3.1.19

What is threat cumulativity and what does it mean for digital security?


A reflection on how acknowledging the cumulative nature of cyber-threats and understanding its implications can benefit our digital security
Threat cumulativity is a term I began to use in 2018 to refer to the tendency of new technologies to spawn new threats that add to old threats without displacing them. In this article I give some examples of what I mean by threat cumulativity, some thoughts on why I came up with this term, and suggestions as to how it might prove useful in getting to grips with digital security.
Yes, security is cumulative
A few years ago, someone asked me to give a talk on the top five or six things that I had learned since I started researching computer security back in the 1980s. The first thing that came to mind was this: security is cumulative. In other words: protecting information systems and the data they process requires anticipation of new threats while defending against old threats.
So I made a slide that said “security is cumulative” and I started to include it in my talks about what is now called cybersecurity or – my preferred term – digital security. Fortunately, my presentations had already evolved in a way that illustrated the cumulative nature of threats to information systems.
In recent years I’ve given numerous talks that stressed the need for businesses to grasp the true scale of the cybersecurity problem, specifically the way it has progressed from disgruntled teenagers in hoodies hunched over keyboards in dark basements to coordinated campaigns of villainy in cyberspace. One approach I use to make my point is showing screenshots of the markets that traffic in stolen data. I also diagram the structured activity behind the creation and execution of malware campaigns.
When I first took this approach I said things like: “Don’t think random teenagers in basements, think people who go to work every day to penetrate systems and steal data.” But then I realized that was a mistake. Why? Ethically-challenged young hackers in hoodies have not gone away. Some of the biggest names on the internet learned that in 2016 when the Mirai botnet went from attacking Minecraft sites to taking down a major Domain Name System provider (the story of the perpetrators was covered in depth by Brian Krebs – himself a victim of Mirai and other teenage criminals).
Clearly, there is a need to protect information systems from well-resourced cybercriminals exploiting the latest vulnerabilities, but at the same time it would be foolish to neglect the threat from random hacker wannabes who are short on clues about consequences. Likewise it would be irresponsible for an organization to neglect anti-ransomware measures just because of a rise in cryptomining (as reported last year under headlines like “Why cryptomining is the new ransomware” and “Ransomware is so 2017”).
What cumulativity means for security
Security professionals have been dealing with the practical implications of threat cumulativity for decades. Once upon a time, computer security meant protecting a computer, a room-sized machine that usually lived behind locked doors. Threats back then included power supply issues, fire, flooding and other natural disasters. The main human threats were data entry errors or malicious code created by people authorized to use the computer, in other words: insiders. As computers got smaller and more numerous, more people learned how to use and abuse them, and the range of threats expanded to include theft of the computer and its components (the theft of an IBM PC was my first professional encounter with computer crime, circa 1986). At the same time, earlier threats like earthquakes persisted (one of my publishers lost many PCs due to overheating when the San Francisco earthquake of 1989 rendered its offices inaccessible and knocked out the air conditioning.)
The use of removable media – such as floppy disks – increased the viability of new threats like computer viruses and data theft. When the networking of computers started to happen, old threats like insider abuse and data theft were given fresh opportunities, even on small Local Area Networks or LANs. When organizations started to connect multiple offices over Wide Area Networks (WANs) then data and system access was exposed on wires that the organization itself could not protect. And of course the coming of “The Internet” took that problem to a whole new level.
Of course, at each step of the way, security professionals have warned that deploying new technology that is not “secure by design” will only add new threats to the already considerable security burden. About the middle of 2018, I articulated this aspect of threat cumulativity as a Twitter thread. Sadly, it did not “go viral,” but it did help me clarify my thoughts, so I want to share it here:
1. For several years I have been using the phrase “security is cumulative” when briefing organizations on information security strategy. Here is how this comes about.
2. Each step in the evolution of technology has prompted warnings about criminal abuse and unforeseen negative consequences. Many warnings go unheeded until incidents of abuse and negative consequences occur;
3. at which point the problems are debated and measures to address them are drafted. Many of those measures are then ignored and the problem is talked down in some circles. While some measures may be implemented, it’s too late or without enough resources to make a difference.
4. The result is new threats, even as old threats persist. I propose we call this phenomenon the cumulativity of threats. Here is an example:
5. People exploiting vulnerabilities in software are a threat to the security of your information, which is also threatened by people using phone calls to perpetrate support scams. In other words, threats permeate the technology stack, from the telephone to the latest software.
6. Threat cumulativity has several important implications. Most obviously, you have to guard against old threats while thwarting new ones. But threat cumulativity also has serious implications for the future of technology.
7. For example, I would argue that – unless we change the way we have been doing things – cumulativity will negatively impact the odds of humans achieving a net improvement in the quality of life from each new generation of technology.
Ever since I wrote that, I have seen a lot of confirmation that my observations are correct. Of course, there’s probably some confirmation bias at work, but consider a single 10-day chunk of information security news randomly sampled from 2018:
That’s five examples in 10 days, five headlines that reflect the reality that “security is cumulative”. While many information security professionals have, over the years, stressed the need to learn from history, I decided that this aspect of digital security – the need to defend against an accumulating list of threats – deserved a name, hence: threat cumulativity.
Helpful language?
I assume there will be some objections to the term “threat cumulativity”. Some will say “cumulativity is not a word” and “everybody knows this already.” To the first point, cumulativity is a word, as I will explain in a moment. As for “everybody knows this already” let me clarify: if you are a security expert, you probably do know that threats are cumulative. But a whole lot of people whose work impacts security have not yet internalized the implications of this phenomenon. I think that having a term to describe the phenomenon will help to spread awareness of its implications.
As for cumulativity, it is a term used in linguistic semantics to describe an expression (X) for which the following holds: “If X is true of both of a and b, then it is also true of the combination of a and b” (Wikipedia). A commonly cited example is the expression “water”. If you combine two things that are water, what you get is more water. That said, I freely admit to not being an expert in linguistic semantics (although I do have a degree in English). Nevertheless, I think that adapting cumulativity to the security lexicon is a valid use of the word, one that can help people understand – and defend against – the phenomenon it purports to describe.
Another possible objection to “threat cumulativity” is that a better term might be “risk cumulativity.” This is a non-trivial point and so I am going to address it in a separate article. That said, I think there are good strategic reasons for using “threat” here rather than “risk”. However, I’d also like to hear what you think. Is the idea of threat cumulativity helpful? Do you see examples of this?

