Fortinet: 53% increase in wiper malware activity in the second half of 2022

by time news

Fortinet has released the findings of the semi-annual Global Threat Landscape Report by FortiGuard Labs, the company’s threat intelligence and research body. The report is based on FortiGuard Labs’ collective intelligence, drawn from Fortinet’s extensive sensor array, which collected billions of security events observed worldwide during the second half of 2022.

The FortiGuard Labs report also uses the MITRE ATT&CK framework to categorize cybercriminals’ tactics and techniques, describing how threat actors find vulnerabilities, build malicious infrastructure and exploit their targets. The report covers global and regional perspectives and threat trends affecting both IT and OT environments.

Widespread destructive, APT-like wiper malware
Analysis of wiper malware data reveals a trend in which cybercriminals regularly use destructive attack techniques against their targets. The analysis shows that the borderless nature of the Internet lets attackers easily scale the types of attacks they launch, which is largely enabled by the Cybercrime-as-a-Service (CaaS) model.

In early 2022, FortiGuard Labs researchers reported a number of new wiper variants discovered alongside the war between Russia and Ukraine. Later in the year, wiper activity expanded to other countries, resulting in a 53% increase in wiper activity from the third quarter to the fourth quarter alone.

While some of this activity was driven by wiper malware that may have been developed and deployed first by parties to the war, these wipers were also adopted by cybercriminal groups and spread beyond continental Europe.

Based on the volume of activity recorded in the fourth quarter of 2022, the trajectory of wiper malware does not appear likely to slow anytime soon, which means organizations remain potential targets, even those not located in Ukraine or neighboring countries.

Vulnerability mapping reveals the weak points in high-risk areas that must be addressed
Vulnerability trend analysis helps show which attack targets are of interest to cybercriminals as they look for future attacks and which they are actively exploiting. FortiGuard Labs researchers drew on an extensive archive of known vulnerabilities and, by enriching the data, were able to identify which vulnerabilities are being actively exploited in real time and to map areas of active risk across the attack surface.

In the second half of 2022, less than 1% of all vulnerabilities discovered in a very large organization were on endpoints and actively under attack, giving CISOs clear visibility into which areas of risk to prioritize in order to minimize risk to the organization and where to focus their remediation efforts.

Financial motivations have resulted in record levels of cybercrime and ransomware attacks
FortiGuard Labs’ Incident Response (IR) team found that financially motivated cybercrime caused the highest number of security incidents (73.9%), with espionage a distant second (13%).

In all of 2022, 82% of financially motivated cybercrime cases involved ransomware or malicious scripts, indicating that the global ransomware threat remains unabated with no sign of slowing down, thanks to the growing popularity of Ransomware-as-a-Service (RaaS) on the dark web.

According to the report’s findings, the volume of ransomware attacks increased by 16% from the first half of 2022. Of the 99 ransomware families examined, the top five accounted for approximately 37% of all ransomware activity in the second half of 2022, with GandCrab, a ransomware family that first appeared in 2018, at the top of the list.

Although the criminals behind GandCrab announced their retirement after earning over $2 billion, there were many iterations of the attack during its active period. It is possible that the long legacy of this crime group is still being carried on, or that other criminals are building on, modifying or relaunching its code, which highlights the importance of global collaboration between all types of organizations to permanently dismantle criminal activity.

Reuse of malicious code demonstrates the resourcefulness of attackers
Cybercriminals are entrepreneurial by nature and always look to maximize existing investments and knowledge to make their attack efforts more efficient and profitable. Code reuse is an efficient and cost-effective way for them to build on successful results while making incremental changes to adapt their attacks and overcome defensive obstacles.

When FortiGuard Labs researchers analyzed the most prevalent malware in the second half of 2022, most of the top spots belonged to malware more than a year old. The researchers examined different versions of Emotet to analyze its tendency to borrow and reuse code.

Their research revealed that Emotet underwent a significant re-creation, with versions splitting into six distinct malware “strains”. Hence, cybercriminals not only automate threats but also actively improve the code to make it even more effective.

A revival of old botnets
Cybercriminals are also leveraging existing infrastructure and older threats to maximize their opportunities. When examining the prevalence of botnet threats, FortiGuard Labs researchers discovered that many of the top botnets are not new. For example, the Morto botnet, first observed in 2011, re-emerged in late 2022.

Other botnets such as Mirai and Gh0st RAT remain prevalent across all geographies. Surprisingly, of the five botnets examined, only RotaJakiro dates from the last decade.

Although there is a tendency to forget about older threats, organizations in all sectors must remain vigilant. These “ancient” botnets are still very effective and therefore continue to be common. Resourceful cybercriminals will keep leveraging existing botnet infrastructure and developing it into more persistent versions with unique techniques, because doing so gives them a return on their investment.

In the second half of 2022, significant Mirai targets included managed security service providers (MSSPs), telecom companies and the manufacturing industry, known for its extensive operational technology (OT). Cybercriminals are making a concerted effort to target these industries using proven methods.

The Log4j vulnerability is still widespread and a target for cybercriminals
Even with all the publicity the Log4j vulnerability received in 2021 and early 2022, many organizations still have not patched or deployed the security controls necessary to defend against one of the most prominent vulnerabilities in history.

In the second half of 2022, the Log4j vulnerability ranked second in terms of activity and was observed all over the world. FortiGuard Labs researchers found that 41% of organizations detected Log4j activity, indicating the threat’s widespread impact even today. Log4j Intrusion Prevention System (IPS) activity was most common in the technology, government and education sectors, which is not surprising given Apache Log4j’s popularity as open source software.
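The report's point is that exposure persists because unpatched log4j-core copies are still deployed. As an added, defender-side illustration (not code from Fortinet, FortiGuard Labs or this article), the script below walks a directory tree, opens every jar, war, ear or zip it finds (including archives nested inside archives, as in a war's WEB-INF/lib), reads the version from log4j-core's Maven pom.properties, checks whether the JndiLookup class is present, and flags any copy below a floor version. The directory scanned, the floor version "2.17.1" and the sample jars built by demo() are assumptions or constructed inputs; take the floor from your vendor's current advisory.

```python
"""Inventory log4j-core jars on disk and flag those below a floor version.

Added example for this article; it is not code from Fortinet or FortiGuard
Labs. The directory scanned, the floor version and the sample jars built by
demo() are assumptions or constructed inputs.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Entry paths a log4j-core jar carries: its Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str            # file path; "!" separates nested archives
    version: Optional[str]   # None if no pom.properties was found
    has_jndi_lookup: bool
    outdated: bool           # True when version is unknown or below the floor


def parse_version(v: str) -> tuple:
    """Turn '2.17.1' or '2.17.1-rc1' into a tuple of ints for comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


def _inspect_archive(zf: zipfile.ZipFile, location: str, floor: str, out: List[Finding]) -> None:
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        outdated = version is None or parse_version(version) < parse_version(floor)
        out.append(Finding(location, version, has_jndi, outdated))
    # Fat jars, wars and ears embed further jars; recurse into them in memory.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _inspect_archive(inner, f"{location}!{name}", floor, out)


def scan_tree(root: str, floor: str) -> List[Finding]:
    """Walk `root` and return one Finding per log4j-core copy found, nested ones included."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect_archive(zf, path, floor, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(version: str, with_jndi_lookup: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar: metadata only, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a class file
    return buf.getvalue()


def demo(floor: str = "2.17.1") -> List[Finding]:
    """Build a constructed app tree (old jar, current jar, old jar nested in a war) and scan it.

    The floor "2.17.1" is an assumption; take the value from your vendor's advisory."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    for ver in ("2.14.1", "2.17.1"):
        with open(os.path.join(lib, f"log4j-core-{ver}.jar"), "wb") as fh:
            fh.write(build_sample_jar(ver))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1"))
    return sorted(scan_tree(root, floor), key=lambda f: f.location)


if __name__ == "__main__":
    for f in demo():
        flag = "OUTDATED" if f.outdated else "ok"
        print(f"{flag:8} {f.version or '?':8} jndi={f.has_jndi_lookup} {f.location}")
```

Run it against a real application root with `scan_tree("/opt/myapp", floor)` to get one finding per copy of log4j-core, including copies buried inside deployed wars that a package-manager check would miss; a finding with `version=None` but the JndiLookup class present means a repackaged or shaded copy whose metadata was stripped, which deserves a manual look rather than being assumed safe.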

Shifting malware delivery methods demonstrate the urgent need for user awareness
Analysis of attacker strategies provides valuable insight into evolving attack techniques and methods, helping organizations defend against future attack scenarios. FortiGuard Labs researchers examined the functionality of detected malware based on sandbox data to track the most common delivery approaches. The data refers only to samples that were neutralized.

In a review of the top eight techniques and methods observed in sandboxing, the most popular method of gaining initial access to an organization’s systems in all regions of the world was drive-by compromise. In this method, attackers gain access when a user browsing the Internet unintentionally downloads a malicious payload by visiting a compromised website, opening a malicious email attachment, or even clicking a deceptive link or pop-up window.

The challenge with the drive-by technique is that once the malicious payload has been downloaded to the computer, it is usually too late to avoid harm unless the organization has a holistic approach to security in place.

Derek Manky, senior security strategist and VP of global collaborations at FortiGuard Labs, Fortinet: “For cybercriminals, maintaining access to systems and avoiding detection are not trivial matters, as cyber defenses in organizations today continue to advance.

“To counter this, attackers are expanding their operations using intelligence gathering techniques and deploying more sophisticated attack alternatives to enable their destructive attempts using APT-like threat methods such as malware or other advanced payloads.

“To defend against the persistent and advanced methods of cybercriminals, organizations need to focus on coordinated threat intelligence that can be acted upon in real time, based on machine learning and applied to all security devices to detect malicious actions and initiate preventive action across the entire extended attack surface.”
