by V3 Staff
The cyber threat facing businesses, governments and even end users has been growing at an alarming rate for many years, but 2014 has been a particularly harrowing year for security professionals.
We’ve seen everything from ‘mega data breaches’ that exposed thousands, if not millions, of people’s personal and financial information, to advanced threats targeting companies that form the backbone of our critical infrastructure.
The influx of new malware and attack campaigns has left many people baffled about the threats they should be most concerned about and what they should look out for in the new year.
So we’ve created a definitive list detailing the 10 biggest cyber threats to appear in 2014.
10. Energetic bears return
The Energetic Bear hack campaign was originally uncovered by researchers at US security firm CrowdStrike in January.
The operation was focused on stealing valuable data from the energy sector, and targeted companies in the US, Japan, Poland, Greece, Romania, Spain, France, Turkey, China and Germany with watering hole attacks.
The Energetic Bear hackers caused double trouble when they re-emerged in July, mounting even more dangerous attacks that could theoretically cause physical damage to industrial control systems and power plants, like the 2011 Stuxnet virus that targeted Iranian nuclear systems.
The threat posed by Energetic Bear was so severe that the US Computer Emergency Response Team warned companies involved in critical infrastructure to check their systems for signs of infection.
9. Poodle
Poodles may not be the most intimidating of animals, but the Poodle security bug was pretty scary.
The flaw was uncovered by Google engineers in October and is considered dangerous because it affects such a wide range of systems.
The flaw exists in the slightly old but still commonly used Secure Sockets Layer version 3.0 technology, and could be exploited by hackers to steal data in a variety of ways, such as via malicious wireless hotspots.
The widespread reach of Poodle caused ripples across the technology industry and led major companies including Apple, Microsoft and Cisco to release advisories.
Worse still, while we’re yet to hear of an actual attack targeting Poodle, security researchers from firms including FireEye and NCC Group have said that we should expect to see rabid Poodles in cyber space in the near future.
8. Tor ‘breaches’
The Tor network has often been viewed as one of the safest places on the internet, and is regularly used by everyone from privacy-conscious activists to outright cyber criminals.
This year, though, a wave of incidents has led many to question whether the Tor network’s anonymising powers are as robust as previously believed.
These rumblings started when law enforcement agents managed, in November, to arrest the people running some of the biggest cyber black markets on the dark web.
How the agents found the criminals and the command and control servers used in the campaigns remains unknown, and the Tor Project has issued an open call for any information that can help its researchers figure it out.
As if this wasn’t bad enough, mere weeks later researchers from the Indraprastha Institute of Information Technology in Delhi published research claiming that hackers and law enforcement agencies could identify over 80 percent of Tor users by mounting network analysis attacks.
7. The XP zero day
One of the most talked-about events of 2014 was the inevitable end-of-life date for the Windows XP platform, which marked the cut-off of all support for the venerable operating system, including security patches.
The fateful day finally came on 8 April, along with dire predictions that millions of users would not have managed to upgrade in time, leaving themselves vulnerable to any security flaws that may have come to light once Microsoft ceased to supply patches.
This is despite the fact that Microsoft had been publicising the cut-off date at least as far back as 2009 when Windows XP moved out of the mainstream support phase of its lifecycle and into the final, extended support phase.
Sure enough, a critical zero-day vulnerability soon came to light in Microsoft’s Internet Explorer browser.
However, as this affected Windows 7 and Windows 8.1 users, Microsoft was forced to issue a patch for the vulnerability, and decided to include XP.
“We made this exception based on the proximity to the end of support for Windows XP. Just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer,” a Microsoft spokesperson said.
Regardless of the warnings, many have continued to use XP. Figures from Net Applications show that XP accounted for nearly 14 percent of computers accessing the web in November.
6. Snowman
2014 has seen an influx of vulnerabilities in Internet Explorer, and the browser has been a regular centrepiece in Microsoft’s monthly Patch Tuesday updates.
In fact, over 200 flaws have been found in Internet Explorer over the past year, and it appeared in 11 of the 12 Patch Tuesdays in 2014.
However, one particular Internet Explorer flaw stands out as the worst: Operation Snowman.