1.1.19

2018: Research highlights from ESET’s leading lights


As the curtain has fallen on yet another eventful year in cybersecurity, let’s look back on some of the finest malware analysis by ESET researchers in 2018
If you never got the chance to read this year’s investigations by ESET researchers into some of the most dangerous hacker shenanigans in recent years, or if you just want to refresh your memory, now is the time. Let’s cut to the chase and recall just a handful of ESET’s delvings into the murky depths of 2018’s malware, including malicious code targeting Linux servers.
The evil twin
On one occasion, it wasn’t only fellow cybersecurity professionals who sat up and took notice, as ESET researchers uncovered a rootkit that goes to especially great lengths – and, indeed, depths – in order to open a backdoor to the targeted machine. While extremely rare, rootkits that burrow all the way into the computer’s Unified Extensible Firmware Interface (UEFI) aren’t entirely unheard of, and proof-of-concept samples thereof have been seen before. However, this was the first time that such a rootkit was detected in active use.
Unsurprisingly, LoJax – as we named the rootkit – is the work of an Advanced Persistent Threat (APT) group. In this case, our research uncovered solid evidence to tie the rootkit to a particularly nefarious hacking collective nicknamed Sednit (and also called APT28, Sofacy, Strontium, and Fancy Bear). This group has made a name for itself by possessing a diverse set of insidious tools that – as previously documented, on many occasions, by ESET researchers among others – it has deployed against a range of geopolitical targets.
To implant LoJax deep inside a system’s innards, Sednit has repurposed legitimate anti-theft software for laptops, which is known as LoJack (hence the rootkit’s name). LoJax co-opts the LoJack agent in order to maintain usermode persistence, after Sednit’s operators use legitimate utilities to overwrite parts of the victim machine’s SPI flash memory, where the LoJack UEFI module resides.
LoJax is both extremely difficult to detect – particularly for security software that doesn’t incorporate UEFI protection – and exceptionally persistent. Legitimate anti-theft software must withstand a reinstallation of the operating system and even a replacement of the hard drive if it is to enable its owner to track down a lost or stolen computer. After all, a hard drive replacement or an operating system reinstallation could very well be the first thing a thief will do, and it is this ability to resist removal that LoJax co-opts from LoJack.
At any rate, there is a remedy when a system is compromised with LoJax. Its owner has essentially two ways to clean up: re-program the machine’s SPI flash memory or replace the motherboard outright. Neither option is simple, however, and both go far beyond the usual process of malware removal. This, again, helps illustrate just how intrusive, persistent and ultimately dangerous a threat LoJax is.
Does LoJax portend an explosion in malware targeting computer firmware? Hardly, given that this is not your run-of-the-mill sort of malware. However, attackers do have the habit of borrowing from the devious playbooks of their predecessors, with LoJax aiding and abetting malware writers to expand the frontiers of computer intrusions. And this only highlights the importance of effective UEFI scanning and threat blocking.
Rumor has it … no longer
In another major discovery of 2018, ESET researchers unearthed enough evidence to assert that malware known as Industroyer, which caused the hour-long blackout in and around Ukraine’s capital, Kiev, in late 2016, was the work of the same threat actor that would unleash the NotPetya (DiskCoder.C) wiper disguised as ransomware six months later.
The culprit – a prolific APT collective called TeleBots – is descended from a group called BlackEnergy, whose eponymously named malware was responsible for another breakthrough incident: a power outage that affected a quarter of a million homes in Ukraine and lasted several hours in December 2015.
The above effectively ties three of the most impactful malware-induced incidents in memory to the same threat actors.
