Cyber Adversaries Up the Ante on Evasion and Anti-analysis to Avoid Detection
Phil Quade, Chief Information Security Officer, Fortinet
“The ever-widening breadth and sophistication of cyber adversaries’ attack methods is an important reminder of how they are attempting to leverage speed and connectivity to their advantage. Therefore, it is important for defenders to do the same and to relentlessly prioritize these important cybersecurity fundamentals, to position organizations to better manage and mitigate cyber risks. A security fabric approach across every security element that embraces segmentation and integration, actionable threat intelligence, and automation combined with machine learning is essential to enable these fundamentals to bear fruit.”
Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated, and automated cybersecurity solutions, today announced the findings of its latest quarterly Global Threat Landscape Report.
- The research reveals that cybercriminals continue to look for new attack opportunities throughout the digital attack surface and are leveraging evasion as well as anti-analysis techniques as they become more sophisticated in their attempts.
- The Threat Landscape Index crossed a milestone this quarter. It is up nearly 4% from its original opening position year-over-year. The high point during that year-long timeframe is the peak and closing point of Q2 CY2019. The upsurge was driven by increased malware and exploit activity.
- For a detailed view of the Threat Landscape Index and subindices for exploits, malware, and botnets, as well as some important takeaways for CISOs read the blog. Highlights of the report follow.
Upping the Ante on Evasion Tactics
Many modern malware tools already incorporate features for evading antivirus or other threat detection measures, but cyber adversaries are becoming more sophisticated in their obfuscation and anti-analysis practices to avoid detection.
For example, a spam campaign demonstrates how adversaries are using and tweaking these techniques against defenders. The campaign involves the use of a phishing email with an attachment that turned out to be a weaponized Excel document with a malicious macro. The macro has attributes designed to disable security tools, execute commands arbitrarily, cause memory problems, and ensure that it only runs on Japanese systems. One property that it looks for in particular, an xlDate variable, seems to be undocumented.
Another example involves a variant of the Dridex banking trojan which changes the names and hashes of files each time the victim logs in, making it difficult to spot the malware on infected host systems.
The growing use of anti-analysis and broader evasion tactics is a reminder of the need for multi-layered defenses and behavior-based threat detection.
Under the Radar Attacks Aim for the Long-haul
The Zegost infostealer malware, is the cornerstone of a spear phishing campaign and contains intriguing techniques. Like other infostealers, the main objective of Zegost is to gather information about the victim’s device and exfiltrate it. Yet, when compared to other infostealers, Zegost is uniquely configured to stay under the radar. For example, Zegost includes functionality designed to clear the application, security, and system event logs. This type of cleanup is not seen in typical malware. Another interesting development in Zegost’s evasion capabilities is a command that kept the infostealer “in stasis” until after February 14, 2019, after which it began its infection routine.
The threat actors behind Zegost utilize an arsenal of exploits to ensure they establish and maintain a connection to targeted victims, making it far more of a long term threat compared to its contemporaries.
Ransomware Continues to Trend to More Targeted Attacks
The attacks on multiple cities, local governments, and education systems serve as a reminder that ransomware is not going away, but instead continues to pose a serious threat for many organizations going forward. Ransomware attacks continue to move away from mass-volume, opportunistic attacks to more targeted attacks on organizations, which are perceived as having either the ability or the incentive to pay ransoms. In some instances, cybercriminals have conducted considerable reconnaissance before deploying their ransomware on carefully selected systems to maximize opportunity.
For example, RobbinHood ransomware is designed to attack an organization's network infrastructure and is capable of disabling Windows services that prevent data encryption and to disconnect from shared drives.
Another newer ransomware called Sodinokibi, could become another threat for organizations. Functionally, it is not very different from a majority of ransomware tools in the wild. It is troublesome because of the attack vector, which exploits a newer vulnerability that allows for arbitrary code execution and does not need any user interaction like other ransomware being delivered by phishing email.
