Fortinet announced the findings of its latest quarterly Global Threat Landscape Report. The research reveals that half of the top 12 global exploits targeted IoT devices, and four of the top 12 were related to IP-enabled cameras. The report shows cybercriminals are constantly evolving the sophistication of their attacks—from continuing to exploit the vast insecurity of IoT devices, to morphing open source malware tools into new threats.
Key takeaways: IoT Botnets become more complex and botnet infection time increases
Two of the key takeaways from the Fortinet Global Threat Landscape Report are that while the number of exploits per firm continues to grow, more alarmingly, botnet infection time has also increased. Exploits impacting individual firms grew 10% over the quarter, while the number of unique exploits they experienced increased with 5%. This indicates that cybercriminals are active even during the holiday season. At the same time, botnets have also continued to grow, becoming more complex and harder to detect. Time for infection of botnets increased by 15%, growing to an average of nearly 12 infection days per firm.
Exploit Index All-time High
After a dramatic start, the Exploit Index of Fortinet settled in the latter half of the quarter. While cyber adversary activity overall subsided slightly, the number of exploits per firm grew 10%, while unique exploits detected increased 5%. At the same time, botnets become more complex and harder to detect. Time for infection of botnets increased by 15%, growing to an average of nearly 12 infection days per firm. As cybercriminals employ automation and machine learning to propagate attacks, security organizations need to do the same to combat these advanced methods.
Monitor the Monitoring Devices
The convergence of physical things and Cyber Security is creating an expanded attack surface, one that cybercriminals are increasingly targeting. Especially IoT Security, being one of the top Cyber Security threats for 2019, deserves more attention.
The figure above shows the prevalence and volume of IoT exploits by device category.
Half of the top 12 global exploits targeted IoT devices, and four of the top 12 were related to IP-enabled cameras. Access to these devices could enable cybercriminals to snoop on private interactions, enact malicious onsite activities, or gain an entry point into cyber systems to launch DDoS or ransomware attacks.
It is important to be aware of hidden attacks even in devices used to monitor or that provide security.
"Malware samples were found to use steganography to conceal malicious payloads in memes passed along on social media."
Open Source malware and Tools Open to Anyone
Open source malware tools are very beneficial to the Cyber Security community, enabling teams to test defenses, researchers to analyze exploits, and instructors to use real-life examples.
These openware tools are generally available from sharing sites such as GitHub, and as these are available to anyone, adversaries can also access them for nefarious activities. They are evolving and weaponizing these malware tools into new threats, with ransomware comprising a significant number of them. An example where openware source code has been weaponized is the Mirai IoT botnet. An explosion of variants and activity continues to be catalogued since its release in 2016. As mentioned before in our Top 5 Cyber Security Threats 2019, several spin-offs of Mirai are already active.
The Proliferation of Steganography
Developments in steganography are bringing new life into an old attack type. While steganography is typically not used in high-frequency threats, the botnet Vawtrak made the list of “bursty” botnets.
Cyber-threat actors have been known to incorporate this technique into various aspects of their schemes and wares. Examples include the Sundown Exploit Kit and the Vawtrak and Gatak/Stegoloader malware families. Due to its nature, steganography isn’t generally used in high-frequency threats, but it’s worth noting that the Vawtrak botnet did make Fortinet's list of “bursty” botnets in Q4 2018.
This demonstrates increased persistence for this attack type. In addition, during the quarter, malware samples were found to use steganography to conceal malicious payloads in memes passed along on social media. During the attack process after attempting to contact a C2 host, the malware then looks for images in an associated Twitter feed, downloads those images, and looks for hidden commands within the images to propagate activity. This undercover approach demonstrates adversaries continue to experiment in how they advance their malware while evading detection.
Adware Infiltration: Found to be in published apps and posted on authorized app stores
Adware has become a pervasive threat. Globally, Adware sits at the top of the list of malware infections for most regions—exceeding one-quarter of all infection types for North America and Oceania, and almost one-quarter for Europe. With adware now found to be in published apps and posted on authorized app stores, this attack type can pose a serious threat especially to unsuspecting mobile device users.
Keeping an Eye on OT Security
With the ongoing convergence of Information Technology (IT) and Operations Technology (OT), a year in review shows the relative change in prevalence and frequency in attacks targeting industrial control systems (ICS). Unfortunately, most attacks gained ground on both scales of volume and prevalence. A cyberattack that successfully targets an OT system, could result in devastating physical consequences to such things as critical infrastructure and services, the environment, and even human life.
Addressing the Cyber Security challenges of 2019
Rely on advanced threat intelligence. Cybercriminals are becoming innovative in the development of their attack methods, as adoption and refitting of openware malware tools shows, while the complexity of botnets and other attack methods is also increasing. Therefore organizations must remain vigilant, and rely on advanced threat intelligence—including real-time threat-intelligence sharing across all security elements—enabling them to keep pace with the volume, velocity, and sophistication of the evolving threat landscape.
Watch for attacks from unexpected vectors that can be mobilized quickly. Though steganography has historically been a low-frequency attack vector, cybercriminals are now using social media to conceal malicious payloads in memes. Security professionals need to guard against these attacks and similar with ongoing cybersecurity awareness training and by ensuring that they have transparent visibility of the entire attack surface, including out to social media sites and into mobile devices that combine personal and business data and applications.
Evolve defenses to address the increase in cyberattack complexity. Just as cybercriminals employ machines to propagate botnet attacks, organizations also need to leverage technology advances in the area of AI/ML to combat new, machine-generated attacks. Firms also need to remain vigilant and understand that the threat landscape continues to evolve quarter to quarter—far faster than their usual rate of security review.
4 March 2019