FortiGuard Labs Threat Research

Report: Cybercriminals Are Building an Army of Things Creating a Tipping Point for Cybersecurity

By Derek Manky | March 28, 2017

Cybercrime is big business, and is growing at an exponential rate. British insurer Lloyd’s of London estimated the cybercrime market at $400 Billion in 2015. Today, just two years later, the World Economic Forum estimates that the total economic cost of cybercrime to currently be $3 trillion. And Cybersecurity Ventures is predicting that cybercrime will cost the world in excess of $6 trillion annually by 2021.

One of the forces behind this explosive growth of cybercrime is that illegal business can be safely conducted deep in a part of the Internet that most people have never seen, and have no idea how to access. The “darknet” lies beyond normal web browsers, is protected by layers of anonymity, and has become a haven for criminal commerce.

To get a handle on this explosion of cyberthreats and online criminal activity, we need to start with good information. Today, Fortinet released our quarterly Threat Landscape Report for Q4 of 2016. The data in it was drawn from millions of security devices located around the world that analyze up to 50 billion threats a day. Which means that the conclusions and trends detailed in this report are based on over a trillion security events that occurred between Oct 1 and Dec 31, 2016. View our Threat Landscape Report infographic. Watch a video with more details on the research.

The importance of this sort of threat intelligence cannot be overstated. While most IT security professionals spend their days (and far too many nights) poring over log files and security reports, it is essential to place local threat intelligence into a larger context. New and emerging threats are characterized by attributes and actionable IOCs (indications of compromise) that can help reduce their impact, and in some cases, even stop and/or prevent them. It is always easier to find and prevent sophisticated threats if you know what to look for.

Of course, this becomes increasingly complicated as network infrastructures continue to evolve. Exploits, malware, and botnets do not happen in a vacuum, so considering infrastructure trends and how they relate to and shape the threat landscape is important. Threats evolve and adapt over time as applications, technologies, configurations, controls, and behaviors change.

According to the Q4 report, for example, encrypted traffic using SSL accounted for more than half of all web traffic traversing the network. HTTPS traffic usage is an important trend to monitor because, while it is good for privacy, it presents challenges to detecting threats that are able to hide in encrypted communications. And far too much SSL traffic goes uninspected because of the huge processing overhead required to open, inspect, and re-encrypt traffic. Which forces IT teams to choose between protection and performance.

We also documented that the number of cloud applications being used by organizations also trended up over the year. The new challenge is that nearly a third of all applications running in an organization are now cloud based. This trend, sometimes called Shadow IT, has significant implications for security since IT teams have less visibility into the data residing in cloud applications, how that data is being used, and who has access to it. The problem becomes even worse when that data is accessed off network.

While the report covers and examines a wide range of threats and data, it focuses on three central trends of the threat landscape currently being exploited by cybercriminals - application exploits, malicious software (malware), and botnets. For most organizations, these are the exact issues you have been wrestling with every single day.

1. The application exploits described in this report were collected primarily through network IPS systems. In addition to exploit information, they also provides a view into attacker reconnaissance activities used to identify vulnerable systems, and attempts to exploit those vulnerabilities. One of the best ways to stop an attack is to understand how cybercriminals are going about getting into your network.

2. The malware samples described in this report were collected from perimeter devices, sandboxes, or endpoints. For the most part, this data is focused on the weaponization or delivery stages of an attack, rather than successful installation in target systems.

3. Finally, the botnet activity we report on was collected from a variety of network devices, and represents command and control (C2) traffic observed between compromised internal systems and malicious external hosts.

In addition, the last quarter of 2016 also continued the trend of increasing the volume, prevalence, and intensity of cyber attacks. For example, the quarter sent the security industry reeling from a 1-2 punch of the largest data breach and largest DDoS attack in history, doubling the volume and impact of the previously worst attacks on record.

However, while such targeted attacks often grab the headlines, this report also reminds us that the bulk of threats faced by most organizations, and the therefore majority of financial losses, are opportunistic in nature.

