FortiGuard Labs Reports Destructive Wiper Malware Increases Over
50%
Derek Manky, Chief Security Strategist & Global VP
Threat Intelligence, FortiGuard Labs
“For cyber
adversaries, maintaining access and evading detection is no small
feat as cyber defenses continue to advance to protect organizations
today. To counter, adversaries are augmenting with more
reconnaissance techniques and deploying more sophisticated attack
alternatives to enable their destructive attempts with APT-like
threat methods such as wiper malware or other advanced payloads. To
protect against these advanced persistent cybercrime tactics,
organizations need to focus on enabling machine learning–driven
coordinated and actionable threat intelligence in real time across
all security devices to detect suspicious actions and initiate
coordinated mitigation across the extended attack surface.”
News Summary:
Fortinet® (NASDAQ: FTNT), the global cybersecurity leader
driving the convergence of networking and security, today announced
the latest semiannual Global Threat Landscape Report from
FortiGuard Labs. The threat landscape and organizations’ attack
surface are constantly transforming, and cybercriminals’ ability to
design and adapt their techniques to suit this evolving environment
continues to pose significant risk to businesses of all sizes,
regardless of industry or geography. For a detailed view of the
report, as well as some important takeaways, read the blog.
Highlights of the 2H 2022 report follow:
- The mass distribution of wiper malware continues to showcase
the destructive evolution of cyberattacks.
- New intelligence allows CISOs to prioritize risk mitigation
efforts and minimize the active attack surface with the expansion
of the “Red Zone” approach.
- Ransomware threats remain at peak levels with no evidence of
slowing down globally with new variants enabled by
Ransomware-as-a-Service (RaaS).
- The most prevalent malware was more than a year old and had
gone through a large amount of speciation, highlighting the
efficacy and economics of reusing and recycling code.
- Log4j continues to impact organizations in all regions and
industries, most notably across technology, government, and
education.
Destructive APT-like Wiper Malware Spreads Wide in 2022
Analyzing wiper malware data reveals a trend of cyber
adversaries consistently using destructive attack techniques
against their targets. It also shows that with the lack of borders
on the internet, cyber adversaries can easily scale these types of
attacks, which have been largely enabled by the
Cybercrime-as-a-Service (CaaS) model.
In early 2022, FortiGuard Labs reported the presence of several
new wipers in parallel with the Russia-Ukraine war. Later in the
year, wiper malware expanded into other countries, fueling a 53%
increase in wiper activity from Q3 to Q4 alone. While some of this
activity was enabled by wiper malware that may have been initially
developed and deployed by nation-state actors surrounding the war,
it is being picked up by cybercriminal groups and is spreading
beyond just Europe. Unfortunately, the trajectory of destructive
wiper malware does not appear to be slowing any time soon based on
the activity volume seen in Q4, which means any organization
remains a potential target, not just organizations based in
Ukraine or surrounding countries.
Mapping CVEs Reveals Vulnerability Red Zone to Help CISOs Prioritize
Exploit trends show what cybercriminals are interested in attacking,
what they are probing for future attacks, and what they are actively
targeting. FortiGuard Labs has an
extensive archive of known vulnerabilities, and through data
enrichment was able to identify actively exploited vulnerabilities
in real time and map zones of active risk across the attack
surface. In the second half of 2022, less than 1% of the total
observed vulnerabilities discovered in an enterprise-size
organization were both present on endpoints and actively under
attack. Intelligence about this active attack surface gives CISOs a
clear view of the Red Zone: the small set of vulnerabilities where
risk-reduction and patching efforts should be prioritized.
Financially Motivated Cybercrime and Ransomware Threat Holding at
Peak Levels
FortiGuard Labs Incident Response (IR) engagements found that
financially motivated cybercrime
resulted in the highest volume of incidents (73.9%), with a distant
second attributed to espionage (13%). In all of 2022, 82% of
financially motivated cybercrime involved the employment of
ransomware or malicious scripts, showing that the global ransomware
threat remains in full force with no evidence of slowing down
thanks to the growing popularity of Ransomware-as-a-Service (RaaS)
on the dark web.
In fact, ransomware volume increased 16% from the first half of
2022. Out of a total of 99 observed ransomware families, the top
five families accounted for roughly 37% of all ransomware activity
during the second half of 2022. GandCrab, a RaaS malware that
emerged in 2018, was at the top of the list. Although the criminals
behind GandCrab announced that they were retiring after making over
$2 billion in profits, there were many iterations of GandCrab
during its active time. It is possible that the long-tail legacy of
this criminal group is still perpetuating, or the code has simply
been built upon, changed, and re-released, demonstrating the
importance of global partnerships across all types of organizations
to permanently dismantle criminal operations. Effectively
disrupting cybercriminal supply chains requires a global group
effort with strong, trusted relationships and collaboration among
cybersecurity stakeholders across public and private organizations
and industries.
Adversary Code Reuse Showcases the Resourceful Nature of Adversaries
Cyber adversaries are enterprising in nature
and always looking to maximize existing investments and knowledge
to make their attack efforts more effective and profitable. Code
reuse is an efficient and lucrative way for cybercriminals to build
upon successful outcomes while making iterative changes to
fine-tune their attacks and overcome defensive obstacles.
