During December, 2007, twelve cyber security SANS Institute veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008.
Here is their consensus list, in ranked order:
1. Increasingly sophisticated website attacks that exploit browser vulnerabilities - especially on trusted web sites. Website attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, website attacks have migrated from simple ones based on one or two exploits posted on a website, to more sophisticated attacks based on scripts that cycle through multiple exploits, to even more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads. One of the latest such modules, mpack, produces a claimed 10-25 percent success rate in exploiting browsers that visit sites infected with the module. While all this is happening, attackers are actively placing exploit code on popular, trusted Web sites where users have an expectation of effective security. Placing better attack tools on trusted sites is giving attackers a huge advantage over the unwary public.
2. Increasing sophistication and effectiveness in botnets The so-called Storm worm (which was not really a worm at all) started spreading in January, 2007, with an e-mail saying, ‘230 dead as storm batters Europe,’ and was followed by subsequent variants. Within a week, it accounted for one out of every twelve infections on the Internet, installing rootkits and making each infected system a member of a new type of botnet. Previous botnets used centralized command and control; the Storm worm uses peer-to-peer control, so there is no central controller to take down. Additional variants have used messages with different subjects and improved the capabilities of the rootkit. In 2008, additional variants and continually increasing sophistication will keep this worm and other even more sophisticated worms near the top of any list of menaces.
3. Cyber espionage efforts by well resourced organizations looking to extract large amounts of data - particularly using targeted phishing One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by various nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.
4. Mobile phone threats, especially against iPhones and android-based phones; plus VoIP Mobile phones are general purpose computers, so worms, viruses, and other malware will increasingly target them. Google's recent announcement of ‘android’ and the formation of the ‘open handset alliance’ is a watershed moment for the mobile industry. A truly open mobile platform will usher in completely unforeseen security nightmares. The developer toolkits provide easy access for hackers. And, hackers are taking note. The author of Metasploit, H.D. Moore, plans a mobile payload presentation Webcast this month. Attacks on VoIP systems are on the horizon and may surge in 2008. VoIP phones and the IP PBXs have had numerous published vulnerabilities. Attack tools exploiting these vulnerabilities have been written and are available on the Internet. In short, the VoIP attack surface is enormous.
5. Insider attacks. Insider attacks are initiated by rogue employees, consultants, and/or contractors of an organization. Insider-related risk has long been exacerbated by the fact that insiders usually have been granted some degree of physical and logical access to systems, databases, and networks that they attack, giving them a significant head start in attacks that they launch. More recently, however, security perimeters have broken down, something that allows insiders to attack both from the inside and from outside an organization’s network boundaries. Insider-related risk (as well as outsider risk) has thus skyrocketed. Organizations need to put into place substantial defenses against this kind of risk, one of the most basic of which is limiting access according to what users need to do their jobs.
6. Advanced identity theft from persistent bots A new generation of identity theft is being powered by bots that stay on machines for three to five months collecting passwords, bank account information, surfing history, frequently used e-mail addresses, and more. They'll gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identify theft attempts where criminals have enough data to pass basic security checks.
7. Increasingly malicious spyware Criminal and nation-state attackers continue to refine the capabilities of their malicious code, expanding on flux techniques to obscure their infrastructure, making it even harder to locate their servers. Additionally, the recent Storm variants’ capabilities of being able to detect investigators’ activity and then respond with a flooding attack against the investigators will become more mainstream and even more powerful, protecting the attackers and making investigation more difficult. Tools will also increasingly target and dodge anti-virus, anti-spyware, and anti-rootkit tools to help preserve the attacker's control of a victim machine for as long as possible. In short, malware will become stickier on target machines and more difficult to shut down.
8. Web application security exploits Large percentages of websites have cross site scripting, SQL injection, and other vulnerabilities resulting from programming errors. Until 2007, few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to an advantage in unauthorized economic or information access. Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from web programming errors as new ways of penetrating important organizations. Web 2.0 applications are vulnerable because user-supplied data cannot be trusted; your script running in the users' browser still constitutes ‘user supplied data.’ In 2008, Web 2.0 vulnerabilities will be added to more traditional programming flaws and Web application attacks will grow substantially.
9. Increasingly sophisticated social engineering including blending phishing with VoIP and event phishing Blended approaches will amplify the impact of many more common attacks. For example, the success of phishing is being radically increased by first stealing IDs of users of other technologies. Salesforce.com users were targeted for a ‘FTC complaint’ phishing e-mail. Monster.com users were targeted for a job offer phishing e-mail. Even if it is non-targeted, event phishing is gaining in sophistication. Tax filing scams and scams based on the US Presidential elections will be widely used this year, and many of them will succeed. A note with the subject ‘Hillary drops out of the race’ or ‘Rudy and female staffer caught on film’ could generate huge new botnets of people who are interested in politics, but may not have patched their systems fully. Add to those opportunities potential bogus fund raising sites and even political dirty tricks going digital, and you'll have an explosive junction of hacking and politics. A second area of blended phishing combines e-mail and VoIP. An inbound e-mail, apparently being sent by a credit card company, asks recipients to ‘re-authorize’ their credit cards by calling a 1-800 number. The number leads them (via VoIP) to an automated system in a foreign country that, quite convincingly, asks that they key in their credit card number, CVV, and expiration date.
10. Supply chain attacks infecting consumer devices (USB thumb drives, GPS systems, Photo Frames, etc.) distributed by trusted organizations Retail outlets are increasingly becoming unwitting distributors of malware. Devices with USB connections and the CDs packaged with those devices sometimes contain malware that infect victims’ computers and connect them into botnets. Even more targeted attacks using the same technique are starting to hit conference attendees who are given USB thumb drives and CDs that supposedly contain just the conference papers, but increasingly also contain malicious software.
More information can be found here.