FortiGuard Labs Threat Research
As organizations continue to embrace digital transformation, the phenomenon of convergence is taking place in several different ways. For example, more and more use cases are being developed where previously distinct and separate technologies—such as IT and OT—are being integrated.
This presents a double-edged sword for organizations everywhere. Businesses are undoubtedly reaping the benefits of digital transformation—finding business efficiencies, saving costs, and successfully enabling their employees to Work From Anywhere (WFA). But these rapid changes are opening the floodgates for cybercriminals who now have more attack surfaces than ever at their disposal for carrying out malicious activities.
It’s not surprising that bad actors are catching on and upping the ante accordingly. We’re increasingly seeing cybercriminals targeting the expanding digital attack surface by executing more complex and destructive attacks, resulting in more widespread impact.
Meanwhile, the threat landscape is also converging. Recent attack trends are showing an evolution of cybercriminals "borrowing" and converging models traditionally seen only among Advanced Persistent Threat (APT) groups. Here's a closer look at what our FortiGuard Labs team is observing, along with what it means when it comes to managing your organization's ever-changing risk.
While a traditional attacker might use straightforward methods of infiltrating a network, such as deploying a Trojan or relatively simple malware, APT attackers use more advanced techniques. For example, an APT attacker might use elaborate espionage tactics over a longer period and involve multiple actors at an organization to meet a specific goal, such as getting behind that company's firewalls.
The reality is that a business of any size can be a target, but high-profile APT attacks have historically targeted prominent businesses, public figures,or governments. Yet APT-style attacks---meaning more converged attack types---are on the rise, and what’s concerning is that traditional cybercrime groups are now carrying them out.
Wiper malware is a prime example of the convergence between APT-style activity and general cybercrime. Wipers are a tactic we typically observe being used by nation state actors, while non-APT cybercrime groups usually distribute malware such as ransomware.
Wiper malware isn't new—the first instance surfaced in 2012—yet we’re seeing a growing trend of cybercriminals using these more destructive and sophisticated attack techniques and doing so in OT environments. In the first six months of 2022, we observed at least eight significant new wiper variants—WhisperGate, HermeticWiper, AcidRain, IsaacWiper, DesertBlade, CaddyWiper, DoubleZero, and Industroyer.V2—used by attackers in various targeted campaigns against government, military, and private organizations. This number is important because it's nearly as many total wiper variants as have been publicly detected in the past 10 years. While we saw a substantial increase in the use of this attack vector in conjunction with the war in Ukraine, the use of disk-wiping malware was also detected in 24 additional countries.
In addition to the convergence of the types of threats attackers rely on to achieve their new, more destructive goals, we’re also seeing general cybercrime attack playbooks become more targeted. This is a shift among general cybercrime, as targeted playbooks are typically a hallmark of APT groups.
This trend is especially evident when we look at ransomware activity. In fact, according to a recent survey, 85% of organizations are more worried about a ransomware attack than any other cyber threat.
And attackers are becoming stealthier as they seek to fly under an organization’s radar. In the past six months, we’ve observed defense evasion as the top tactic employed by malware developers. Hiding malicious intentions is one of the essential skills for malware developers to master, so it makes sense that they’d try to achieve this by hiding commands to evade a business’s defenses.
As advanced persistent threats begin to converge with general cybercrime, cybercriminals are increasingly focused on trying to evade security, detection, intelligence, and controls. They’re spending more time on reconnaissance and are finding ways to weaponize new technologies.
Like all security challenges, there's no single solution or a quick fix to protecting your organization against this type of activity. Yet one of the best protective measures you can take is proactively creating behavioral-based detections based on updated, real-time threat intelligence. Organizations will be better positioned to secure against the broad toolkits of adversaries armed with this actionable intelligence. Integrated, AI and ML-driven cybersecurity platforms with advanced detection and response capabilities powered by actionable threat intelligence are important to protect across all edges of hybrid networks.
To protect against more destructive ransomware, organizations, regardless of industry or size, need a proactive approach that can evolve as ransomware evolves. Real-time visibility, protection, and remediation coupled advanced endpoint detection and response (EDR) is critical. Inline sandbox on a firewall can hold suspicious files for malware analysis until it is safe to be let onto the network.
In addition, services such as a digital risk protection service (DRPS) can be used to do external threat surface assessments, find and remediate security issues, and help gain contextual insights on current and imminent threats.
Regardless of “in-the-office” or “work-from-anywhere” zero-trust network access (ZTNA) is critical for securing access to applications regardless of where work or learning are taking place.
Managing a constantly evolving array of threats, tactics, and techniques, often feels like treading water in the open ocean. You can’t touch the bottom, and you’re not sure when the next boat will pass by. But the more we become aware of our surroundings and take steps to protect our organization from them, the better prepared we’ll be when the next storm inevitably starts to brew.
Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.