We asked our Head of Product Management, Dr. Yvonne Bernard, to give us an expert assessment of cyberthreats that we should have on our radar in 2020.
Being asked to predict what the next big threats are will always be ambivalent: On the one hand, I have access to big data analysis tools which enable forecasts on a great level and our very own security lab gives me all types of technical details. On the other hand, predictions also require a combination of intuition, experience and self-confidence … But it is a great opportunity to warn people just by looking into your crystal ball, and I’m willing to take on the task.
My overall assumption is that email will remain attack vector no. 1, especially for the kind of business customers we protect daily. That said, my first threat prediction might astonish you:
1. Hacked IoT devices
I expect attacks on IoT devices to increase further in 2020. These devices are cheap and even useful in an Industry 4.0 or digitalization scenario. They often lack patch management and are based on standard open operating systems with well-known default users or admins (e.g. openHAB for Raspberry Pi). My worry in such a setting is that it is not just a Chinese hacker switching off your coffee machine: these millions of easily hacked devices with different IPs worldwide are the perfect breeding ground for botnets like Reaper. DDoS and many other large-scale attacks can be directed at many small or large companies or critical infrastructure – using hacked IoT devices worldwide for free.
2. Big data exfiltration attacks with ransomware as a service
We’ve seen Ransomware as a Service before: people with no programming or hacking skills at all can build their own malware using build kits like Philadelphia (sold for $389) or the currently active Satan (sold via a revenue-share model).
This and similar simplifications of malware attacks could increase the attacks on SMBs, as attacking is now cheaper and easier than ever. Being a small company does not relieve you from being a potential victim of cybercrime – but being a large one does not either.
We see first hints that data exfiltration attacks based on ransomware will increase sharply. The last big ransomware extortion trend, which is built to encrypt your data and blackmail the victim into paying for the decryption key, is still out there … but data exfiltration is growing rapidly: instead of tampering with the data, attackers steal it and extract it to external storage. Attackers (sometimes even providing proof that they possess the data) then threaten to publish it if you do not pay. Stolen data can be private media as well as intellectual property, company secrets or customer data. This trend is quite new but expected to grow rapidly.
3. AI-enhanced malware
The usage of AI for cyberattacks will increase: deepfakes, e.g. to fool even new voice recognition, have already been seen, as have different techniques to improve the targeting of attacks. One of the major threats based on AI is that malware becomes host-system aware:
New AI-enhanced malware is able to assess the system it is installed on and its vulnerabilities, especially which operating system it uses. It then learns about the system's patch status. Based on what vulnerabilities are found on the infected host, AI-enhanced malware downloads targeted modules from the Command and Control servers. The initial malware already knows the downloaded modules will succeed in execution, because they are designed to use the detected vulnerabilities of the host system.
4. Smart Phishing
Phishing emails will become smarter, more realistic and more automated. Thus, the number of hard-to-detect phishing emails in inboxes will increase. For instance, many social networks offer APIs which enable attackers to scale Business Email Compromise to a whole new level – real-looking, effortless and fully automated. Again, this scaling of realistic attacks might affect companies of all sizes.
5. Malware with hidden encrypted attachments
We have seen an increase in the amount of malware hidden in encrypted attachments starting mid-2019, and it is still growing. This sounds very abstract and unlikely, but imagine you are working in HR and receive an email with an application for a job you posted on StepStone. The applicant writes a perfectly matching cover letter and their resume is attached as a PDF which can be opened using the password “yourjoboffer2020!”. Would you fall for it?
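
A mail filter cannot scan inside an encrypted attachment, so one defensive check for the scenario above is to flag messages that pair an encrypted attachment with a password given in the body. The following is an added example, not code from the original article or from any product; the function names, verdict labels and sample message are constructed, and the encryption checks are heuristics.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Assumed wording for a password handed over in the body; extend per language.
PASSWORD_HINT = re.compile(r"\b(password|passphrase|passcode)\b", re.I)

def is_encrypted(data):
    """Heuristic: True if the attachment cannot be scanned without a password."""
    if data.startswith(b"%PDF-"):
        # Encrypted PDFs reference an encryption dictionary via /Encrypt.
        return b"/Encrypt" in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flag marks an encrypted entry.
                return any(info.flag_bits & 0x1 for info in zf.infolist())
        except zipfile.BadZipFile:
            return False
    return False

def triage(msg):
    """Return (verdict, encrypted attachment names) for one parsed message."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    locked = [part.get_filename() for part in msg.iter_attachments()
              if is_encrypted(part.get_payload(decode=True) or b"")]
    if locked and PASSWORD_HINT.search(text):
        return "quarantine", locked   # unscannable file plus password in body
    if locked:
        return "review", locked       # unscannable file, no password seen
    return "deliver", []

def sample_message():
    """Constructed sample modelled on the job-application scenario above."""
    msg = EmailMessage()
    msg["Subject"] = "Application for your open position"
    msg.set_content("My resume is attached. The password is yourjoboffer2020!")
    fake_pdf = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n"
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="resume.pdf")
    return msg

if __name__ == "__main__":
    print(triage(sample_message()))
```
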