When FortiGuard Labs analyzed the most prevalent malware for the
second half of 2022, the majority of the top spots were held by
malware that was more than one year old. FortiGuard Labs further
examined a collection of different Emotet variants to analyze their
tendency to borrow and reuse code. The research showed that Emotet
has gone through significant speciation with variants breaking into
roughly six different “species” of malware. Cyber adversaries are
not just automating threats but actively retrofitting code to make
it even more effective.
Older Botnet Resurrection Demonstrates the Resiliency of Adversarial
Supply Chains
In addition to code reuse, adversaries are also leveraging existing
infrastructure and older threats to maximize opportunity. When
examining botnet threats by prevalence, FortiGuard Labs discovered
that many of the top botnets are not new. For example, the Morto
botnet, which was first observed in 2011, surged in late 2022.
Others, like Mirai and Gh0st.Rat, continue to be prevalent across
all regions.
Surprisingly, out of the top five observed botnets, only RotaJakiro
is from this decade.
Although it may be tempting to write off older threats as past
history, organizations across any sector must continue to stay
vigilant. These “vintage” botnets are still pervasive for a reason:
They are still very effective. Resourceful cybercriminals will
continue to leverage existing botnet infrastructure and evolve it
into increasingly persistent versions with highly specialized
techniques because the ROI is there. Specifically, in the second
half of 2022, significant targets of Mirai included managed
security service providers (MSSPs), the telco/carrier sector, and
the manufacturing sector, which is known for its pervasive
operational technology (OT). Cybercriminals are making a concerted
effort to target those industries with proven methods.
Log4j Remains Widespread and Targeted by Cybercriminals
Even with all the publicity that Log4j
received in 2021 and the early parts of 2022, a significant number
of organizations still have not patched or applied the appropriate
security controls to protect their organizations against one of the
most notable vulnerabilities in history.
In the second half of 2022, Log4j was still heavily active in all
regions and ranked second. In fact, FortiGuard Labs found that
41% of organizations detected Log4j activity, showing just how
widespread the threat remains. Log4j IPS activity was most
prevalent across tech, government, and educational sectors, which
should come as no surprise, given Apache Log4j’s popularity as
open-source software.
Analyzing a Piece of the Malware Story: Delivery Shifts Demonstrate
Urgency for User Awareness
Analyzing adversarial strategies gives us valuable insight into how
attack techniques and tactics are evolving, so that defenders can
better protect against future attack scenarios. FortiGuard Labs
looked at the
functionality of detected malware based on sandbox data to track
the most common delivery approaches. It is important to note that
this only looks at detonated samples.
In reviewing the top eight tactics and techniques viewed in
sandboxing, drive-by-compromise was the most popular tactic used by
cybercriminals to gain access into organizations' systems across
all regions globally. Adversaries are primarily gaining access to
victims’ systems when the unsuspecting user browses the internet
and unintentionally downloads a malicious payload by visiting a
compromised website, opening a malicious email attachment, or even
clicking a link or deceptive pop-up window. The challenge with the
drive-by tactic is that once a malicious payload is accessed and
downloaded, it is often too late for the user to escape compromise
unless they have a holistic approach to security.
Shifting to Meet the Threat Landscape Head-On
Fortinet is a leader in enterprise-class cybersecurity and
networking innovation, helping CISOs and security
teams break the attack kill chain, minimize the impact of
cybersecurity incidents, and better prepare for potential
cyberthreats.
Fortinet's suite of security solutions includes a variety of
powerful tools like next-generation firewalls (NGFW), network
telemetry and analytics, endpoint detection and response (EDR),
extended detection and response (XDR), digital risk protection
(DRP), security information and event management (SIEM), inline
sandboxing, deception, security orchestration, automation, and
response (SOAR), and more. These solutions provide advanced threat
detection and prevention capabilities that can help organizations
quickly detect and respond to security incidents across their
entire attack surface.
To complement these solutions and support short-staffed teams
strained by the cybersecurity talent shortage, Fortinet also offers
machine learning–enabled threat intelligence and response services.
These provide up-to-date information on the latest cyberthreats and
enable businesses to quickly respond to security incidents,
minimizing the impact on their organization. Fortinet’s human-based
SOC augmentation and threat intelligence services also help
security teams better prepare for cyberthreats and provide
real-time threat monitoring and incident response capabilities.
This comprehensive suite of cybersecurity solutions and services
enables CISOs and security teams to focus on enabling the business
and higher-priority projects.
Report Overview
This latest Global Threat Landscape Report is a view representing
the collective intelligence
of FortiGuard Labs, drawn from Fortinet’s vast array of
sensors collecting billions of threat events observed around the
world during the second half of 2022. Using the MITRE ATT&CK
framework, which classifies adversary tactics, techniques, and
procedures (TTPs), the FortiGuard Labs Global Threat Landscape
Report sets out to describe how threat actors target
vulnerabilities, build malicious infrastructure, and exploit their
targets. The report also covers global and regional perspectives as
well as threat trends affecting both IT and OT
environments.
