Last updated at Wed, 07 Apr 2021 18:25:19 GMT

This blog is the third post in our annual 12 Days of HaXmas series.

This past year was a brutal one for cybersecurity professionals, between mega-credential dumps, massive breaches, increasingly sophisticated and rapidly changing attacker techniques, the web (and routers!) awash in cryptocurrency miners, content delivery network (CDN) takeovers enabling at-scale card skimming, nigh unstoppable and continuously evolving banking trojans, and scads more internet-connected devices becoming drones in planetary-wide botnets.

As you read through that list, you likely said in your best CISO Scrooge voice, “Speak comfort to me, hrbrmstr!”

To wit, I would reply in my best Marley voice, “I have none to give.”

In this, I feel a bit like Jack Skellington in “The Nightmare Before Christmas”:

I'm sick of the scaring, the terror, the fright.
I'm tired of writing 'bout groups that do hack in the night.
I've disdain for attackers who are just out of reach.
There must be more to life than just yelling, "Breach!".

Alas, unlike the Pumpkin King, I’m not allowed to commit the serious felonies of kidnapping a magical toymaker/distributor and stealing their identity to make myself feel better. But what I can do is share some of said dismay with you to help you prepare for 2019 (aka the Nightmare After Christmas). Even if you’ve seen the animated feature, you may not be aware that it stemmed from a poem by Tim Burton. While we won’t do a reprise of 2016’s featurette, I will draw upon some of that Burton prose to scare prepare you for what’s to come.

Act I: Prepare for the phishing onslaught

'Twas the nightmare after Christmas, and in all the orgs,
Not a CISO was peaceful, but nor were they bored.
Their servers delivered emails here and there,
That when opened this day would cause quite a scare!

According to data from the Anti-Phishing Working Group, we can expect to deal with increased levels of phishing attacks in the first part of the new year. In fact, it’s a bona-fide seasonal trend:

Phishing is still the primary means of entry for attackers, and until those economics change, you’ll need to continue to focus on crafting clever attacker awareness messaging, teaching employees and contractors in your care how to spot a phish, and bolstering your email phishing defenses.

Act II: Leave the IoT at home and watch out for IoT bots

Unaware that these Things could be misdirected,
Employees gifted gadgets, each internet-connected.
Both CEO Susie and CIO Dave;
brought their Echos to work (voice commands they did crave).
And CFO Neeman was all in a rush
To set up corporate WiFi on his connected toothbrush;
Facilities said it was time to replace
All displays, corporate-wide, yes, all over the place;
So they yanked out the old and substituted with new
"Smarter" ones (with Netflix and Hulu).

At Rapid7, we talk a lot about the IoT (which we try to call “internet-enabled devices/tech”), and for good reason: People are adding microphones, cameras, CPU, memory, networking, and full-fledged operating systems to everything from personal care products to dinner table utensils to shoe inserts.

Shadow IT was bad enough when it was just employees violating corporate acceptable use policies and using their favorite personal apps and cloud services at work. Now, you’d be hard-pressed to find an office anywhere in the modern world without multiple voice assistant smart speakers, one or more smart televisions (most of which have sensors and mics and likely run some bygone version of Android OS), smart watches, and more connected to the corporate WiFi (or, if you’re lucky, “just” guest WiFi).

Internet-connected “things” are almost invisible inside an organization, and attackers get tons of practice finding and compromising these devices on the public internet. Take Hikvision products, for example. Our latest Sonar scan found over 1.5 million of these cameras/surveillance systems on the internet:

Vast numbers of them are deployed with very weak configurations, and these devices have had their share of vulnerabilities over the years.

While cameras are an easy target to pick on ever since Mirai hit the scene back in 2016, “weak” would be a good word to describe mostly any internet-connected “thing” you stick in your home or workplace (even the industrial-scale ones).

You should run discovery scans for these devices regularly and watch for egress connections to well-known networks and cloud providers associated with them. Watch out for devices with microphones and cameras, especially in workplace areas where sensitive matter may be discussed.
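One practical way to act on the "watch for egress" advice is to sift resolver logs for internal hosts that talk to vendor clouds associated with consumer devices and that are absent from the asset inventory. The script below is an added example for this post, not Rapid7 tooling; the vendor-cloud suffixes, the asset inventory and the BIND-style query log lines are all constructed for illustration, and in practice the suffix list would come from your own research into the devices you care about.

```python
import re
from collections import defaultdict

# Hypothetical vendor-cloud suffixes mapped to a device class (constructed
# for this example; populate from your own vendor research in practice).
IOT_CLOUD_SUFFIXES = {
    "voice-assistant.example": "smart speaker",
    "tv-telemetry.example": "smart TV",
    "cam-cloud.example": "IP camera",
}

# Constructed asset inventory: addresses IT has actually approved.
KNOWN_ASSETS = {"10.0.1.10", "10.0.1.11"}

# Constructed resolver query log in a simplified BIND-like layout.
SAMPLE_DNS_LOG = """\
2018-12-20 09:01:02 client 10.0.1.10#51234: query: mail.corp.example. IN A
2018-12-20 09:01:03 client 10.0.1.42#40001: query: api.voice-assistant.example. IN A
2018-12-20 09:01:04 client 10.0.1.42#40002: query: ping.voice-assistant.example. IN A
2018-12-20 09:01:05 client 10.0.1.77#40003: query: telemetry.tv-telemetry.example. IN A
2018-12-20 09:01:06 client 10.0.1.11#40004: query: notvoice-assistant.example. IN A
2018-12-20 09:01:07 client 10.0.1.11#40005: query: cam-cloud.example. IN A
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_dns_log(text):
    """Yield (timestamp, client_ip, qname) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected layout
        yield m.group("ts"), m.group("ip"), m.group("qname").rstrip(".").lower()


def classify_domain(qname):
    """Return the device class for qname if it sits under a watched suffix.

    Matching is on a label boundary, so 'notvoice-assistant.example'
    does not match the 'voice-assistant.example' suffix.
    """
    qname = qname.rstrip(".").lower()
    for suffix, device_class in IOT_CLOUD_SUFFIXES.items():
        if qname == suffix or qname.endswith("." + suffix):
            return device_class
    return None


def find_shadow_iot(text, known_assets=KNOWN_ASSETS):
    """Group watched-domain lookups by client and mark inventory status."""
    domains = defaultdict(set)
    classes = defaultdict(set)
    for _ts, ip, qname in parse_dns_log(text):
        device_class = classify_domain(qname)
        if device_class is None:
            continue
        domains[ip].add(qname)
        classes[ip].add(device_class)
    report = {}
    for ip in domains:
        in_inventory = ip in known_assets
        report[ip] = {
            "in_inventory": in_inventory,
            # An unknown host talking to a vendor cloud is the shadow-IoT case;
            # a known host doing so still deserves a look, but less urgently.
            "severity": "review" if in_inventory else "high",
            "device_classes": sorted(classes[ip]),
            "domains": sorted(domains[ip]),
        }
    return report


def format_report(report):
    """Render one line per flagged host, highest severity first."""
    lines = []
    ordered = sorted(report.items(), key=lambda kv: (kv[1]["severity"], kv[0]))
    for ip, info in ordered:
        lines.append(
            f"{info['severity']:>6} {ip:<12} {', '.join(info['device_classes'])}: "
            f"{', '.join(info['domains'])}"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(find_shadow_iot(SAMPLE_DNS_LOG)):
        print(line)
```

Run as-is, it flags 10.0.1.42 and 10.0.1.77 as high (unknown hosts reaching a smart-speaker and a smart-TV cloud) and 10.0.1.11 as review (inventoried, but reaching a camera cloud). Feeding it your real resolver log and inventory export is the only change needed; the label-boundary match in classify_domain is what keeps look-alike domains from producing false positives.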

Finally, the Hikvision chart should give you some pause. That’s just one type of internet-enabled device with a widespread internet presence, of which a large portion serves dual masters: those who want to look at their surveillance cameras and the bot operators who really own them. These bots are using denial-of-service (DoS) attacks and spam/phishing campaigns (among many other nefarious things). Don’t contribute to these toxic internet wastelands by wittingly (or unwittingly) putting your own weak kit out there.

Act III: Duck and cover

There were packets of terror, CISO Jack did not glance,
For he was much too involved with PCI compliance;
Jack finally peered thru the cyber-teams' window
And saw the commotion; monitors all aglow!
"Why, they're celebrating, it looks like such fun!
They're pleased with all the SOX control work we've done!"
But what he thought was elation and patting of backs
Were malware infections combined with DoS attacks.

There’s no question you’re going to be busy in 2019. It’s highly likely you’ll be dealing with the following:

  • Continued battling against cryptominers in-browser and in-device
  • Further and rapid evolution of the Emotet trojan, which is already pretty advanced
  • Significant increases in CDN takeovers (aka Magecart) that go beyond payment card data as targets
  • Attackers aiming at far more under-the-radar protocols in use by myriad under-the-radar devices/services to hide/mine/move
  • A resurgence of breaking and entering and exfiltrating, especially if cryptocurrency markets keep bottoming out
  • Bottom-feeders with advanced digital weaponry as the time delay between hand-me-downs from nation-states to script kiddie ratchets down to nigh 0

This is a lot to deal with, but perhaps there are some words of comfort I can leave you with.

To end on a high[er] note, while the attackers still clearly have the advantage, we defenders have real evidence that focusing on the fundamentals works. We finally have a usable, meaningful, and tangible knowledge base of adversary tactics and techniques based on real-world observations. We have massive amounts of threat data, threat information, and—dare I even say—threat intelligence that we finally need to start sharing better in 2019. Armed with this tool chest, we should be able to make great strides in the coming year and begin to turn the tide together.

There's a lot more, blog reader, that I'd like to say,
But now I must hurry, for it's almost Christmas day.
So as I :wq! on this tome, with a wink of an eye,
I say "Merry Christmas," and bid ye goodbye.