FortiGuard Labs has just released our 2021 mid-year Global Threat Landscape Report. The first six months of 2021 saw a significant increase in the volume and sophistication of attacks targeting individuals, organizations, and increasingly critical infrastructure. Here is a quick review of the highlights from this mid-year report:
Last year at this time, attackers had shifted their resources away from enterprise infrastructure devices to home networks and consumer-grade products. But now, they are aggressively targeting both. Top IPS detections, for example, show that while criminals continue to aggressively target small business and consumer-grade technologies to exploit home workers, they have also returned to targeting corporate networks, content management systems (CMS), and application development platforms.
Another trend documented by FortiGuard Labs over the past six months has been the sheer increase in the volume of attacks. For example, the percentage of organizations detecting botnet activity jumped from 35% to 51% by the mid-year mark.
That increase was led by a surge in the use of TrickBot, designed initially as a banking trojan but since evolved into a sophisticated, modular, and multi-stage toolkit supporting a range of illicit activities. Mirai was the most prevalent botnet, overtaking Gh0st in early 2020 and never looking back. Mirai has continued adding new cyberweapons to its arsenal. Its dominance partially stems from criminals seeking to exploit IoT devices used by work-from-anywhere (WFA) or remote-learning individuals. Gh0st, however, continues to play a significant role in botnet activity.
But the most significant increase in cyber threats has been ransomware, which saw a staggering increase of more than tenfold over the past 12 months. This is being fueled, in part, by the continued growth of Ransomware-as-a-Service (RaaS). In addition to renting ransomware, some operators have begun selling access to compromised corporate networks, making it that much easier for less technical criminals to get involved.
Organizations in the telecommunications sector were the most heavily targeted during the first half of 2021, followed by government agencies, managed security service providers, automotive, and manufacturing sectors. Numerous high-profile attacks crippled sectors of critical importance, impacting daily life, productivity, and commerce. These include the Colonial Pipeline attack that disrupted oil and gasoline distribution across the East Coast of the US, the JBS Foods attack that led to concerns about a global meat shortage, and the supply chain attack against Kaseya VSA that resulted in downstream customers being impacted.
But it's not just the volume of ransomware attacks that has increased; their ferocity has as well. Cybercriminals have been adding levels of extortion to get victims to pay. This includes combining encryption with doxing (the threat of publicly exposing internal data), adding a DDoS attack to create additional confusion and panic, and now, reaching out directly to a victim's customers and stakeholders so they will put further pressure on the victim to pay.
Operational Technology (OT) may not get the same attention as IT, but its connection to our physical world, including critical infrastructure, means that a disruption can impact lives long after the workday is over. FortiGuard Labs has documented steady interest from threat actors in identifying OT vulnerabilities and then building them into exploit tools. The result is that script kiddies are now at least as likely to find your exposed OT devices as APT groups focused explicitly on exploiting unprotected and unpatched ICS.
Cybersecurity is a long game, and not all actions have an immediate effect. But increasing pressure from critical voices is having an impact. In response to escalating ransomware incidents and their threat to the safety and security of the American people, the White House has announced the formation of a cross-government task force to develop and coordinate defensive and offensive measures against ransomware. At the same time, groups like Interpol and the World Economic Forum's Centre for Cybersecurity have begun international dialogues on overcoming geopolitical limitations to enable more and better cooperation to detect and stop threats and cybercriminal organizations. Public-private actions taken in the first half of 2021 may be a game-changer. Public sector organizations are now partnering with industry vendors, threat intelligence organizations, and global organizations to combine resources and real-time threat intelligence to take direct action against cyber adversaries. Fortinet is proud to play an active role in many of these activities.
Some results of this cooperation were the coordinated takedown of Emotet, one of the most prolific malware operations in recent history, and the disruption of the Egregor, NetWalker, and Cl0p ransomware operations, which represent significant wins by global governments and law enforcement to curb cybercrime. Also encouraging was the voluntary exit of cybercrime groups such as DarkSide, Avaddon, and Ziggy and the refusal by some underground forums to deal in ransomware in the aftermath of the Colonial Pipeline attacks. In addition, the original developer of TrickBot was arraigned on multiple charges in June. Also, the US Department of Justice (DOJ) sent a strong message when they charged a NetWalker affiliate who walked away with $28M. This response to increased pressure by crucial players represents a significant step forward in the efforts of governments and law enforcement to curb cybercrime.
But this cooperation also needs to be combined with advances in technology and threat intelligence. FortiGuard Labs has begun analyzing the specific functionality inherent to detected malware by detonating threat samples to determine their intended objectives. The result is a list of adverse outcomes that current malware is designed to accomplish, including escalating privileges, evading defenses, moving laterally across internal systems, and exfiltrating compromised data.
Documenting this higher-resolution threat intelligence reveals valuable takeaways about how attack techniques are currently evolving that organizations can use to better secure their critical digital resources. For example, 55% of observed privilege escalation functionality leveraged hooking, and 40% utilized process injection. The takeaway is that there is a specific focus by cybercriminals on defensive evasion and privilege escalation tactics.
The data used in this Global Threat Landscape Report was drawn from Fortinet sensors collecting billions of threat events worldwide. It encapsulates the collective intelligence of FortiGuard Labs. This report provides global and regional perspectives on threat trends and cybersecurity from the first half of 2021. It also leverages the MITRE ATT&CK framework to classify adversary tactics and techniques to describe how threat actors find vulnerabilities, build malicious infrastructure, and exploit their targets. This knowledge empowers defenders to better identify and respond to current and emerging threats that put their participation in today's global economy at risk.
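The functionality-based classification described above can be reproduced on a small scale by tallying sandbox-observed behaviours under ATT&CK tactics. The following is an added example, not FortiGuard Labs' tooling or data: the detonation summaries, behaviour names and the behaviour-to-tactic mapping are all constructed for illustration, and the percentages it produces are for that constructed set, not the report's figures.

```python
from collections import Counter, defaultdict

# Constructed sandbox detonation summaries (illustrative, not FortiGuard data):
# sample id -> behaviours the dynamic analysis flagged during the run.
DETONATIONS = {
    "s01": ["api_hooking", "process_injection", "smb_lateral"],
    "s02": ["api_hooking", "disable_av"],
    "s03": ["process_injection", "http_post_exfil"],
    "s04": ["api_hooking", "token_theft", "disable_av"],
    "s05": ["api_hooking", "process_injection"],
    "s06": ["disable_av", "smb_lateral", "http_post_exfil"],
    "s07": ["api_hooking", "process_injection", "disable_av"],
    "s08": ["api_hooking"],
    "s09": ["process_injection", "smb_lateral"],
    "s10": ["api_hooking", "http_post_exfil"],
}

# Constructed behaviour -> [(ATT&CK tactic, technique label)] mapping.
# Process injection (ATT&CK T1055) is listed under both Privilege Escalation
# and Defense Evasion, so one observed behaviour legitimately counts toward
# two tactics; that overlap is why the two tactics tend to rise together.
BEHAVIOUR_MAP = {
    "api_hooking": [("privilege-escalation", "hooking")],
    "process_injection": [("privilege-escalation", "process-injection"),
                          ("defense-evasion", "process-injection")],
    "token_theft": [("privilege-escalation", "access-token-manipulation")],
    "disable_av": [("defense-evasion", "impair-defenses")],
    "smb_lateral": [("lateral-movement", "remote-services")],
    "http_post_exfil": [("exfiltration", "exfil-over-c2-channel")],
}


def tactic_breakdown(detonations, mapping=BEHAVIOUR_MAP):
    """Percent share of each technique within the functionality observed per tactic."""
    per_tactic = defaultdict(Counter)
    for behaviours in detonations.values():
        for behaviour in behaviours:
            for tactic, technique in mapping.get(behaviour, []):  # unmapped behaviours are skipped
                per_tactic[tactic][technique] += 1
    return {tactic: {tech: round(100 * n / sum(counts.values()), 1) for tech, n in counts.items()}
            for tactic, counts in per_tactic.items()}


def tactic_prevalence(detonations, mapping=BEHAVIOUR_MAP):
    """Percent of samples that exhibit at least one behaviour under each tactic."""
    seen = Counter()
    for behaviours in detonations.values():
        seen.update({tactic for b in behaviours for tactic, _ in mapping.get(b, [])})
    return {tactic: round(100 * n / len(detonations), 1) for tactic, n in seen.items()}
```

On this constructed set, hooking accounts for 53.8% and process injection for 38.5% of privilege-escalation functionality, while 90% of samples show at least one privilege-escalation behaviour and 80% at least one defense-evasion behaviour.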
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.
Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.