Fortinet released the "Global Threat Landscape Research Report for the Second Half of 2022", with seven findings worth noting!

Fortinet® (NASDAQ: FTNT), the global leader in the convergence of networking and security, recently released the "Global Threat Landscape Research Report for the Second Half of 2022". The report notes that, as organizations' attack surfaces keep expanding and the global threat landscape keeps evolving, cybercriminals are also growing steadily more capable of designing and refining their techniques and tactics. Enterprises of every size and in every industry worldwide will continue to face major risks.

Global Threat Landscape Research Report, Second Half of 2022: Seven Findings

01

2022 saw a surge in APT-style attacks such as destructive wiper malware

Wiper malware analysis data reveals that cyber attackers have grown accustomed to using destructive techniques to strike specific targets repeatedly. In addition, with the perimeter of the Internet expanding constantly, cybercrime-as-a-service (CaaS) models let attackers scale such attacks with ease.

In the first half of 2022, FortiGuard Labs (Fortinet's global threat research and response laboratory) discovered several new wiper malware variants in specific regions. By the end of the year, wiper malware had begun to run rampant in many countries. In the third and fourth quarters alone, wiper malware activity surged by 53%. Notably, this malware is rapidly becoming a powerful tool of destruction for cybercriminal groups and is gradually spreading to every region of the world. According to attack tracking data, destructive wiper malware remained active in the fourth quarter and shows no signs of slowing down. This trend shows that any organization can become a potential target, not just organizations in the originally affected regions and neighboring countries.

[Figure: trend in the number of wiper malware attacks]

02

CVE mapping reveals vulnerability "red zones", helping CISOs prioritize threats accurately

Analyzing exploit trends provides insight into what cybercriminals are interested in attacking, which attack vectors they are likely to use next, and whom they are actively targeting. FortiGuard Labs holds a large body of known-vulnerability data; after enrichment analysis, it can quickly identify in real time which vulnerabilities are being actively exploited and draw a risk map of active attack areas across the entire attack surface.

In the second half of 2022, of all vulnerabilities detected across enterprises at scale, those present on endpoints and frequently under attack accounted for less than 1%. It is precisely this attack activity, surfaced as active attack-surface threat intelligence, that helps the chief information security officer pinpoint the "red zone" and so accurately prioritize threat mitigation and key remediation targets.

03

Profitable cybercrime and ransomware threats remain high

According to the FortiGuard Labs incident response (IR) survey, financially motivated cybercrime accounted for the largest share of incidents (73.9%), followed by espionage (13%). Across all of 2022, 82% of financially motivated cybercrime involved ransomware or malicious scripts. This shows that global ransomware attacks remain active and show no sign of slowing, as the ransomware-as-a-service (RaaS) model is increasingly sought after on the dark web.

The analysis shows that, compared with the first half of 2022, ransomware volume increased by 16%. Of the 99 known ransomware families, the top five accounted for approximately 37% of all ransomware activity in the second half of 2022. Topping the list is GandCrab, a RaaS malware that emerged in 2018. Although the criminal gang operating GandCrab claimed to have retired after making illegal profits of more than 2 billion U.S. dollars, GandCrab spawned many variants during its active period. This suggests that the group's operations may never actually have stopped and may still be active today, or that its original code was simply modified and re-released. It also shows how important a global coalition of organizations from all walks of life is to combating cybercrime permanently. There is an urgent need to build strong, stable and trustworthy collaboration between global public and private organizations and industry cybersecurity stakeholders to effectively defeat and disrupt the cybercrime supply chain.

04

Code reuse has become a staple of cyber attackers' tradecraft

Cyber threat actors are often innovative and adept at leveraging existing assets and knowledge to make attacks more effective and profitable. As an efficient way of making money, cybercriminals rely on code reuse to attack successfully again and again, iterating continuously to fine-tune their tactics and bypass ever-improving defenses.

FortiGuard Labs' analysis of the most prevalent malware in the second half of 2022 shows that malware which was already prevalent more than a year ago still tops the list. FortiGuard Labs further examined a set of different Emotet variants to analyze their code borrowing and reuse. The research revealed a staggering number of Emotet iterations, resulting in roughly six distinct malware "variants". Criminals are not only adept at leveraging automated threat techniques; they are also actively updating code to make their attacks more efficient and destructive.

05

Revival of legacy botnets increases the resilience of the attack supply chain

In addition to code reuse, attackers are also good at exploiting existing infrastructure and legacy threat techniques to maximize attack opportunities. When ranking botnet threats by prevalence, FortiGuard Labs found that many of the top botnets are old acquaintances. For example, the Morto botnet, first detected in 2011, saw a surge in numbers in late 2022. Other malware, such as Mirai and Gh0st.Rat, continues to thrive around the world. Notably, among the top five botnets detected, only RotaJakiro emerged within the past ten years; the others are all "veteran" members.