Regardless of the vector, ransomware continues to pose a serious threat for organizations going forward, serving as a reminder of the importance of prioritizing patching and infosecurity awareness education. In addition, Remote Desktop Protocol (RDP) vulnerabilities, such as BlueKeep are a warning that remote access services can be opportunities for cybercriminals and that they can also used as an attack vector to spread ransomware.
New Opportunities in the Digital Attack Surface
Between the home printer and critical infrastructure is a growing line of control systems for residential and small business use. These smart systems garner comparably less attention from attackers than their industrial counterparts, but that may be changing based on increased activity observed targeting these control devices such as environmental controls, security cameras, and safety systems. A signature related to building management solutions was found to be triggered in 1% of organizations, which may not seem like much, but it is higher than typically seen for ICS or SCADA products.
Cybercriminals are searching for new opportunities to commandeer control devices in homes and businesses. Sometimes these types of devices are not as prioritized as others or are outside the scope of traditional IT management. The security of smart residential and small business systems deserves elevated attention especially since access could have serious safety ramifications. This is especially relevant for remote work environments where secure access is important.
How to Protect Your Organization: Broad, Integrated, and Automated Security
Threat intelligence that is dynamic, proactive, and available in real-time can help identify trends showing the evolution of attack methods targeting the digital attack surface and to pinpoint cyber hygiene priorities. The value and ability to take action on threat intelligence is severely diminished if it cannot be actionable in real-time across each security device. Only a security fabric that is broad, integrated, and automated can provide protection for the entire networked environment, from IoT to the edge, network core and to multi-clouds at speed and scale.
Report and Index Overview
The latest Fortinet Threat Landscape Report is a quarterly view that represents the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of global sensors during Q2 2019. Research data covers global and regional perspectives. Also included in the report is the Fortinet Threat Landscape Index (TLI), comprised of individual indices for three central and complementary aspects of that landscape which are exploits, malware, and botnets, showing prevalence and volume in a given quarter.
- Read our blog for more information about this research.
- View the Fortinet Threat Landscape Index and subindices for botnets, malware, and exploits for Q2, 2019 or access the full report.
- For a more detailed view into the changing threats and events driving the Fortinet Threat Landscape Index each week, check out our weekly Threat Brief.
- Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio.
- Learn more about the FortiGuard Security Rating Service, which provides security audits and best practices.
- Read more about Fortinet’s Network Security Expert program , Network Security Academy program, and the FortiVets program.
- Read more about the Fortinet Security Fabric.
- Follow Fortinet on Twitter, LinkedIn, Facebook, YouTube, and Instagram.
Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network - today and into the future. Only the Fortinet Security Fabric architecture can deliver security features without compromise to address the most critical security challenges, whether in networked, application, cloud or mobile environments. Fortinet ranks #1 in the most security appliances shipped worldwide and more than 400,000 customers trust Fortinet to protect their businesses. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.
Copyright © 2019 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet's trademarks include, but are not limited to, the following: Fortinet, FortiGate, FortiGuard, FortiCare, FortiManager, FortiAnalyzer, FortiOS, FortiADC, FortiAP, FortiAppMonitor, FortiASIC, FortiAuthenticator, FortiBridge, FortiCache, FortiCamera, FortiCASB, FortiClient, FortiCloud, FortiConnect, FortiController, FortiConverter, FortiDB, FortiDDoS, FortiExplorer, FortiExtender, FortiFone, FortiCarrier, FortiHypervisor, FortiIsolator, FortiMail, FortiMonitor, FortiNAC, FortiPlanner, FortiPortal, FortiPresence , FortiProxy, FortiRecorder, FortiSandbox, FortiSIEM, FortiSwitch, FortiTester, FortiToken, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLCOS and FortiWLM.
Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments. This news release may contain forward-looking statements that involve uncertainties and assumptions, such as statements regarding technology releases among others. Changes of circumstances, product release delays, or other risks as stated in our filings with the Securities and Exchange Commission, located at www.sec.gov, may cause results to differ materially from those expressed or implied in this press release. If the uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Fortinet assumes no obligation to update any forward-looking statements, and expressly disclaims any obligation to update these forward-looking statements.