The Target data breach was the first of many major retail point-of-sale (POS) system breaches in 2014. Target’s registers were infected with a malware strain that stole payment card information. This use of malware is not surprising, given that we have seen more POS malware written in the past year than we have since 2007-2008, with the different variants including BlackPOS, Kaptoxa, Backoff, Chewbacca and updated versions of Dexter, Alina and VSkimmer. Attacks on other retailers like Jimmy John’s, P.F. Chang’s, Kmart, and The Home Depot followed suit.
In 2015, I feel that retailers will continue to be a major target and, as they start implementing tighter security strategies, the attack vector will change. I believe we will see more data exfiltration from online e-commerce sites that rely on open source or low-cost POS systems that may not be as secure as an onsite POS network that is segregated from the rest of a corporate network. As the retail industry begins to invest in its security posture, victims of POS attacks through brick-and-mortar retail stores may decline.
We have seen malicious actors, like the Rescator group, which was responsible for the breaches at Target, The Home Depot, P.F. Chang’s and others, improve their skills and reinvest in their operations to successfully compromise retail and e-commerce environments. Rescator has traditionally targeted vulnerable websites with SQL injection and cross-site scripting (XSS) attacks. I think that they will go back to their roots of compromising websites, but instead of just using SQL injection and XSS, they will weaponize their successful POS malware to target more online commerce sites, exploiting inexpensive and open source POS platforms.
Having a solid security-in-depth strategy will assist in defending against these types of attacks. Whether you are in the cloud or a brick-and-mortar retail business, there are several security technologies that can be implemented, as long as you support them with sufficient people and process to deliver the best security outcome. If you cannot afford the investment to build a solid security program, there are Managed Security Services that you can outsource to in order to deliver the security outcomes you require for your environment.
Healthcare
In 2013, the healthcare industry lost more personally identifiable information (PII) than any other industry. PII has historically been a very profitable commodity, demanding prices on the underground 10 times the price of credit card information. Healthcare PII is valuable because it can be used to create fake identities for criminals and mask true personal data or even help terrorist organizations present valid identities to enter the United States. However, the attack vector really changed in 2014 – the new targets became businesses that support the healthcare industry through medical devices and technologies.
The US Federal Drug Administration released a bulletin that identified over 300 medical devices that contained vulnerabilities that could potentially be exploited.[1] Security researcher Barnaby Jack has even demonstrated the wireless hacking of insulin pumps and pacemakers. Before his death in 2013, he was able to showcase the manipulation of insulin pump settings from over 300 feet away and the security shortcomings in medical transplants. His work illustrates how vulnerable medical devices are to outside exploitation. This trend will continue into 2015, with more medical technology manufacturers becoming a primary target of some state-sponsored industrial espionage and organised criminal hacking groups. Is 2015 the year in which we will see the first online murder through a vulnerability that exists in a medical device? Will it be through an insulin pump or the wireless capability of a pacemaker? We shall see.
Medical device manufacturers need to work on implementing the proper level of security to secure their devices that are sold to the healthcare industry. Healthcare facilities also need to do a better job at securing their environments and implementing a solid security program with sufficient resources to accomplish the task efficiently.
Education
Higher education institutions are also an attractive target for identity and information theft because of the sensitive PII available from students, faculty and alumni. Universities, in particular, are at risk due to the inexperience of users who utilize the networks for both academic and personal reasons. This inexperience creates paths for multiple infections and rampant use of unsupported software and tools. Unfortunately, the cost of an in-depth security strategy using the latest technology, processes and experts is often out of the budget range of most universities. According to the FBI, some foreign nations are also interested in stealing classified information and intellectual property from universities, possibly to bypass expensive research and development or spread false information for political or other reasons.[2] It is not unusual for campuses to be the targets of phishing emails with attached malware or computer intrusions, with the intent to access confidential research or exploit social media networking sites.
To mitigate risk, educational institutions should consider the private cloud for storing sensitive data. After all, the primary purpose of a private cloud service provider is to provide availability and security for the data stored in their datacenters.
Oil, Gas and Energy
In 2014, the oil, gas and energy industries saw a few new malicious groups form and produce some advanced malware that targets supervisory control and data acquisition (SCADA) systems. Cyberspying organization Energetic Bear is a group whose ties with the Russian government make them an interesting adversary. They have been around since 2011, but have been incredibly effective at updating malicious code and attack vectors in 2014. Their primary attack vector was a series of phishing emails deployed into an energy organization with exploits against popular everyday products like Adobe Reader and Microsoft Office. They have also been launching attacks using Havex, which is a tool that has both SCADA system search functions and Remote Access Trojan (RAT) capabilities. Havex may be an updated version of the SYSMain RAT that the group has traditionally used in prior attacks.
Attacks against infrastructure monitoring systems can be detected and defences built to deny the attacker the desired target. Proper network segmentation, security tool implementation and constant patching are a few of several ways to protect your environment. Using threat intelligence to understand the adversaries of the oil, gas and energy industry will reveal their motives and assist in detecting and mitigating vulnerabilities before they are exploited by these malicious actors.
2015 and Beyond
2015 will produce more new and emerging malware that will affect multiple industries. We will see the emergence of new malicious actors and a revived list of old ones. We will see more groups starting to partner on operations to compromise their common targets, which really highlights the need for a proper, in-depth security strategy that is supported by both people and process.
This also highlights the need for information sharing among industry groups. If companies can tear down the barriers that prevent them from sharing information regarding phishing campaigns, malware received, and the IP addresses and locations of malicious actors who are attempting to compromise their environments, this data can be used to prevent others from potentially being compromised by the same actors using the same techniques. We are all in this together and need to partner with each other to achieve a collective of intelligence that we can use to efficiently defend against organized groups who are also partnering to compromise our environments.
[1] http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
[2] http://www.fbi.gov/about-us/investigate/counterintelligence/higher-education-and-national-security