FortiGuard Labs Threat Research
Fortinet just released its Threat Landscape Report for Q3 of 2017. Its findings are drawn from millions of sensors deployed inside production environments across the globe.
This quarter’s report focuses on three key threat indicators: exploits, malware, and botnets. The first two provide a view into criminal attempts to identify and compromise vulnerable systems. The third, botnets, provides insight into malware that has managed to penetrate a network and its communications back to its command and control center. It also examines important zero-day vulnerabilities and infrastructure trends of the corresponding attack surface to add context about the trajectory of cyberattacks affecting organizations over time. Combined, they provide insight into what cybercriminals value, and the techniques they rely on to access those resources. This information, in turn, provides valuable information on what sorts of security measures organizations should be focused on.
All exploits can be traced back to a zero-day attack designed to target a newly discovered vulnerability. As these exploits show signs of success, we see copycat variations begin to swarm around those vulnerabilities.
So to start, we have a dedicated team of expert researchers and analysts dedicated to examining third-party products and software applications looking for previously undiscovered weaknesses and exploitable vulnerabilities. So far this year, the FortiGuard Labs research team has uncovered and reported on 185 zero-day vulnerabilities.
This approach is critical because there are two truths about cyber threats: the first is that someone will always find a vulnerability to exploit. Which is why we always disclose new zero-day discoveries to manufacturers so that a patch can be produced. The second, however, is that in spite of this most organizations will fail to patch those vulnerabilities. So we also produce IPS signatures and release updates so that when a cybercriminal discovers one of these flaws and launches a zero-day attack, our customers are already protected.
In terms of exploits, 79% of organizations being monitored saw severe attacks in the third quarter, with an average of 153 attacks per firm. The top exploit of the quarter, targeted at the Apache.Struts vulnerability, was reported by 35% of organizations. That is the exploit that attackers leveraged to nab approximately 145 million records from credit bureau Equifax, which was first reported on September 7th.
One of the key takeaways from this data is that whether it’s WannaCry in Q2 or Apache Struts in Q3, long-known and yet still-unpatched vulnerabilities continue to bite organizations time and time again. Which is why it is imperative that IT teams pay close attention to critical patch releases and establish an aggressive patch and replace protocol. In addition to lapses in regular patching, network and device hygiene are the next most neglected elements of security. They may not be the most fun or sexy part of security, but they are critically important.
According to Phil Quade, Fortinet’s Chief Information Security Officer, “long-known and yet still-unpatched vulnerabilities consistently serve as the gateway for attacks. Remaining vigilant of new threats and vulnerabilities in the wild is critical, but organizations also need to keep sight of what is happening within their own environment. Of course, continually removing unnecessary application services, stamping out vulnerabilities, and maintaining good order in IT environments is easier said than done. However, there is an increased urgency for prioritizing security hygiene, along with a need to embrace fabric-based security approaches that leverage automation, integration, and strategic segmentation. Our adversaries are adopting automated and scripted techniques, so we need to raise their price of attacking to combat today’s new normal.”
As with exploits, malware analysis helps uncover adversary intent and capability. During Q3 the FortiGuard Labs team detected nearly 15,000 unique malware variants from over 2,600 different families, which while down slightly from Q2, still represents a huge variety of ways to compromise a network. Of the total number of organizations analyzed, 22% reported attempts to infect their systems with ransomware, with the Locky ransomware family roaring back to take the top spot after a summer of relative quiet with three new variants: Diablo6, Lukitus, and Ykcol.
In addition, 25% of organizations detected malware targeted at their mobile devices, up from 18% in Q2. This is a clear indicator that cybercriminals are looking for new ways to infiltrate networks by targeting devices without the level of control, visibility, and protection that traditional systems receive. Effective mobile security strategies must deal with this reality through mobile application controls and malware protections built into the network to cover any device anywhere.
The most common functionality among top malware families was dropping malware onto vulnerable systems. This technique helps malicious payloads wrapped in dynamic packaging to slip through legacy defenses. Once deployed, the majority of malware strains attempted to establish remote access connections, capture user input, and gather system information, demonstrating the increased intelligence and automated nature of today’s malware.
The fact that so many high-variant downloaders and droppers topped our charts is a good reminder that single-point, signature-based AV alone is not an effective security strategy. It is essential that IT teams integrate layers of malware defenses together capable of detecting known and unknown threats, and deploy them at multiple layers throughout the environment.
While exploit and malware trends highlight efforts to compromise a device or network, botnets provide a post-compromise viewpoint. Once a network has been breached, installed botnet malware attempts to communicate with the remote malicious hosts for updates and instructions or to deliver pilfered data. Detecting command and control traffic in a corporate environment clearly indicates that something went wrong from a defense perspective in the earliest stages of the attack chain. Of course, this is to be expected since no security system is ever 100% effective. But it is also why ensuring that your security strategy spans the entire attack chain is so critical.
In Q3 there were about two active botnets per organization detected inside their networks, with 3% of organizations seeing 10 or more infections. Interestingly, while botnet activity was down in Q3, those botnets that were most active Gh0st, Pushdo, Andromeda, Necurs, and Conficker remained the most prevalent, which was an exact repeat of Q2.
One of the most compelling data points is that 75% of the organizations that reported Gh0st botnet infections in July also reported them in August, and 70% of those also reported September infections. The first takeaway is that while most organizations seem to be focused on responding to the symptoms of an infection, many are not very good at understanding the scope of a breach, or are not thorough enough in their incident response. They need to have a plan of steps to follow, and either they don’t have a plan or they are skipping some essential steps. They may also be too focused on remediating systems but are not being very effective at getting at the root cause.
The other is that while all organizations are vulnerable, midsize companies seem to be more frequently compromised over both small and large firms. While smaller firms likely have less protection, they also have less – and less valuable – data, so they tend to be ignored. Larger firms, on the other hand, certainly have the data cybercriminals want, but also greater resources to protect it. It’s midsize firms, however, that typically have enough valuable data to make them a worthwhile target, and yet not nearly the same security resources of their larger counterparts. Simply put, we see more botnets in mid-sized companies because they have a higher infection rate (malware is somehow successfully dropped onto their systems) than other companies.
As the threat landscape becomes more intelligent and automated, organizations will need to respond in kind. The time between breach and compromise will soon be measured in milliseconds, which makes it imperative that organizations automate basic security hygiene, such as patch and replace, hardening systems, and implementing two-factor authentication. AI and automation need to fill this gap by replacing basic security functions and day-to-day tasks currently being performed by people with an integrated expert security system that can determine device vulnerabilities, track and patch devices, and apply security protocols or policies, and configure and monitor security and network devices.
As the volume, velocity, and automation of attacks continue to increase, organizations need to ensure that a strategic threat detection and incident-response strategy is in place. Only a security framework that utilizes advanced threat detection, comprehensive threat intelligence sharing, an effective IR strategy, and an open architecture that can tie security and networking components into an integrated defense and response system is going to be able to protect organizations going forward. The evolving attack surface requires flexibility to quickly implement security strategies and solutions and seamlessly add advanced techniques and technologies as they emerge.
You can read more important takeaways in the full Global Threat Landscape Report. Also, view our video (above) and infographic (below) summarizing valuable data points from the report.
Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.