


Addressing New Challenges Starts with Resilience

Nov 13, 2019 | 7 mins


The third quarter of 2019 saw a number of new cyberthreat trends emerge or expand, and organizations need to be aware of them if they want to stay ahead of cybercriminal strategies. One of the most effective attack strategies does not require cybercriminals to build new malware at all; it simply requires a change of tactics.

Cybercriminals are Focusing on Vulnerable Edge Services

Phishing attacks are top of mind across all industries, because over 90% of all malware is still delivered as malicious email attachments. As a result, organizations are aggressively training users to identify malicious email, report it to the help desk, and never open unexpected attachments. They are also reviewing and updating their secure email gateways to filter out unwanted and malicious email more effectively. But over-rotating on a single attack vector can leave an organization exposed to threats that target other, potentially neglected systems.

To that point, according to the latest Threat Landscape Report from FortiGuard Labs, remote code execution attacks against vulnerable edge services (public-facing services exposed to customers and/or employees) topped the list of identified threats in every geographic region during the third quarter. Attack trends generally concentrate in one, or at most a handful, of regions. Seeing the same attacks at the top of every regional list is a strong indication that these attack vectors are gaining cybercriminals' attention.

These public-facing services and systems offer an opportunity to breach the network perimeter comparable to phishing. And unlike the phishing vector, where defenses have been shored up, many of these edge services remain vulnerable to a wide range of attacks, usually because the operating systems and applications running on them are patched and updated inconsistently.

In fact, FortiGuard Labs saw more attempts to exploit vulnerabilities more than a decade old than vulnerabilities disclosed in 2018 and 2019 combined, and exploitation attempts against vulnerabilities from each of the years since 2007 also matched 2018/19 levels. The vast majority of these vulnerabilities have patches available that simply have not been applied.

Once criminals establish a foothold at the edge, they can use it to begin delivering malware to targets inside the network, with the same result as if phishing had delivered the same payloads. The tactic is not new, but it shows that cybercriminals pay attention to cybersecurity trends, such as growing organizational awareness of phishing. It also demonstrates that shifting to systems where defenders may not be watching as closely is an effective way to catch organizations off guard and improve the odds of success.

It is a common refrain, but the reality is that the majority of network and device compromises are the direct result of a failure to patch, upgrade, or replace vulnerable systems, or to implement adequate proximity controls. Of course, patching is hard, especially across thousands of devices or on embedded systems that cannot be updated without taking down essential services. A rating service such as the FortiGuard Security Rating Service allows IT teams to prioritize the patching and upgrading of vulnerable systems.

Malware-as-a-Service continues to grow

Beyond widening the set of attack vectors used to breach networks, the volume of attacks is also likely to keep growing over the next several quarters. One of the gating factors for many would-be cybercriminals is that they simply lack the technical skills to develop the tools needed to identify and exploit a victim. That changed when criminal malware developers began offering Malware-as-a-Service (MaaS) on the dark web. For a share of the profits, criminals gained access to tools that not only compensated for their lack of skill but also had ongoing development teams behind them to keep those tools effective.

The GandCrab Ransomware-as-a-Service (RaaS), for example, netted its developers as much as $2 billion before they retired earlier this year. And now it appears that more cybercriminal organizations are jumping on the bandwagon. Last quarter, FortiGuard Labs identified two additional ransomware families, Sodinokibi and Nemty, being offered on the dark web as RaaS. By adopting the RaaS model, the authors of these tools significantly lower the bar, in both overhead and expertise, for launching such attacks.

The MaaS model is also expanding

Cybercriminals are not content merely to move traditional malware such as ransomware, or access to botnets, to a service model. Emotet, a highly successful and lucrative banking trojan, has launched a new kind of MaaS offering that rents out access to devices already infected with Emotet. This is especially dangerous because Emotet can now deliver additional malicious payloads: the service gives attackers a way to drop further malware, such as the Trickbot trojan and Ryuk ransomware, directly into a compromised network, bypassing the time and effort needed to breach its defenses.

And this is not the only new trick up Emotet's sleeve. Its operators have also raised the bar on phishing itself. Alongside changing tactics, as outlined above, another strategy is simply to make malware distribution through phishing significantly more efficient.

Cybercriminals naturally want to deliver a phishing email that will be opened, but with heightened end-user awareness that is harder to achieve. Emotet's new phishing strategy addresses this by stealing active email threads, not just email addresses, from infected devices. It then injects a malicious reply into an existing thread, disguised as coming from one of the participants. Because the message lands in a conversation the recipient is already engaged in, this has proven far more effective than traditional phishing attempts, and even than targeted spearphishing.
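How such a hijacked reply can be caught on the receiving side, as an added example that is not part of the original article or of any Fortinet product: the script below parses a constructed thread history and a constructed hijacked reply with Python's standard `email` library and reports the indicators a mail filter could act on (sender not a thread participant, a participant's display name reused over a lookalike domain, a Message-ID minted by an unrelated host, and a document attachment). The sample messages, the domains and the heuristics themselves are assumptions made for illustration.

```python
"""Reply-chain hijack detector for the Emotet tactic described above.

Added example, not code from Fortinet or the Emotet research. It parses
constructed RFC 5322 messages with the standard library and flags a reply
whose sender does not belong to the thread it claims to continue. The thread
history, the suspicious message and the heuristics are assumptions."""
from email import message_from_string, policy

# Constructed legitimate thread: the conversation an infected mailbox leaks.
KNOWN_THREAD = [
    """\
From: Alice Example <alice@example.com>
To: Bob Partner <bob@partner.example>
Message-ID: <a1b2c3@mail.example.com>
Subject: Q3 invoice

Bob, the Q3 invoice will follow next week.
""",
    """\
From: Bob Partner <bob@partner.example>
To: Alice Example <alice@example.com>
Message-ID: <d4e5f6@mail.partner.example>
In-Reply-To: <a1b2c3@mail.example.com>
References: <a1b2c3@mail.example.com>
Subject: Re: Q3 invoice

Thanks Alice, looking forward to it.
""",
]

# Constructed hijacked reply: Bob's display name on a lookalike domain,
# valid threading headers, and a document attachment.
HIJACKED_REPLY = """\
From: Bob Partner <bob@partner-example.co>
To: Alice Example <alice@example.com>
Message-ID: <x9y8z7@mail.attacker.example>
In-Reply-To: <d4e5f6@mail.partner.example>
References: <a1b2c3@mail.example.com> <d4e5f6@mail.partner.example>
Subject: Re: Q3 invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Alice, please review the attached invoice and confirm.
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"

(binary content omitted)
--b1--
"""

def parse(raw):
    return message_from_string(raw, policy=policy.default)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def thread_participants(raw_messages):
    """Collect addresses and display names seen in the trusted history."""
    addresses, names = set(), {}
    for raw in raw_messages:
        msg = parse(raw)
        for field in ("From", "To", "Cc"):
            for a in (msg[field].addresses if msg[field] else ()):
                addresses.add(a.addr_spec.lower())
                if a.display_name:
                    names.setdefault(a.display_name.strip().lower(), set()).add(a.addr_spec.lower())
    return addresses, names

def analyze_reply(raw, known_addresses, known_names):
    """Return hijack indicators for one message; an empty list means none."""
    msg = parse(raw)
    threading = str(msg.get("References", "")).split()
    if msg["In-Reply-To"]:
        threading.append(str(msg["In-Reply-To"]).strip())
    if not threading:
        return []                      # not a reply: outside this heuristic
    if msg["From"] is None or not msg["From"].addresses:
        return ["missing_or_unparseable_from"]
    sender = msg["From"].addresses[0]
    addr = sender.addr_spec.lower()
    findings = []
    if addr not in known_addresses:
        findings.append("sender_not_in_thread")
        if sender.display_name.strip().lower() in known_names:
            findings.append("display_name_reuse")  # real name, wrong address
    # Weak signal: Message-ID minted by a host unrelated to the sender domain.
    # Legitimate third-party mailers also trip this, so treat as corroboration.
    mid_domain = domain_of(str(msg.get("Message-ID", "")).strip().strip("<>"))
    if mid_domain and mid_domain != domain_of(addr) and not mid_domain.endswith("." + domain_of(addr)):
        findings.append("message_id_domain_mismatch")
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append("attachment:" + (part.get_filename() or "unnamed"))
    return findings
```

The threading headers are exactly what makes the attack convincing, so the check keys on them: a message that cites a known thread but comes from an address never seen in that thread is the core signal, and the attachment check matters because that is how the payload arrives. On a real gateway the participant list has to come from archived inbound and outbound mail; where that history is not available, the display-name and Message-ID checks still work as weaker, corroborating signals.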

Addressing New Challenges Starts with Resilience

While there are many valuable approaches to addressing evolving security challenges, there are a handful that every organization needs to adopt that will remain effective even as the threat landscape continues to evolve.

First, organizations cannot afford to over-focus on the latest threat trends. As the increased targeting of edge services shows, organizations must adopt a holistic approach to securing their entire distributed network. That begins with a comprehensive security fabric: integrated security devices, centralized single-pane-of-glass monitoring, management, and configuration, and real-time threat intelligence so that the network is continuously tuned to the current threat landscape.

In addition, many new attacks and exploits succeed because vulnerable systems are not being adequately patched or updated. Exploits targeting older vulnerabilities can be stopped by conducting a risk assessment, using a rating service to prioritize at-risk devices and systems, and then either applying patches and upgrades or replacing systems that cannot be fixed.

Finally, organizations should also consider implementing intent-based network segmentation and zero-trust access strategies to keep critical devices and vulnerable systems from being exploited. Segmentation also limits the damage from a successful intrusion: a compromised edge host can reach only the segment it sits in, which shrinks the attack surface available to the intruder and constrains lateral movement.
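A worked version of the prioritization the two paragraphs above describe (risk-assess, rank, then patch, upgrade or replace, with segmentation as the interim control), added here as an example and not code from Fortinet or the Security Rating Service. The findings inventory, the weights and the host names are constructed assumptions; the point is the decision logic, which ranks exposed, actively exploited and long-unpatched systems first and assigns a remedy according to whether a fix exists and can be applied in place.

```python
"""Patch-prioritisation planner for the risk-assessment step described above.

Added example, not code from Fortinet or the Security Rating Service. Weights,
host names and findings are constructed assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    year_disclosed: int       # year the vulnerability was published
    internet_facing: bool     # reachable from the Internet: an edge service
    exploited_in_wild: bool   # threat intelligence reports active exploitation
    patch_available: bool     # a vendor fix exists
    patchable_in_place: bool  # fix applies without a vendor image or hardware swap


@dataclass(frozen=True)
class Plan:
    host: str
    score: int
    action: str
    segment_now: bool


# Assumed weights: exposure dominates, active exploitation comes next, and each
# year a fix has gone unapplied adds a point (capped). The age term reflects the
# report's observation that decade-old, patchable flaws are the most targeted.
W_EDGE, W_INTERNAL, W_EXPLOITED, AGE_CAP = 20, 6, 10, 10


def score(f, today):
    s = W_EDGE if f.internet_facing else W_INTERNAL
    if f.exploited_in_wild:
        s += W_EXPLOITED
    return s + min(max(today - f.year_disclosed, 0), AGE_CAP)


def remedy(f):
    """Pick one of the page's remedies: patch, upgrade, or replace/isolate."""
    if f.patch_available and f.patchable_in_place:
        return "patch"
    if f.patch_available:
        return "upgrade"       # vendor image or firmware; needs a maintenance window
    if f.internet_facing:
        return "replace"       # no fix and exposed: retire the system
    return "isolate"           # no fix, internal: segment it and plan replacement


def prioritize(findings, today):
    """Rank findings by score; ties break on host name for a stable order."""
    plans = [
        Plan(f.host, score(f, today), remedy(f),
             segment_now=f.internet_facing or f.exploited_in_wild)
        for f in findings
    ]
    return sorted(plans, key=lambda p: (-p.score, p.host))


# Constructed sample inventory, not real assets or real vulnerabilities.
INVENTORY = [
    Finding("vpn-gw-1", "SSL VPN portal", 2018, True, True, True, True),
    Finding("web-legacy", "customer portal on 2008-era middleware", 2008, True, False, True, True),
    Finding("plc-7", "plant controller web UI", 2012, False, True, False, False),
    Finding("hr-intranet", "internal HR portal", 2019, False, False, True, True),
]


def plan_for(inventory=INVENTORY, today=2019):
    return prioritize(inventory, today)


if __name__ == "__main__":
    for p in plan_for():
        print(f"{p.score:3d}  {p.host:12}  {p.action:8}  segment_now={p.segment_now}")
```

With the constructed inventory the plan comes out as vpn-gw-1 (31, patch), web-legacy (30, patch), plc-7 (23, isolate) and hr-intranet (6, patch). The legacy web host scores almost as high as the actively exploited VPN gateway even without any exploitation intelligence, which is the report's point: an old, internet-facing, patchable flaw is exactly what the decade-old exploit attempts are aimed at, and the controller with no available fix gets segmentation now and replacement on the roadmap rather than being left off the list.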

By starting with these basic strategies, organizations can build resilience into their security systems that enables them to successfully weather the shifting storms of today's cybercriminal organizations.

Read the blog for more information about this research. View the Fortinet Threat Landscape Index and subindices for botnets, malware, and exploits for Q3 2019, or access the full report.


For a more detailed view into the changing threats and events driving the Fortinet Threat Landscape Index each week, check out our weekly Threat Brief.