Fortinet® announced the findings of the latest FortiGuard Labs Global Threat Landscape Report.
“To get out ahead of the cycle of increasingly sophisticated and automated cyber threats, organizations need to use the same sorts of technologies and strategies to defend their networks that criminals are using to attack them. That means adopting integrated platforms that leverage the power and resources of AI-driven threat intelligence and playbooks to enable protection and visibility across the digital infrastructure.”
1) A Not So Charming Kitten: Research shows significant levels of activity across regions associated with Charming Kitten, an Iran-linked advanced persistent threat (APT) group in Q4. Active since around 2014, the threat actor has been associated with numerous cyberespionage campaigns. Recent activity suggests that the threat actor has expanded into the election disruption business, having been linked to a series of attacks on targeted email accounts associated with a presidential election campaign.
2) Security Risks for IoT Devices Magnify: IoT devices continue to be challenged with exploitable software and these threats can affect unexpected devices such as wireless IP cameras. This situation is magnified when components and software are embedded into different commercial devices sold under a variety of brand names, sometimes by different vendors. Many of these components and services are often programmed using bits and pieces of pre-written code from a variety of common sources. These common components and pre-written code are sometimes vulnerable to exploit, which is why some of the same vulnerabilities crop up repeatedly across a wide range of devices. A lack of patch awareness or availability, the prevalence of vulnerabilities in some IoT devices, and the documented attempts to “enslave” these devices in IoT botnets all contributed to these exploits having the third-highest volume among all IPS detections during the quarter.
3) Senior Threats Help Junior Threats: Amidst the constant pressure to keep ahead of new threats, organizations sometimes forget that older exploits and vulnerabilities really have no expiration date, and threat actors will continue to use them as long as they work. A case in point is EternalBlue. The malware has been adapted over time to exploit common and major vulnerabilities. It has been used in numerous campaigns, including, most notably, the WannaCry and NotPetya ransomware attacks. In addition, a patch was issued last May for BlueKeep, a vulnerability that if exploited could be wormable, which had the potential to spread at the same speed and scale as WannaCry and NotPetya. And now, a new version of the EternalBlue Downloader Trojan surfaced last quarter with the ability to exploit the BlueKeep vulnerability. Fortunately, the version currently in the wild is not completely ironed out, forcing targeted devices to crash before loading. But looking at the traditional development cycle of malware, determined cybercriminals are likely to have a functional version of this potentially devastating malware package in the near future. And while a patch for BlueKeep has been available since May, far too many organizations still have not updated their vulnerable systems.
4) Trends Demonstrate a New Perspective on Global Spam Trade: This quarter’s report combines the volume of spam flow between nations with data showing the ratios of spam sent vs. spam received, visually revealing a new perspective on an old problem. The majority of spam volume seems to follow economic and political trends. For example, the heaviest “spam trade partners” of the United States include Poland, Russia, Germany, Japan, and Brazil.
5) Tracking the Tracks of Cybercriminals to See What is Next: Looking at IPS triggers detected in a region not only shows what resources are being targeted, but may also indicate what cybercriminals might focus on in the future, either because enough of those attacks were ultimately successful, or simply because there is more of a certain type of technology deployed in some regions. Assuming that companies patch their software at about the same rate in each region, if a botnet was simply probing for vulnerable instances of ThinkPHP before deploying an exploit, the number of detected triggers should be much higher in APAC. However, only 6% more IPS triggers were detected in all of APAC than in North America from a recent exploit, indicating that these botnets are simply deploying the exploit to any ThinkPHP instance they find.
The Need for Broad, Integrated, and Automated Security:
Organizations are facing increased sophistication of attacks targeting the expanding digital infrastructure, including some being driven by artificial intelligence and machine learning. To effectively secure their distributed networks, organizations have to shift from protecting just security perimeters to protecting the data spread across their new network edges, users, systems, devices, and critical applications. Only a cybersecurity platform designed to provide comprehensive visibility and protection across the entire attack surface–including devices, users, mobile endpoints, multi-cloud environments, and SaaS infrastructures–is able to secure today’s rapidly evolving networks driven by digital innovation.