It’s that special time of year again! In perhaps the most festive of all end-of-the-year traditions, the cyber security community tries to predict the next big scary incident which will make headlines in the new year. At the risk of sounding cynical, building strategies to respond to cyber security threats is a bit like New Year’s resolutions… if you haven’t already started trying to form those healthy new habits, it’s unlikely that waiting until the clock strikes midnight on December 31st will make it any easier to begin. It’s rare that threat actors wait for the new year to suddenly unveil a new kind of attack, drastically change tactics, or alter their targets. Threats evolve slowly and adapt to ever-improving security controls. And so, with all those caveats—plus the guilt of not having started at that gym—here are F5 Labs’ top predictions for the new year, along with analysis from F5 malware reversers, cyber threat intelligence specialists, and security operations center (SOC) engineers.
Prediction #1: Shadow APIs Will Lead to Unforeseen Breaches
Application programming interfaces (APIs) are exploding in popularity. The convergence of mobile apps, data sharing between organizations, and ever-increasing application automation all contributed to 1.13 billion requests being made in 2021 through the API-focused developer tool Postman. However, 48% of survey respondents in the Postman State of the API report admitted to dealing with API security incidents at least once a month.[1]
As with all aspects of cyber security, it’s impossible to secure what you don’t know exists. And, according to Shahn Backer, F5 senior solutions architect and cloud and API consultant, shadow APIs represent a growing risk that will likely result in some large-scale data breaches the victim organization didn’t even know were possible.
“Many organizations today do not have an accurate inventory of their APIs and it is leading to a new threat vector known as the ‘shadow API.’ Organizations with a mature API development process maintain an asset inventory known as the API inventory, which will ideally contain information on all the available API endpoints, details on acceptable parameters, authentication and authorization information, and so on. However, many organizations do not have an API inventory, and for others, APIs in production and benefiting from continuous development will drift far from their original definition in the inventory. As a result, in both cases there are exposed APIs that organizations have no visibility into. These APIs are known as shadow APIs and I expect to see many apps breached via APIs which organizations have very little understanding – or even awareness – of.”
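One way to surface the drift the quote describes is to replay observed traffic against the API inventory and report anything the inventory does not account for. The following is an added illustration, not code from F5 or from the article; the inventory, the log format ("METHOD path?query status") and the endpoint names are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed API inventory: (method, path template) -> query parameters it accepts.
API_INVENTORY = {
    ("GET", "/api/v1/users/{id}"): {"fields"},
    ("POST", "/api/v1/orders"): {"idempotency_key"},
    ("GET", "/api/v1/orders/{id}"): set(),
}

# Constructed access-log lines: "METHOD path?query status".
ACCESS_LOG = """\
GET /api/v1/users/42?fields=name 200
GET /api/v1/users/42?fields=name&include_ssn=1 200
POST /api/v1/orders?idempotency_key=abc 201
GET /api/v1/orders/7/export 200
DELETE /api/v1/users/42 204
"""

def template_to_regex(template):
    # "/users/{id}" -> "^/users/[^/]+$" so any concrete id matches the template
    return re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")

COMPILED = [(method, template_to_regex(path), params)
            for (method, path), params in API_INVENTORY.items()]

def find_shadow_apis(log_text, compiled=COMPILED):
    """Return (unknown_endpoints, drifted_params): traffic the inventory does not describe."""
    unknown, drifted = set(), set()
    for line in log_text.splitlines():
        method, url, _status = line.split()
        parts = urlsplit(url)
        allowed = None
        for inv_method, rx, params in compiled:
            if inv_method == method and rx.match(parts.path):
                allowed = params
                break
        if allowed is None:
            unknown.add((method, parts.path))  # endpoint nobody documented: a shadow API
            continue
        for name in parse_qs(parts.query):
            if name not in allowed:
                drifted.add((method, parts.path, name))  # parameter the inventory never listed
    return sorted(unknown), sorted(drifted)
```

Run against a real gateway or WAF log export, the unknown list is the starting point for updating the inventory or retiring the endpoint.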
Prediction #2: Multi-Factor Authentication Will Become Ineffective
In our 2020 Phishing and Fraud report we showed how attackers were using real-time phishing proxies to bypass multi-factor authentication (MFA) systems. While we still strongly recommend implementing MFA solutions for all users, many organizations fail to understand the limits of a second factor when a social engineering threat actor is sufficiently motivated. Fake sites used in real-time phishing proxy attacks saw attackers collecting the common 6-digit MFA PIN and using it themselves to authenticate to the real target website. Since attacks occurred in real time, the method of MFA used made little difference—SMS messages, mobile authenticator apps, and even hardware tokens. None were able to thwart real-time phishing proxies. Since 2020, we’ve also reported on the growing trend of MFA bypass techniques, from session re-use attacks to mobile malware able to steal MFA codes.
In an effort to reduce the friction of MFA, many new solutions rely on push notifications. When a user attempts to log in to a system, rather than ask them to manually input the MFA code, modern solutions send a push notification to the user’s registered phone asking them to approve or deny the login attempt.
Remi Cohen, cyber threat intelligence manager from F5’s Office of the CISO, has this to say:
“Social engineering isn’t going away and MFA fatigue attacks, also known as MFA bombing attacks, are only going to increase in frequency and effectiveness. These MFA bombing attacks aim to annoy victims by flooding them with so many authentication requests that they approve the notification request either by accident or out of frustration. This type of attack presents an immediate risk to companies as employees are the most vulnerable threat vector to social engineering attacks. Along with that, MFA is a key security control used to prevent unauthorized access to critical assets. Oftentimes companies will overlook breached passwords or use a lower bar for the type of passphrase required because there are other compensating controls such as MFA. MFA-enabled phishing kits and MFA bombing negate that compensating control and highlight the importance again of passphrases, defense-in-depth, and moving to a zero-trust architecture where there are other factors taken into account for a company or individual’s security.”
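The push-notification flow described above leaves a distinctive trace in authentication logs: a burst of prompts, several denials or timeouts, then an approval. The following detection logic is an added example, not F5 code or anything from the article; the log format ("timestamp user result") and the threshold values are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed push-MFA events: "timestamp user result", result in sent/denied/timeout/approved.
MFA_LOG = """\
2022-12-01T02:14:05 alice sent
2022-12-01T02:14:05 alice denied
2022-12-01T02:14:40 alice sent
2022-12-01T02:15:10 alice timeout
2022-12-01T02:15:12 alice sent
2022-12-01T02:15:30 alice denied
2022-12-01T02:15:35 alice sent
2022-12-01T02:16:02 alice sent
2022-12-01T02:16:20 alice approved
2022-12-01T09:00:00 bob sent
2022-12-01T09:00:12 bob approved
"""

def parse_events(log_text):
    for line in log_text.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), max_prompts=3):
    """Flag an approval that follows more than max_prompts push prompts inside the window."""
    recent = defaultdict(deque)  # user -> (timestamp, result) events still inside the window
    alerts = []
    for ts, user, result in parse_events(log_text):
        q = recent[user]
        while q and ts - q[0][0] > window:  # drop events that aged out of the window
            q.popleft()
        if result != "approved":
            q.append((ts, result))
            continue
        sent = sum(1 for _, r in q if r == "sent")
        rejected = sum(1 for _, r in q if r in ("denied", "timeout"))
        if sent > max_prompts:
            alerts.append({"user": user, "approved_at": ts.isoformat(),
                           "prompts_in_window": sent, "prior_rejections": rejected})
        q.clear()  # an approval ends the burst, whether or not it was suspicious
    return alerts
```

An approval that follows prior denials is the strongest signal; a single legitimate login, like bob’s, never trips the rule.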
Much of the cyber security landscape is an arms race between defenders and attackers. Authentication methods are no exception. Ken Arora, distinguished engineer in F5’s Office of the CTO, considers what the future holds for MFA:
“Attackers are adapting to MFA solutions using a mix of techniques, including typo squatting, account takeover, MFA device spoofing, and social engineering. As a result, application and network defenders are looking at what’s next.
Biometric authentication is viewed with some skepticism since fingerprints, for example, can’t be changed should they need to be. Instead, behaviors—typically, user-specific behaviors—are harder to spoof, especially at scale. This might include mundane behavioral artifacts, such as the browser used and geolocation, app-specific behaviors (navigation patterns in a site, dwell times), and user behavior (double-click speed, mouse movement patterns, typing rate).”
Melissa McRee, senior manager for the anti-fraud threat analytics reporting (TAR) team, had this to add:
“Pattern analysis and anomaly detection has been applied to user behaviors to detect suspicious activities since the mid-2010s, under the moniker UBA (User Behavioral Analytics). We may be set for a leap forward in efficacy as processing capacities catch up to the data sufficiently to enable more complex real-time evaluation.”
In the near term, the FIDO Alliance’s passkey solution promises perhaps the first truly effective method to mitigate social engineering attacks, since the cryptographic key used to authenticate users is bound to the website address they are visiting.[2] It remains to be seen how quickly this new technology will be adopted by the average user.
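Why the address binding defeats a real-time phishing proxy is easiest to see in the relying-party checks of a WebAuthn assertion: the browser stamps the page origin into clientDataJSON, and the authenticator hashes the relying-party ID into authenticatorData. The following is an added example, not code from the FIDO Alliance, F5 or the article; the domain names and challenge are constructed, and the signature check (which covers both structures, so the fields cannot be altered in transit) is left out to focus on the binding.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_assertion(origin, rp_id, challenge, sign_count=7):
    """Construct the clientDataJSON and authenticatorData a browser and authenticator return."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + sign_count.to_bytes(4, "big")
    return client_data, auth_data

def check_assertion(client_data, auth_data, expected_origin, expected_rp_id, challenge):
    """Relying-party checks that tie the assertion to the genuine site."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"

RP_ID = "bank.example"              # constructed relying-party ID
ORIGIN = "https://bank.example"     # constructed genuine origin
CHALLENGE = b"constructed-16B!"     # constructed server challenge

def genuine_login():
    cd, ad = build_assertion(ORIGIN, RP_ID, CHALLENGE)
    return check_assertion(cd, ad, ORIGIN, RP_ID, CHALLENGE)

def proxied_login():
    # A proxy on a look-alike domain relays the real challenge, but the victim's browser
    # stamps the look-alike origin and scopes rpIdHash to it, so the real site rejects it.
    cd, ad = build_assertion("https://bank-example.test", "bank-example.test", CHALLENGE)
    return check_assertion(cd, ad, ORIGIN, RP_ID, CHALLENGE)
```

Contrast this with a 6-digit PIN, which carries no information about where it was typed.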
Prediction #3: Troubles with Troubleshooting
Predicting security incidents with cloud deployments might sound like we are stating the obvious, but as the frequency of breaches for cloud apps continues to grow—and since the scale of those breaches can be enormous—we think it bears repeating. As we highlighted in the 2022 Application Protection report, the majority of cloud incidents are related to misconfigurations, typically overly broad access control. So while it might seem like we are shooting fish in a barrel, insights from F5 security operations center (SOC) engineers, who see and help remediate breaches of cloud apps, add a unique perspective on the reasons that so many problems exist. Ethan Hansen, an F5 SOC engineer who focuses on securing cloud native infrastructure for customers, shares his experience:
“Whether by accident or for troubleshooting purposes, many cloud users struggle with correctly configuring access control, both at the user and network levels. Multiple times in 2022 the F5 SOC has seen users create ‘temporary’ service users and then assign them very broad permissions either via built-in IAM policies or through inline policies. These ‘temporary’ users are often created for the purposes of troubleshooting issues or for getting an application that relies on a specific user or role back up and running.
We often witness configurations in which this ‘temporary’ fix has become permanent—and rolling back changes then becomes that much harder. On top of this, if they are using long-term fixed credentials instead of short-lived credentials, there is also a chance those credentials could get stolen or leaked somehow.”
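The two conditions the SOC describes, broad permissions on a service user and long-lived fixed credentials, can be checked mechanically once the IAM users, their policies and their access keys have been collected. The following audit is an added example, not F5 code or anything from the article; the user records are constructed in the shape such a collection might produce, and the 90-day key-age threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 12, 1, 12, tzinfo=timezone.utc)  # fixed "now" so the result is reproducible

# Constructed inventory of IAM users, their attached policies and access keys.
USERS = [
    {"name": "tmp-debug-2022", "managed": ["arn:aws:iam::aws:policy/AdministratorAccess"],
     "inline": [], "keys": [{"created": "2022-03-02T10:00:00+00:00"}]},
    {"name": "app-restore", "managed": [],
     "inline": [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
     "keys": [{"created": "2022-11-20T10:00:00+00:00"}]},
    {"name": "reports", "managed": [],
     "inline": [{"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                "Resource": "arn:aws:s3:::reports-bucket/*"}]}],
     "keys": []},
]

# Built-in policies that grant far more than a troubleshooting task needs.
BROAD_MANAGED = {"arn:aws:iam::aws:policy/AdministratorAccess",
                 "arn:aws:iam::aws:policy/PowerUserAccess"}

def statement_is_broad(stmt):
    """Allow with a wildcard action ("*" or "service:*") on a wildcard resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    return any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources

def audit_users(users, now=NOW, max_key_age=timedelta(days=90)):
    """Return (user, finding) pairs for broad policies and long-lived access keys."""
    findings = []
    for u in users:
        if any(p in BROAD_MANAGED for p in u["managed"]):
            findings.append((u["name"], "broad managed policy"))
        for pol in u["inline"]:
            if any(statement_is_broad(s) for s in pol["Statement"]):
                findings.append((u["name"], "broad inline policy"))
        for k in u["keys"]:
            age = now - datetime.fromisoformat(k["created"])
            if age > max_key_age:
                findings.append((u["name"], f"long-lived access key ({age.days} days)"))
    return findings
```

A ‘temporary’ user that still appears in this output months later is the permanent fix the quote warns about.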
Prediction #4: Open Source Software Libraries Will Become the Primary Target
Much like the global economy in which we all live, software is becoming increasingly interdependent. Many apps and services are built using open-source libraries, yet few organizations can accurately detail every single library in use. As defenders improve the “perimeter” of applications (i.e., public-facing web apps and APIs), threat actors will naturally look toward other vectors. Increasingly, a preferred vector is the use of third-party code, libraries, and services within an application. As much as 78% of code in hardware and software codebases is composed of open source libraries and not developed in-house.[3] As a threat actor, if you knew that more than three quarters of an application’s code was maintained in open source libraries, it would make sense to target those code repositories.
In recent years, we have witnessed a growing number of methods in which libraries pose risks to the organizations that rely on them:
- Developer accounts were compromised, commonly due to the lack of MFA, leading to malicious code being inserted into widely used libraries and Google Chrome web browser extensions
- Trojan and typo-squatting attacks, in which threat actors develop tools which sound useful or have very similar names to widely used libraries
- Destructive and other malicious code deliberately inserted by the genuine author of a library as a form of hacktivism or political protest
Ken Arora considers what this all means for the future of app development:
“Many modern apps leverage software-as-a-service (SaaS), such as centralized authentication, databases-as-a-service, or data leakage prevention (DLP). If an attacker can compromise either the open source software (OSS) code base or a SaaS offering that is consumed by an application, the attacker then has a toehold ‘inside’ the application, bypassing perimeter defenses such as web application firewalls and API gateways.
This toehold can then be exploited for lateral motion in different forms (remote shell, monitoring, data exfiltration). The consequence of this is that software developers will want greater visibility into the software components that an application is composed of and, most notably, a Software Bill of Materials (SBoM) that enumerates all the software components. This will allow the consumer of the delivered software product to more quickly and efficiently determine if any discovered vulnerabilities will affect the product.”
Aaron Brailsford, principal security engineer for F5’s security incident response team (SIRT), agrees that SBoMs are sorely needed, but notes that they will bring with them a huge amount of work for organizations:
“I think the widespread adoption of SBoMs is going to unearth an enormous amount of tech debt. I don’t believe uncovering that will make any products or systems inherently less secure, but I do think it is going to shine a spotlight on the somewhat haphazard way the industry develops products now. Companies are going to have to make some heavy inward investments to either bring older systems up to date and fix or mitigate large (very large—thousands) numbers of vulnerabilities, consider starting with a clean slate for a new generation of products, or both. There is, of course, always the chance that customers will simply learn to accept huge numbers of unfixed vulnerabilities in their chosen products because they’re all much of a muchness. I’m rooting for sweeping change, not apathy.”
We asked Ken what he considered to be the solution to the risks posed by third-party libraries:
“For undisclosed/zero-day vulnerabilities, the best chance to detect the attacker is to have visibility into the internal ‘east-west’ traffic between software components and services ‘inside’ the application, as well as how those components interact with the underlying platform (IaaS). Today, these interactions are captured by CSPM (infra), CWPP (e-w), and ADR (app layer); these separate markets will need to come together to provide the holistic view required to detect intra-app threats with high efficacy and a low rate of false positives.”
Prediction #5: Ransomware Will Expand on the Geopolitical Stage
It is no stretch to claim that encrypting malware is now at epidemic levels. But it’s not all about “encrypting data for impact,” as the MITRE ATT&CK framework refers to ransomware.[4] Last year we found that, including non-encrypting varieties, malware was the single biggest cause of data breaches for U.S. organizations in 2021. Attacker focus is very much about exfiltrating (stealing) data. Once they have their hands on it, they then have multiple ways in which they can monetize their efforts.
Aditya Sood, senior director of threat research in F5’s office of the CTO, has recently uncovered a growing trend in ransomware directly targeting databases:
“Organized cybercrime and nation-state adversaries will continue to develop their ransomware tactics and we expect them to focus, in particular, on critical infrastructure. Ransomware attacks against cloud databases will increase dramatically in the coming year since that’s where mission critical data resides, for businesses and governments, alike. Unlike traditional malware which encrypts files at the filesystem level, database ransomware is able to encrypt data within the database itself.”
David Arthur, F5 security solutions architect for the Asia-Pacific region, believes that scams that result in successful ransomware infections will be the main driver in attracting political pressure:
“Attackers are going to increase their attempts to monetize breach data directly from the impacted individual through various kinds of scams and downstream fraud (e.g., applying for new credit cards). These scams are getting more credible and, while they still contain obvious mistakes to the trained observer, will likely be quite successful; the juice will definitely be worth the squeeze for the attackers. From the attacker mindset, if theft of customer’s personal information can’t be monetized by extorting the breached organization (for example, asking for a ransom, threatening to release intellectual property, etc.), then their targets will shift to the individual.”
Ransomware has been creating severe business operational issues, and impacting personal privacy, for years, with very little being done at the political level to combat it. The exceptions occur when critical infrastructure (CI) is impacted. Shortly following the Colonial Pipeline attack in June of 2021, U.S. president Joe Biden was reported to have put pressure on Russian president Vladimir Putin to act on the number of ransomware gangs that appear to operate from Russia, seemingly with impunity. Applying geopolitical pressure—along with legislating cryptocurrency use, as it is the enabler for many cybercrimes—seems like a much more effective technique to combat this epidemic than technical controls. So, it seems reasonable to predict that further political pressure will only come if (or, rather, when) another nation suffers a serious, high-profile impact to an area of their CI.
It’s rare that threat researchers reveal trends in attacker behavior that drastically alter the focus and priorities of CISOs and other security leaders. Our predictions for 2023 are likely no exception. Many of our observations of malicious activities teach us that attackers only make significant changes in their operations when forced to by the improving security controls we all use, such as MFA. What this suggests is that we need something radical to happen. Neither incremental improvements in technology nor geopolitical pressure alone is likely to make a significant difference to many of the attacks we face, particularly those that directly target the end user. Where there is money to be made from scams, fraud, and other forms of social engineering, the criminal element will find a way to exploit things to their advantage.