Industry Trends

Threat Landscape Evolution – Following the Attack Trends

By Derek Manky and Aamir Lakhani | November 26, 2021

There is no shortage of targets for attackers, leading to a nonstop battle between cybercriminals and defenders. Over the last year, cybercriminals have continued to increase their attacks against critical infrastructures as well as all sectors across the board. Concurrently, cybercriminals continue to evolve their methods of attack and find new ways to exploit organizations for their critical data.

FortiGuard Labs' Derek Manky and Aamir Lakhani offer their perspectives on current mainstream attack trends for cybercriminals and how organizations can defend against them. For more detail about expected upcoming threats, read our 2022 Threat Landscape Predictions

The Threat Landscape Evolution

The threat landscape is constantly changing and new trends arise all the time. What is “mainstream” for attackers right now?

Derek - We’re definitely seeing movement in terms of things that are mainstream for attackers. These shifts typically follow advances in technology or new trends arising in the threat landscape. For example, ten years ago we saw a big shift going from PC to mobile and Android. IoT was the same thing. Currently, we're seeing Linux taking center stage, partially because of IoT and botnets like Mirai, but we're also seeing it in various flavors of attack. Linux integrations, like the Windows subsystem for Linux, are also targeted, leading to a much wider attack surface.

Aamir - Many IoT devices and mission-critical applications running on container-based solutions are running Linux operating systems. This is mainly due to the popularity of Docker and LXCs in the cloud and real-time operating systems (RTOS) for IoT and ICS devices. As the popularity of Linux has grown, so has its popularity as a target for attackers. Attacks against Linux operating systems and applications running on those systems are just as prevalent as attacks on Windows operating systems. In addition, Windows has added more Linux-type capabilities, so the same types of attacks are becoming more common across platforms, which makes it easier for attackers when targeting Linux systems. Most defenders are not used to the idea of keeping up with Linux from a defensive and malware analysis standpoint in comparison to Windows. Linux systems are also data-rich environments, which allows attackers to go after things like SSH credentials, certificates, applications usernames, and passwords. Improving the education around Linux and other operating systems is key to defending against these mainstream attacks.

What stands out in terms of the attack techniques for some of the recent threats you have analyzed in your threat signals?

Derek - One of our most recent threat signals on MysterySnail RAT revealed that a zero-day vulnerability was being leveraged and was affecting Windows 11. Even new operating systems, which have been in beta for some time, are already starting to see vulnerabilities, and can share vulnerabilities with predecessors. Further, cybercriminals are becoming more sophisticated in their techniques with each attack. Blockchain is a rising topic in recent cyberattacks as well, as some attack groups have begun requesting ransom payments in Monero or other types of cryptocurrency. The Tortilla ransomware attack is a prime example of this, where previous ransom demands have been almost seven-figure payments, this group requested a smaller amount, but in cryptocurrency.

Aamir - When threat actors come up with attack techniques like a remote access trojan (RAT), rootkits, and other types of malware, they use it as long as it is successful. In the example of Windows and MysterySnail RAT, as soon as the Windows vulnerability and zero-day came out, attackers started leveraging the same entry point in all of their attacks. In other words, they attempted to leverage the same vulnerability with other exploits. From a defensive solution standpoint, the antivirus or other defensive tools may catch the original exploit, but the same vulnerability in a new exploit may start working because attackers are able to leverage new avenues to compromise systems. This is why we see the same vulnerabilities remain popular for long periods of time even after they have been initially disclosed.

Protect Against Today’s Advanced Threats

How are the increasing attacks against critical infrastructure changing how organizations should view security?

Derek - There has been a recent rise in attacks against critical infrastructure and the phrase “killware” has been used to describe some of these incidents. These attacks aren't explicitly coded to go after human lives per se but they are attacks against healthcare and medical systems with detrimental effects on real people, hence the term. Attacks against critical infrastructure differ from regular ransomware exploits because of the direct impact they can have on every day people. They know the risk so they are using this to speed up the clock on ransom payments. We saw this with DarkSide and the Colonial Pipeline attacks as well. What is changing most is the strategy cybercriminals use in these ransomware attacks and how they are becoming more connected, rather than just the internal organization and its direct stakeholders. Given the level of convergence seen between cybercriminal attack methods and advanced persistent threats (APTs), it is just a matter of time before destructive capabilities like wiper malware are added to ransomware toolkits. This could be a concern for emerging edge environments, critical infrastructure, and supply chains.

Aamir - The more we see ransomware or malware affect our physical reality, the more we see how it affects the population directly. Malware that disrupts hospitals, pipelines, water treatment plants, and of course, IT systems. The way all these systems are integrated with critical infrastructure means attacks or disruptions on these systems influences people's lives. The growing concern is that malware is shifting away from smaller targets and moving into something that can affect the physical world on a bigger scale. We need to be more vigilant about the potential risk a cyber-attack can have on, not just the organization, but the wider community of victims.

How can organizations secure against these evolving attack trends?

Derek - Ransomware attacks continue to evolve and organizations need to update their defenses to remain ahead. Keeping employees educated on typical cyber-criminal attack techniques can effectively improve an organization's overall security posture. Establishing an effective security strategy that includes zero-trust access, segmentation, and micro-segmentation can help prevent ransomware attacks and protect your data. In addition, regular backup of data, offline and off network storage can provide backups for rapid recovery if needed.

Aamir - Pay attention to attack trends and use shared data to identify any patterns in behavior. Cybercriminals sometimes use the same technique because they remain unpatched or unnoticed.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.