Global Threat Trends Demonstrate Political and Economic Intentions of Cybercriminals

FortiGuard Labs Threat Landscape Report Reveals a New Perspective on Global Trade and the Allure of Election Disruption

SUNNYVALE, Calif. - 26 февраля 2020


Derek Manky, Chief, Security Insights & Global Threat Alliances, FortiGuard Labs

“In the cyber arms race, the criminal community has often had a distinct advantage due to the growing cyberskills gap, the expanding digital attack surface, and by leveraging the element of surprise with tactics such as social engineering to take advantage of unsuspecting individuals. To get out ahead of the cycle of increasingly sophisticated and automated threats, organizations need to use the same sorts of technologies and strategies to defend their networks that criminals are using to attack them. That means adopting integrated platforms that leverage the power and resources of AI-driven threat intelligence and playbooks to enable protection and visibility across the digital infrastructure.”

News Summary:

Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated, and automated cybersecurity solutions, today announced the findings of the latest FortiGuard Labs Global Threat Landscape Report.

  • The research from Q4 2019 not only shows that cybercriminals continue to attempt to exploit any possible opportunity throughout the digital infrastructure, but that they are maximizing global economic and political realities to further enable their goals.
  • Global trends demonstrate that the prevalence and detection of threats may differ by geography, but the sophistication and automation of attacks remain consistent everywhere. In addition, the need to prioritize cybersecurity hygiene remains urgent around the world as threats are scaling faster than ever before.
  • For a detailed view of the report, as well as some important takeaways, read the blog. Highlights of the report follow.

1) A Not So Charming Kitten: Research shows significant levels of activity across regions associated with Charming Kitten, an Iran-linked advanced persistent threat (APT) group in Q4. Active since around 2014, the threat actor has been associated with numerous cyberespionage campaigns. Recent activity suggests that the threat actor has expanded into the election disruption business, having been linked to a series of attacks on targeted email accounts associated with a presidential election campaign. In addition, Charming Kitten was observed employing four new tactics against intended victims that were all designed to trick victims into parting with sensitive information.

2) Security Risks for IoT Devices Magnify: IoT devices continue to be challenged with exploitable software and these threats can affect unexpected devices such as wireless IP cameras. This situation is magnified when components and software are embedded into different commercial devices sold under a variety of brand names, sometimes by different vendors. Many of these components and services are often programmed using bits and pieces of pre-written code from a variety of common sources. These common components and pre-written code are sometimes vulnerable to exploit, which is why some of the same vulnerabilities crop up repeatedly across a wide range of devices. The scale combined with the inability to easily patch these devices is a growing challenge, and spotlights the difficulties of supply chain security. A lack of patch awareness or availability, the prevalence of vulnerabilities in some IoT devices, and the documented attempts to “enslave” these devices in IoT botnets all contributed to these exploits having the third-highest volume among all IPS detections during the quarter.

3) Senior Threats Help Junior Threats: Amidst the constant pressure to keep ahead of new threats, organizations sometimes forget that older exploits and vulnerabilities really have no expiration date, and threat actors will continue to use them as long as they work. A case in point is EternalBlue. The malware has been adapted over time to exploit common and major vulnerabilities. It has been used in numerous campaigns, including, most notably, the WannaCry and NotPetya ransomware attacks. In addition, a patch was issued last May for BlueKeep, a vulnerability that if exploited could be wormable, which had the potential to spread at the same speed and scale as WannaCry and NotPetya. And now, a new version of the EternalBlue Downloader Trojan surfaced last quarter with the ability to exploit the BlueKeep vulnerability. Fortunately, the version currently in the wild is not completely ironed out, forcing targeted devices to crash before loading. But looking at the traditional development cycle of malware, determined cybercriminals are likely to have a functional version of this potentially devastating malware package in the near future. And while a patch for BlueKeep has been available since May, far too many organizations still have not updated their vulnerable systems. The continuing and evolving threat actor interest in EternalBlue and BlueKeep is a reminder for organizations to ensure their systems are properly patched and secured against both threats.

4) Trends Demonstrate a New Perspective on Global Spam Trade: Spam continues to be one of the top issues for organizations and individuals to deal with. This quarter’s report combines the volume of spam flow between nations with data showing the ratios of spam sent vs. spam received, visually revealing a new perspective on an old problem. The majority of spam volume seems to follow economic and political trends. For example, the heaviest “spam trade partners” of the United States include Poland, Russia, Germany, Japan, and Brazil. In addition, in terms of exported spam volumes from geographic regions, Eastern Europe is the largest net producer of spam in the world. Most of the outbound-heavy spammers beyond that hail from Asian sub-regions. The remaining European sub-regions lead those with net negative spam ratios, receiving more than they send, followed by the Americas and Africa.

