy will become the new frontier for security:

    The general public and legislature are becoming aware of the
    dangers of a society with little privacy, and we are seeing a
    number of regulation attempts around the world, e.g. in
    Europe (GDPR), and California, U.S. (CCPA), to provide
    protection and control over personal privacy. AI has,
    unfortunately, been a major driver for the harnessing of
    private data and the resultant lack of privacy.

    In the coming year, we will see practical applications
    of AI algorithms, including differential privacy, a system
    in which a description of patterns in a dataset is shared
    while withholding information about individuals, to profit
    from big data insights as we do today, but without
    exposing all the private details.


    Data ownership:

    There is recent work, for example, Data Shapley, to
    attribute value to individual pieces of data provided by
    users. While we do not foresee a monetization of personal
    data in 2020 yet, we hope to start seeing initial products that
    at least allow individuals to control their own data,
    e.g. to decide whether and which companies can harness data,
    and what data they can use.

    Artificial Intelligence (AI)
    About Rajarshi Gupta

    Rajarshi Gupta is the Head of Artificial Intelligence at Avast,
    responsible for Avast’s AI products and research.Dr. Gupta
    manages data science teams in Silicon Valley and Europe, leading
    AI-driven malware detection and mobile protection,
    together with network security for Smart Home, Avast's
    next-generation IoT security platform.Prior to joining Avast,
    Dr. Gupta worked at Qualcomm Research for many years,
    where he created "Snapdragon Smart Protect", the first ever
    product to ac
    hieve On-Device Machine Learning for Security.
    Dr. Gupta has authored over 200 issued U.S. Patents.Dr. Gupta
    holds a PhD in Electrical Engineering and Computer Science from
    UC Berkeley.


    Best regards,

    --- timEd/2 1.10.y2k+
    * Origin: Sursum Corda! BBS-Huntsville,AL-bbs.sursum-corda.com (1:396/45)