FortiGuard Labs Perspectives
In our increasingly digital world, the threat landscape is rapidly changing and expanding, leaving organizations to wonder how they can keep up with evolving threats—especially as cybercriminals swiftly take advantage of new threat vectors and global events as lures. To provide some insight into the minds of cybercriminals and their various tactics and targets, Derek Manky and Aamir Lakhani of FortiGuard Labs offer their observations from the trenches.
Derek - April and May were the months where the most COVID lures came about, and of these, email-based threats were by far the most dominant in the threat space. These threats played off of layoff notices sent to employees, false purchasing orders, messages from HR departments, really anything that could exploit the huge shift in the work environment that employees were experiencing. Outside of the workplace, people were being targeted by health authority impersonators for example offering more information about the pandemic. In our trackers, the traditional COVID lures have dropped down quite a bit, going from almost 350 a day to double digits now. Now that things are shifting to a different normal, we’re seeing the old threats kickoff once again, but with a change in general focus. For example, as some organizations begin hiring again, we’re seeing lures that are specifically targeting candidates, particularly with man-in-the-middle attacks. For example, bad actors are injecting themselves into the middle with classic threat attempts such as sending malicious PDFs as resumes.
Derek - Cybercriminals are often going to jump on the freshest opportunity they see for the element of surprise but that varies from place to place. The start of Q4 means a lot of people are heading back to work, but also students are heading back to school—both remotely and in-person, or a combination of the two. And that’s been a huge challenge for some institutions that weren’t fully prepared with remote learning capabilities, particularly in K-12 learning where this is all very new to them. They have new platforms and classroom setups, as well as a lot more connections that are happening, so education is a big target right now.
Aamir - Yes, I certainly agree. Attackers have also shifted their focus to areas where people are becoming more digitally populated. Things like remote learning are still ongoing in places like the U.S., so we’re seeing more service and online attacks aiming to disrupt these organizations. It’s almost the perfect situation for attackers because a lot of schools are set up with a hybrid learning model, where teachers are headed to classrooms while doing remote work and teaching. All attackers have to do is target the internet connections being used in the classrooms, rather than targeting cloud applications or other platforms. By doing this, these bad actors can target more institutions and users much quicker.
Derek - There are a lot of systems that are now publicly exposed, especially with increased usage of Remote Desktop Protocol (RDP). Attacks like Wannacry, for example, leveraged public RDPs as points of entry and we know that was a big concern. This is something that I think, from a security architectural standpoint, needs to be addressed still. When it comes to remote learning especially, it’s such an easy way for attackers that are trying to hijack these sessions to try to get into these networks.
Aamir - Last year, I remember doing a search on Shodan to see how many publicly available RDP ports were indexed and the number then was a little over 2 million. I searched again a few days ago and it was over 4 million worldwide. We’ve definitely seen an increase in public RDP connections out there, which means this is a growing risk. At this point, most RDP connections are on the public network and it’s an easy win for attackers.
Derek - This is where our world of threat intelligence really comes into play. We often say you can only protect against what you can see and I think, in the past, a lot of these attacks were not seen. There was a lot of persistence and stealth in these attacks. Companies didn’t have the proper inspections or management in place for all of their traffic flow, similar to the RDP case. Another key to defending against cybercriminals is getting the right model for securing, segmenting and monitoring business-critical applications. I believe the next 2-3 months in cybersecurity will be quite critical and it’s really the time to set up a strong foundation built on actionable threat intelligence. This is the new normal we’re heading into and it’s important to have a structured security plan.
Aamir - Visibility is a key, especially these days when most traffic is encrypted. If you put in a regular firewall or other devices that are not capable of that filtration at high speed, you may miss critical threats entering your network. You need a setup that is capable of decryption and encryption as well as having the proper policies and inspections in place to sort them. Timely information is also important because you need to know the second the attack has happened and be prepared to address it, rather than finding out months after the attack actually happened.
Derek - In the future, I think we will see more discussion around critical areas like healthcare and education, but also around operational technology (OT) as we move into more integrations. The wide adoption of technology to facilitate OT by combining old and new technology will lead to a collision between old, sometimes vulnerable technology with new technology capable of combatting modern threats. The entire ecosystem of OT is becoming a larger attack space that is often challenged with threat visibility, and this needs to be top of mind for these organizations.