Looking Back to Look Ahead: Cyber Threat Trends to Watch

Organizations today face an unprecedented volume of increasingly sophisticated threats as they conduct online operations. As the potential attack surface expands and attack volumes increase, it is imperative to track the most popular and successful strategies of cybercriminals to stay ahead of their malicious intentions.

The quarterly Fortinet Global Threat Landscape Report gathers the collective intelligence drawn from FortiGuard Labs' large array of sensors deployed in live production environments. The research data in the most recent report focuses on three aspects of the threat landscape: application exploits, malicious software, and botnets. It also examines important zero-day vulnerabilities and infrastructure trends to add context about the trajectory of cyberattacks affecting organizations over time.

What the Data Reveals
Below are the key findings from the latest "Threat Landscape Report" that organizations need to know about in order to prepare for what's ahead.

Application exploits, malicious software, and botnets:

• Historic Volume: The number of malware families detected in the fourth quarter of 2017 increased by 25% over the third quarter, to 3,317, and unique variants grew 19%, to 17,671. An average of 274 attacks per firm were also detected, a staggering increase of 82% over the previous quarter.
• Mining for Cryptocurrency: Cryptomining malware increased in the fourth quarter, which seems to be intertwined with the changing price of bitcoin. Cybercriminals recognize the growth in digital currencies and are using a trick called cryptojacking to mine cryptocurrencies on computers using CPU resources in the background without a user knowing. Cryptojacking involves loading a script into a web browser; nothing is installed or stored on the computer.
• Everything Old Is New Again: Steganography is an attack that embeds malicious code in images. The Sundown exploit kit uses steganography to steal information, and while it has been around for some time, it was reported by more organizations than any other exploit kit in the fourth quarter. It was found dropping multiple ransomware variants.
• A Ransomware Explosion: Ransomware continues to grow in both volume and sophistication. Several strains of ransomware topped the list of malware variants. Locky was the most prevalent malware variant, and GlobeImposter was second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. In addition, there was a shift on the darknet from only accepting bitcoin for payment to other forms of digital currency.
• Swarm-Based Cyberattacks: The sophistication of attacks targeting organizations is accelerating at an unprecedented rate. For example, they are developing new Internet of Things (IoT)-based botnets with swarm-like capabilities that simultaneously target multiple vulnerabilities, devices, and access points.
• An Increase in IoT Attacks: Three of the top 20 attacks identified in the quarter targeted IoT devices. New IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously. This multivector approach is much harder to combat. In addition, Reaper's new flexible framework, built around a Lua engine and scripts, means that Reaper's code can be easily updated to swarm faster by running new and more malicious attacks as they become available. Exploit volumes associated with Reaper exhibited an early October jump from 50,000 to 2.7 million over just a few days, before dropping back to normal.
• Sophisticated Industrial Malware: An uptick in exploit activity against industrial control systems and safety instrumental systems suggests these under-the-radar attacks might be climbing higher on attackers’ radar. An example is an attack code-named Triton. It is sophisticated in nature and has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis. Because these platforms affect vital critical infrastructures, they are enticing for threat actors. Successful attacks can cause significant damage with far-reaching impact.

Infrastructure trends:
When it comes to the cyber threat landscape, infrastructure statistics offer a powerful overview because strong correlations exist between infrastructure usage and threat frequency. For example, firms that use a lot of peer-to-peer and proxy apps report seven to nine times as many botnets and malware as those that don't use them.

In the fourth quarter of 2017, firms also appear to have used more bandwidth and encrypted more web traffic than ever before, but they are actually visiting fewer sites and using fewer applications. There is also a special interest in keeping tabs on the ratio of HTTPS traffic in the network. It's continuing to trend up.

While helpful for maintaining privacy, higher encryption rates also present challenges to threat monitoring and detection. Inspecting Secure Sockets Layer traffic has a significant impact on the performance of firewalls, which means it can affect the amount of network traffic that is actually being inspected. And organizations — especially those with higher HTTPS ratios — cannot afford to ignore threats that might be lurking within encrypted communications.

Best Practices for Stronger Security
With the volume, velocity, and variety of modern threats increasing, standalone point devices and platforms are rapidly becoming inadequate and ineffective. Organizations need a more unified approach that makes it practical for security teams, large or small, to achieve and maintain a competent security posture.

To protect the network against application exploits, malicious software, botnets, and zero-day vulnerabilities, organizations need to stay abreast of and track popular and successful threats. In addition, automated security measures can help pit swarm against swarm in order to effectively counter and repel an attack.

A unified defense posture can also help companies by detecting known and unknown threats at multiple layers throughout the environment. Growing your capability to detect and sever botnet communications at key choke points in your network is another solid strategy. Additionally, an internal network segmentation strategy will help detect and automatically contain all kinds of threats.

Looking back at data from 2017 reveals that to effectively combat today's ever-evolving threats, you need to break down siloes and bring many security tools together for a collaborative approach that can help you see everything that's coming at your network.

Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.