SCCyberworld

Wednesday, December 19, 2012

Fortinet’s FortiGuard Labs Reveals 2013 Threat Predictions


Expected Trends Include Mobile Advanced Persistent Threats, Exploits Through Machine-to-Machine Communications and Cross-Platform Botnets

MALAYSIA, 19 December 2012 - Fortinet, a world leader in high-performance network security, today revealed FortiGuard Labs' 2013 threat predictions, highlighting six threats to watch out for next year.

Top 6 Security Predictions for 2013

1. APTs Target Individuals through Mobile Platforms
Advanced Persistent Threats (APTs) are defined by their use of sophisticated technology and multiple methods and vectors to reach specific targets and obtain sensitive or classified information. The most recent examples include Stuxnet, Flame and Gauss. In 2013 we predict we will see APTs aimed at individuals rather than organizations, including CEOs, celebrities and political figures. Verifying this prediction will be difficult: once attackers have the information they want, they can quietly remove the malware from the target device before the victim realizes an attack has occurred, and individuals who do discover they were victims are unlikely to report it to the media. Because these attacks hit individuals first rather than critical infrastructure, governments or public companies, the kind of information targeted will also differ. Attackers will look for material they can use for criminal purposes such as blackmail, threatening to leak it unless they are paid.

2. Two Factor Authentication Replaces Single Password Sign on Security Model
The password-only security model is dead. Freely downloadable tools can crack a simple four- or five-character password in minutes, and cloud-based cracking services let an attacker try 300 million candidate passwords in 20 minutes for less than USD 20. At that rate every printable-ASCII password of up to four characters (about 81 million combinations) falls in a few minutes; longer alphanumeric passwords with special characters fall over a typical lunch hour when they are dictionary words or common patterns rather than random strings. Password hashes stored in databases (often exfiltrated through Web portals via SQL injection) and captured WPA2 wireless handshakes will be popular targets for such cloud cracking services. We predict that next year more businesses will implement some form of two-factor authentication for employees and customers: a Web login that requires the user's password plus a one-time code delivered to the user's mobile device or generated by a standalone security token. Zitmo, the mobile component of the Zeus botnet, has already defeated SMS-delivered codes on Android by intercepting the messages, and RSA's SecurID token system was compromised in a 2011 breach, but this one-two punch is still the most effective method for securing online activities.
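To make the login model described above concrete, the following is an added example written for this page; it is not Fortinet or FortiGuard Labs code. It shows a server-side check of a password plus a six-digit time-based code of the kind a phone app or hardware token produces, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The user record, password, secret and timestamps are constructed for the demo; the secret is the test secret published in RFC 6238, so the codes can be compared against the standard's own vectors. Two details matter for the attacks the paragraph mentions: both factors are always evaluated so a failure does not reveal which one was wrong, and each accepted code is burned so it cannot be replayed within its validity window. Burning a code does not help if an SMS-intercepting trojan such as Zitmo uses it before the victim does, which is why a generator on a separate token is preferable to SMS delivery.

```python
"""Two-factor login check: password plus a time-based one-time code (RFC 6238).

Added example for this article, not Fortinet or FortiGuard Labs code.
Every user record, secret and timestamp below is constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # work factor for the stored password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """First factor: salted PBKDF2-HMAC-SHA256 of the password.
    Only the hash and salt are stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is the value a phone app or hardware token displays."""
    return hotp(secret, unix_time // step, digits)


class Account:
    """One enrolled user: password hash, shared TOTP secret, and the
    highest time-step counter already accepted (for replay rejection)."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1


def verify_login(acct: Account, password: str, code: str,
                 now: Optional[int] = None, step: int = 30, window: int = 1) -> bool:
    """Accept only if BOTH factors pass and the code has not been used before.

    `window` tolerates +/- one step of clock drift between server and token.
    Both factors are always evaluated so the response does not reveal
    which one failed."""
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

    base = now // step
    matched = None
    for c in range(max(base - window, 0), base + window + 1):
        if hmac.compare_digest(hotp(acct.totp_secret, c).encode(), code.encode()):
            matched = c

    if not pw_ok or matched is None or matched <= acct.last_counter:
        return False
    acct.last_counter = matched  # burn the code: a replayed OTP is rejected
    return True


if __name__ == "__main__":
    # RFC 6238 test secret, so the codes can be checked against the RFC's vectors.
    secret = b"12345678901234567890"
    user = Account("correct horse battery", secret)
    print(totp(secret, 59))                                                 # 287082
    print(verify_login(user, "correct horse battery", "287082", now=59))    # True
    print(verify_login(user, "correct horse battery", "287082", now=61))    # False: replay
```

The drift window means a code from the previous or next 30-second step is also accepted, so `last_counter` must record the step that matched rather than the current step; otherwise a code accepted early could be replayed once the clock catches up.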

3. Exploits to Target Machine-to-Machine (M2M) Communications
Machine-to-machine (M2M) communication refers to technologies that allow wired and wireless systems to communicate with other devices that have the same capability. It could be a refrigerator that tells a home server it is time to buy milk and eggs, an airport camera that photographs a person's face and cross-references the image against a database of known terrorists, or a medical device that regulates oxygen to an accident victim and alerts hospital staff when that person's heart rate drops below a threshold. The practical possibilities of M2M are inspiring, since it can remove human error from many situations, but there are still too many open questions about how to secure it. We predict that next year we will see the first publicly known exploitation of an M2M system, most likely in a platform related to national security such as a weapons development facility. The likely route is poisoning the information streams that traverse the M2M channel so that one machine mishandles the poisoned input, creating a vulnerability that gives the attacker a foothold at that point.

4. Exploits Circumvent the Sandbox
Sandboxing is a practice often employed by security technology to isolate running programs and applications so that malicious code cannot move from one process (e.g. a document reader) to another (e.g. the operating system). Several vendors, including Adobe and Apple, have taken this approach and more are likely to follow. As the technology is put in place, attackers will naturally try to circumvent it. FortiGuard Labs has already seen a few exploits that can break out of virtual machine (VM) and sandboxed environments, such as the Adobe Reader X sandbox bypass. The most recent sandbox exploits have either remained in stealth mode (suggesting the code is still under development and test) or have actively attempted to circumvent both technologies. Next year we expect to see innovative exploit code designed specifically to circumvent the sandbox environments used by security appliances and mobile devices.

5. Cross Platform Botnets
In 2012, FortiGuard Labs analyzed mobile botnets such as Zitmo and found that they have many of the same features and functionality as traditional PC botnets. In 2013, thanks to this feature parity between platforms, the team predicts we will begin to see new forms of Denial of Service (DoS) attacks that use PCs and mobile devices simultaneously. For example, an infected mobile device and an infected PC will share the same command and control (C&C) server and attack protocol and act on commands at the same time, enlarging the botnet. What would once have been two separate botnets, one on PCs and one on a mobile operating system such as Android, becomes one botnet operating across multiple types of endpoint.

6. Mobile Malware Growth Closes in on Laptop and Desktop PCs
Malware is being written today for both mobile devices and notebook/laptop PCs. Historically, however, most development effort has been directed at PCs simply because there are so many of them in circulation and they have been around much longer. For perspective, FortiGuard Labs researchers currently monitor approximately 50,000 mobile malware samples, compared with the millions they monitor for the PC. The researchers have already observed a significant increase in mobile malware volume and believe this skew is about to change much more dramatically starting next year, because there are now more mobile phones on the market than laptop or desktop PCs, and users are abandoning those traditional platforms for newer, smaller tablet devices. While FortiGuard Labs researchers believe it will take several more years before the number of mobile malware samples equals what they see on PCs, the team expects accelerated malware growth on mobile devices because malware authors know that securing mobile devices today is more complicated than securing traditional PCs.

