{"id":15039,"date":"2014-12-12T19:09:33","date_gmt":"2014-12-12T19:09:33","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3417"},"modified":"2020-12-15T20:05:47","modified_gmt":"2020-12-15T18:05:47","slug":"the-crystal-ball-of-facts-2015-apt-predictions","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/the-crystal-ball-of-facts-2015-apt-predictions\/15039\/","title":{"rendered":"The Crystal Ball of Facts: 2015 APT predictions"},"content":{"rendered":"<p>2014 is wrapping up with a bang: the <a href=\"https:\/\/business.kaspersky.com\/with-the-doors-wide-open-yet-another-sony-megahack\/3408\" target=\"_blank\" rel=\"noopener nofollow\">Sony Pictures megahack<\/a>, to be exact. However, this post isn\u2019t about looking back, but rather about looking forward and making some educated predictions based on the events of 2014. Kaspersky Lab has published its new study, \u201c<a href=\"https:\/\/securelist.com\/analysis\/kaspersky-security-bulletin\/68117\/kaspersky-security-bulletin-2014-a-look-into-the-apt-crystal-ball\/\" target=\"_blank\" rel=\"noopener\">A Look into the APT Crystal Ball<\/a>\u201d. It doesn\u2019t involve witchcraft, tarot cards, or summoned spirits: every prediction is based purely on the facts and trends observed this year.<\/p>\n<p><strong>What does the future (possibly) hold regarding APTs?<\/strong><\/p>\n<p>Our Global Research and Analysis Team (GReAT) experts expect a <strong>merger between cyber-crime and APT<\/strong>: financially motivated criminals will adopt the tools and tradecraft of targeted attacks and shift their attention from end users to larger organizations. 
This is a troubling development for businesses, especially those (like banks) that handle a lot of money transfers.<\/p>\n<p><em>\u201cIn a number of incidents investigated by Kaspersky Lab experts from the Global Research and Analysis Team, several banks were breached using methods straight out of the APT playbook. Once the attackers got into the banks\u2019 networks, they collected enough information to enable them to steal money directly from the bank in several ways:<\/em><\/p>\n<ul>\n<li><em>Remotely commanding ATMs to dispense cash;<\/em><\/li>\n<li><em>Performing SWIFT transfers from various customer accounts;<\/em><\/li>\n<li><em>Manipulating online banking systems to perform transfers in the background.\u201d<\/em><\/li>\n<\/ul>\n<p>Criminals prefer the path of least resistance, and penetrating a bank\u2019s defenses is harder than infecting home users. But a single successful intrusion into a bank is far more profitable than picking \u201ccrumbs\u201d from individual end users, which is what makes the extra effort worthwhile.<\/p>\n<p>GReAT also expects <strong>fragmentation of the larger APT groups<\/strong> into smaller, more elusive ones. This, in turn, may lead to diversification of the attacks, as well as a \u201cmore widespread attack base.\u201d Simply put, more companies will be hit, including those that have been compromised before.<\/p>\n<p><strong>More emphasis will be placed on evasion techniques<\/strong><\/p>\n<p>APT groups are well aware that they are being hunted, and some get exposed from time to time, which is bad for their business. 
APT stands for \u201cadvanced persistent threat\u201d, and \u201cpersistent\u201d is the opposite of \u201cone-off\u201d: the attackers want to stay stealthy and keep a foothold in the target\u2019s infrastructure for as long as possible, doing as much damage as they can along the way.<\/p>\n<p><strong>New attack vectors are also expected.<\/strong><\/p>\n<p>The Darkhotel APT <a href=\"https:\/\/business.kaspersky.com\/the-dark-story-of-darkhotel\/2829\" target=\"_blank\" rel=\"noopener nofollow\">we wrote about earlier<\/a> targeted high-profile individuals such as corporate CEOs and government officials through the free Wi-Fi networks of a number of hotels. Unexpected as it was, it is hard to imagine a better vantage point from which to launch targeted attacks. Criminals are resourceful, so there is no telling where their attacks will originate in the future, and even if there were, we are not going to hand them ideas.<\/p>\n<p>Data exfiltration is also of special interest to criminals who want to stay hidden over a prolonged period of time.<\/p>\n<p><strong>APT groups are expected to use cloud services to make exfiltration stealthier and harder to notice.<\/strong><\/p>\n<p>Gone are the days when attackers would use a plain backdoor to siphon terabytes of information to FTP servers around the world: bulk transfers like that stand out to anyone monitoring egress traffic and are easily blocked. 
