It’s December, and in the security industry that means one thing: predictions from experts about what trends will emerge in the next year. As always, some stuff is new, while other items show up on these lists every year.

Criminal groups will increasingly adopt nation-state tactics. There are a couple of ways that I see this potentially working: the nation-state groups could work together with criminal groups towards a common goal. State groups could also contract their espionage activities out to criminal groups, that will use criminal tools and expertise to perform spying activities, steal intellectual property or gather intelligence about vulnerabilities. Below there are nine predictions from experts.

ShellShock, the remote code execution bug affecting GNU Bash, the command interpreter present on many Unix systems and Linux distributions, is still being exploited by attackers.

Experts warn about attackers leveraging a new version of the Bashlite malware, which was initially created as a DDoS bot with brute forcing capabilities and exploits the ShellShock bug. The malware now targets both computers and other devices running on BusyBox, located on the same network. The BusyBox software provides a number of Unix tools in a single executable file, and was specifically developed for embedded operating systems with limited resources. 

The persistence of the Shellshock vulnerability remains high more than a month after it first surfaced. The latest attacks involved SMTP servers belonging to web hosts. Attackers are using Shellshock exploits targeting the now infamous vulnerability in Bash in order to drop a perl script onto compromised computers.

The script adds the hacked computers to a botnet that receives its commands over IRC. The attack leverages Shellshock as a main attack vector through the subject, body, to, from fields. Once compromised, a perl botnet is activated and beaconing on IRC for further instructions.

Polycom has published a security advisory listing several products that are vulnerable to the recently disclosed GNU Bash vulnerability dubbed "ShellShock." Polycom provides telepresence, video, voice and infrastructure solutions to 400,000 organizations worldwide.

The company says some of its products are still under investigation, but so far it has identified a dozen solutions plagued by the Shellshock bug. The ShellShock vulnerability can be exploited via four attack vectors. Depending on the vector, organizations can take steps to protect themselves before a patch is released by the vendor.

In what seems like the most impactful security vulnerability since the OpenSSL Heartbleed affair, a new Internet-wide bug emerged this week in the Bourne again shell (Bash).

While its true severity remains unknown, the Bash vulnerability (also known as “shell shock”) is being talked about everywhere, and you may have even seen your local news anchors discussing the story in front of a green-screen covered in fast-scrolling computer code on last night’s evening news. Bash is present in a very large number of Web-servers and in-home appliances. What is Bash?

With a bug as dangerous as the “shellshock” security vulnerability discovered yesterday, it takes less than 24 hours to go from proof-of-concept to pandemic. The shellshock attacks are being used to infect thousands of machines with malware designed to make them part of a botnet of computers that obey hackers’ commands.

And in at least one case the hijacked machines are already launching distributed denial of service attacks that flood victims with junk traffic, according to security researchers. The attack is simple enough that it allows even unskilled hackers to easily piece together existing code to take control of target machines.