Phil Quade, chief information security officer, Fortinet
“The volume, sophistication, and variety of cyber threats continue to accelerate with the digital transformation of our global economy. Cybercriminals have become emboldened in their attack methods as they undergo a similar transformation, and their tools are now in the hands of many. The stark reality is that traditional security strategies and architectures simply are no longer sufficient for a digital-dependent organisation. There is incredible urgency to counter today’s attacks with a security transformation that mirrors digital transformation efforts. Yesterday’s solutions, working individually, are not adequate. Point products and static defenses must give way to integrated and automated solutions that operate at speed and scale.”
Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, announced the findings of its latest Global Threat Landscape Report. The research reveals that attacks per firm increased over the previous quarter. In addition, automated and sophisticated swarm attacks are accelerating making it increasingly difficult for Australian organisations to protect users, applications, and devices. For a detailed view of the findings and some important takeaways for CISOs read the blog. Highlights of the report follow:
Swarm Cyberattacks Increase in Volume, Variety, and Velocity
The sophistication of attacks targeting organisations is accelerating at an unprecedented rate. Digital transformation isn’t just reshaping business, cybercriminals are leveraging the expanding attack surface it creates for new disruptive opportunities to attack. They are implementing newer swarm-like capabilities while simultaneously targeting multiple vulnerabilities, devices, and access points. The combination of rapid threat development combined with the increased propagation of new variants is increasingly difficult for many organisations to combat.
• Cryptocurrency Mining on the Rise: Cryptomining malware increased globally and in APAC, which seems to be intertwined with the changing price of Bitcoin. Cybercriminals recognise the growth in digital currencies and are using a trick called cryptojacking to mine cryptocurrencies on computers using CPU resources in the background without a user knowing. Cryptojacking involves loading a script into a web browser, nothing is installed or stored on the computer.
• Unprecedented Volume: An average of 274 exploit detections per firm were detected, which is a significant increase of 82 per cent over the previous quarter. The number of malware families also increased by 25 per cent and unique variants grew by 19 per cent. The data not only indicates growth in volume, but also an evolution of the malware as well. In addition, encrypted traffic using HTTPS and SSL grew as a percentage of total network traffic to a high of nearly 60% on average. While encryption can certainly help protect data in motion as it moves between core, cloud, and endpoint environments, it also represents a real challenge for traditional security solutions.
In Australia, it’s been observed that attacks have seen more concentration in the healthcare and education sectors, similar to when WannaCry hit last year. This can potentially be attributed to the lower cyber-hygiene knowledge of those employed in these sectors, as well as the widespread adoption of bring-your-own-device.
• IoT Attack Intensity: Three of the top twenty attacks identified targeted IoT devices and exploit activity quadrupled against devices like Wi-Fi cameras. None of these detections were associated with a known or named CVE, which is one of the troubling aspects of vulnerable IoT devices. In addition, unlike previous attacks, which focused on exploiting a single vulnerability, new IoT botnets such as Reaper and Hajime can target multiple vulnerabilities simultaneously. This multi-vector approach is much harder to combat. Reaper’s flexible framework means that, rather than the static, pre-programmed attacks of previous IoT exploits, Reaper’s code is easily updated to swarm faster by running new and more malicious attacks as they become available. Demonstrating its swarm abilities, exploit volume associated with Reaper exhibited a jump from 50,000 to 2.7 million over a few days before dropping back to normal.
In Asia Pacific, the top prevalent exploits detected exhibits a similar pattern. For example, exploits targeting the Apache Struts and IP camera/DVR vulnerabilities make up some of the top exploits detected in APAC for Q4 2017 as well. IP camera/DVR vulnerabilities in APAC are quite prevalent as these devices are popular, available at low cost, but do not have sufficient security designed into them.
• Ransomware Still Prevalent: Several strains of ransomware topped the list of malware variants. Locky was the most widespread malware variant and GlobeImposter followed as the second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. In addition, there was a shift on the darknet from only accepting Bitcoin for payment to other forms of digital currency such as Monero.
In APAC, new malware variants and ransomware droppers account for the top prevalent malware seen in Q4 2017.
• Sophisticated Industrial Malware: An uptick in exploit activity against industrial control systems (ICS) and safety instrumental systems (SIS) suggests these under-the-radar attacks might be climbing higher on attackers’ radar. An example is an attack codenamed Triton. It is sophisticated in nature and has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis. Because these platforms affect vital critical infrastructures, they are enticing for threat actors. Successful attacks can cause significant damage with far-reaching impact.
• Attack Variety: Steganography is an attack that embeds malicious code in images. It’s an attack vector that has not had much visibility over the past several years, but it appears to be on the resurgence. The Sundown exploit kit uses steganography to steal information, and while it has been around for some time, it was reported by more organisations than any other exploit kit. It was found dropping multiple ransomware variants.
Fighting Swarm Attacks Requires Integrated Security
The threat data in this quarter’s report reinforces many of the predictions unveiled by the Fortinet FortiGuard Labs global research team for 2018, which predicted the rise of self-learning hivenets and swarmbots on the horizon. Over the next couple of years, the attack surface will continue to expand while visibility and control over today’s infrastructures diminish. To address the problems of speed and scale by adversaries, organizations need to adopt strategies based on automation and integration. Security should operate at digital speeds by automating responses as well as applying intelligence and self-learning so that networks can make effective and autonomous decisions.
The Fortinet Global Threat Landscape Report is a quarterly view that represents the collective intelligence of FortiGuard Labs drawn from Fortinet’s vast array of sensors during Q4 2017. Research data covers global, regional, industry sector, and organisational perspectives. It focuses on three central and complementary aspects of that landscape, namely application exploits, malicious software, and botnets. It also examines important zero-day vulnerabilities and infrastructure trends to add context about the trajectory of cyberattacks affecting organisations over time. To complement the report, Fortinet publishes a free, subscription-based Threat Intelligence Brief that reviews the top malware, virus, and web-based threats discovered every week, along with links to that week’s most valuable Fortinet research.
• Read our blog for more information about the research or to access the full report.
• View our video and infographic summarising valuable take-aways from the report.
• Share your ideas, discuss the future of cybersecurity, and learn from the best in industry, at #Accelerate18.
• Sign up for our weekly FortiGuard Threat Intelligence Briefs or participate in the open beta for our FortiGuard Threat Intelligence Service.
• Learn more about the Fortinet Security Fabric.
• Follow Fortinet on Facebook, Instagram, and YouTube.
Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organisations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network - today and into the future. Only the Fortinet Security Fabric architecture can deliver security without compromise to address the most critical security challenges, whether in networked, application, cloud, or mobile environments. Fortinet ranks #1 in the most security appliances shipped worldwide and more than 330,000 customers trust Fortinet to protect their businesses. Learn more at http://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.
Email fraud is nothing new, but online criminals have become ever more-effective at spoofing their identities to trick employees into sending them money. The Australian Centre for Cyber Security (ACSC) recorded losses of over $20M to business email compromise (BEC) attacks last year alone, up 230 percent over the previous year – and the full amount is certain to be much larger.
Cybersecurity Insights - Attack
No matter how robust your security, or how diligent your employees, network credentials are a free pass for cybercriminals. This is mostly because employees are relied upon for their own password management. And with more than 4.8 billion sets of stolen credentials said to be available online, odds are that at least a few of your employees’ user IDs and passwords are just waiting to be used by unscrupulous outsiders. Are you ready to stop them?
Cybersecurity Insights - People
Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.