Today, more sophisticated groups routinely hide their traffic behind SSL\/TLS encryption and custom communications protocols.<\/p>\n<p>According to Securelist, \u201cSome of the more advanced groups rely on backdooring networking devices and intercepting traffic directly for commands. Other techniques we have seen include exfiltration of data to cloud services, for instance via the WebDAV protocol (facilitates collaboration between users in editing and managing documents and files stored on web servers). These have resulted in many corporations banning public cloud services such as Dropbox from their networks. However, this remains an effective method of bypassing intrusion detection systems and DNS denylists.\u201d<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2017\/05\/06020413\/wide2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3418\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2017\/05\/06020413\/wide2.jpg\" alt=\"wide\" width=\"1000\" height=\"708\"><\/a><\/p>\n<p><strong>APT groups will most likely take a more active approach to throwing security researchers off their scent.<\/strong><\/p>\n<p>Whether the attacks come from private groups or from \u201ccyber-armies\u201d backed by nation states, the attackers would prefer to keep their origins concealed. 
Just as cybercriminals route their traffic through proxies and compromised hosts to hide where it really comes from, they will try to \u201cplant evidence\u201d of a false origin, so that fingers point in the wrong direction.<\/p>\n<p>This is not just theory: in 2014 we observed several \u201c<strong>false flag<\/strong>\u201d operations in which attackers delivered \u201cinactive\u201d malware commonly associated with other APT groups, presumably to mislead investigators.<\/p>\n<p><a href=\"https:\/\/business.kaspersky.com\/with-the-doors-wide-open-yet-another-sony-megahack\/3408\" target=\"_blank\" rel=\"noopener nofollow\">The recent hack of Sony Pictures<\/a> raises tough questions about attribution. North Korea was the first suspect, but as more information emerged, that attribution became less and less certain. It is possible that someone simply wanted everyone to think North Korea was responsible.<\/p>\n<p>GReAT experts suggest that in 2015, APT groups will carefully adjust their operations and throw false flags into the game.<\/p>\n<p><strong>Preparedness is still key<\/strong><\/p>\n<p>Where an attack came from matters less than being ready for it. Admittedly, it is more flattering for a victim to say it was hit by some dreaded nation\u2019s cyber army than by a bunch of miscreants who probably did not even write the tools they used, especially when it was the victim\u2019s own security shortcomings that made the attack possible in the first place.<\/p>\n<p>In 2015 we will probably hear a lot about new techniques cybercriminals are using to take their stealth, persistence, and efficiency of data exfiltration to the next level. 
Some new techniques have already been observed this year, and Kaspersky Lab has used this data to develop and deploy several new defense mechanisms for its users.<\/p>\n<ul>\n<li>To read about these and other new trends in the APT world, visit the <a href=\"https:\/\/securelist.com\/analysis\/kaspersky-security-bulletin\/68117\/kaspersky-security-bulletin-2014-a-look-into-the-apt-crystal-ball\/\" target=\"_blank\" rel=\"noopener\">Securelist blog<\/a>.<\/li>\n<li>To watch Kaspersky Lab\u2019s video \u201cGame of cyber-thrones: attacks on the corporate sector and business executives in 2014\u201d, click <a href=\"http:\/\/youtu.be\/eh3IdYR3hg0\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>.<\/li>\n<li>To read more about the key events that defined the threat landscape in 2014, read the full report (PDF) on <a href=\"http:\/\/25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com\/files\/2014\/12\/Kaspersky-Security-Bulletin-2014-EN.pdf\" target=\"_blank\" rel=\"noopener nofollow\">the Securelist website<\/a>.<\/li>\n<\/ul>\n<p>As an added bonus, Kaspersky Lab is launching an interactive project, the <a href=\"https:\/\/apt.securelist.com\/\" target=\"_blank\" rel=\"noopener\">\u2018Targeted Cyberattack Logbook\u2019<\/a>, today. It chronicles all the complex cyber-campaigns, or APTs, that have been investigated by the company\u2019s Global Research and Analysis Team. To explore the logbook, visit <a href=\"https:\/\/apt.securelist.com\/\" target=\"_blank\" rel=\"noopener\">apt.securelist.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab experts shared their predictions on the evolution of APT. While these predictions may not come true, they are based on facts and trends already observed. 
<\/p>\n","protected":false},"author":209,"featured_media":15776,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[499,2253,282,2254,2255],"class_list":{"0":"post-15039","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-apt-attacks","11":"tag-cybersecurity","12":"tag-cybersecurity-in-2015","13":"tag-kaspersky-research"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/the-crystal-ball-of-facts-2015-apt-predictions\/15039\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/the-crystal-ball-of-facts-2015-apt-predictions\/15039\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/the-crystal-ball-of-facts-2015-apt-predictions\/15039\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=15039"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15039\/revisions"}],"predecessor-version":[{"id":28390,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15039\/revisions\/28390"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/15776"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\
/wp\/v2\/media?parent=15039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=15039"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=15039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}