According to security vendor Malwarebytes, web skimmers will also broaden their impact and hybrid attacks will escalate, among other cybersecurity threats expected to evolve in 2020 and later years.
“We have seen more vulnerabilities in 2017 and 2018 than any year before and 2019 is close to matching 2017, and we still have a month to go,” says Adam Kujawa, Security Evangelist and Director of Malwarebytes Labs.
“This year alone, we’re also seeing more malware developed to focus on business targets as opposed to the consumer. Overall, we are probably going to see some of the 43,000+ vulnerabilities discovered over the last two years show up in future Exploit Kit offerings.
“Bottom line, more vulnerabilities means more, and the development of malicious tools designed to attack networks more effectively. Therefore, we are likely to see more non-affiliated cybercriminals utilising tricks developed by state-sponsored malware groups (APT) as we did with EternalBlue.”
After its number one prediction, continuing ransomware attacks on businesses and governments, Malwarebytes’ other 2020 security predictions include:
Web skimmers will broaden their impact by going after more e-commerce platforms and plugins - beyond Magento.
Looking at web skimming activity, we see that there is no target too big to take on and that no platform will be spared. As long as there is data to be stolen, criminals will put in the effort to compromise online merchants either directly or indirectly. The indirect attacks are actually the more dangerous ones because they are CMS-agnostic. Essentially any third-party code, such as web libraries, can be tampered with and loaded by a number of websites downstream. The current state of web security is still way behind, and most shops are not validating external content before loading it. Another shift we will see is that skimmers may not be where we expect them to be. The majority of them right now are loaded at the checkout form, where customers enter their payment data. However, we now see skimmers impersonating payment processors and using phishing-like tricks. So overall, this is a very dynamic field where we can expect to see many novel attack techniques.
Exploit kit activity will be at the highest it's been since the post-Angler era.
For example, we will see a surge of exploits (and zero-days) for Chrome and Chromium-based browsers. This year, we’ve heard of at least a few 0-day vulnerabilities for Google Chrome. Those are rare and difficult to achieve, but they are getting more common. The browser market will be even more dominated by Chrome/Chromium when Microsoft’s Edge browser switches to a Chromium engine in January. Attackers will see Chromium as a prime target for exploitation. Overall, we will see more drive-by attacks involving fileless malware. Magnitude EK, Underminer EK and Purple Fox are all examples of exploit kits that do not drop a typical payload on disk.
VPN scandals will increase.
VPNs have been oversold as the solution to privacy and security. As we saw last year at Black Hat, SSL VPNs are becoming a popular way for remote access into businesses. For example, two popular VPNs were hijacked - Pulse Secure VPN and Fortinet’s FortiGate VPN - after vulnerabilities in their software were presented at the security conference. The talk, given by security researchers at Devcore, may have tipped off the bad actors, but it’s more likely that their blog with technical details and proof-of-concept code sealed the deal. It’s important to note that VPNs often leave users with a false sense of security that they don’t need additional security tools. However, VPNs are only one piece of the security equation and you should consider a layered approach, similar to having collision detection AND side mirrors on your car. In the coming year, we’re going to see more VPN security flaws, as well as fake VPN websites, leading to additional enterprise VPN hacks.
Biometric tracking will draw an international outcry for data privacy laws.
This year, we’re already seeing the dissemination of user data through Google’s purchase of Fitbit. What will happen to this private healthcare information? Consumers are unaware that their health tracking devices could fall into the hands of someone who could use the data for unauthorized purposes. What’s more, the increased use of biometric data for authentication also calls for stronger regulations for data privacy, as consumers could be subject to bias. Additionally, there are also fears about how biometric data could be used and who will have access to it, such as law enforcement, immigration enforcement, or repressive foreign governments.
Election security mishaps will undermine the confidence of US voters.
From compromised voting machines to fake news across the Internet and social media, US voters will call into question the reliability of today’s voting process. For example, scammers and malware authors will, of course, use the election to spread their threats via phishing emails. However, we will also see the use of DeepFake technology for political purposes. The DeepFake tech will either be incredibly subtle or incredibly convincing, to the point where it would require a lot of digging to determine whether it was fake. Regardless of the tactics for scamming, the real threat will be the attacks on our hearts and minds through social media and media manipulation.
Hybrid attacks with multi-stage payloads will escalate.
A multi-stage attack allows an attacker to infiltrate a network in the most efficient and effective way possible. The first stage gathers information so the attacker can consider the best way to launch the next stage of the attack, which could include further infection across the network or the sale of the infection to someone who wants to mine for cryptocurrency or spread more malware. Most recently, we saw Emotet used as a first-stage infection to drop more malware (and in particular, ransomware). We predict there will be more similar types of malware where the dwell time will be days or even weeks before attackers decide on what to do next. This is an interesting type of monetisation, alternating payloads and doing proper victim triage.