Skip to content Skip to navigation Skip to footer

FortiGuard Labs Reports Disruptive Shift of Cyber Threats

Scale and Evolution Across the Entire Attack Surface Impacts Organizations Everywhere, Across All Edges and the Digital Supply Chain

SUNNYVALE, Calif. - Feb 24, 2021


Derek Manky, Chief, Security Insights & Global Threat Alliances, FortiGuard Labs

“2020 witnessed a dramatic cyber threat landscape from beginning to end. Although the pandemic played a central role, as the year progressed cyber adversaries evolved attacks with increasingly disruptive outcomes. They maximized the expanded digital attack surface beyond the core network, to target remote work or learning, and the digital supply chain. Cybersecurity risk has never been greater as everything is interconnected in a larger digital environment. Integrated and AI-driven platform approaches, powered by actionable threat intelligence, are vital to defend across all edges and to identify and remediate threats organizations face today in real time.”

News Summary:

Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated, and automated cybersecurity solutions, today announced the findings of the latest semiannual FortiGuard Labs Global Threat Landscape Report. Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber threat landscape where cyber adversaries maximized the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks. They targeted the abundance of remote workers or learners outside the traditional network, but also showed renewed agility in attempts to target digital supply chains and even the core network. For a detailed view of the report, as well as some important takeaways, read the blog. Highlights of the 2H 2020 report follow:

  • Onslaught of Ransomware Continues: FortiGuard Labs data shows a sevenfold increase in overall ransomware activity compared to 1H 2020, with multiple trends responsible for the increase in activity. The evolution of Ransomware-as-a-Service (RaaS), a focus on big ransoms for big targets, and the threat of disclosing stolen data if demands were not met combined to create conditions for this massive growth. In addition, with varying degrees of prevalence, the most active of the ransomware strains tracked were Egregor, Ryuk, Conti, Thanos, Ragnar, WastedLocker, Phobos/EKING and BazarLoader. Sectors that were heavily targeted in ransomware attacks included healthcare, professional services firms, consumer services companies, public sector organizations, and financial services firms. To effectively deal with the evolving risk of ransomware, organizations will need to ensure data backups are timely, complete, and secure off-site. Zero-trust access and segmentation strategies should also be investigated to minimize risk.
  • Supply Chain Takes Center Stage: Supply chain attacks have a long history, but the SolarWinds breach raised the discussion to new heights. As the attack unfolded, a significant amount of information was shared by affected organizations. FortiGuard Labs monitored this emerging intelligence closely, using it to create IoCs to detect related activity. Detections of communications with internet infrastructure associated with SUNBURST during December 2020 demonstrates that the campaign was truly global in nature, with the “Five Eyes” exhibiting particularly high rates of traffic matching malicious IoCs. There is also evidence of possible spillover targets that emphasizes the interconnected scope of modern supply chain attacks and the importance of supply chain risk management.
  • Adversaries Target Your Online Moves: Examining the most prevalent malware categories reveals the most popular techniques cybercriminals use to establish a foothold within organizations. The top attack target was Microsoft platforms, leveraging the documents most people use and consume during a typical workday. Web browsers continued to be another battlefront. This HTML category included malware-laden phishing sites and scripts that inject code or redirect users to malicious sites. These types of threats inevitably rise during times of global issues or periods of heavy online commerce. Employees who typically benefit from web-filtering services when browsing from the corporate network continue to find themselves more exposed when doing so outside that protective filter.
  • The Home Branch Office Remains a Target: The barriers between home and office eroded significantly in 2020, meaning that targeting the home puts adversaries one step closer to the corporate network. In the second half of 2020, exploits targeting Internet of Things (IoT) devices, such as those existing in many homes, were at the top of the list. Each IoT device introduces a new network “edge” that needs to be defended and requires security monitoring and enforcement at every device.
  • Cast of Actors Joins Global Stage: Advanced Persistent Threat (APT) groups continue to exploit the COVID-19 pandemic in a variety of ways. The most common among them included attacks focused on gathering personal information in bulk, stealing intellectual property, and nabbing intelligence aligned with the APT group’s national priorities. As the end of 2020 neared, there was an increase in APT activity targeting organizations involved in COVID-19-related work including vaccine research and development of domestic or international healthcare policies around the pandemic. Targeted organizations included government agencies, pharmaceutical firms, universities, and medical research firms.
  • Flattening the Curve of Vulnerability Exploits: Patching and remediation are ongoing priorities for organizations as cyber adversaries continue to attempt to exploit vulnerabilities for their benefit. By tracking the progression of 1,500 exploits in the wild over the last two years, data demonstrates how fast and how far exploits propagate. Even though it is not always the case, it seems that most exploits do not seem to spread far very fast. Among all exploits tracked over the last two years, only 5% were detected by more than 10% of organizations. With all things being equal, if a vulnerability is picked at random, data shows there is about a 1-in-1,000 chance that an organization will be attacked. About 6% of exploits hit more than 1% of firms within the first month, and even after one year, 91% of exploits have not crossed that 1% threshold. Regardless, it remains prudent to focus remediation efforts on vulnerabilities with known exploits, and among those, prioritize the ones propagating most quickly in the wild.

