This year marks the 16th anniversary of Black Hat, and to celebrate, the security company Venafi released a report chronicling nearly two decades of cyberattacks.
More than just a parade of malicious accomplishment, the Venafi report
tells a remarkable story about the changing motivations and techniques
of cyberattacks, and what it means for the future.
From Basement Hobby to Cybercrime
Venafi says that around the time the first Black Hat conference was held in
1997, hackers were looking for fame by compromising computer systems
with worms and viruses. That changed quickly.
"The mid-to-late 2000s saw the emergence of spyware and
bots launched by cybercriminals in search of financial gain," writes
Venafi. This signaled an important change, as potential profits brought
new players to the table.
"The most recent era of the evolving cyberattack landscape
has proven to be the most dangerous yet, as it is no longer being
driven by the lone wolves of the world but rather by heavily-backed
cybercriminals and state-backed actors with political and financial
objectives," writes Venafi. The report also gives a nod to the rise of
hacktivism in recent years, where political motivations outweigh
financial gain.
Venafi writes that a consequence of this evolution has
been the proliferation of advanced tools and techniques. "Because the
most advanced attack techniques are available to everyone, any attack
could be launched with the heaviest and most decisive cyberartillery
available," reads the report. This means a high-level attack could come
from anywhere, like "a facility identified by the likes of Mandiant or
from grandma's basement."
New Weapons and Weaknesses
Along with the changing actors behind the attacks, the attacks themselves have grown
and evolved to take advantage of different vulnerabilities and
technologies. To demonstrate, Venafi takes a little walk down
cybersecurity memory lane, looking at famous attacks from 1997 on.
Remember the CIH computer virus? Venafi calls it one of
the most damaging viruses to date, one that infected 60 million computers.
Allegedly, it was created by a Taiwanese student, Chen Ing-hau, to
"challenge the bold claims of the antivirus community."
While Anonymous and LulzSec have made extensive use of
DDoS attacks in recent years, Venafi says that the first DoS attack took
place in 1998. Then as now, its targets were political organizations:
the Mexican government and the Pentagon in the U.S.
Just a year later, in 1999, Venafi says the general public got a
taste of malware with the Melissa virus. This was quickly
followed by 2000's ILOVEYOU computer worm, which marked the beginning of spam attacks.
By 2004, the roots of modern APTs can be seen in worms
like Mydoom, which Venafi says "added a back door to victims' machines
to be used for future compromises." Three years later, the ZeuS Trojan
changed the game. "This is one of the first examples of an attack that
takes advantage of technologies used to ensure trusted digital
communications," writes Venafi--a tactic which would come to define
modern attacks, but not before ZeuS "infected millions of computers and
helped steal hundreds of millions of dollars."
Stolen certificates became more and more important over
the years. The ZeuS SpyEye upgrades, for instance, were retooled in 2010
to steal digital certificates and cryptographic keys. Just a year
later, DigiNotar took digital certificate theft to a new level. "For the
first time," writes Venafi, "a trust technology provider […] force
customers, including a national government, to warn the world that they
could not be trusted."
Flame, sometimes seen as a follow-up to Stuxnet, hit in
2012 and passed itself off as a Microsoft software update using rogue
certificates. "When infected computers updated, Flame intercepted the
request and instead of downloading the update, it delivered a malicious
executable that appeared to Windows as valid and digitally signed
software," writes Venafi.
Looking to the Future
The list of
attacks in Venafi's report goes on, demonstrating how attacks informed
future intrusions and what they inherited from previous attacks.
"Heavily-backed cybercriminals have reaped the fruits of early attack
forms," reads the report. "In the same way that military weapons have
made their way into physical criminal communities, advanced cyberattack
techniques that leverage cryptographic keys and digital certificates
have made their way into all levels of cybercriminal community."
It seems clear that Venafi believes that phony
digital certification is so valuable an asset to attackers that it will
continue for the foreseeable future. "By turning our greatest IT
security strengths against us," writes Venafi, "cybercriminals are able
to compromise systems, trick people, and gain access to sensitive data
no matter how well protected it is and regardless of where it resides
and travels."
While we don't know what the future will hold, this year's Black Hat conference will surely give us a glimpse. Follow SecurityWatch for more coverage from Black Hat.