Additional Resources
- Subscribe to our blog for valuable takeaways from this research
as the FortiGuard Labs team examines topics from the report in
upcoming weeks.
- Learn more about FortiGuard Labs threat intelligence and
research and Outbreak Alerts, which provide timely steps to
mitigate breaking cybersecurity attacks.
- Learn more about Fortinet’s FortiGuard Security Services
portfolio.
- Learn more about Fortinet’s free cybersecurity
training, which includes broad cyber awareness
and product training. As part of the Fortinet Training
Advancement Agenda (TAA), the Fortinet Training Institute also
provides training and certification through
the Network Security Expert (NSE) Certification, Academic
Partner, and Education Outreach programs.
- Read about how Fortinet customers are securing their
organizations.
- Follow Fortinet on Twitter, LinkedIn, Facebook,
and Instagram. Subscribe to Fortinet on our blog or
YouTube.
About FortiGuard Labs
FortiGuard Labs is the threat intelligence and research
organization at Fortinet. Its mission is to provide Fortinet
customers with the industry’s best threat intelligence designed to
protect them from malicious activity and sophisticated
cyberattacks. It is composed of some of the industry’s most
knowledgeable threat hunters, researchers, analysts, engineers, and
data scientists, working in dedicated threat research labs all
around the world. FortiGuard
Labs continuously monitors the worldwide attack surface using
millions of network sensors and hundreds of intelligence-sharing
partners. It analyzes and processes this information using AI and
other innovative technology to mine that data for new threats.
These efforts result in timely, actionable threat intelligence in
the form of Fortinet security product updates, proactive threat
research to help our customers better understand the threats and
actors they face, and threat intelligence to help our customers
better understand and defend their threat landscape. Learn more
at https://www.fortinet.com, the Fortinet Blog,
and FortiGuard Labs.
About Fortinet
Fortinet (NASDAQ: FTNT) is a driving force in the evolution of
cybersecurity and the convergence
of networking and security. Our mission is to secure people,
devices, and data everywhere, and today we deliver cybersecurity
everywhere you need it with the largest integrated portfolio of
over 50 enterprise-grade products. Well over half a million
customers trust Fortinet's solutions, which are among the most
deployed, most patented, and most validated in the industry. The
Fortinet Training Institute, one of the largest and broadest
training programs in the industry, is dedicated to making
cybersecurity training and new career opportunities available to
everyone. FortiGuard Labs, Fortinet’s elite threat intelligence and
research organization, develops and utilizes leading-edge
machine learning and AI technologies to provide customers with
timely and consistently top-rated protection and actionable threat
intelligence. Learn more at https://www.fortinet.com,
the Fortinet Blog, and FortiGuard Labs.
FTNT-O
Copyright © 2023 Fortinet, Inc. All rights reserved. The symbols
® and ™ denote respectively federally registered trademarks and
common law trademarks of Fortinet, Inc., its subsidiaries and
affiliates. Fortinet’s trademarks include, but are not limited to,
the following: Fortinet, the Fortinet logo, FortiGate, FortiOS,
FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC,
FortiClient, FortiCloud, FortiMail, FortiSandbox, FortiADC,
FortiAI, FortiAIOps, FortiAntenna, FortiAP, FortiAPCam,
FortiAuthenticator, FortiCache, FortiCall, FortiCam, FortiCamera,
FortiCarrier, FortiCASB, FortiCentral, FortiConnect,
FortiController, FortiConverter, FortiCWP, FortiDB, FortiDDoS,
FortiDeceptor, FortiDeploy, FortiDevSec, FortiEdge, FortiEDR,
FortiExplorer, FortiExtender, FortiFirewall, FortiFone, FortiGSLB,
FortiHypervisor, FortiInsight, FortiIsolator, FortiLAN, FortiLink,
FortiMoM, FortiMonitor, FortiNAC, FortiNDR, FortiPenTest,
FortiPhish, FortiPlanner, FortiPolicy, FortiPortal, FortiPresence,
FortiProxy, FortiRecon, FortiRecorder, FortiSASE,
FortiSDNConnector, FortiSIEM, FortiSMS, FortiSOAR, FortiSwitch,
FortiTester, FortiToken, FortiTrust, FortiVoice, FortiWAN,
FortiWeb, FortiWiFi, FortiWLC, FortiWLM and FortiXDR. Other
trademarks belong to their respective owners. Fortinet has not
independently verified statements or certifications herein
attributed to third parties and Fortinet does not independently
endorse such statements. Notwithstanding anything to the contrary
herein, nothing herein constitutes a warranty, guarantee, contract,
binding specification or other binding commitment by Fortinet or
any indication of intent related to a binding commitment, and
performance and other specification information herein may be
unique to certain environments.
Media Contact:
Travis Anderson
Fortinet, Inc.
408-235-7700
pr@fortinet.com

Investor Contact:
Peter Salkowski
Fortinet, Inc.
408-331-4595
psalkowski@fortinet.com

Analyst Contact:
Brian Greenberg
Fortinet, Inc.
408-235-7700
analystrelations@fortinet.com