1. The Death of Traditional Software Piracy, The Rise of Malware Auto-Updates
Just over 10 years ago, the Internet was riddled with Warez, keygen (key generators), and pirated software websites. It was easy to find versions of your favorite operating systems, applications, and tools with cracked versions and license keys that operated under the guise of being free—even though they were illegal and probably infected with malware.
With the paradigm shift to the cloud and application stores, many of these popular applications have disappeared from Warez sites, resulting in a welcome decrease in malware-infected applications downloaded by users. So, threat actors have concocted new attack methods. Since many cloud-based applications auto-update, cyber criminals are now targeting cloud-based update mechanisms. Their techniques include man-in-the-middle attacks, spoofed DNS, stolen keys, and even compromised cloud accounts, all used to infect applications and push malware to unsuspecting end users through auto-update.
Since the vast majority of users unreservedly trust the auto-update mechanisms of their applications, they are oblivious to the threats when their cloud connection is compromised. In 2020, this topic will command headlines as high-profile applications and operating systems are exploited by these cunning emerging threats.
2. Reruns of Old CVEs
January 2020 will usher in the end of life of Windows Server 2008 R2 and Windows 7. With millions of devices still running these operating systems, a myriad of vulnerabilities will continue to exist unless they are patched or the operating systems are replaced. Microsoft is unlikely to patch any new Critical vulnerabilities, which will pose an unacceptable risk to many organizations. These assets will appear on vulnerability reports as end-of-life operating systems carrying aging vulnerabilities. They make for an easy attack vector for threat actors, especially where new vulnerabilities have no remediation path after January 2020.
To that end, vulnerabilities uncovered years ago will return to the cyber spotlight because of active exploitation and their age. This will make an old CVE a “new” threat. And, since it is costly and potentially technically difficult to replace some of these end-of-life operating systems, 2020 will see threat actors actively assailing these systems, since they present the lowest-hanging fruit for exploitation in many organizations.
For the last several years, we have witnessed a surge of privileged attack vectors. A typical modus operandi involves threat actors compromising accounts to gain a foothold, then engaging in lateral movement, and then compromising additional assets and accounts via stolen credentials. The end goal varies: exfiltrating sensitive data, gaining a persistent presence, or causing a business disruption. The year 2020 is expected to showcase more of this, but there will be an additional component in lateral movement that security professionals need to raise visibility for: account-to-account lateral movement that compromises a user’s entire identity.
3. Identity-Theft Royal Flush - Owning Every Account an Individual Owns
As threat actors refine their strategies, they will begin to target all the accounts associated with an identity (human or non-human) and impersonate users via DeepFake technology. This will be characterized not only by DeepFake email and SMS messages, but also by a distinct rise in sophistication that entails DeepFake phone calls with spoofed accents and vocal patterns, social media hijacking, and even biometric hacking based on data that has already been compromised. Put bluntly, identity theft will occur through malicious artificial intelligence software used to impersonate an identity in novel ways we have not yet even conceived.
It matters not whether you are Republican, Democrat, Libertarian, Green Party, an Independent—or even unable to participate in the U.S. elections—the potential for election hacking has implications for everyone.
4. An Election on the Edge of Cybersecurity
The votes in the next major U.S. elections will most likely be tabulated and recorded by person, by voting precinct, by county, and by state. At each step in the voting process, paper and electronic systems will record our votes, which will be stored in secure systems to tally who our next president and regional government officials will be. This is a contentious election cycle. Considering all the previous allegations regarding voter fraud and foreign government hacking of our electoral system, as well as old-school paper ballot issues (e.g., hanging chads), the 2020 United States election will doubtlessly prove to be one for the record books, and potentially one to dread.
While data loss security incidents tend to dominate news cycles, election security helps to bring the critical issue of data integrity into focus. For the upcoming election, it’s not a matter of who actually wins, but rather whether or not the votes, and the storage and tallying of the populace’s opinion, have been tampered with, altered, hacked, or degraded in any fashion that will make headline news and cast doubt on the integrity of the entire process. This will be true regardless of whether or not threat actors or foreign governments truly succeed in altering the outcome of the United States electoral process.
Ethical hackers have already demonstrated the vulnerability of electronic voting systems at cybersecurity conferences. The risk of voter fraud through electronic hacking will be a top news story in 2020. The issue will particularly be stirred up by those individuals who find themselves at the losing end of the final ballot numbers. If the U.S. presidential race is close, hacking will become the center of attention, and cybersecurity forensics will be required to prove, or disprove, whether or not a threat actor truly succeeded in altering the election. This will also play out in congressional races and other down-ticket offices, potentially undermining leadership for our next slate of elected representatives. We will all be waiting breathlessly long after the final vote has been tallied to learn whether vote integrity and security have been upheld.