While many of us may have taken a well-earned vacation over the summer, cybercriminals were hard at work looking for new ways to target and exploit our networks, devices, and services. The Fortinet Threat Landscape Report provides insights into the top threats and trends discovered and tracked by the FortiGuard Labs team, and the report for last quarter shows that cybercriminals are continuing to focus on finding ways to stay a step ahead of their cybersecurity professional adversaries.
When people consider cybercrime, they tend to think of some of the more high-profile events of the past that used sophisticated malware or exploited zero-day vulnerabilities. And while some efforts continue to be made in those areas, most criminals focus on leveraging their existing resources. The top issues for Q3 are no different.
Cybercriminals are targeting edge services
Because over 90% of malware is still delivered via email, many organizations have responded by aggressively focusing on training users to identify phishing emails and not click on email attachments. They are also more aware of the importance of email security solutions. As a result, criminals have begun to expand their tactics by simply targeting other areas of the attack surface that aren’t being focused on.
For example, over the past quarter FortiGuard Labs has observed attacks targeting publicly available edge services with remote code execution exploits. Once criminals establish a foothold at the edge, they then use that attack vector to begin delivering their malware to targets inside the network, with the same result as having used phishing to deliver those same payloads.
Bypassing adblockers whitelist malicious sites
Another strategy is to prevent adblocker security tools from blocking access to malicious content. Adblock Plus, for example, is an open-source browser extension that provides content-filtering and ad blocking for all of the major browsers, including Firefox, Chrome, Internet Explorer, Edge, Opera, Safari, Yandex, and Android. It also uses a key to tag approved advertisement sites so they can be whitelisted. However, this key has been identified by attackers and is being exploited to also whitelist their malicious sites. These webpages can then serve their malicious advertisements, or even function as a phishing page to users who rely on the adblocker solution to block malicious sites and content.
The HTML/Framer.INF!tr IPS signature that detects these webpages is at the top of our list of most prevalent malware variants detected in Q3 2019 across all global regions. However, it is important to note that some of these detections may be false positives because of the way Adblock is designed, making it difficult to produce a fully reliable signature.
New Ransomware-as-a-Service offerings on the dark web
The GandCrab ransomware and its Ransomware-as-a-Service (RaaS) offering netted its developers as much as $2 billion before they retired last year. As a result, many cybercriminal organizations are keen to jump on the bandwagon. Last quarter, FortiGuard Labs observed that at least two other significant ransomware families – Sodinokibi and Nemty – are now available on the dark web as ransomware-as-a-service offerings. By using this RaaS model, the authors of these malware tools are significantly lowering the bar, both in terms of overhead and expertise, for launching such attacks.
Emotet offers a new spin on MaaS
Emotet, a popular and successful banking trojan, has launched a similar service that rents access to devices infected with the Emotet trojan. This is especially malicious because the Emotet developers have added the ability for the malware to deliver malicious payloads. This means that attackers using this new malware-as-a-service offering can infect targeted networks with additional malware, such as the Trickbot trojan and Ryuk ransomware, launched from a previously compromised device.
Another new Emotet trick significantly increases the efficiency of distributing malware through phishing. Cybercriminals naturally want to deliver phishing email with the highest likelihood of being opened. This new Emotet phishing strategy steals email threads, not just email addresses, from infected devices. It then develops an infected reply from someone in the thread and sends it to the other thread participants disguised as being part of the thread. This strategy has proven to be exponentially more effective than trying to hook victims using a cold initial phishing attempt, or even a targeted spearphishing tactic.
It is important to remember that attacks don’t need to be new to be successful. According to the Q3 Threat Landscape Report, FortiGuard Labs saw more attempts to target vulnerabilities from 2007 than from 2018 and 2019 combined. And every year in between equaled 2018/19 levels. This trend shows how unpatched vulnerabilities—regardless of age—can heighten exposure. The point is that attackers (and their tools) don’t ignore older vulnerabilities and neither should you.
Segment your networks
Many of these attacks and exploits are successful because vulnerable systems are not being adequately protected. Older vulnerabilities can be successfully protected by conducting a risk assessment and then prioritizing the likelihood of a device being exploited using the FortiGuard Security Rating Service. In addition to patching and upgrading devices, organizations should also consider implementing intent-based network segmentation and zero trust access strategies to prevent critical devices and vulnerable systems from being exploited. Segmentation also minimizes the risks of a successful intrusion by shrinking the available attack surface.
Deploy a security fabric that spans all attack vectors
In addition, organizations cannot afford to over-focus on the latest threat trends. As shown with the targeting of edge services, it is essential that organizations adopt a holistic approach to securing their distributed networked environment. That requires the deployment of a comprehensive security fabric, the implementation of a centralized, single-pane-of-glass monitoring, management, and configuration solution, and the integration of real-time threat intelligence to ensure that the network is constantly tuned to the latest threat landscape.
It’s a common refrain, but the reality is that the majority of network and device compromises are the direct result of a failure to patch, upgrade, or replace vulnerable systems or implement adequate proximity controls. Of course, patching is hard – especially when dealing with thousands of devices, or embedded systems that can’t be easily updated without taking down essential systems.
Read the full Threat Landscape Report here to find out more about these threat trends.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.