An important takeaway from this report is the critical reminder that the most effective security work still involves reviewing your security posture and policies, minimizing the externally visible and accessible attack surface through patching and hardening, building and implementing advanced threat detection and response throughout the network, and expanding visibility and control across the distributed network, including endpoints, IoT, and the cloud.

Here are a few highlights from the Q4 report:

  • Oh Hai, Mirai. News that this record-setting DDoS attack was built around an army of everyday connected devices drove the Internet of Things (IoT) security buzz to a fever pitch. Release of the source code behind it all immediately boosted Mirai botnet activity by 25x, one of the biggest week-over-week surges we saw all quarter. And it eventually climbed to 5x that amount before the year was out. We expect to see cybercriminals escalate their use of unprotected and vulnerable IoT devices going forward.
  • Daring Exploits. The growth of cybercrime has expanded the possible attack footprint, with everyone increasingly being a potential target. As a proof point, we tracked an average of 10.7 unique application exploits per organization, with about 9 in 10 firms detecting critical or high-severity exploits.
  • Old Is New. Like any good business, cybercriminals often follow the mantra, “if it’s not broken, don’t fix it.” Which is why a full 86% of firms registered attacks attempting to exploit vulnerabilities that were over a decade old. Almost 40% of them saw exploits against CVEs (Common Vulnerabilities and Exposures) first identified during the previous millennium.
  • Ran Where? Ransomware is the hottest revenue generating opportunity for cybercriminals. Not only are we seeing new ransomware variants, but the rise of Ransomware as a Service (RaaS). As Fortinet explained in our 2017 Threat Predictions report, RaaS allows criminals with virtually no training or skills to simply download tools and point them at a victim, in exchange for sharing a percentage of the profits with the developers. Which is part of the reason why we predicted that this high-value attack method would increase dramatically in 2017. And in addition to the ransoming of data, we have also seen a rise in the ransoming of services, as evidenced by the attack on the SF Muni transportation system. Our records show that 36% of organizations detected botnet activity related to ransomware in Q4. It was present in all regions and sectors, but we found it particularly widespread in healthcare institutions.
  • Malware Mafia. Two malware families, Nemucod and Agent, went on a crime spree in Q4, comprising a staggering 81.4% of all malware samples captured. The Nemucod family is infamously affiliated with ransomware. After those top two families, the most prominent uptick in malware volume over the quarter was the Locky ransomware. All of these are the product of organized cybercrime groups.
  • Going Mobile. Cybercriminals gravitate towards the weakest link in the security chain. Mobile malware is on the rise, being reported by about one in five organizations, and now accounting for nearly 2% of all malware volume. We also found substantial regional differences in mobile malware. For example, it was observed by 36% of African organizations, compared to only 8% in Europe.
  • Not Nothing Botnet. We detected an average of 6.7 unique active botnet families per organization. This rate was the highest in the emerging regions of the Middle East, Africa, and Latin America.
  • Seasons Greed-ings. Calendars of criminal exploit activity for the retail/hospitality and educational sectors show interesting Q4 seasonal threat patterns. Like bears congregating at rivers during salmon spawning seasons, cybercriminals are most active during the busiest buying days of the year when more shoppers are online or performing electronic transactions.

In addition, the report explores all manner of Q4 2016 threats from global, regional, sector, and organizational perspectives.

When it comes to understanding your organization’s threat landscape, it’s healthy to remember two things: 1) your threat landscape is more similar to that of others than you probably think, and 2) it is also different from others in ways you may not have thought about. Understanding which strategies, tactics, and threat intelligence you can borrow from others, and which can safely be set aside, is valuable knowledge that requires patience and expertise to develop. This report can help.

As part of our commitment to combatting the growing tide of cybercrime, we’ll be publishing the Fortinet Threat Landscape Report on a quarterly basis. As one of the premiere threat research and analysis organizations in the world, we have a lot of great data we look forward to sharing. In the meantime, to keep tabs on the threat landscape between quarters, sign up for our weekly FortiGuard intel briefs and bookmark this blog site.