Industry Trends

FortiGuard Labs Threat Landscape Report Highlights Preferred Cyber Adversary Attack Techniques

By Derek Manky and Aamir Lakhani | September 20, 2021

FortiGuard Labs Perspectives

The threat landscape is unpredictable, with many moving parts as well as social and economic changes affecting it all of the time. Researchers have long relied on data and trends to monitor the behavior of cybercriminals, and although this is only one part of the solution to cybercrime, it is a crucial one. 2021 has been an unprecedented year for the world of cybersecurity with attack outbreaks affecting thousands of organizations, following an already immensely eventful year in 2020 with lures and attacks scaling around the world as a result of the pandemic.

FortiGuard Labs' Derek Manky and Aamir Lakhani review some of the findings of the 1H 2021 Global Threat Landscape Report, to offer perspective on protections, priorities, and where cyber adversaries are focusing next. 

What was the most common attack trend found in the Global Threat Landscape Report?

Derek - Not surprisingly, ransomware is one of the most concerning and lead stories to come out of the report. We've discussed this problem quite a bit but it's always important to look at the bigger picture of what's going on with ransomware. Observing the entire year of data on ransomware, it increased nearly eleven-fold. That's a lot of activity. In our last report, we saw over a seven-fold increase. The ransomware wave started to build after shift of cybercriminals focusing on low-hanging fruit and fear tactics during the initial COVID-19 waves. They went back to the drawing board in December last year and ransomware has been snowballing ever since. This has resulted in more families, ransom to service models, ransom settlements, and a lot more high-profile attacks. In the graph from the report, you can see how prevalent it was in various verticals.

Ransomware Detections

Aamir - In our previous threat reports, ransomware repeatedly seems to be one of the top stories. I'm always amazed by just how much more ransomware is occurring, how big the payouts are, and the impact it's having on organizations. As a researcher and a reverse malware engineer, I don’t find most ransomware interesting when compared to other types of malware such as rootkits, remote access trojans, and cryptocurrency attacks. However, the impact of ransomware is always top-of-mind for most organizations. It continues to be a significant attack technique that researchers, want to be able to identify and mitigate, and they remain focused on working to protect against.

FortiGuard Labs Threat Landscape Report Highlights 

How has the threat landscape changed in regards to hybrid work and work from anywhere?

Derek - Over the first half of 2021, there was a big trend in malvertising. The common theme was more web-borne threats vs. email. Due to more web traffic being accessed from the edge, the attack surface began to expand and in turn, was a direct target cybercriminals capitalized on. One in four organizations detected web-born malvertising, things like heavily obfuscated JavaScript, even new versions of scareware, and impersonations of technical support systems and IT staff. We also saw botnets continue to be pushed out into these environments, specifically IoT.

Aamir - The edge is traditionally defined as a barrier between the network, the local area network (LAN), and Internet access. That “edge” is no longer defined as it used to be. Now we have cloud services, mobile services, web services, and so on. One could say there is no edge anymore because Internet access is not defined by borders. In my opinion, it is why access solutions such as SD-WAN and advanced VPNs are going to be critical in not only securing data, but providing basic connectivity access to organizational data. We're accessing the internet in all sorts of matters through the cloud, IoT devices and web devices. However, that means these attacks can come from anywhere, anytime, and in any form. Web scripts, javascript, drive-by-downloads, API injections, malvertising, and many other techniques introduce cybersecurity risks in an ever-expanding attack surface. Hackers are taking advantage of that and once they have one way into an organization, they move through the network laterally and find ways to hit more valuable targets. 

How have botnets evolved in the past few years? 

Aamir - When Mirai came out, it was infecting traditional consumer devices that people used at home, and many people did not notice that they were infected with a botnet. One of the main problems with botnets is that not only does it infect your system but it's used as a potential jumping point to attack other systems outside your network or organization. 

Botnets now are more sophisticated. In cases like Mirai, the source code leaked on the Internet years ago and has been leveraged and improved upon continuously by attackers. These improvements are all focused on causing more harm. Modern botnets have evolved into content delivery networks where are used to carry other types of malware, including ransomware. 

I think the difference between what I would define as a botnet today versus even a couple of years ago is that current botnets lay a foundation for attackers to spread many different types of cyberattacks and malware through infections. As soon as botnet connections are established, attackers may have shell access to a system and have the ability to upload more attacks, run other types of commands, or start disabling things like Windows Defender, firewalls, UAC, and other types of security mitigation tools that might be on the system as well.

Derek - What we saw this year with Mirai, one of the first IoT-based botnets, was how it surged into the number one botnet in terms of prevalence for the first half of 2021. IoT botnets are going to be present for the foreseeable future. They seem to be a preferred tactic for cybercriminals and while that's not a surprise, it is a reality to face. 

There was an over 50% jump in botnet activity in the first half of 2021. I suspect that number will continue to grow with IoT botnets like Mirai but also other botnets that come back on the radar. TrickBot, for example, was one of the most prolific botnets in 2020. It was taken offline in Q2 of 2020 but resurfaced in Q2 (June) of this year. When these things come back online, we start to see a big difference in activity and different forms. TrickBot returned, not nearly as prolific as before, and significantly weaker. Cybercriminals go back to the drawing board, refactor their game plan, and then come out of the gates again so it's interesting to see that with TrickBot. At the end of the day, a botnet is about having command and control to remotely operate compromised devices and be able to exfiltrate data. I expect that we're always going to see a lot of this activity, but it's interesting to see how they're adapting to new technologies like this.

Cyber Adversary Attack Techniques with the Threat Landscape Report 

How can threat intelligence provide insight into cyber attackers movements in the threat landscape?

Derek - This is brand new in this report, but we're now able to start to show dynamic TTP data on the strategies of attackers, a method we're calling high-resolution threat intelligence. This includes looking at MITRE attack TTP data to identify the preferred methods of attackers and watching lateral movement on systems to try to execute code or privilege escalation. This is real-time dynamic data that we're able to see, and some of the things we called out are, not surprising but very tactically interesting, is the big focus on defense evasion. As an example, techniques like privilege escalation also showed up prominently, so it's pretty interesting to see the different tools cybercriminals are dealing with. 

At FortiGuard Labs, we've been able to implement this and show dynamic TTP data, which is a new lens to look at the threat landscape through. It’s useful because it helps to prioritize response and put a spotlight on effective defense techniques. There are well over 200 MITRE TTPs so it is difficult to defend everything at once, you need to prioritize. This data starts to look at the verticals in different regions and all the different techniques that attackers are using. It helps to be able to identify those with heavy activity because then you can start to understand the digital DNA of these cyber attackers. Finally, we have a way to reduce noise and extract the signal in focus.

Based on these takeaways, how can organizations continue to defend against these evolving attacks? 

Aamir - Pay attention to attack trends and patterns of behavior. If cybercriminals are continuously using the same technique, think about why that is. Is it because there’s something there that no one has noticed yet or because it’s just that easy of a target? High-resolution threat intelligence is also a great approach to defending your organization. I find it interesting to not only look at the techniques that attackers are using but what the likelihood of those techniques being used in attacks. This unique insight may help organizations focus and prioritize their efforts when it comes to defending their organizations. 

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security Subscriptions and Services portfolio.