The Operation Snowman campaign was uncovered by security firm FireEye in February after researchers spotted hackers trying to infiltrate US military veterans website VFW.org.
The attack exploited vulnerabilities in Internet Explorer to break into systems and remotely execute code.
The flaw related to how Internet Explorer accessed an object in memory that had been deleted or had not been properly allocated.
The vulnerability was so severe that Microsoft released an out-of-cycle emergency fix.
5. Data breaches hit eBay, Staples and JPMorgan
Data breaches remain a staple headache for the security community, and Staples itself was one of the victims in 2014.
The Staples attack came to light in October after hackers made off with millions of credit card details. Some reports said that as many as 110 million people were affected.
Staples was not the first major retailer to be hit this year. eBay suffered an attack that made off with user names and passwords, although the firm claimed that no financial data was affected.
EBay did itself few favours by providing advice that didn’t work, failing to make it easy for people to change their passwords and taking up to two months to start informing people of the incident.
Another major institution that was left red-faced by a data breach was JPMorgan, which had to fess up to a whopping 83 million customer records being infiltrated by criminals.
4. Regin
Uncovered by Symantec in November, the Regin malware is believed to have been used for surveillance operations since 2008 against governments, major organisations and individuals.
Kaspersky Lab revealed that 14 nations have been infected by the malware so far, including Iran, Germany and Russia.
The UK, US, Australia, New Zealand and Canada remained suspiciously untouched by Regin, leading many to believe that Western intelligence agencies are responsible.
Whatever its origin, Regin’s advanced powers make it one of 2014’s biggest threats, featuring anti-forensic capabilities, encryption features and the ability to communicate using covert methods such as hiding commands in HTTP cookies.
3. WireLurker drags Apple into mobile security mire
Apple’s closed iOS ecosystem has remained mostly trouble free when it comes to security incidents. However, that all changed this year with the discovery of the WireLurker malware by security firm Palo Alto Networks.
What made WireLurker so notorious was that it could infect non-jailbroken iPhones and iPads via Mac OS X apps that had been downloaded from third-party app stores hosted in China.
“WireLurker is unlike anything we’ve ever seen in terms of Apple iOS and OS X malware,” said Ryan Olson, intelligence director of Palo Alto Networks’ Unit 42 security team.
Apple moved to counter the outbreak by blocking the apps spreading the malware, and so far infection rates seem limited.
However, the incident is likely to serve as a milestone moment in the history of mobile malware, and 2015 may well see more such incidents.
2. Shellshock
The Shellshock flaw was discovered in September and is viewed as one of the worst vulnerabilities in recent years.
Uncovered on 25 September, the Shellshock bug exists in the Bash code used in numerous Unix-based or Unix-like operating systems including Linux and Mac OS X.
The widespread use of Bash and Unix systems means that the flaw, if unpatched, can be used to target everything from servers to the industrial control systems used in critical infrastructure.
What’s worse, numerous attack campaigns were uncovered targeting Shellshock after its discovery.
These included a campaign to install malware on Nginx and Apache web servers, and an attempt to infect systems, including Mac OS X, with distributed denial-of-service malware known as Kaiten.
1. Heartbleed
Of all the security incidents to hit the headlines this year, Heartbleed came top. Uncovered in April, the Heartbleed bug referred to a vulnerability in the OpenSSL software used by around two-thirds of the world’s web servers, which would allow an attacker to steal reams of data.
The discovery was made by security firm Codenomicon and traced to a German programmer who submitted the code containing the flaw at midnight on New Year’s Eve 2011.
A fix was issued by the OpenSSL project and firms were urged to patch their systems as quickly as possible, but attacks were seen within 24 hours of the flaw being disclosed, underlining the ability for crooks to act quickly.
If there was a silver lining to this incident it was that the tech community finally addressed the lack of support and funding given to open source projects such as OpenSSL, leading to a fresh influx of cash and help for the organisation.
This has enabled it to hire more staff and take a more thorough approach to the vetting of code. Of course, more thorough vetting is also likely to turn up more flaws, so more security heartaches may be on the cards for 2015.