Fortinet, the global cybersecurity company driving the convergence of networking and security, today announced the latest semiannual Global Threat Landscape Report from FortiGuard Labs. The threat landscape and organizations’ attack surface is constantly transforming, and cybercriminals’ ability to design and adapt their techniques to suit this evolving environment continues to pose a significant risk to businesses of all sizes, regardless of industry or geography. For a detailed view of the report, as well as some important takeaways, read the blog.
Highlights of the 2H 2022 report follow:
• The mass distribution of wiper malware continues to showcase the destructive evolution of cyberattacks.
• New intelligence allows CISOs to prioritize risk mitigation efforts and minimize the active attack surface with the expansion of the “Red Zone” approach.
• Ransomware threats remain at peak levels with no evidence of slowing down globally with new variants enabled by Ransomware-as-a-Service (RaaS).
• The most prevalent malware was more than a year old and had gone through a large amount of speciation, highlighting the efficacy and economics of reusing and recycling code.
• Log4j continues to impact organizations in all regions and industries, most notably across technology, government, and education.
Destructive APT-like Wiper Malware Spreads Wide in 2022
Wiper malware data analysis shows a pattern of persistently using destructive attack methods against their targets by cyber adversaries. It also demonstrates how readily cyber adversaries can scale these kinds of attacks because the internet has no physical boundaries, which has been made possible in large part by the Cybercrime-as-a-Service (CaaS) model.
FortiGuard Labs revealed in early 2022 that new wiper malware had emerged during the Russia-Ukraine conflict. Later in the year, wiper malware spread to other nations, resulting in a 53% increase in wiper activity from Q3 to Q4 alone. While some of this activity may have been initiated by nation-state actors linked to the war, cybercriminal groups have also been using it and spreading it beyond Europe. Unfortunately, the growth of destructive wiper malware is showing no signs of slowing down, based on the high activity levels in Q4. As a result, any organization, regardless of its location, remains susceptible to becoming a target.
Mapping CVEs Reveals Vulnerability Red Zone to Help CISOs Prioritize
Exploit trends help show what cybercriminals are interested in attacking, probing for future attacks, and actively targeting. FortiGuard Labs has an extensive archive of known vulnerabilities, and through data, enrichment was able to identify actively exploited vulnerabilities in real-time and map zones of active risk across the attack surface.
Less than 1% of all observed vulnerabilities found in enterprise-size organisations in the second half of 2022 were on endpoints and actively being attacked. This gave CISOs a clear picture of the Red Zone through intelligence about the active attack surface, allowing them to prioritise efforts to reduce their risk and determine where to focus patching efforts.
Financially Motivated Cybercrime and Ransomware Threat Holding at Peak Levels
FortiGuard Labs Incident Response (IR) engagements showed that financially motivated cybercrime accounted for the majority of incidents (73.9%), with espionage coming in a distant second (13%). Throughout 2022, 82% of financially motivated cybercrime cases involved the use of ransomware or malicious scripts, indicating that the global ransomware threat is still prevalent and not showing any signs of abating. This trend is partly due to the increased popularity of Ransomware-as-a-Service (RaaS) on the dark web.
Ransomware volume increased by 16% from the first half of 2022. Out of a total of 99 observed ransomware families, the top five families accounted for roughly 37% of all ransomware activity during the second half of 2022. GandCrab, a RaaS malware that emerged in 2018, was at the top of the list. Although the criminals behind GandCrab announced that they were retiring after making over $2 billion in profits, there were many iterations of GandCrab during its active time. The long-tail legacy of this criminal group may be still perpetuating, or the code has simply been built upon, changed, and re-released, demonstrating the importance of global partnerships across all types of organizations to permanently dismantle criminal operations. Effectively disrupting cybercriminal supply chains requires a global group effort with strong, trusted relationships and collaboration among cybersecurity stakeholders across public and private organizations and industries.
Adversary Code Reuse Showcases the Resourceful Nature of Adversaries
Cyber adversaries are enterprising in nature and always looking to maximize existing investments and knowledge to make their attack efforts more effective and profitable. Code reuse is an efficient and lucrative way for cybercriminals to build upon successful outcomes while making iterative changes to fine-tune their attacks and overcome defensive obstacles.
