Cyber criminals are continuing to reshape the threat landscape as they update their tactics and escalate their attacks against businesses, governments, and even the infrastructure of the internet itself. The Threat Lab’s 2019 predictions span from highly likely to audacious, but consistent across all eight is that there’s hope for preventing them. Organizations of all sizes need to look ahead at what new threats might be around the corner, prepare for evolving attacks and ensure they’re equipped with layered security defenses to meet them head-on.
I. Prediction: AI-Driven Chatbots Go Rogue
In 2019, cyber criminals and black hat hackers will create malicious chatbots that try to socially engineer victims into clicking links, downloading files or sharing private information. As artificial intelligence and machine-learning technologies have improved over the past few years, automated chat robots have become increasingly common. Chatbots are now a useful first layer of customer support and engagement that allow actual human support representatives to address more complex issues.
But life-like AI chatbots also offer new attack vectors for hackers. A hijacked chatbot could misdirect victims to nefarious links rather than legitimate ones. Attackers could also leverage web application flaws in legitimate websites to insert a malicious chatbot into a site that doesn’t have one. For example, an attacker could force a fake chatbot to pop up while a victim is viewing a banking website, asking if they need help finding something. The chatbot might then recommend that the victim click on malicious links to fake bank resources rather than real ones. Those links could allow the attacker to do anything from installing malware to hijacking the bank’s site connection.
In short, next year attackers will start to experiment with malicious chatbots to socially engineer victims. They will start with basic text-based bots, but in the future, they could use human speech bots like Google Duplex to socially engineer victims over the phone or other voice connections.
II. Prediction: Utilities and Industrial Control Systems Targeted with Ransomware
Next year, targeted ransomware campaigns will focus on utilities and industrial control systems (ICSs). The average payment demand will increase by 6500 percent, from an average of $300 to $20,000 per payment. These attacks will result in real-world consequences like blackouts and loss of access to public utilities.
Ransomware has plagued the internet over the past five years, starting with CryptoLocker, the first really successful crypto-ransomware, and culminating with WannaCry, the first fast-spreading ransomworm. During these past years, cyber criminals have blasted out broad ransomware campaigns at everyone, looking to infect as many victims as possible while asking each for a relatively meager ransom.
However, over the past year hackers have shifted to targeted attacks that come with bigger payouts. Launching ransomware against organizations that offer critical services increases the odds that the ransom will be paid. Forty-five percent of all ransomware attacks in 2017 targeted healthcare organizations, like the NHS in the UK. In 2016, the Hollywood Presbyterian Medical Center paid a $17,000 ransom to regain control of its computer systems, and other major ransomware attacks hit MedStar Health and Alvarado Hospital Medical Center, among dozens of others. Many U.S. cities were also hit with ransomware in 2017 and 2018, including Baltimore and Atlanta.
In 2019, cyber criminals will target public utilities and ICSs. These are vital services that have not yet been targeted by widespread ransomware attacks and therefore may not be as prepared for this type of attack. Cyber criminals know that any ransomware that can cause downtime to these services will get swift attention, allowing them to ask for considerably more money in return. This has the potential to cause blackouts and gaps in water and power services if these attacks are successful. To summarize, expect to see fewer ransomware attacks next year, but more focused attacks – specifically targeted towards utilities and ICS – with ransom demands increasing by 6500 percent.
III. Prediction: The United Nations Proposes a Cyber Security Treaty
In 2019, the United Nations will address the issue of state-sponsored cyber-attacks by enacting a multinational Cyber Security Treaty. There are many examples of alleged and confirmed cyber-attacks launched by nation-states. The U.S. and Israel allegedly launched the Stuxnet attack. The Russian government has been accused of everything from DDoS attacks against Estonia and turning off the power in Ukraine to election and political hacking in the United States. North Korea, meanwhile, has allegedly attacked public and civilian organizations and infrastructure, targeted Sony Pictures and ostensibly caused billions in damage in the WannaCry attack.
Many governments have blamed China for various cyberattacks focused on intellectual property, but the most recent “straw on the camel’s back” is the Supermicro supply-chain attack, where the People’s Liberation Army (PLA) has been accused of sneaking backdoors into servers sent around the world (though many dispute this story). These alleged attacks cost billions in damages and put supply chains responsible for 90 percent of computing devices at risk, showing that cyber-attacks often cause enormous economic damage outside of their intended targets.
The growing number of civilian victims impacted by these attacks will cause the UN to more aggressively pursue a multinational cyber security treaty that establishes rules of engagement and impactful consequences around nation-state cyber campaigns. They have talked and argued about this topic in the past, but the most recent incidents – as well as new ones sure to surface in 2019 – will finally force the UN to come to some consensus.
IV. Prediction: A Nation-State Launches a “Fire Sale” Attack
You may remember the fictional concept of a “fire sale” attack from the fourth Die Hard movie, in which a terrorist group planned a coordinated cyber-attack against U.S. transportation, financial, and public utilities and communication systems. The terrorists meant to use the fear and confusion caused by the attack to siphon off huge sums of money and disappear without a trace. In 2019, we will see a version of this fictional attack become a reality.
As unlikely as this attack might have seemed in the late 2000s, many modern cyber security incidents suggest that nation-states and terrorists have developed these capabilities. Cyber criminals and nation-states have launched huge distributed denial-of-service (DDoS) attacks that can take down entire countries’ infrastructure and could certainly hamper communications systems. The U.S. government claims foreign actors have already been targeting and probing the defenses of public utility and energy systems. We’ve seen these nation-sponsored attacks targeting financial systems like SWIFT to steal millions. Nation-states have also used social media and other communication systems to poison public perception with fake news.
In summary, each of these individual types of attack is already possible. It’s just a matter of time before some country combines many attacks as a smoke screen for a larger operation.
V. Prediction: Fileless, Self-Propagating “Vaporworms” Attack
In 2019, a new breed of fileless malware will emerge, with wormlike properties that allow it to self-propagate through vulnerable systems and avoid detection. It has been over 15 years since the Code Red computer worm spread through hundreds of thousands of vulnerable Microsoft IIS web servers in an early example of a fileless worm. Since then, both worms and fileless malware have impacted networks worldwide individually, but rarely as a combined attack.
Fileless malware, which runs entirely in memory without ever dropping a file onto the infected system, continues to grow in popularity. Sophisticated attackers prefer this method because without a malicious file to scan, traditional endpoint antivirus controls have a hard time detecting and blocking fileless threats. This results in higher infection rates. Pair this with systems running unpatched and vulnerable software that’s ripe for worm exploitation, and you have a recipe for disaster.
Last year, a hacker group known as the Shadow Brokers caused significant damage by releasing several zero-day vulnerabilities in Microsoft Windows. It only took a month for attackers to add these vulnerabilities to ransomware, leading to two of the most damaging cyber-attacks to date in WannaCry and NotPetya. This isn’t the first time that new zero-day vulnerabilities in Windows fueled the proliferation of a worm, and it won’t be the last. Next year, “vaporworms” will emerge: fileless malware that self-propagates by exploiting vulnerabilities.
VI. Prediction: WPA3 Circumvented by a Layer 2 Threat Vector
In 2019, one of the six Wi-Fi threat categories as defined by the Trusted Wireless Environment Framework will be used to compromise a WPA3 Wi-Fi network despite the enhancements in the new WPA3 encryption standard. Unless more comprehensive security is built into Wi-Fi infrastructure, users will be fed a false sense of security with WPA3, while remaining susceptible to threats like Evil Twin APs.
WPA3 is the next evolution of the Wi-Fi encryption protocol. It has undergone significant improvements over WPA2, but it still does not provide protection from the six known Wi-Fi threat categories. These threats operate primarily at Layer 2 and include: rogue APs, rogue clients, evil twin APs, neighbor APs, ad-hoc networks and misconfigured APs.
The Evil Twin AP, for example, is very likely to be used in Enhanced Open Wi-Fi networks as opportunistic wireless encryption (OWE) can still take place between a victim client and an attacker’s Evil Twin AP that is broadcasting the same SSID and possibly the same BSSID as a legitimate AP nearby. Although OWE would keep the session safe from eavesdropping, the victim’s Wi-Fi traffic would flow through the Evil Twin AP and into the hands of a man-in-the-middle (MitM) that can intercept credentials, and plant malware and remote backdoors. It’s highly likely that we’ll see at least one of the threat categories utilized to compromise a WPA3 network in 2019, and our money is on the Evil Twin AP.
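Because an Evil Twin is defined by what it copies (the SSID, and possibly the BSSID), a defender can compare what is heard on the air against an inventory of authorized APs. The sketch below is an added example, not part of the original article or any vendor's product; the inventory format, the verdict names and all SSIDs, BSSIDs and channels are constructed assumptions.

```python
from typing import NamedTuple

class AP(NamedTuple):
    ssid: str
    bssid: str
    channel: int
    security: str

# Constructed inventory of authorized APs, keyed by lower-case BSSID (assumed format).
AUTHORIZED = {
    "02:00:00:aa:00:01": AP("CorpGuest", "02:00:00:aa:00:01", 36, "OWE"),
    "02:00:00:aa:00:02": AP("CorpGuest", "02:00:00:aa:00:02", 149, "OWE"),
}

# Constructed scan results, as a sensor or survey tool might report them.
SCAN = [
    AP("CorpGuest", "02:00:00:aa:00:01", 36, "OWE"),   # matches inventory
    AP("CorpGuest", "02:00:00:bb:00:09", 36, "OWE"),   # our SSID, unknown radio
    AP("CorpGuest", "02:00:00:AA:00:02", 6, "OWE"),    # our BSSID, wrong channel
    AP("CoffeeShop", "02:00:00:cc:00:01", 11, "OPEN"), # neighbor network
]

def classify(obs, authorized=AUTHORIZED):
    """Return a verdict for one observed AP (verdict names are illustrative)."""
    known_ssids = {ap.ssid for ap in authorized.values()}
    ref = authorized.get(obs.bssid.lower())
    if ref is None:
        # Unknown radio: only interesting if it advertises one of our SSIDs.
        return "ssid-clone" if obs.ssid in known_ssids else "unrelated"
    # Known BSSID: every advertised attribute must match the inventory record.
    if (obs.ssid, obs.channel, obs.security) != (ref.ssid, ref.channel, ref.security):
        return "bssid-clone"
    return "authorized"

def suspects(scan, authorized=AUTHORIZED):
    """List (bssid, verdict) for observations that look like an Evil Twin."""
    flagged = []
    for obs in scan:
        verdict = classify(obs, authorized)
        if verdict in ("ssid-clone", "bssid-clone"):
            flagged.append((obs.bssid.lower(), verdict))
    return flagged

if __name__ == "__main__":
    for bssid, verdict in suspects(SCAN):
        print(bssid, verdict)
```

A twin that also copies the channel and security mode of the AP it imitates passes this check, and a "bssid-clone" verdict can equally mean an authorized AP that has drifted from its recorded configuration, so both verdicts are leads to investigate rather than proof.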
VII. Prediction: Biometrics as Single-Factor Authentication Exploited by Attackers
As biometric logins become more common, hackers will take advantage of their use as a single-factor method of authentication to pull off a major attack in 2019. Biometric login methods such as face and fingerprint readers on consumer devices like smartphones and gaming consoles present a tempting target for hackers.
While biometrics are more convenient than remembering many complex passwords, and they are more secure than poor passwords, they are still just a single method of authentication. If people don’t add a second form of authentication, cyber criminals that successfully hack biometrics can easily gain access to their personal and financial data.
But aren’t biometrics much harder to crack? Well, a researcher fooled a fingerprint scanner with gummy bears in 2002, and a hobbyist hacking group defeated the iPhone’s TouchID in 2013. In 2017, a Vietnamese security group claimed to have created a mask that can fool Apple’s FaceID. It’s only a matter of time before hackers perfect these methods and exploit the growing trend of biometrics as the sole form of authentication.
Of course, users can prevent these hacks by using multi-factor authentication. We believe that enough of the public will continue using single-factor biometric authentication in 2019 that hackers will take advantage of their naivete and pull off a major biometric hack.
VIII. Prediction: Attackers Hold the Internet Hostage
Next year, a hacktivist organization or nation-state will launch a coordinated attack against the infrastructure of the internet. The industry already saw the impact of an attack against a critical piece of internet infrastructure when a DDoS attack against DNS hosting provider, Dyn, took down many popular websites including Twitter, Reddit, and Amazon.com.
Around the same time, security expert Bruce Schneier noted that attackers were probing several unnamed companies that provide similar critical internet services for potential weaknesses. A DDoS attack of this magnitude against a major registrar like Verisign could take down an entire top-level domain’s (TLD) worth of websites. Imagine the impact if every single .com address was no longer resolvable.
Even the protocol that drives the internet itself, Border Gateway Protocol (BGP), operates largely on the honor system. Only 0.1 percent of the internet’s autonomous system numbers (ASNs, collections of IP address routes under control of an organization) have deployed Route Origin Validation, meaning the other 99.9 percent are wide open for hostile takeover from route hijacking.
The bottom line: the internet itself is ripe for the taking by someone with the resources to DDoS multiple critical points on the internet or abuse the underlying protocols themselves. With nation-state and hacktivism attacks ramping up recently, we could see cyber attackers take down the internet in 2019.
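To show what Route Origin Validation actually checks, here is the decision procedure from RFC 6811 as an added example (not part of the original article). The ROA entries use documentation prefixes and reserved ASNs and are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix the holder has authorized
    max_length: int  # longest prefix length that may be announced
    asn: int         # the only AS allowed to originate it

# Constructed ROA set (documentation prefixes, reserved ASNs).
ROAS = [
    ROA("198.51.100.0/24", 24, 64500),
    ROA("203.0.113.0/24", 24, 64501),
    ROA("2001:db8::/32", 48, 64500),
]

def validate_origin(route_prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the authorized origin and a permitted prefix length.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but never matched: wrong origin or too specific (hijack pattern).
    return "invalid" if covered else "not-found"

def routes_to_reject(announcements, roas=ROAS):
    """Keep only the announcements a validating router would drop."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, roas) == "invalid"]

if __name__ == "__main__":
    sample = [  # constructed announcements
        ("198.51.100.0/24", 64500),    # legitimate origin
        ("198.51.100.0/24", 64666),    # wrong origin AS
        ("198.51.100.128/25", 64500),  # more specific than max_length allows
        ("192.0.2.0/24", 64500),       # no ROA published
    ]
    for prefix, asn in sample:
        print(prefix, asn, validate_origin(prefix, asn))
```

Prefixes with no covering ROA come back "not-found" and are normally still accepted, so a network gains hijack protection for its own space only once it publishes ROAs and its peers drop "invalid" routes.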
About the author
Corey Nachreiner is the Chief Technology Officer at WatchGuard Technologies. A front-line cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys "modding" any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.