In our 1H 2022 FortiGuard Labs Threat Landscape Report, we examine the cyber threat landscape during the year's first half to identify trends and offer insights that CISOs can use to more effectively manage organizational risk.
The convergence of IT and OT networks, combined with today’s Work-From-Anywhere (WFA) environment, means that bad actors are finding more opportunities to carry out both familiar and new cyberattacks while using more clever techniques to evade detection. Successful attacks now carry higher consequences, whether because of the explosive volume of new attack variants designed to evade detection and gain access to internal resources, or because of the new levels of destruction attackers achieve through their exploits. Here’s what all of this means for CISOs and their teams.
The report findings show that attackers are going to ever greater lengths to achieve their goals, embracing new tactics and techniques to outsmart security teams and the technologies they have in place. The FortiGuard Labs team analyzed the functionality of detected malware strains to identify the most common approaches. Among the top eight endpoint-focused tactics and techniques, defense evasion was the tactic most commonly employed by malware developers, who often rely on system binary proxy execution to achieve it. Concealing malicious intent is a priority for adversaries, so they attempt to evade defenses by masking their exploits and hiding commands behind a legitimate certificate, using it to execute a trusted process that then carries out the malicious activity. The second most popular technique was process injection, in which criminals inject code into the address space of another process to evade defenses and improve stealth.
While the number of attackers taking steps to evade an organization’s security defenses is increasing, the good news is that the techniques they use to carry out these tactics are familiar. This subset of methods represents a small segment of the published Common Vulnerabilities and Exposures (CVEs): we observed roughly 15,300 CVEs in circulation out of the 180K+ known CVEs. This offers CISOs a clear path for managing risk, as security teams can prioritize monitoring for the specific techniques attackers regularly use to evade detection. Embracing integrated, AI-driven security platforms, along with sandboxing technologies, allows security teams to detect and respond to potential threats more quickly and accurately, including those in which an attacker aims to make an exploit attempt look like regular network traffic.
Ransomware remains a top threat, and cyber adversaries continue to invest significant resources into new attack techniques. This renewed investment is apparent in the number of ransomware variants identified in 1H 2022: nearly double the amount found in the previous six months. This explosive growth of ransomware is unsettling and can be attributed to the increasing popularity of Ransomware-as-a-Service (RaaS) operations, which offer cybercriminals an easy means to a quick payday.
While ransomware isn’t new, its rapid growth combined with its destructive sophistication makes it more critical than ever for CISOs and their security teams to have real-time visibility into their networks and effective protection and remediation strategies and tools. Adding advanced endpoint detection and response (EDR) technology, coupled with AI-driven and customized behavior-focused detections, offers an even better defense against these variants and the clever techniques we see attackers using to execute them.
The pandemic and the subsequent shift to a Work-From-Anywhere (WFA) environment forced CISOs to quickly reevaluate and update their security programs, prompting them to account for and secure numerous new endpoints in their networks. Based on observed active exploit activity, it’s clear that IT and OT endpoints remain key attack vectors. Further analysis of exploit data reveals that many vulnerabilities at the endpoint involve unauthorized users gaining access to a system, likely with the goal of moving laterally across the corporate network. OT devices weren’t spared from attack, either.
As IT and OT networks continue converging and WFA becomes the new normal, security teams have a broader attack surface to protect. Fortunately, this evolution offers an opportunity to reevaluate IT and OT endpoint security. For IT, software patching must be a top priority. Automating these processes is ideal, helping to ensure that vulnerability gaps are closed in near-real time. For OT systems, Intrusion Prevention Systems (IPS) need to be regularly updated with threat intelligence to give security teams the best chance of stopping attackers in their tracks.
Analyzing wiper malware data reveals a disturbing trend of cybercriminals using more destructive and sophisticated attack techniques, primarily in OT environments. In the first six months of 2022, FortiGuard Labs identified at least seven significant new wiper variants used by attackers in various targeted campaigns against government, military, and private organizations. This number is significant because it is nearly as many wiper variants as were publicly detected in the previous ten years in total. Additionally, the wipers did not stay in one geographical location: they were detected in 24 countries besides Ukraine.
Threat insights like this report are critical to help CISOs prioritize patching strategies and better secure their environments. Cybersecurity awareness and training are also important for keeping employees and security teams up to date as the threat landscape changes. But organizations also need security operations that can function at machine speed to keep up with the volume, sophistication, and speed of today’s cyber threats. It is critical to maximize AI- and ML-powered prevention, detection, and response strategies based on a cybersecurity mesh architecture, allowing for much tighter integration, increased automation, and a more rapid and effective response to threats across the extended network. Consolidation and integration are essential given the threats organizations face today.
The latest Global Threat Landscape Report summarizes the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed around the world during the first half of 2022. The FortiGuard Labs Global Threat Landscape Report also leverages the MITRE ATT&CK framework to describe how threat actors find vulnerabilities, build malicious infrastructure, and exploit their targets. The report also covers global and regional perspectives and threats against both IT and OT.
Download your copy of the 1H 2022 FortiGuard Labs Threat Landscape Report here.