FortiGuard Labs Threat Research
Fortinet has partnered with INTERPOL over the past two years to assist in identifying and thwarting cybercrime. Today, INTERPOL announced that a new operation across the ASEAN region, built around threat intelligence provided by Fortinet and other public and private sector security organizations, has resulted in the identification of nearly 9,000 Command and Control (C2) servers and hundreds of compromised websites, including government portals.
Organizations continue to struggle against evolving threats, an expanding attack surface, and a growing security skills shortage. Law enforcement, in particular, can also be hampered by the fact that cybercrime often crosses political and jurisdictional boundaries. Actionable intelligence with global visibility is the best way to move from being reactive to proactive in order to catch elusive cybercriminals.
No single organization has a complete view into the security landscape, which is why information sharing and collaboration between public and private organizations, like that leveraged by INTERPOL, is critical. This latest operation, run out of the INTERPOL Global Complex for Innovation (IGCI), brought together investigators from Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam to share information on specific cybercrime in each country. Additional cyber intelligence was also provided by China. In addition, experts from private sector security companies, including Fortinet, took part in pre-operational meetings to develop actionable information packages using the latest global threat intelligence that played a critical role in the success of this operation.
The next big challenge, however, is context, which is why this latest operation is so impressive. It was essential to put the raw information being shared by different teams into the larger context of who, what, when, where, and how. For intelligence sharing to be effective, it needs to meet three basic requirements:
1. You need to start with good threat intelligence
There are a lot of threat feeds available to organizations. But much of the data they provide is redundant, has little to no context, and often requires a significant amount of processing. This is one of the reasons why INTERPOL carefully selects the public and private organizations it partners with. Fortinet recognizes that growing cyberthreats place the entire global digital economy at risk, and we are committed to sharing reliable and usable threat information.
2. Intelligence is only as good as your ability to use it
Threat information needs to be integrated and correlated together to produce actionable intelligence. This intelligence then needs to be converted into consistent policies and alerts in order to accurately identify threats in real time.
3. Security needs to operate at the speed of cybercriminals
Many cybercriminal operations run on a short attack cycle. They often move devices, change addresses, use polymorphic attacks, shift attack parameters, and use sophisticated evasion techniques in order to thwart law enforcement. Threat intelligence not only needs to be accurate and usable, it also needs to be made available in as close to real time as possible.
One reason why Fortinet was chosen to participate in this and other operations is that we have been a leader in the production of actionable global threat intelligence for over 15 years. FortiGuard Labs leverages over 200 dedicated threat researchers and data specialists to continuously analyze threat data collected from over 3 million sensors, honeypots, and threat analysis devices deployed across the globe to ensure good, accurate intelligence. This information is then converted into highly actionable reports and data sets to ensure that it can be used when it is needed. And finally, Fortinet’s patented artificial intelligence, machine learning, and neural network technologies accelerate threat intelligence processing in order to detect attacks and catch criminals in the act.
Leveraging these tools and experience, Fortinet provided INTERPOL with region-specific reports based on actionable intelligence that detailed the top malware and most prevalent threat domains, along with tactical analysis of compromised systems and threat actor attribution. The reports also included trend data, with predictive models highlighting malware strategies that would most likely occur in a specific region. These reports, combined with those from other private and public sector participants, were used to help law enforcement proactively defend organizations, as well as track existing attacks back to the source.
Analysis identified nearly 270 websites infected with malware that exploited a vulnerability in the website design application. Among them were several government websites, which may have contained personal data of their citizens. A number of phishing website operators were also identified, including one with links to Nigeria. Further investigations into other suspects are still ongoing.
Most impressive was the number of command and control (C2) servers that were identified. 8,800 C2 servers have been found to be active across eight countries, and are being used to distribute a variety of malware families, including those designed to target financial institutions, spread ransomware, launch Distributed Denial of Service (DDoS) attacks, and distribute spam. Investigations into these C2 servers are still ongoing.
IGCI Executive Director Noboru Nakatani said the operation was a perfect example of how the public and private sectors can work efficiently together in combating cybercrime.
“With direct access to the information, expertise, and capabilities of the private sector and specialists from the Cyber Fusion Centre, participants were able to fully appreciate the scale and scope of cybercrime actors across the region and in their countries,” said Mr Nakatani. “Sharing intelligence was the basis of the success of this operation, and such cooperation is vital for long-term effectiveness in managing cooperation networks for both future operations and day-to-day activity in combating cybercrime.”
According to Derek Manky, global security strategist at Fortinet, “Cybercrime is an increasingly organized endeavor built around a sophisticated web of compromised systems that make it easier for criminals to scale attacks and discourage attribution of their activities. Compounding these challenges, cybercriminals have no regard for political boundaries or national lines, and consistently leverage various geopolitical protocols to their advantage. Cooperation between the private sector and both local and international law enforcement is necessary to turn the tide against organized cybercrime.”
Such collaborative efforts also advance the development of a cooperative framework that will enable law enforcement to not only respond, but also actually go on the offensive against organized cybercrime. Fortinet is dedicated to continuing its work with INTERPOL and their efforts to build a framework for a proactive and coordinated approach to the global threat landscape.