FortiGuard Labs Threat Research

Report: Dissecting Our Q2 Threat Landscape Research

By Neil Matz | August 21, 2017

Today we released our Q2 Global Threat Landscape report for 2017. The data in our quarterly threat analysis is drawn from over 3 million network devices and sensors deployed within live production environments around the world.

Q2 of 2017 was unique for a number of reasons. The first is that the number of exploits detected increased nearly 30% over Q1, which shows that the cybercrime community continues to be alive and healthy. The second is that attacks are becoming increasingly sophisticated, leveraging things like machine learning and AI-like attacks to more effectively accomplish their tasks without detection. And third, breaking into networks in order to deliver these malicious payloads is easier than ever.

Visibility Attack Volume on the Rise

Exploits: The volume of exploits we are seeing continues to grow rapidly. FortiGuard Labs detected 184 billion total exploits in Q2, compared to 129 billion detections in Q1 – an increase of 30%. This represents an average daily volume of 1.8 billion attacks, compared to 1.4 billion in Q1. These aren’t the resut of just a handful of attacks. We detected 6,298 unique exploits, up from 5,542 in the first quarter of 2017. And these exploits are effective. 69% of organizations experienced high or critical exploits in Q2 of 2017.

Malware: We also recorded 62 million malware detections, for an average daily volume of 677,000. Like the growth in unique exploits, malware development is also very active. Out of the millions of malware detections we recorded, we saw 16,582 variants derived from 2,534 malware families. 1 in 5 organizations also reported malware targeting mobile devices The most common functionality among top malware families is downloading/uploading files, followed by dropping other malware onto the infected system. This technique helps slip innocuous files into devices now in order to deliver malicious payloads later.

Botnets: Botnet attacks, whether used as denial of service attacks or as part of new botnet-based ransomworms like Hajime and Devil’s Ivy, are also reaching unprecedented levels. This is in large part due to the proliferation of highly vulnerable IoT devices. Q2 saw 2.9 billion botnet detections, representing an average of 993 daily detections per organization. We also detected 243 unique botnets during the quarter. 45% of firms detected at least one active botnet in their environment during the quarter, and about 3% reported being simultaneously infested with 10 or more unique active botnets!

Leaving the Door Open

WannaCry lit up our sensors in mid May. We recorded a peak rate of 22 million hits a day for the DoublePulsar tool it used as its primary vector of attack, while the EternalBlue exploit it also leveraged in the attack spiked to over 7 million attempts before trailing off after its “Kill Switch” was flipped. But as its name suggests, EternalBlue wasn’t done; it was resurrected by NotPetya in late July, along with another SMB exploit coined EternalRomance, targeting the exact same vulnerability exploited by WannaCry.

The truth is, however, these attacks could have been largely prevented if organizations had simply practiced basic security hygiene. Both WannaCry and NotPetya targeted a vulnerability that had been patched by Microsoft a few months earlier.

But it’s not just these high-profile attacks that target recent vulnerabilities that are the problem. During Q2, 90% of organizations recorded exploits against vulnerabilities that were three or more years old. And 60% of firms experienced successful attacks targeting devices for which a patch had been available for ten or more years!

Because so many organizations are slow to patch or replace devices and systems with known vulnerabilities, cybercriminals are shifting resources away from developing new ways to break into networks, and are instead focused on developing automated and intent-based tools designed to deliver more sophisticated payloads that are also increasingly difficult to detect and remove.

Other Report Highlights

The Rise of Risky Apps: We are also seeing an increase in attacks resulting from the use of peer-to-peer (P2P) and proxy apps. Organizations that allow P2P applications report seven times as many botnets and malware as those that don’t. Similarly, organizations allowing proxy applications report almost nine times as many botnets and malware as those that don’t allow them.

More Encrypted Traffic: We saw the second straight record high for encrypted communications on the web. 57% of all traffic traversing the web is now encrypted, up from 51% in Q1. Which means that because of the overhead required to break open and inspect SSL traffic, IT teams can only inspect a fraction of the encrypted traffic traversing their networks to look for malware.

Weekend Warriors: Historically, attack volumes have often been synchronized to normal work schedules. As digital business models now operate around the clock, and many attacks have become automated, this trend has begun to change. In fact, 44% of all exploit attempts occurred on either Saturday or Sunday during Q2, with the average daily attack volume over the weekend (when IT teams are largely at home) reaching twice that of weekdays.

Cloud Safety: The one bright spot in all of this is the cloud. Chances are low that cloud applications will contribute to your next malware or botnet infection, because our analysis found that there doesn’t appear to be any correlation between cloud application usage and increased threat frequency. Which means that carriers, cloud providers, and MSPs are doing a good job of maintaining secure cloud environments.


While it is clear that the sophistication and volume of threats is on the rise, perhaps the most important takeaway from this latest Threat Landscape report is that much of the problem is well within the scope of most organizations to fix. Regularly scheduled patching, replacing older and outdated technology, and appropriately segmenting risky application and device traffic such as IoT and P2P, will go a long way towards reducing the potential attack surface and minimizing risk.

But the rise in the sheer volume of data entering networks, combined with the increasing percentage of that data now being encrypted, means that many traditional security solutions and access points are simply not up to the task. IT teams need to take a hard look at the impact that analyzing volumes of encrypted traffic will have on the performance of their current security tools.

And finally, the increased sophistication of today’s attacks requires a new approach to security. Isolated security devices and platforms are no longer adequate. The Fortinet Security Fabric allows you to tie your different security devices, regardless of where they have been deployed, into a single, holistic security framework. This allows security devices to collect and share data, centrally correlate that threat intelligence leveraging Fortinet’s advanced technologies, and then coordinate a unified response across the entire distributed network, from endpoint and IoT to the core and out to the cloud.

You can read more important takeaways in the full Global Threat Landscape Report.

Also, view our video (above) and infographic (below) summarizing valuable data points from the report.

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.