5) Tracking the Tracks of Cybercriminals to See What is Next: Looking at IPS triggers detected in a region not only shows what resources are being targeted, but may also indicate what cybercriminals might focus on in the future, either because enough of those attacks were ultimately successful, or simply because there is more of a certain type of technology deployed in some regions. But that’s not always the case. For example, the vast majority of ThinkPHP deployments are in China, which has almost 10x more installations than the U.S., according to shodan.io. Assuming that companies patch their software at about the same rate in each region, if a botnet was simply probing for vulnerable instances of ThinkPHP before deploying an exploit, the number of detected triggers should be much higher in APAC. However, only 6% more IPS triggers were detected in all of APAC than in North America from a recent exploit, indicating that these botnets are simply deploying the exploit to any ThinkPHP instance they find. In addition, when taking a similar look at malware detections, the majority of threats targeting organizations are Visual Basic for Applications (VBA) macros. This is likely because they are still effective and producing results. In general, detections for things that are not working won’t remain high for long and if there are a significant amount of detections for something, someone is falling prey to these attacks.

The Need for Broad, Integrated, and Automated Security

As applications proliferate and the number of connected devices expands the perimeter, billions of new edges are being created that have to be managed and protected. In addition, organizations are facing increased sophistication of attacks targeting the expanding digital infrastructure, including some being driven by artificial intelligence and machine learning. To effectively secure their distributed networks, organizations have to shift from protecting just security perimeters to protecting the data spread across their new network edges, users, systems, devices, and critical applications. Only a cybersecurity platform designed to provide comprehensive visibility and protection across the entire attack surface–including devices, users, mobile endpoints, multi-cloud environments, and SaaS infrastructures–is able to secure today’s rapidly evolving networks driven by digital innovation.

Report Overview
This latest Threat Landscape Report is a quarterly view representing the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed around the world during Q4 of 2019. It covers global and regional perspectives as well as research into three central and complementary aspects of that landscape: exploits, malware, and botnets.

Additional Resources

About FortiGuard Labs

FortiGuard Labs is the global threat intelligence and research organization at Fortinet. Its mission is to provide our customers with the global threat intelligence and contextualized analysis needed to protect them from malicious cyberattacks. To do so, FortiGuard Labs employs over 200 threat researchers and analysts in 31 countries around the world and utilizes one of the most effective and proven artificial intelligence (AI) and machine learning (ML) systems in the industry. This platform analyzes approximately 10 billion events every day to generate actionable threat intelligence updates for Fortinet products and to keep our customers up-to-date with the latest threat identification and protection information available. Additionally, FortiGuard Labs maintains an integrated threat intelligence ecosystem with over 200 security intelligence partnerships and collaborations. The combination of our industry-leading research and analyst team, innovative and proven AI and ML systems, and extensive security intelligence ecosystem enables Fortinet to provide the leading-edge detection and protection our customers and partners need. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

About Fortinet

Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers our customers with complete visibility and control across the expanding attack surface and the power to take on ever-increasing performance requirements today and into the future. Only the Fortinet Security Fabric platform can address the most critical security challenges and protect data across the entire digital infrastructure, whether in networked, application, multi-cloud or edge environments. Fortinet ranks #1 in the most security appliances shipped worldwide and more than 440,000 customers trust Fortinet to protect their businesses. Both a technology company and a learning company, the Fortinet Network Security Expert (NSE) Institute has one of the largest and broadest cybersecurity training programs in the industry. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

Copyright © 2020 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet's trademarks include, but are not limited to, the following: Fortinet, FortiGate, FortiGuard, FortiCare, FortiManager, FortiAnalyzer, FortiOS, FortiADC, FortiAP, FortiAppMonitor, FortiASIC, FortiAuthenticator, FortiBridge, FortiCache, FortiCamera, FortiCASB, FortiClient, FortiCloud, FortiConnect, FortiController, FortiConverter, FortiDB, FortiDDoS, FortiExplorer, FortiExtender, FortiFone, FortiCarrier, FortiHypervisor, FortiIsolator, FortiMail, FortiMonitor, FortiNAC, FortiPlanner, FortiPortal, FortiPresence , FortiProxy, FortiRecorder, FortiSandbox, FortiSIEM, FortiSwitch, FortiTester, FortiToken, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLCOS and FortiWLM.

Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments. This news release may contain forward-looking statements that involve uncertainties and assumptions, such as statements regarding technology releases among others. Changes of circumstances, product release delays, or other risks as stated in our filings with the Securities and Exchange Commission, located at www.sec.gov, may cause results to differ materially from those expressed or implied in this press release. If the uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Fortinet assumes no obligation to update any forward-looking statements, and expressly disclaims any obligation to update these forward-looking statements.