The majority of the top positions were held by malware that was older than one year, according to FortiGuard Labs’ analysis of the most common malware for the second half of 2022. FortiGuard Laboratories further investigated a variety of Emotet variations to assess their propensity for stealing and recycling code. According to the study, Emotet has undergone significant speciation, with variants dividing into about six different “species” of malware. Cyber adversaries constantly modify code to make it even more effective in addition to automating threats.
Older Botnet Resurrection Demonstrates the Resiliency of Adversarial Supply Chains
Aside from reusing code, attackers are taking advantage of the pre-existing infrastructure and older threats to increase their chances of success. According to FortiGuard Labs, many of the most common botnets are not new and have been in use for a long time. For instance, the Morto botnet, which was first detected in 2011, experienced a resurgence in late 2022. Meanwhile, botnets like Mirai and Gh0st.Rat continues to be widespread across all regions. It’s worth noting that out of the top five botnets observed, only RotaJakiro was developed within the last decade.
Although it may be tempting to write off older threats as history, organizations across any sector must continue to stay vigilant. These “vintage” botnets are still pervasive for a reason: They are still very effective. Resourceful cybercriminals will continue to leverage existing botnet infrastructure and evolve it into increasingly persistent versions with highly
specialized techniques because the ROI is there. Specifically, in the second half of 2022, significant targets of Mirai included managed security service providers (MSSPs), the telco/carrier sector, and the manufacturing sector, which is known for its pervasive operational technology (OT). Cybercriminals are making a concerted effort to target those industries with proven methods.
Log4j Remains Widespread and Targeted by Cybercriminals
Even with all the publicity that Log4j received in 2021 and the early parts of 2022, a significant number of organizations still have not patched or applied the appropriate security controls to protect their organizations against one of the most notable vulnerabilities in history.
Throughout the latter half of 2022, Log4j continued to be highly prevalent in all regions and was ranked second. FortiGuard Labs discovered that Log4j activity was detected by 41% of organizations, highlighting the widespread nature of the threat. The tech, government, and education sectors had the highest instances of Log4j IPS activity, which is unsurprising given the popularity of Apache Log4j as open-source software.
Analyzing a Piece of the Malware Story: Delivery Shifts Demonstrate Urgency for User Awareness
Analyzing adversarial strategies gives us valuable insights into how attack techniques and tactics are evolving to better protect against future attack scenarios. FortiGuard Labs looked at the functionality of detected malware based on sandbox data to track the most common delivery approaches. It is important to note that this only looks at detonated samples.
Drive-by-compromise was the most common method used by cybercriminals to access organisations’ systems worldwide, according to a study of the top eight tactics and techniques seen in sandboxing. When an unwary user browses the internet and inadvertently downloads a malicious payload by going to a compromised website, opening a malicious email attachment, or even clicking a link or trick pop-up window, adversaries are primarily getting access to victims’ systems. The problem with the drive-by attack strategy is that once a malicious payload has been viewed and downloaded, it is frequently too late for the user to recover from the compromise unless they have a comprehensive security strategy.
Shifting to Meet the Threat Landscape Head-On
Fortinet is a leader in enterprise-class cybersecurity and networking innovation, helping CISOs and security teams break the attack kill chain, minimize the impact of cybersecurity incidents, and better prepare for potential cyber threats.
Fortinet offers a range of security solutions that encompass multiple robust tools such as NGFW, network analytics, EDR, XDR, DRP, SIEM, inline sandboxing, deception, SOAR, and more. These tools are designed to provide cutting-edge capabilities for threat detection and prevention, allowing businesses to promptly identify and react to security threats across their entire attack area.
Fortinet also provides threat intelligence and response services that are supported by machine learning to complement these solutions and assist understaffed teams that are being adversely affected by cybersecurity talent scarcity. These give businesses the most recent information on the most recent cyber threats and allow them to react quickly to security incidents, reducing the impact on their company. Security teams can better plan for cyber threats with the aid of Fortinet’s human-based SOC augmentation and threat intelligence services, which also offer real-time threat monitoring and incident response capabilities.
This comprehensive suite of cybersecurity solutions and services enables CISOs and security teams to focus on enabling the business and higher-priority projects.
Report Overview
This latest Global Threat Landscape Report is a view representing the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed around the world during the second half of 2022. Using the MITRE ATT&CK framework which classifies adversary tactics, techniques, and procedures (TTPs), the FortiGuard Labs Global Threat Landscape Report sets out to describe how threat actors target vulnerabilities, build malicious infrastructure, and exploit their targets. The report also covers global and regional perspectives as well as threat trends affecting both IT and OT environments.