Fighting Cyber Adversaries Requires an Integrated Strategy and Broad Awareness

Organizations face a threat landscape with attacks on all fronts. Threat intelligence remains central to understanding these threats and how to defend against evolving threat vectors. Visibility is also critical, particularly when a significant amount of users are outside the typical network scenario. Every device creates a new network edge that must be monitored and secured. The use of artificial intelligence (AI) and automated threat detection can enable organizations to address attacks immediately, not later, and are necessary to mitigate attacks at speed and scale across all edges. Cybersecurity user awareness training should also remain a priority as cyber hygiene is not just the domain of IT and security teams. Everyone needs regular training and instruction on best practices to keep individual employees and the organization secure.

Report Overview

This latest Global Threat Landscape Report is a view representing the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed around the world during the second half of 2020. Similar to how the MITRE ATT&CK framework classifies adversary tactics and techniques, with the first three groupings spanning reconnaissance, resource development, and initial access, the FortiGuard Labs Global Threat Landscape Report leverages this model to describe how threat actors find vulnerabilities, build malicious infrastructure, and exploit their targets. The report also covers global and regional perspectives as well.

Additional Resources

About FortiGuard Labs

FortiGuard Labs is the threat intelligence and research organization at Fortinet. Its mission is to provide Fortinet customers with the industry’s best threat intelligence designed to protect them from malicious activity and sophisticated cyberattacks. It is comprised of some of the industry’s most knowledgeable threat hunters, researchers, analysts, engineers and data scientists in the industry, working in dedicated threat research labs all around the world. FortiGuard Labs continuously monitors the worldwide attack surface using millions of network sensors and hundreds of intelligence-sharing partners. It analyzes and processes this information using artificial intelligence (AI) and other innovative technology to mine that data for new threats. These efforts result in timely, actionable threat intelligence in the form of Fortinet security product updates, proactive threat research to help our customers better understand the threats and threat actors they face, and by providing threat intelligence consulting services to help our customers better understand and defend their threat landscape. Learn more at http://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

About Fortinet

Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers our customers with complete visibility and control across the expanding attack surface and the power to take on ever-increasing performance requirements today and into the future. Only the Fortinet Security Fabric platform can address the most critical security challenges and protect data across the entire digital infrastructure, whether in networked, application, multi-cloud or edge environments. Fortinet ranks #1 in the most security appliances shipped worldwide and more than 480,000 customers trust Fortinet to protect their businesses. Both a technology company and a learning organization, the Fortinet Network Security Expert (NSE) Training Institute has one of the largest and broadest cybersecurity training programs in the industry. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

Copyright © 2021 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet's trademarks include, but are not limited to, the following: Fortinet, FortiGate, FortiGuard, FortiCare, FortiManager, FortiAnalyzer, FortiOS, FortiADC, FortiAP, FortiAppMonitor, FortiASIC, FortiAuthenticator, FortiBridge, FortiCache, FortiCamera, FortiCASB, FortiClient, FortiCloud, FortiConnect, FortiController, FortiConverter, FortiDB, FortiDDoS, FortiExplorer, FortiExtender, FortiFone, FortiCarrier, FortiHypervisor, FortiIsolator, FortiMail, FortiMonitor, FortiNAC, FortiPlanner, FortiPortal, FortiPresence , FortiProxy, FortiRecorder, FortiSandbox, FortiSIEM, FortiSwitch, FortiTester, FortiToken, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLCOS and FortiWLM.

Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments. This news release may contain forward-looking statements that involve uncertainties and assumptions, such as statements regarding technology releases among others. Changes of circumstances, product release delays, or other risks as stated in our filings with the Securities and Exchange Commission, located at www.sec.gov, may cause results to differ materially from those expressed or implied in this press release. If the uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Fortinet assumes no obligation to update any forward-looking statements, and expressly disclaims any obligation to update these forward-looking statements.