Subj : Avast 2020 Threat Assessment
To   : All
From : Marc Lewis
Date : Sun Jan 05 2020 19:28:58

Hello All.

The Avast Threat Labs monitors and protects our more than 400 million users worldwide from the latest threats. Avast detects threats in near real time and blocks about 1.5 billion attacks a month. This scope gives us valuable insight into, and knowledge of, the most prevalent threats, which allows us to quickly protect against emerging threats and to map trends, so that Avast experts from various fields can try to predict future threats as well.

For 2020, we predict advancements in how malware is delivered to PCs, including: more sophisticated methods of spreading threats via malicious emails; a resurgence of exploit kits; supply chain attacks; and abuse of the Remote Desktop Protocol (RDP). On the mobile side, we predict that more subscription scams and fake apps will make their way onto official app stores, and that more iOS vulnerabilities will be exposed by researchers and bad actors alike. In terms of Internet of Things devices, we predict devices and even physical locations will become smart, or smarter than they already are. We have already started to see cybercriminals taking steps to further develop IoT malware, including adding obfuscation to make it more difficult for analysts to analyze, and building upon exploit kits for smart devices. Finally, we expect privacy will become the new frontier for security, especially when it comes to big data collected for AI algorithms.

For more than a decade, malicious email spam, also known as malspam, has been one of the primary ways cybercriminals spread malware. At the same time, antivirus companies and email providers alike have invested heavily in spam filtering, greatly improving the detection of malicious attachments and more. This in turn has caused adversaries to innovate continuously to better their chances of reaching potential victims.
Earlier this year, the banking trojan Emotet, which has been around since 2014, began spreading using a new technique. In addition to spreading via malspam, Emotet began scanning victims' email inboxes and replying to existing emails with malicious attachments, thus infecting further users. Similarly, there have been cases of malware creating stealthy filters on email servers to steal new incoming messages, either to spy on victims or to add a malicious payload to the email and send it back into the conversation.

Furthermore, there is an entire cybercrime business focused on stealing and reselling SMTP (Simple Mail Transfer Protocol) credentials, which are the same credentials used to log into an email account. SMTP is the protocol email clients use to send email, and with stolen SMTP credentials, cybercriminals can send malicious emails that appear to come from specific people.

We predict email will continue to be the number one mechanism for spreading malware, but we expect the methods used to send it will become more sophisticated, and that cybercriminals will begin using adversarial AI to prepare and send emails with malicious or phishing content or attachments.

=-=
PC Predictions
Resurgence of exploit kits:

While email is and will most likely remain the primary method of spreading malware, there are other, more sophisticated methods we predict will be taken advantage of within the next year. One of them is exploit kits. Exploits are code that takes advantage of vulnerabilities, and exploit kits are programs that exploit multiple vulnerabilities. Cybercriminals use exploit kits to gain access to devices, mainly via malvertising. When someone visits a site with malvertising running an exploit kit, the kit probes the visitor's software for vulnerabilities it can use to deliver and execute malware, such as trojans or ransomware. Many cybercriminals rent out exploit kits on the darknet for other cybercriminals to abuse.
Some of the most active exploit kits we saw during 2019 were RIG and Fallout, which are offered as a service for anywhere between $700 USD and $2,000 USD a month. In the past, exploit kits were one of the main methods of spreading malware; however, from 2016 to 2017 the exploit business appeared to be in decline. In the past two to three years, exploit kits have undergone heavy development, and cybercriminals are now adding new exploits and techniques to evade antivirus detection, including detecting virtual machines and malware analysis tools. In 2019, we also saw an increase in router exploit kits, mainly targeting Brazilians, but also local U.S. and Canadian Internet Service Providers. We expect to see an increase in the number and sophistication of exploit kits targeting PCs and routers in 2020.

=-=
PC Predictions
Supply chain attacks will continue to make headlines:

We've been predicting an increase in supply chain attacks for a few years now and have observed their rise over the past two years. We don't expect this trend to stop. APT (Advanced Persistent Threat) groups are attempting to infiltrate software companies with massive user bases to inject malicious code into genuine products. The motivation behind supply chain attacks often differs. We have observed cases where just a fraction of the affected user base is the actual target of a supply chain attack. This was the case in the CCleaner attack in 2017 and in the ASUS supply chain attack in 2018. On the other hand, there are cases where the motivation behind a supply chain attack is mass destruction, as with the NotPetya attack. Cybercriminals spread the NotPetya ransomware (more precisely, a wiper) by compromising the Ukrainian accounting software M.E.Doc.

=-=
PC Predictions
RDP -- Innocent until used for evil:

The Remote Desktop Protocol (RDP), a feature included in every Windows version since XP, is used to allow remote access from one machine to another, e.g.
an employee working remotely can access a workstation or server located in their company. It can be as simple as running RDP client software on a laptop and connecting to a machine running the RDP server counterpart. RDP then provides an encrypted connection between the two endpoints. The usefulness of connecting remotely to a desktop using RDP has changed the way much of the world conducts business. It is, unfortunately, also one of the most attractive methods for cybercriminals to infiltrate a victim's network and deliver a malicious payload. In the past, cybercriminals have either brute-forced or guessed weak credentials to gain access. With newly discovered RDP vulnerabilities, such as BlueKeep, there are even more opportunities for cybercriminals. In the past few years, cybercriminals have abused the feature to distribute ransomware to small and medium businesses.

In 2020, we expect to see a significant increase in all types of attacks on RDP. We are likely to see cybercriminals abusing weakly configured servers with RDP enabled as well as exploiting RDP vulnerabilities, whichever is more profitable for them at the time. The majority of delivered malicious payloads will probably still be ransomware, but we expect a rise in the distribution of coin-miners and password stealers. We also expect to see the spread of worm-like strains similar to WannaCry.

=-=
PC Predictions
About Jakub Kroustek

Jakub is Head of Threat Intelligence Systems at Avast. Jakub is a passionate malware hunter and researcher with a love of reverse engineering. His expertise lies in ransomware, botnets, and automating all the boring stuff. Jakub hates malware, but enjoys analyzing it and spreading the word about his findings, including presentations at conferences such as Virus Bulletin, CARO, and Botconf. Jakub holds a Ph.D. in Computer Science and Engineering from the Brno University of Technology.
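The RDP section above describes the two cheapest ways in: brute-forced or guessed weak credentials against servers that expose RDP. The script below is an added example, not part of the Avast report or of this message, showing the detection a defender would run over the Windows Security log: it looks for bursts of failed RDP logons (event 4625 with logon type 10, RemoteInteractive) from one source address inside a sliding window, and separately for a successful RDP logon (event 4624) from a source that is still inside such a burst, which is the signature of a guessed password. The log lines are constructed sample data flattened into a one-line-per-event form for the example (real events are XML/EVTX and would be read through event forwarding or a SIEM); the five-failures-in-five-minutes threshold and the RFC 5737 documentation addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, flattened to one line each
# (the flattening is an assumption for the example; real events are XML/EVTX).
# Event 4625 = failed logon, 4624 = successful logon; LogonType 10 =
# RemoteInteractive, i.e. an RDP session. IPs come from RFC 5737 ranges.
SAMPLE_LOG = [
    "2020-01-05T19:09:55Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.45",
    "2020-01-05T19:10:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45",
    "2020-01-05T19:10:04Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45",
    "2020-01-05T19:10:09Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45",
    "2020-01-05T19:10:15Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45",
    "2020-01-05T19:10:22Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45",
    "2020-01-05T19:10:30Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45",
    "2020-01-05T19:11:02Z EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45",
    "2020-01-05T19:12:10Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7",
    "2020-01-05T19:12:25Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7",
    "2020-01-05T19:12:40Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7",
    "this line is malformed and is skipped by the parser",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_line(line):
    """Parse one flattened log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["event_id"]),
        "logon_type": int(m["logon_type"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with `threshold` or more failed RDP logons inside a
    sliding `window`, and any RDP logon that succeeds from such a source while
    the burst is still inside the window (the 'password guessed' case).
    Threshold and window are illustrative assumptions, not vendor guidance."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)   # source ip -> failed RDP logons still in window
    already_alerted = set()        # alert once per source for the burst itself
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console and network logons are out of scope here
        ip = ev["ip"]
        recent = [f for f in failures[ip] if ev["ts"] - f["ts"] <= window]
        if ev["event_id"] == FAILED_LOGON:
            recent.append(ev)
            if len(recent) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({
                    "kind": "rdp_brute_force",
                    "ip": ip,
                    "at": ev["ts"],
                    "failures": len(recent),
                    "users": sorted({f["user"] for f in recent}),
                })
        elif ev["event_id"] == SUCCESSFUL_LOGON and len(recent) >= threshold:
            alerts.append({
                "kind": "rdp_success_after_failures",
                "ip": ip,
                "at": ev["ts"],
                "user": ev["user"],
                "failures": len(recent),
            })
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data the detector raises two alerts for 203.0.113.45 (the burst against several account names, then the successful logon a minute later) and nothing for 198.51.100.7, whose two failures followed by a success look like a user mistyping a password. The second alert kind is the one worth paging on: it is the moment a weak credential has actually been guessed. Detection of this kind complements, rather than replaces, not exposing RDP directly to the internet and enforcing an account lockout policy.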
=-=
Mobile
Subscription scams and fake apps:

On the mobile side, we predict that more subscription scams and fake apps will make their way onto official app stores. Subscription scams allow people to use an app for free for a limited period of time, and if the subscription is not canceled, the app charges customers higher than usual fees — often on a weekly or monthly basis. We expect we will see subscription scam apps rise on both the Google Play Store and the Apple App Store. Fake apps, on the other hand, are illegitimate apps posing as benign ones in order to drive downloads, collect personal data, and expose people to advertisements or malware. Cybercriminals are resorting to subscription scams and fake apps because it is difficult to get past official app store security checks.

=-=
Mobile
iOS jailbreaks opening the door:

On the iOS side, based on the latest findings from the iOS jailbreak community, we expect more vulnerabilities will be exposed by researchers and bad actors alike. The checkm8 jailbreak exploit, discovered this year, is a very serious vulnerability, as it exploits the boot ROM, the first code that runs on iOS devices when they are turned on, and thereby gains control over everything that runs after it. Additionally, it can never be updated or fixed on existing devices, as the exploited code is in read-only memory. The only "fix" is to buy a new device, like the iPhone XS / XR or newer. While the exploit requires physical access to the targeted device, criminals and even government agencies have gained a new tool for their arsenal. We are already seeing community projects, like checkra1n, providing high-quality semi-tethered jailbreaks based on the checkm8 bootrom exploit. This could enable researchers to discover more vulnerabilities which, we hope, will be reported to Apple and not used for evil.
=-=
Mobile
About Nikolaos Chrysaidos

Nikolaos Chrysaidos is Head of Mobile Threat Intelligence and Security at Avast, leading mobile security projects, mobile threat intelligence, and threat prevention. In his day-to-day work, he drives mobile forensics, malware analysis, reverse engineering, and application penetration testing to stay ahead of current mobile threats and security issues. Additionally, Nikolaos and his team work on apklab.io, a mobile threat intelligence platform designed to make it easier for security researchers to hunt and analyze mobile malware. Nikolaos holds a Bachelor of Science in Computing from the University of Wales and a Master of Science in Cyber Security from the University of York, and has presented at various conferences such as AVAR, CARO, RSA, BSides, and MWC 360.

=-=
Internet of Things (IoT)
Smarter smart devices and places:

In terms of the IoT, we predict smart devices will become even smarter, collecting more data about users to learn and predict user behavior. This will be done to target users with advertisements, similar to how websites collect user data to better target users with ads based on their preferences. We also predict a rise in the number of 'smart supermarkets' like Amazon Go, which track customers and the items they select, and allow customers to walk out of the store without checking out at a register. Smart devices and locations that collect data offer convenience, but they limit people's control over their privacy. Additionally, companies collecting and storing a plethora of customer data make attractive targets for data-hungry cybercriminals looking to sell data for financial gain on underground markets.
=-=
Internet of Things (IoT)
More sophisticated IoT malware:

We have already noticed cybercriminals adding sophisticated defences to IoT malware, adding obfuscation to their code similar to how cybercriminals attempt to protect their Windows malware from being analyzed by researchers, and we expect this to continue as more people adopt smart devices, widening the IoT attack surface.

=-=
Internet of Things (IoT)
About Anna Shirokova

Anna Shirokova is a security researcher at Avast, focusing on the IoT threat landscape. Anna has presented at leading industry events including Botconf, Troopers, BruCon, Wacco Workshop, Virus Bulletin, and Black Hat Europe. Anna also works on the Stratosphere IPS project, where she analyzes attacks carried out on IoT devices and publishes her findings along with other project team members.

=-=
Internet of Things (IoT)
RCE exploits:

Remote code execution vulnerabilities allow cybercriminals to exploit devices, execute commands, download malware, and gain control of vulnerable devices. Successful botnets have taken advantage of zero-day RCE exploits for particular devices. Nevertheless, n-day exploits, i.e. exploits for already known vulnerabilities, are also effective and used daily, as not every IoT vulnerability is patched and updated fast enough. As new smart devices are introduced to the market, new exploits are developed and released, and malware authors can build upon older, already established malware families, expanding them with newly released exploits to widen their IoT attack surface. We expect this trend to continue and predict that large botnets will be even easier to build in the future.

=-=
Internet of Things (IoT)
Botnet infrastructure:

Malware authors have been making progress in preparing their attack infrastructure. The 'state of the art' botnets have progressed from the early days of IoT malware with hard-coded C&C servers to become well-designed, fully-fledged networks using a variety of techniques, both client-server and peer-to-peer based.
We have seen IoT malware adopting DNS-over-HTTPS, Tor communication, proxies, and different encryption methods, and we expect malware authors will adopt other security practices to make their networks more robust. We also expect to see progress when it comes to botnet monetization. Although DDoS attacks and cryptocurrency mining are still the most popular uses of botnets, we foresee more specialized botnets for proxying, information gathering, or eavesdropping appearing in 2020.

=-=
Internet of Things (IoT)
About Daniel Uhricek

Daniel Uhricek is a security researcher at Avast. Daniel works on multiple areas within IoT threat research. His expertise comes from tracking IoT malware on a daily basis and developing tools to hunt and analyze malware. His interests include Linux, networking, and data analysis. Daniel is currently a Master's student of Computer Security at the CTU in Prague, Czech Republic.

=-=
Artificial Intelligence (AI)
Privacy will become the new frontier for security:

The general public and legislators are becoming aware of the dangers of a society with little privacy, and we are seeing a number of regulation attempts around the world, e.g. in Europe (GDPR) and California, U.S. (CCPA), to provide protection and control over personal privacy. AI has, unfortunately, been a major driver of the harvesting of private data and the resultant lack of privacy. In the coming year, we will see practical applications of AI algorithms, including differential privacy, a system in which a description of the patterns in a dataset is shared while withholding information about individuals, so that the big data insights we profit from today remain available, but without exposing all the private details.

=-=
Artificial Intelligence (AI)
Data ownership:

There is recent work, for example Data Shapley, to attribute value to the individual pieces of data provided by users.
While we do not foresee a monetization of personal data in 2020 yet, we hope to start seeing initial products that at least allow individuals to control their own data, e.g. to decide whether and which companies can harness their data, and what data they can use.

=-=
Artificial Intelligence (AI)
About Rajarshi Gupta

Rajarshi Gupta is the Head of Artificial Intelligence at Avast, responsible for Avast's AI products and research. Dr. Gupta manages data science teams in Silicon Valley and Europe, leading AI-driven malware detection and mobile protection, together with network security for Smart Home, Avast's next-generation IoT security platform. Prior to joining Avast, Dr. Gupta worked at Qualcomm Research for many years, where he created "Snapdragon Smart Protect", the first ever product to achieve on-device machine learning for security. Dr. Gupta has authored over 200 issued U.S. patents. Dr. Gupta holds a PhD in Electrical Engineering and Computer Science from UC Berkeley.

=-=

Best regards,
Marc

--- timEd/2 1.10.y2k+
 * Origin: Sursum Corda! BBS-Huntsville,AL-bbs.sursum-corda.com (1:396/45)
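The AI section of the report describes differential privacy only in one sentence: patterns in a dataset are shared while information about individuals is withheld. The following is an added example, not part of the Avast report or of this message, of the simplest instance of that idea, the Laplace mechanism for a counting query. A count changes by at most one when a single person's record is added or removed (sensitivity 1), so adding Laplace noise with scale 1/epsilon guarantees that any released value is at most a factor e^epsilon more likely under one neighbouring dataset than under the other, which is exactly what stops the output from revealing whether a given individual is present. The dataset of 90 user records is constructed for the example; the epsilon values and the query itself are assumptions, and the sampling is done with the standard library rather than a differential-privacy library.

```python
import math
import random

# Constructed sample dataset (not real telemetry): one record per user, with a
# flag for whether the user has registered a particular kind of smart device.
# i % 3 == 0 holds for 30 of the 90 values of i, so the true count is 30.
RECORDS = [{"user_id": f"u{i:03d}", "has_smart_camera": i % 3 == 0} for i in range(90)]


def true_count(records, predicate):
    """The exact, non-private answer to a counting query."""
    return sum(1 for r in records if predicate(r))


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon used by the Laplace mechanism."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(scale, rng):
    """Draw from Laplace(0, scale). The difference of two independent
    exponential variables with mean `scale` has exactly that distribution."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def private_count(records, predicate, epsilon, rng=None):
    """Epsilon-differentially-private count. Adding or removing one record
    moves a count by at most 1, so the query's sensitivity is 1."""
    rng = rng if rng is not None else random.Random()
    return true_count(records, predicate) + sample_laplace(laplace_scale(1, epsilon), rng)


def privacy_bound(epsilon):
    """Largest factor by which any output may be more likely under one of two
    neighbouring datasets than under the other."""
    return math.exp(epsilon)


def neighbour_likelihood_ratio(output, count_a, count_b, epsilon):
    """Ratio of the Laplace densities of seeing `output` when the true count is
    count_a versus count_b. For neighbouring datasets (|count_a - count_b| <= 1)
    this never exceeds privacy_bound(epsilon): that is the guarantee."""
    scale = laplace_scale(1, epsilon)
    density_a = math.exp(-abs(output - count_a) / scale)
    density_b = math.exp(-abs(output - count_b) / scale)
    return density_a / density_b


def sequential_budget(epsilons):
    """Sequential composition: several queries answered on the same data spend
    the sum of their epsilons, which is why a per-dataset budget is tracked."""
    return sum(epsilons)


if __name__ == "__main__":
    rng = random.Random(2020)
    has_camera = lambda r: r["has_smart_camera"]
    print("true count:", true_count(RECORDS, has_camera))
    for eps in (0.1, 0.5, 2.0):
        print(f"epsilon={eps}: released count {private_count(RECORDS, has_camera, eps, rng):.1f}")
    # The released value is equally consistent with a world in which one
    # particular user was removed (count 29) or added (count 31).
    print("worst-case likelihood ratio at eps=0.5:",
          neighbour_likelihood_ratio(30.0, 30, 31, 0.5), "<=", privacy_bound(0.5))
```

Running it shows the trade-off the report alludes to: at epsilon 0.1 the released count wanders tens of users away from 30 and is useful only for large populations, while at epsilon 2.0 it is usually within a user or two but the likelihood ratio bound e^2 leaves an individual far less deniability. The `sequential_budget` helper is there because the guarantee holds per dataset, not per query: every additional answer on the same records spends more of the budget.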