While analyzing the threat landscape over the last half of 2020, one word comes to mind: disruption. This has been more than just a disruption to business. The first half of 2020 precipitated one of the most rapid transformations to how organizations run their businesses and interface with their customers ever seen. We also witnessed that cybercriminals were quick to exploit fears and concerns about the pandemic to gather personal information, steal financial data, and load malicious payloads.
While much of that continued to spill over into the second half of 2020, what is documented in the new Global Threat Landscape Report from FortiGuard Labs is an extension of that initial disruption. But this time, it was more than just a business disruption. It has also been a disruption in every vertical and across all geographical regions.
In the midst of having to deal with the sudden transition to work from home (WFH), compounded by the growing cybersecurity skills gap, security teams have also had to redesign their security strategies to deal with threats targeting their organizations on three fronts simultaneously: a spike in attacks targeting the WFH office; risks to the digital supply chain; and increased ransomware attacks on core networks that has left many organizations reeling from the effects.
The barriers that existed between logging into work from a corporate office and connecting to the network from home were eroded in 2020. Networks were turned inside out, with the vast majority of workers now accessing critical networked resources and applications from their home offices. This change happened suddenly, which left little time to plan an effective cybersecurity strategy. As a result, ‘pwning’ an outdated and sometimes insufficiently secured home office now puts adversaries one step closer to pwning the corporate network.
Some organizations are still trying to figure out how to effectively scale their enterprise security protections out to their employee’s homes. In the meantime, especially during the second half of 2020, exploits targeting Internet of Things (IoT) devices, such as home entertainment systems, home routers, and connected security devices, were among the top threats we documented. Each of these IoT devices introduces a new network “edge” that needs to be defended. This has put pressure on security teams to figure out how to extend security monitoring and enforcement out to every device.
In the meantime, user-based resources that were once hidden behind a full stack of enterprise-grade security solutions are now protected with little more than an SSL connection in some situations. As a result, we are seeing success by cybercriminals targeting home networks using older exploits aimed at aging connected devices, and then using them as a beachhead from which to launch attacks against the corporate network as well as cloud-based applications and resources.
Supply chain attacks have a long history, but the SolarWinds breach raised the discussion to new heights. As the attack unfolded, a significant amount of information was shared by affected organizations. FortiGuard Labs monitored this emerging intelligence closely, using it to create IoCs to detect related activity. Detections of communications with internet infrastructure associated with SUNBURST during December 2020 demonstrates that the hack made victims all around the world, with the “Five Eyes” exhibiting particularly high rates of traffic matching malicious IoCs.
There is also evidence of possible spillover targets that emphasizes the interconnected scope of modern supply chain attacks and the importance of supply chain risk management.
Ransomware activity jumped an astounding sevenfold in the second half of 2020 when compared with the first six months. Threat actors had already discovered that crypto-locking critical systems and demanding a ransom for the decryption key is a relatively easy way to extort money from organizations regardless of their size or the industry to which they belong. But the continued evolution of Ransomware-as-a-Service, an emphasis on “Big Game Hunting” (big ransoms from big targets), and the threat of disclosing compromised data if demands aren’t met created a market for massive growth that cybercriminals turned into big profits. By the end of the year, this use of data theft as additional leverage in ransomware campaigns had been used in a majority of attacks.
The most active of the ransomware strains tracked between July and December of 2020 were Egregor, Ryuk, Conti, Thanos, Ragnar, WastedLocker, Phobos/EKING and BazarLoader. Sectors that were heavily targeted in ransomware attacks were spread across a wide range of markets, included healthcare, professional services firms, consumer services companies, public sector organizations, and financial services firms.
To effectively deal with the evolving and rapidly expanding risk of ransomware, organizations will need to make foundational changes to the frequency, location, and security of their data backups. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
Patching and remediation are ongoing priorities for organizations as cyber adversaries continue to attempt to exploit vulnerabilities for their benefit. Specifically, the challenge is often “which one?” and “when?” This is difficult to answer and analyze because so few organizations have data at the scale necessary to properly study it. Fortinet is one such organization, and FortiGuard Labs has been collaborating with others to help shine light on this topic.
We found by tracking the progression of 1,500 exploits over the last two years, that data demonstrates how fast and how far exploits propagate. Even though it is not always the case, it seems that most exploits do not seem to spread far very fast. Among all exploits tracked over the last two years, only 5% were detected by more than 10% of organizations. With all things being equal, if a vulnerability is picked at random, data shows there is about a 1-in-1000 chance that an organization will be attacked. About 6% of exploits hit more than 1% of firms within the first month, and even after one year, 91% of exploits have not crossed that 1% threshold.
Regardless it remains prudent to focus remediation efforts on vulnerabilities with known exploits, and among those, prioritize the ones propagating most quickly in the wild.
The latest Global Threat Landscape Report represents the collective intelligence of FortiGuard Labs. Its data is drawn from Fortinet’s vast array of sensors collecting billions of threat events observed around the world and processed using one of the world’s most advanced AI systems during the second half of 2020. Using the first three groupings of reconnaissance, resource development, and initial access from the MITRE ATT&CK framework, the FortiGuard Labs Global Threat Landscape Report classifies adversary tactics and techniques to describe how threat actors find vulnerabilities, build malicious infrastructure, and exploit their targets. The report also covers global and regional perspectives to provide security professionals with both broad and specific insight into the threat landscape, empowering them to make decisions calculated to reduce their risks and better protect and preserve their critical digital resources.