This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Bing Sun, with assistance from Andy Cheng, Yingwu Han, Haifei Li, Qiang Liu, Shennan Wang, Jun Xie, Chong Xu, and Stanley Zhu.
Our research into threats to networks and applications shows three top targets of malware developers. They aim zero-day and advanced persistent threat attacks at vulnerabilities in Microsoft Internet Explorer (including IE plug-ins and ActiveX controls), Adobe applications (including Reader/PDF and Flash), and Oracle's (formerly Sun's) Java. We also see vulnerabilities in Microsoft Office and in other native Windows components (such as GDI+, the kernel, and drivers) exploited in the wild. These targets are favorites every year, so it is not hard to predict where attackers will look in 2014.
- Browsers will remain the primary target for remote code execution attacks. A browser exposes a broad attack surface that can be leveraged for exploitation, including third-party plug-ins and support for several scripting languages that give an attacker fine control over memory layout.
- The prevalence of vulnerabilities in Adobe applications will increase, perhaps related to the leak of Adobe source code. Adobe product vulnerabilities, especially in Flash, are often chained with vulnerabilities in other applications (browsers, Office, etc.) to bypass protections.
- Java vulnerabilities and exploits, whether in the Java virtual machine or in the native component layer, will remain very popular. Unlike memory-corruption exploits, Java sandbox-escape exploits need no shellcode-like payload and no bypass of memory protections such as DEP or ASLR, so they are more reliable and easier to write. Although Java's security was tightened in later Java 7 updates (a security prompt now warns users before any unsigned applet runs, for example), many users will lower the setting or click through the prompt to avoid the noise. Moreover, we suspect many Java users still run old or unsupported versions because of compatibility issues with legacy Java applications, or simply out of bad habit. This would explain why so many old Java vulnerabilities are still actively exploited by exploit kits.
- Attackers will continue to find holes in Office. Our analysis of the recent Office exploit CVE-2013-3906 (a malformed TIFF image embedded in a .docx) reminded us that Office document formats are containers designed to carry many other kinds of content (such as OLE objects). Such a rich set of features, some perhaps unknown or hidden, will inspire attackers to find new weaknesses in these applications. From this exploit we know that a Word document can embed a number of ActiveX controls to perform a heap spray, and can load a DEP-incompatible module (VB6) that causes Windows to disable data execution prevention for the entire process.
- Kernel-mode elevation-of-privilege vulnerabilities will be widely exploited in combination with application vulnerabilities to achieve both temporary and persistent infections. Microsoft's Patch Tuesday security bulletins regularly include patches for kernel-mode vulnerabilities, notably in the GUI subsystem (win32k.sys). Kernel-mode issues accounted for roughly one-quarter of all Microsoft product vulnerabilities in 2013. Given the complexity of kernel-mode components, we foresee that the number of kernel vulnerabilities in 2014 will be at least as high as in 2013.
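The following is an added example, not part of the McAfee post and not McAfee's tooling: a static triage check of the kind the CVE-2013-3906 carrier suggests. It walks a .docx container, flags image parts that are really TIFF data regardless of their file extension, lists embedded OLE objects, and counts ActiveX control parts, since a pile of them is the in-document heap-spray pattern. The sample document is constructed in memory, and the ActiveX-count threshold is an assumption, not a figure from the post.

```python
"""Static triage of an OOXML (.docx) container for the carrier features of the
CVE-2013-3906 exploit: a TIFF image part (which reaches the GDI+ TIFF parser)
and many ActiveX control parts (the in-document heap spray).
Added example; the sample document below is constructed, not a real one."""
import io
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little-endian / big-endian TIFF headers
ACTIVEX_SPRAY_THRESHOLD = 4              # assumption: ordinary documents rarely carry this many


def scan_docx(data: bytes) -> dict:
    """Return the suspicious parts found inside the .docx bytes."""
    report = {"tiff_parts": [], "activex_parts": [], "ole_parts": [], "extension_mismatch": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.startswith("word/activex/") and lower.endswith(".bin"):
                report["activex_parts"].append(name)     # ActiveX control parts (OLE storages)
            elif lower.startswith("word/embeddings/"):
                report["ole_parts"].append(name)         # embedded OLE objects
            elif lower.startswith("word/media/"):
                with zf.open(info) as part:
                    head = part.read(4)
                # Sniff the content rather than trusting the extension
                if head in TIFF_MAGICS:
                    report["tiff_parts"].append(name)
                    if not lower.endswith((".tif", ".tiff")):
                        report["extension_mismatch"].append(name)
    return report


def verdict(report: dict) -> list:
    """Human-readable reasons the document deserves a closer look."""
    reasons = []
    if report["tiff_parts"]:
        reasons.append("embedded TIFF image (GDI+ TIFF parser reachable)")
    if len(report["activex_parts"]) >= ACTIVEX_SPRAY_THRESHOLD:
        reasons.append(f"{len(report['activex_parts'])} ActiveX parts (heap-spray pattern)")
    if report["extension_mismatch"]:
        reasons.append("image content does not match its extension")
    return reasons


def build_sample_docx(malicious: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with the suspicious parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if malicious:
            # TIFF header bytes stored under a .jpg name
            zf.writestr("word/media/image1.jpg", b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16)
            for i in range(1, 7):   # six ActiveX parts, each a (truncated) OLE storage
                zf.writestr(f"word/activeX/activeX{i}.bin", b"\xd0\xcf\x11\xe0" + b"\x41" * 64)
        else:
            zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("suspect", build_sample_docx(True))):
        print(label, verdict(scan_docx(doc)))
```

A check like this is a first-pass filter only: it says nothing about whether the TIFF is actually malformed, and a document with a single legitimate TIFF will trip the first rule, so the reasons are meant to route a file to deeper analysis rather than to convict it.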
To add to our worries, exploits have become more advanced in their reliability, persistence, and ability to bypass various protections. Further predictions:
- Native operating system and application protection mechanisms are not adequate to detect and stop advanced exploits, and attackers will increase their efforts to break these defenses in 2014. Although both OS and application vendors have made many security improvements, attackers keep finding new ways to build reliable exploits, as the 2013 Pwn2Own contest demonstrated. For example, the combination of data execution prevention and address space layout randomization is routinely defeated by a memory-disclosure bug (to learn where a module is loaded) followed by return-oriented programming (to run code from pages that are already executable).
- Many exploits are now aware of network and endpoint security software. In our research we have seen API hook hopping become a standard weapon of advanced shellcode: rather than calling a monitored API at its entry point, the shellcode executes the function's first instructions itself and jumps past the inline hook that the security software placed there, so the call is never observed. We have seen this technique in wide use, especially in zero-day exploits, and we expect exploit tools such as the Metasploit Framework and Canvas to add it soon.
- Many applications have implemented "sandbox" solutions that confine malicious behavior to a restricted environment to minimize its impact; Office, Adobe Reader, and Google Chrome each have one. To break out of an application-level sandbox and affect the whole system, an attacker must chain more than one vulnerability into a multistage exploit. An elevation-of-privilege vulnerability lets the attacker escape the sandbox and install malware on the compromised system, and a kernel-mode vulnerability is especially handy here because it yields code execution in Ring 0, beneath any user-mode sandbox. We expect more attackers to take advantage of kernel exploits to escape application-level sandboxes.
- We believe exploits (especially zero-days and those used in advanced persistent threats) will soon evolve to include features that defeat analysis sandboxes, the detonation environments that security products use to observe a sample. First, exploits will become stealthier, especially in the post-exploitation stage: they will leave as few footprints as possible, because sandbox detection relies heavily on post-infection behavior to identify an attack. Second, more exploits will detect, or even escape from, the analysis sandbox. Although the latter seems difficult, it is possible.
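As an added illustration of the hook-hopping point (not code from the post, and not exploit code): a user-mode monitor typically places an inline hook at an API's entry point by overwriting its first bytes with a jump to a trampoline, and hopping shellcode replays those original bytes itself and resumes at the first intact instruction after the hook. The same knowledge lets a detector decide whether an entry point has been patched and where a hopper would land. The function below compares a live copy of an entry point with a clean reference (for example the bytes of the same function in the DLL on disk), classifies the hook, and computes the hop point. It assumes 32-bit code that uses the standard hot-patchable prologue (`mov edi,edi; push ebp; mov ebp,esp`); the entry address and byte images are constructed, and `ENTRY` is not a real export address.

```python
"""Detect an inline hook at a 32-bit API entry point and compute the point at
which hook-hopping shellcode would resume. Added example with constructed
byte images and addresses; not McAfee's tooling and not exploit code."""
import struct

# Standard hot-patchable x86 prologue: mov edi,edi ; push ebp ; mov ebp,esp
HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")
# Instruction boundaries inside that prologue (offset just after each instruction)
HOTPATCH_BOUNDARIES = (2, 3, 5)


def classify_hook(entry_addr: int, live: bytes) -> dict:
    """Recognise the common jump-style hooks at the first instruction."""
    op = live[0]
    if op == 0xE9 and len(live) >= 5:                       # jmp rel32
        rel = struct.unpack_from("<i", live, 1)[0]
        return {"kind": "jmp_rel32", "patched_len": 5,
                "target": (entry_addr + 5 + rel) & 0xFFFFFFFF}
    if op == 0xEB and len(live) >= 2:                       # jmp rel8
        rel = struct.unpack_from("<b", live, 1)[0]
        return {"kind": "jmp_rel8", "patched_len": 2,
                "target": (entry_addr + 2 + rel) & 0xFFFFFFFF}
    if live[:2] == b"\xFF\x25" and len(live) >= 6:          # jmp dword ptr [abs32]
        ptr = struct.unpack_from("<I", live, 2)[0]
        return {"kind": "jmp_indirect", "patched_len": 6, "target": ptr}
    return {"kind": "unknown", "patched_len": None, "target": None}


def inspect_entry(entry_addr: int, live: bytes, clean: bytes) -> dict:
    """Compare live entry bytes against a clean reference copy.

    Returns whether the entry was modified, the hook's kind and target, the
    original bytes a hopper must execute itself, and the address at which it
    would resume (None when working that out needs a real disassembler)."""
    n = min(len(live), len(clean))
    result = {"hooked": live[:n] != clean[:n], "kind": "none", "target": None,
              "reexecute": b"", "hop_addr": None}
    if not result["hooked"]:
        return result
    hook = classify_hook(entry_addr, live)
    result["kind"], result["target"] = hook["kind"], hook["target"]
    patched = hook["patched_len"]
    if patched is None or not clean.startswith(HOTPATCH_PROLOGUE):
        return result                # instruction boundaries unknown without disassembly
    # The hopper replays the overwritten instructions from the clean copy and
    # continues at the first instruction boundary the hook did not damage.
    for boundary in HOTPATCH_BOUNDARIES:
        if boundary >= patched:
            result["reexecute"] = clean[:boundary]
            result["hop_addr"] = entry_addr + boundary
            break
    return result


# Constructed memory images (the address is arbitrary, not a real export)
ENTRY = 0x7C801D7B
CLEAN_CODE = HOTPATCH_PROLOGUE + bytes.fromhex("8B4508C3")   # mov eax,[ebp+8] ; ret


def hooked_image(trampoline: int) -> bytes:
    """Overwrite the first five bytes with jmp rel32 to the trampoline, as a monitor would."""
    rel = (trampoline - (ENTRY + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel) + CLEAN_CODE[5:]


if __name__ == "__main__":
    print(inspect_entry(ENTRY, CLEAN_CODE, CLEAN_CODE))
    print(inspect_entry(ENTRY, hooked_image(0x10001000), CLEAN_CODE))
```

The boundary logic is the practical caveat: a 5-byte `jmp rel32` overwrites exactly the hot-patch prologue, so the hop point is entry+5, but a 6-byte indirect jump also clobbers the first byte of the next instruction, and neither a hopper nor a detector can place the resume point without disassembling the clean copy. A monitor that wants to survive hopping therefore should not rely on the entry-point hook alone.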
The post 2014 Threats Predictions: Network and Host Attacks Will Again Target Adobe and Microsoft Apps, Java appeared first on McAfee.
Energy is crucial to our modern lifestyle. Disturbingly, reports of attempted attacks against the companies and industries that supply it are increasing every year. In the first half of 2013, the energy sector was the fifth most targeted sector worldwide, experiencing 7.6 percent of all cyberattacks. So it is not surprising that in May 2013 the US Department of Homeland Security warned of a rising tide of attacks aimed at sabotaging processes at energy companies. At Symantec, our researchers are finding that traditional energy utility companies are particularly concerned about scenarios created by the likes of Stuxnet or Disttrack/Shamoon, which can sabotage industrial facilities.
We are also learning that aggressors who target the energy sector try to steal intellectual property on new technology, such as wind or solar power generators or gas field exploration charts. While a data theft incident may not pose an immediate and catastrophic threat to a company, it can create a longer-term strategic threat: the stolen information could later be used to perform more disruptive actions.
The motivations and origins of attacks vary considerably. A competitor may commission actions against energy companies to gain an unfair advantage, and "hackers for hire" groups such as the Hidden Lynx group are more than willing to engage in this type of activity. State-sponsored hackers could target energy firms in an attempt to disable critical infrastructure. Hacktivist groups may also victimize companies to further their political goals. Symantec researchers know these threats can originate from anywhere in the world, and sometimes from within company walls: insiders who are familiar with the systems can carry out attacks for extortion, bribery or revenge. Disruptions can also simply happen by accident, through a misconfiguration or a system glitch. For example, in May 2013 the Austrian power grid nearly suffered a blackout due to a configuration issue.
Our research has found that modern energy systems are becoming more complex. Supervisory control and data acquisition (SCADA) and industrial control systems (ICS) often sit outside traditional security perimeters. And as smart grid technology continues to gain momentum, more new energy systems will be connected to the Internet of Things, which opens up the new security vulnerabilities that come with countless connected devices. In addition, many countries have started to open the energy market and add smaller contributors to the electric power grid, such as private hydroelectric plants, wind turbines or solar collectors. While these smaller sites make up only a small portion of the grid, the decentralized power feeds can be a challenge to manage with limited IT resources and need careful monitoring to avoid small outages that could create a domino effect throughout the larger grid.
We see the need for a collaborative approach that combines IT security and industrial control system security to protect the industry's information. To partner in this effort, Symantec has conducted an in-depth study of attacks on the energy sector over the past 12 months. The research presents the facts and figures and covers the methods, motivations, and history of these attacks.
The following infographic illustrates some of the key points around attacks against the industries in the energy sector.