Fortinet has released the findings of its latest Global Threat Landscape Report, which highlights that cybercriminals are evolving their attack methods to increase their success rates and speed infections. While ransomware continues to impact organizations in destructive ways, there are indications that some cybercriminals now prefer hijacking systems and using them for cryptomining rather than holding them for ransom.
Highlights of the report include:
Spike in cryptojacking: malware is becoming more difficult to prevent and detect. The prevalence of cryptomining malware more than doubled from quarter to quarter from 13 percent to 28 percent. Additionally, cryptojacking was quite prevalent in the Middle East, Latin America, and Africa. Cryptomining malware is also showing incredible diversity for such a relatively new threat. Cybercriminals are creating stealthier fileless malware to inject infected code into browsers with less detection. Miners are targeting multiple operating systems as well as different cryptocurrencies, including Bitcoin and Monero. They are also fine tuning and adopting delivery and propagation techniques from other threats based on what was successful or unsuccessful to improve future success rates.
Targeted attacks for maximum impact: the impact of destructive malware remains high, particularly as criminals combine it with designer attacks. For these types of more targeted attacks, criminals conduct significant reconnaissance on an organization before launching an attack, which helps them to increase success rates. Afterwards, once they permeate the network, attackers move laterally across the network before triggering the most destructive part of their planned attack. The Olympic Destroyer malware and the more recent SamSam ransomware are examples where cybercriminals combined a designer attack with a destructive payload for maximum impact.
Ransomware continues to disrupt: the growth in both the volume and sophistication of ransomware continues to be a significant security challenge for organizations. Ransomware continues to evolve, leveraging new delivery channels such as social engineering, and new techniques such as multi-stage attacks to evade detection and infect systems. GandCrab ransomware emerged in January with the distinction of being the first ransomware to require Dash cryptocurrency as a payment. BlackRuby and SamSam were two other ransomware variants that emerged as major threats during the first quarter of 2018.
Multiple attack vectors: although the side channel attacks dubbed Meltdown and Spectre dominated the news headlines during the quarter, some of the top attacks targeted mobile devices or known exploits on router, web or Internet technologies. 21 percent of organizations reported mobile malware, up 7 percent, demonstrating that IoT devices continue to be targeted. Cybercriminals also continue to recognize the value of exploiting known vulnerabilities that haven’t been patched as well as recently discovered zero-days for increased opportunity. Microsoft continued to be the number one target for exploits, and routers took the number two spot in total attack volume. Content management systems (CMS) and web oriented technologies were also heavily targeted.
Cyber hygiene - more than just patching: measuring how long botnet infections persist based on the number of consecutive days in which continued communications are detected reveals that hygiene involves more than just patching. It is also about cleanup. Data showed that 58.5 percent of botnet infections are detected and cleaned up the same day. 17.6 percent of botnets persist for two days in a row and 7.3 percent last three days. About 5 percent persist for more than a week. As an example, the Andromeda botnet was taken down in Q4 2017 but data from Q1 found it showing prominently in both volume and prevalence.
Attacks against operational technology (OT): while OT attacks are a smaller percentage of the overall attack landscape, the trends are concerning. This sector is increasingly becoming connected to the Internet, with serious potential ramifications for security. Currently, the vast majority of exploit activity is directed against the two most common industrial communication protocols because they are widely-deployed and therefore highly-targeted. Data shows that in Asia ICS exploit attempts appear to be somewhat more prevalent when comparing the prevalence of ICS exploit activity across other regions.
The Fortinet Global Threat Landscape Report is a quarterly view that represents the collective intelligence of FortiGuard Labs drawn from Fortinet’s vast array of sensors during Q1 2018. Research data covers global, regional, industry sector, and organizational perspectives. It focuses on three central and complementary aspects of that landscape, namely application exploits, malicious software, and botnets. It also examines important zero-day vulnerabilities.