Threats from the past may appear dormant, but another outbreak cannot be ruled out, and enterprises and organizations in every industry still need to remain highly vigilant. These "veteran" botnets can still stir up trouble because criminals can still use them to earn high profits. Lured by high returns on investment, cunning criminals will continue to exploit existing botnet infrastructure and, through highly specialized techniques, upgrade it into a popular tool with persistent attack capabilities. For example, in the second half of 2022, Mirai's main targets included managed security service providers (MSSPs), telecom carriers, and manufacturing industries that rely heavily on operational technology (OT). Cybercriminals are clearly making concerted efforts to go after these "lambs for the slaughter" with proven methods.

06

Log4j vulnerability still rampant and targeted by everyone

From 2021 to the beginning of 2022, the Log4j vulnerability was in the spotlight and repeatedly drew industry attention, yet a large number of enterprise organizations still have not patched it or deployed appropriate security controls to protect themselves from this well-known vulnerability.

In the second half of 2022, Log4j exploitation remained highly active in every region, ranking second overall. FortiGuard Labs research found that 41 percent of organizations detected Log4j exploit activity, which is enough to gauge the prevalence of this threat. Given the popularity of Apache Log4j as open source software, it is no surprise that Log4j attacks detected by IPS are most frequent in the technology, government, and education sectors.

07

Malware delivery methods are changing, and user security awareness urgently needs to improve

A comprehensive analysis of attack strategies supports an in-depth understanding of how attack technologies and tactics evolve, and better defense against future attack scenarios. Based on sandbox data, FortiGuard Labs drills down into the functionality of captured malware to track the most common threat delivery methods. Note that only samples that actually detonated in the sandbox were included in the study.

A study of the top eight tactics and techniques captured by the sandbox found that "drive-by compromise" was the most popular tactic cybercriminals used to gain unauthorized access to organizational systems in every region of the world. Attackers gain access to victim systems when unsuspecting users browse the Internet and inadvertently download malicious payloads by visiting infected websites, opening malicious email attachments, or clicking links or deceptive pop-ups. The challenge with drive-by and watering-hole tactics is that once the malicious payload has been accessed and downloaded, the resulting intrusion is usually hard to avoid unless a comprehensive security solution is deployed on the user's system.

Proactively adjust the defense strategy to respond calmly to the evolving threat landscape

As a leader in enterprise-grade network security and networking innovation, Fortinet helps chief information security officers and security teams quickly break the attack kill chain, minimize the negative impact of network security incidents, and respond comprehensively and efficiently to potential network threats.

Fortinet's suite of security solutions and services covers a range of powerful tools, including Next-Generation Firewall (NGFW), network telemetry and analytics, Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Digital Risk Protection (DRP), Security Information and Event Management (SIEM), inline sandboxing, deception technology, and Security Orchestration, Automation and Response (SOAR). These advanced solutions provide advanced threat detection and prevention capabilities, enabling organizations to quickly detect and respond to security incidents across the entire attack surface.

To strengthen the security functions of its solutions and support security teams overburdened by the shortage of cybersecurity talent, Fortinet provides users with machine learning-based threat intelligence and response services, delivering the latest cutting-edge intelligence on network threats in a timely manner and helping enterprises respond quickly to security incidents and minimize the negative impact of threats. Fortinet has also launched people-centric SOC augmentation services and threat intelligence services, which support real-time threat monitoring and incident response and empower security teams to defend against potential cyber threats comprehensively and efficiently.

Fortinet's comprehensive network security solutions and services help chief information security officers and security teams focus on efficient business development and safeguard high-priority initiatives end to end.

"With the continuous upgrading of today's network defense strategies, corporate network security defense lines are becoming more unbreakable. In order to continuously obtain illegal access and successfully bypass security detection, network attackers must resort to more reconnaissance techniques and deploy more complex alternative attack schemes, and effectively utilize advanced persistent threat (APT) attack methods such as wiper malware or other advanced attack payloads to launch more persistent and destructive attacks on specific targets. In order to effectively prevent such advanced persistent cybercrime tactics, enterprise organizations urgently need to use advanced intelligent technologies such as machine learning to obtain collaborative and actionable threat intelligence from all security devices in real time, detect suspicious behavior in all directions, and implement coordinated threat mitigation measures across the ever-expanding attack surface."

Derek Manky, Chief Security Strategist and Vice President, Global Threat Intelligence, FortiGuard Labs

About FortiGuard Labs

FortiGuard Labs, Fortinet's global threat research and response laboratory, is Fortinet's dedicated threat intelligence and research organization, focused on providing Fortinet users worldwide with the industry's most cutting-edge threat intelligence to protect them from malicious activity and sophisticated network attacks. It brings together leading threat hunters, researchers, senior analysts, engineers and data scientists working from threat research labs distributed around the world. Supported by hundreds of threat intelligence sharing partners, FortiGuard Labs continuously monitors the overall development of the attack surface through millions of network sensors deployed worldwide, and uses innovative technologies such as artificial intelligence (AI) to rapidly analyze massive volumes of monitoring data, dig deep into anomalies, and capture unknown emerging threats. These efforts converge into actionable threat intelligence shared in a timely manner, which provides powerful support for Fortinet's security product updates and proactive threat research, helping users worldwide fully grasp current threat trends and comprehensively protect their networks.



Source: blog.csdn.net/Fortinet_CHINA/article/details/129380480