Speculation that TeleBots hatched Industroyer was rife after ESET researchers released their findings about this most powerful modern malware that targeted industrial control systems. Incriminating evidence was missing, however – until the same ESET researchers picked apart a piece of malware that they code-named Win32/Exaramel and that shared significant code similarities with the main Industroyer backdoor.
At its simplest, Win32/Exaramel is an upgrade of the backdoor that was at the heart of Industroyer. And although the attack deploying the improved version was prevented thanks to ESET’s timely alert to Ukraine’s authorities, “the discovery of Exaramel shows that the TeleBots group is still active in 2018”. That’s reason aplenty to worry as 2018 draws to a close.
More shades of malice
TeleBots isn’t the only heir apparent to BlackEnergy, which seems to have gone dark after the December 2015 blackout. Another nefarious collective, called GreyEnergy, has been operating in parallel, and probably in close liaison, with TeleBots. That said, the turf and modus operandi of each of the two groups differ substantially.
As revealed by another landmark piece of ESET research – the first to shine a light on GreyEnergy globally – this hacking group doesn’t court attention for its malice. Instead, it engages in reconnaissance and espionage, ostensibly in order to prepare the ground for future attacks of its own making or to grease the wheels of operations to be run by other groups. All the while, GreyEnergy aims to lie low and vanish ‘into the fog’ once it has done its job.
GreyEnergy’s malware toolkit shares a number of similarities with that of its predecessor, although GreyEnergy was actually found to be an enhancement of BlackEnergy and “with an even greater focus on stealth”. At any rate, both groups share a keenly malicious interest in the energy sector and critical infrastructure in Ukraine and Poland.
Ties between GreyEnergy and TeleBots, for their part, are evidenced by the former’s use in December 2016 of a worm, called ‘Moonraker Petya’, that turned out to be a precursor to the NotPetya worm, unleashed by TeleBots six months later. At the risk of repeating ourselves: GreyEnergy is yet another extremely dangerous threat actor that is worth watching closely.
Turning tables
First off, bear with us while we recall a few quick facts from history prior to 2018. More than five years ago, ESET researchers analyzed and helped disrupt Operation Windigo, a malicious campaign that created a botnet comprising tens of thousands of Linux-powered servers. Windigo stood out for many things, but let’s settle for just two of them:
First, at its heart was a highly advanced backdoor and credential-stealer called Linux/Ebury that abused a widely used suite of remote connectivity tools known as OpenSSH. Second, before installing itself, Linux/Ebury would check if other OpenSSH backdoors were present on the system.
Looking at the code allowed ESET researchers to discover other in-the-wild SSH backdoors, some previously unknown to the AV community. Fast forward to 2018 and ESET unveils new research that describes this effort, offering unique insights into the state of affairs in Linux server-side malware.
Having tracked down in-the-wild backdoors in OpenSSH servers, the researchers have documented no fewer than 21 malware families, including 12 that had not been ‘on file’ before. They include both simple (off-the-shelf) and advanced (bespoke) malware, variously operated by crimeware and APT groups.
Eighteen out of the 21 strains are fitted with credential-stealing features, while 17 contain a backdoor mode. The associated white paper provides a comprehensive view of the malware strains and their inner workings, representing a significant contribution to the body of research into Linux-specific malware.
All told, this research effort is also a reminder that, while Linux may, for whatever reasons, be hit with less malware than Windows, the security of Linux-based systems, including internet-facing servers, may not be as bulletproof as some may (want to) believe.
Conclusion
To be sure, the research sketched out above draws on only a sample of the deliberate and purposeful methods used by some of the world’s most resourceful cybercriminals. And yet, that sample is more than enough to illustrate the magnitude of the threat represented by miscreants as the curtain is set to open on 2019.
More findings from the ESET research community are available in a dedicated section on our website.