Threat Research

Fortinet Reports Increased YoY Threat Activity for Q2 2019

By Fortinet | August 06, 2019

Fortinet has just released its Threat Landscape Report for Q2 of 2019. This quarterly series provides key insights into the threat trends and cybercriminals behaviors to help organizations prepare for and protect themselves against their constantly evolving adversaries.

As evidence of this challenge, Fortinet's Threat Landscape Index – a barometer of threat activity across the internet – hit its highest point ever, closing at 4% higher than the same time last year. 

Upping the Ante on Evasion Tactics

Many modern malware tools already incorporate features for evading antivirus or other threat detection measures, but cyber adversaries are becoming more sophisticated in their obfuscation and anti-analysis practices to avoid detection.

For example, a spam campaign demonstrates how adversaries are using and tweaking these techniques against defenders. The campaign involved the use of a phishing email with an attachment that turned out to be a weaponized Excel document with a malicious macro. The macro had attributes designed to disable security tools, execute commands arbitrarily, cause memory problems, and ensure that it would only run on Japanese systems. One property that it looked for in particular, an xlDate variable, seems to be undocumented.

Another example involves a variant of the Dridex banking trojan which changed the names and hashes of files each time the victim logged in, making it difficult to spot the malware on infected host systems.

The growing use of anti-analysis and broader evasion tactics is a reminder of the need for multi-layered defenses and behavior-based threat detection.

Threat Landscape Index

Under the Radar Attacks Aim for the Long-haul  

The Zegost infostealer malware, is the cornerstone of a spear phishing campaign and contains intriguing techniques. Like other infostealers, the main objective of Zegost is to gather information about the victim’s device and exfiltrate it. Yet, when compared to other infostealers, Zegost is uniquely configured to stay under the radar. For example, Zegost includes functionality designed to clear event logs. This type of cleanup is not seen in typical malware. Another interesting development in Zegost’s evasion capabilities is a command that kept the infostealer “in stasis” until after February 14, 2019, after which it began its infection routine.

The threat actors behind Zegost utilize an arsenal of exploits to ensure they establish and maintain a connection to targeted victims, making it far more of a long term threat compared to its contemporaries. 

Ransomware Continues to Trend to More Targeted Attacks

The attacks on multiple cities, local governments, and education systems serve as a reminder that ransomware is not going away, but instead continues to pose a serious threat for many organizations going forward. Ransomware attacks continue to move away from mass-volume, opportunistic attacks to more targeted attacks on organizations, which are perceived as having either the ability or the incentive to pay ransoms. In some instances, cybercriminals have conducted considerable reconnaissance before deploying their ransomware on carefully selected systems to maximize opportunity.

For example, RobbinHood ransomware is designed to attack an organization's network infrastructure and is capable of disabling Windows services that prevent data encryption and to disconnect from shared drives.

Another newer ransomware called Sodinokibi, could become another threat for organizations. Functionally, it is not very different from a majority of ransomware tools in the wild. It is troublesome because of the attack vector, which exploits a newer vulnerability that allows for arbitrary code execution and does not need any user interaction like other ransomware being delivered by phishing email.

Regardless of the vector, ransomware continues to pose a serious threat for organizations going forward, serving as a reminder of the importance of prioritizing patching and infosecurity awareness education. In addition, the increase of Remote Desktop Protocol (RDP) vulnerabilities, such as BlueKeep is a warning that remote access services can be opportunities for cybercriminals and that they can also be used as an attack vector to spread ransomware.

New Opportunities in the Digital Attack Surface

Between the home printer and critical infrastructure is a growing line of control systems for residential and small business use. These smart systems garner comparably less attention from attackers than their industrial counterparts, but that may be changing based on increased activity observed targeting these industrial control devices such as environmental controls, security cameras, and safety systems. A signature related to building management solutions was found to be triggered in 1% of organizations, which may not seem like much, but is much higher than typically seen for ICS or SCADA products.   

What is Next?

The goal of Fortinet’s quarterly Threat Landscape Report is to provide organizations with the information they need to properly secure their networks against current threats, prepare themselves for growing attack trends, and anticipate the next round of threats targeting their digital resources. Hopefully, this report will play a critical role in your ongoing threat intelligence gathering and threat prevention strategies, alongside intelligence from other sources, real-time threat feeds from Fortinet’s Threat Intelligence services, the FortiGuard Labs Weekly Threat Brief, and other intelligence sources.

Combining threat intelligence with proper planning and integrated security solutions provides organizations with the best possible strategy for defending themselves against the evolving threat landscape. 

Read more about the latest cybersecurity threat trends and the evolving threat landscape in our latest Quarterly Threat Landscape Report