Threat Research

Cyber and Physical Convergence is Creating New Attack Opportunities for Cybercriminals

By FortiGuard SE Team | February 20, 2019

Fortinet has just released its latest Global Threat Landscape Report for Q4 of 2018. As with previous editions, this latest report is based on data culled from billions of threat events collected by millions of Fortinet devices deployed in live production environments around the world. Fortinet’s team of cybersecurity professionals then takes those key finding for deep analysis and to add critical context.

Two of the key takeaways are that while the number of exploits per firm continues to grow, more alarmingly, botnet infection time has increased as well. Exploits impacting individual firms grew 10% over the quarter, while the number of unique exploits they experienced increased 5%, which indicates that cybercriminals remain hard at work even during the holiday season. At the same time, botnets have also continued to grow, becoming more complex and harder to detect. Time for infection of botnets increased by 15%, growing to an average of nearly 12 infection days per firm.


Other key takeaways:

  • The Convergence of Physical Security and the IP Network is Expanding the Attack Surface:  Half of the top 12 global exploits targeted IoT devices, and four of the top 12 were related to IP-enabled cameras. Ironically, cybercriminals are increasingly targeting security cameras because many lack the requisite network security protocols. Access to IoT IP cameras could enable cybercriminals to snoop on private interactions, enact malicious onsite activities (e.g., shut off cameras so they can physically access restricted areas), as well as use them as a launching pad to break into cyber systems to launch DDoS attacks, steal proprietary information, initiate a ransomware attack, and more. The adage “monitor the monitoring devices” is quite apropos for organizations here.
  • The rise of Opensource Malware Tools. Opensource malware tools—made on sharing sites such as GitHub—enable security teams to test their defenses, threat researchers to analyze exploits, and security instructors to use real-life examples when building instructional labs or training students. But because these openware tools are available to anyone, cybercriminals also access them for nefarious activities, such as evolving and weaponizing them into new threats, especially ransomware. A classic example of openware being weaponized is the Mirai IoT botnet in 2016. Since then, an explosion of variants and activity have been released into the wild.
  • The Proliferation of Steganography: Developments in steganography are bringing new life into an old attack type. Steganography is typically not used in high-frequency threats, although the botnet Vawtrak made the list of “bursty” botnets. This demonstrates increased persistence for this attack type. In addition, during the quarter, malware samples used steganography to conceal malicious payloads in memes passed along on social media. During the attack process after attempting to contact a C2 host, the samples then look for images in an associated Twitter feed, download those images, and look for hidden commands within the images to propagate activity. This undercover approach demonstrates adversaries continue to experiment in how they advance their malware.
  • Adware Infiltration: Adware continues to be a threat and not just a nuisance. Globally, Adware sits at the top of the list of malware infections for most regions—exceeding one-quarter of all infection types for North America and Oceania, and almost one-quarter for Europe. With adware found to be in published apps, this attack type can pose a serious threat especially to unsuspecting mobile device users.

What next?

To address the challenges highlighted in the report from Fortinet, organization need to take the following steps:

Evolve defenses to address the increase in cyberattack complexity. Just as cybercriminals employ machines to propagate botnet attacks, organizations also need to leverage technology advances in the area of AI/ML to combat new, machine-generated attacks. Firms also need to remain vigilant and understand that the threat landscape continues to evolve quarter to quarter—far faster than their usual rate of security review.

Rely on advanced threat intelligence. Cybercriminals are becoming increasingly innovative in the development of their attack methods, as their adoption and refitting of openware malware tools shows, while the complexity of botnets and other attack methods is also increasing. As a result, organizations must remain vigilant, and relying on advanced threat intelligence—including real-time threat-intelligence sharing across all security elements—enables them to keep pace with the volume, velocity, and sophistication of the threat landscape.

Watch for attacks from unexpected vectors that can be mobilized quickly. Though steganography has historically been a low-frequency attack vector, cybercriminals are now using social media to conceal malicious payloads in memes. Security professionals need to guard against these attacks and similar with ongoing cybersecurity awareness training and by ensuring that they have transparent visibility of the entire attack surface, including out to social media sites and into mobile devices that combine personal and business data and applications.


We suddenly find ourselves in a position of monitoring the systems used to monitor our physical safety and security. The threats occurring at the convergence of physical and cyber systems are only going to grow in scope in coming months and years. Cybercriminals are closely watching and developing exploits that specifically target these physical systems, such as IP-enabled cameras.

Likewise, cybercriminals are constantly evolving the complexity of their other attack vectors—from morphing opensource malware tools into new threats, to quickly turning a few steganography exploits into a much larger strategy, to continuing to maximize the attack opportunity with the vast insecurity of IoT.

Addressing these challenges requires a consistent and integrated security strategy, tools designed to operate within the framework of today’s digital marketplace, the ability to utilize fresh threat intelligence sources in real time, and the adoption of things like AL and ML to stay ahead of the cyberthreat curve.

View the full report or the Fortinet Threat Landscape Indices for botnets, malware, and exploits for Q4, 2018.

Learn more about the FortiGuard Security Services portfolio or the FortiGuard Security Rating Service, which provides security audits and best practices.

Sign up for the weekly FortiGuard Threat Intelligence Briefs

Sign up for this webinar to hear more trends and insights from our latest Threat Landscape Report.