FortiGuard Labs Threat Research

Fortinet Threat Report Reveals an Evolution of Malware to Exploit Cryptocurrencies

By FortiGuard SE Team | May 16, 2018

Fortinet has just released its Quarterly Threat Landscape Report for Q1 of 2018, and the numbers are interesting. While some of the most common threat indicators actually dropped during the quarter, the data also shows that attackers may simply be refining their technologies and methodologies.

Another interesting trend was the variety of attack vectors that were targeted. While Meltdown and Spectre dominated the headlines in Q1, and Microsoft continued to be the number one target for exploits, routers took the number two spot in total attack volume. Growing from a tiny risk just a few years ago, over one in five organizations now report mobile malware (up 7%, to 21%). At the same time, Web oriented technologies were also heavily hunted by cybercriminals. Another technology area under attack in Q1 was web Content Management Systems (CMS).

Ransomware Continues to Disrupt Networks

The growth in both the volume and sophistication of ransomware continues to be a significant security challenge for organizations, especially in high-value segments such as healthcare, education, and financial services. Ransomware also continues to evolve, leveraging new delivery channels such as social engineering, and new techniques such as multi-stage attacks to evade detection and infect systems.

GandCrab ransomware emerged in January with the distinction of being the first ransomware to require DASH cryptocurrency as a payment. According to Europol, it claimed 50,000 victims in less than a month. BlackRuby and SamSam were two other ransomware variants that emerged as major threats during the first quarter of 2018, with SamSam achieving notoriety for its attack of administrative infrastructure of a major US city in March. And a separate ransomware attack, known as Olympic Destroyer, nearly took the Winter Olympics offline hours before the opening ceremonies.

Cryptojacking Doubles, Impacting More Than 1 in 4 Organizations

A growing trend FortiGuard Labs has been tracking is cryptojacking. While this malware only affected 13% of organizations in Q4 of 2017, it more than doubled in Q1 to impact 28% of companies. It is also showing incredible diversity for such a relatively new threat. We have documented miners targeting multiple operating systems as well as different cryptocurrencies, including BitCoin, Dash, and Monero.

A new iteration involves injecting malicious JavaScript into vulnerable websites, or delivering it via phishing campaigns. Fileless JavaScript variants have been able to embed malicious code into legitimate web pages to compromise visiting devices. Simply browsing an infected site can enable attackers to hijack CPU cycles to perform cryptomining on behalf of a cybercriminal. In addition, ETERNAL BLUE, which was used in the WannaCry attacks has been repurposed for a cryptojacking campaign called WannaMine.

Cryptojackers have clearly discovered that hijacking systems to mine for cryptocurrencies is a profitable venture, so we expect continued investment and innovation in this business model. If you are worried that your system might be mining for and lining the pockets of cybercriminals, start by checking the Task Manager (Windows), Activity Monitor (Mac), and “top” on the Linux command line. Using these tools allows IT teams to list all the processes running on a network or device and then find and kill the culprit that’s consuming resources.

IoT Devices Continue to be Targeted

We also saw attackers continue to probe far and wide for IoT vulnerabilities. Several exploits targeting IoT devices topped our charts this quarter. We recommend adopting a Learn, Segment, and Protect approach to quell the storm that seems to be brewing. This starts with establishing secure access controls and inventory systems to learn more about devices connected to networks, how they’re configured, and how they authenticate. Once complete visibility is achieved, organizations can then dynamically segment IoT devices into secured network zones with customized policies. These segments can then be linked together by an integrated, intelligent, and protective fabric across the network—especially at access points, cross-segment network traffic locations, and even into multi-cloud environments.

OT Emerging as a New Attack Vector

While OT attacks are a smaller percentage of the overall attack landscape, the trends are concerning. This sector is increasingly becoming connected to the Internet, with serious potential ramifications for security. Currently, the vast majority of exploit activity is directed against the two most common industrial communication protocols because they are widely-deployed and therefore highly-targeted. Data shows that in Asia ICS exploit attempts appear to be somewhat more prevalent when comparing the prevalence of ICS exploit activity across other regions. If your organization uses ICS, the first step is to fully assess business and operational risks associated with those technologies and define a risk-informed strategy. This will include defining the zones, conduits, boundaries, and security levels that will be invaluable for limiting communications between OT and non-OT environments.


While the number of exploit detections per firm may have dropped by 13% in Q1 of 2018, the number of unique exploit detections still grew by over 11%, to 6,623. And at the same time, 73% of companies still experienced a severe exploit during the quarter. Combined, the data seems to indicate that cybercriminals may simply be getting better at matching exploits to their targets.

Attack trends and attack vectors also continue to evolve. While ransomware continues to impact organizations, there are indications that some cybercriminals now prefer hijacking systems and using them for cryptomining rather than holding them for ransom.

However, the biggest challenge may be that IT or OT teams today are simply stretched too thin trying to adapt to the new digital economy. In addition, encrypted data has grown to nearly 60% of all network traffic, rising 6% this past quarter, which is the highest rate to date. With cybercriminals using SSL and TLP encryption to hide malicious code and exfiltrate data, inspection of encrypted traffic continues to be crucial. Unfortunately, as evolving networks significantly expand the potential attack surface, many legacy threat detection devices and signature-based antivirus tools currently in place are simply unable to keep pace with the volume, variety, and velocity of today’s evolving malware.

The threat data in this quarter’s report reinforces many of the prediction trends unveiled by the Fortinet FortiGuard Labs global research team for 2018. Digital transformation is increasing the digital connectedness of organizations while expanding the potential attack surface. These changes are driving the need for an equivalent security transformation, where security is integrated into applications, devices, and cloud networks to protect the critical business data that is being spread across these complex environments. It is becoming increasingly clear that the best defense against intelligent and automated threats is an integrated, broad, and automated security fabric. A highly aware and proactive security defense system is fundamental to keeping pace with the next generation of automated, AI-based attacks.



Read the news release or download the full Quarterly Threat Landscape report.

Also, sign up for the weekly FortiGuard Threat Intelligence Briefs or the FortiGuard Threat Intelligence Service.