Cyber security company Fortinet last week published its semi-annual FortiGuard Labs Global Threat Landscape Report. Research findings covered in the report for the first half of 2022 include:
- More and more ransomware variants are appearing as a result of the popularity of Ransomware-as-a-Service (RaaS) on the dark web.
- Cybercriminals continue to target the endpoints of mobile and home workers to gain access to corporate networks. Operational technology (OT) and information technology (IT) environments are attractive targets for cybercriminals looking to take advantage of the growing attack surface and the convergence of IT and OT.
- The arsenal of cybercriminals is being complemented by increasingly devastating cyber threats, as evidenced by the widespread use of wiper malware.
- Cybercriminals are embracing techniques for conducting reconnaissance and bypassing security mechanisms in order to act more precisely and turn their target's own processes and systems into weapons.
- Endpoints remain a prime target of cybercriminals due to the continuing trend of 'work from anywhere'.
Growth of ransomware variants points to development of criminal ecosystems
Ransomware remains one of the most important threats. Cybercriminals are investing plenty of time and money in it. FortiGuard Labs observed a total of 10,666 ransomware variants in the past six months. In the previous six months, the figure was only 5,400. This represents a growth of nearly 100% in the number of ransomware variants in six months. RaaS, because of its popularity on the dark web, remains a key growth driver behind a cybercriminal industry that forces organizations to pay ransom. Companies of all sizes and in every industry must take a proactive approach to cybersecurity to protect against ransomware. This requires real-time visibility, protection and remediation combined with zero trust network access (ZTNA) and advanced endpoint detection & response (EDR) functionality.
OT and endpoints remain popular targets
The convergence of IT and OT, together with endpoints deployed for work from anywhere, provides cybercriminals with plenty of opportunities to target the growing attack surface. They often exploit vulnerabilities on endpoints to penetrate corporate networks. Popular techniques included abuse of a spoofing vulnerability (CVE-2022-26925) and a vulnerability that allowed remote execution of malicious code (CVE-2022-26937). An analysis of the number of vulnerabilities on endpoints and the number of malware detections shows that cybercriminals know how to take full advantage of both old and new vulnerabilities to gain access to networks. They are also eagerly exploiting vulnerabilities within OT systems. This is due to the convergence of IT and OT environments and the fact that attackers such as state-sponsored hackers can cause great damage with OT attacks. Advanced endpoint security solutions can reduce the number of cyber attacks and contribute to faster recovery of infected devices at an early stage of an attack. Organizations can also turn to services such as a digital risk protection service (DRPS) to expose vulnerabilities in their infrastructure and receive contextual information that gives them insight into current and future threats.
Devastating attacks with wiper malware grow in number
Trends in wiper malware point to the worrying rise of even more devastating and sophisticated attack techniques that involve wiping the victim's data. The war in Ukraine sparked a surge in disk-wiping malware. These attacks primarily targeted critical infrastructure. FortiGuard Labs identified seven major new wiper variants in the first months of 2022. These were used in various attacks against government agencies, military organizations and businesses. Attacks with wiper malware were not limited to one geographic region: they were detected in 24 other countries besides Ukraine. Minimizing the impact of these types of attacks requires boosting detection capabilities by combining network detection & response (NDR) functionality with self-learning artificial intelligence. In addition, it is critical to store backups in a remote offline location.
Bypassing security mechanisms remains the main attack tactic
An analysis of the various strategies employed by cybercriminals sheds light on the evolution of attack techniques. FortiGuard Labs analyzed the operation of detected malware to determine which techniques were used most frequently over the past six months. Bypassing security mechanisms sits at the top of the list of tactics most used by malware developers. They try to circumvent security mechanisms by disguising their attack techniques; for example, they use a bona fide certificate to abuse trusted processes. The second most popular technique was process injection. Here, cybercriminals inject code into the address space of another process to bypass security mechanisms and go about their business unseen.
Organizations can provide more effective protection against the vast arsenal of cybercriminals if they have actionable threat intelligence. Integrated, AI- and machine-learning-driven security platforms with advanced detection and incident response functionality powered by real-time threat intelligence are indispensable to protect all edges of hybrid networks.
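The process injection technique described above leaves a defender-side trace: one process creating a thread inside another. The following is an added example, not code from Fortinet or the report; it runs a simple triage rule over constructed Sysmon-style Event ID 8 (CreateRemoteThread) lines, and the key=value layout, the trusted directory and the sensitive-process list are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines in a Sysmon-style Event ID 8 (CreateRemoteThread)
# key=value layout; paths contain no spaces, so a simple tokenizer is enough.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\conhost.exe",
    "EventID=8 SourceImage=C:\\Users\\alice\\Downloads\\invoice.exe TargetImage=C:\\Windows\\explorer.exe",
    "EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe",
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\lsass.exe",
]

# Assumptions for the example: processes legitimate software almost never injects
# into, and the directory whose binaries we treat as trusted sources.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe"}
TRUSTED_DIR = "c:\\windows\\"


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict (keys keep their case)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a severity for a cross-process thread creation, or None if benign."""
    if ev.get("EventID") != "8":
        return None
    src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if not src or not dst or src.lower() == dst.lower():
        return None  # a process creating threads in itself is normal
    if basename(dst) in SENSITIVE_TARGETS:
        return "high"  # injection into a credential/session process
    if not src.lower().startswith(TRUSTED_DIR):
        return "medium"  # untrusted binary writing into another process
    return None


def detect_injection(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, source, target) for every line the rule flags."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            alerts.append((sev, ev["SourceImage"], ev["TargetImage"]))
    return alerts


if __name__ == "__main__":
    for sev, src, dst in detect_injection(SAMPLE_EVENTS):
        print(f"[{sev}] {src} -> {dst}")
```

Real telemetry also needs an allowlist for legitimate injectors (debuggers, some AV and accessibility tools), which is where most of the tuning effort goes.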
AI-assisted protection of the entire attack surface
Organizations that analyze threat intelligence to gain deep insight into cybercriminals' targets and tactics will be better able to adapt their security mechanisms and respond quickly and proactively to new attack techniques. Knowledge of the latest cyber threats is critical to prioritizing vulnerability patching and protecting IT and OT environments more effectively. Security awareness training is also important to keep employees and security teams abreast of the changing threat landscape. Organizations also need security processes that can stop the large number of sophisticated and dynamic modern cyber threats early, at the speed of the network. A security strategy supported by AI and ML that provides detection, prevention and incident response, and that is based on a mesh architecture, offers much tighter integration, more intensive automation and a faster, coordinated and effective response to cyber threats across every branch of the network.
About the Global Threat Landscape Report
This new edition of the Global Threat Landscape Report reflects the collective knowledge of FortiGuard Labs. It is based on information on billions of security incidents collected through Fortinet's global sensor network in the second half of 2022. The MITRE ATT&CK framework divides cybercriminals' attack techniques into three categories: reconnaissance, building a presence and initial entry. The FortiGuard Labs Global Threat Landscape Report uses this model to describe how cybercriminals find vulnerabilities, set up a malicious infrastructure and exploit vulnerabilities within their target's systems. The report provides both global and regional perspectives and addresses cyber threats that target IT and OT environments.
Vincent Zeebregts, Regional Director for the Netherlands
“Cybercriminals are adopting increasingly clever ways to circumvent security mechanisms and are further expanding their network of criminal partners. They proceed extremely aggressively and do not shy away from extortion or erasing their victims' data. Leading up to their attacks, they conduct extensive reconnaissance of their target's network to achieve maximum results. To counter sophisticated attacks, organizations need integrated security solutions fed with real-time threat intelligence. These solutions must be able to detect threat patterns and contrast vast amounts of data to identify anomalous activity and automatically trigger coordinated countermeasures within hybrid networks.” You can view or download the full analysis of the study below.
The report is available here: Report 2022 H1 Threat Landscape.
Thanks to cybercrimeinfo's blog: Last six months, number of ransomware variants doubled (cybercrimeinfo.co.uk)