subscribe: Daily Newsletter

 

Common exploits, swarms threaten users

0 comments

High botnet reoccurrence rates as well as an increase of automated malware demonstrate that cybercriminals are leveraging common exploits combined with automated attack methods at unprecedented speed and scale.
These are among the findings from Fortinet’s Global Threat Landscape Report.
“Whether it’s WannaCry in May or Apache Struts in September, long-known and yet still-unpatched vulnerabilities serve as the gateway for attacks time and time again,” says Phil Quade, chief information security officer at Fortinet.
“Remaining vigilant of new threats and vulnerabilities in the wild is critical, but organizations also need to keep sight of what is happening within their own environment.
“There is an incredible urgency to prioritise security hygiene and embrace fabric-based security approaches that leverage automation, integration, and strategic segmentation,” he adds. “Our adversaries are adopting automated and scripted techniques, so we need to raise their price of attacking to combat today’s new normal.”
Keeping up with swarm attacks, botnet reoccurrences, or the latest ransomware attack is daunting for the most strategic or staffed security team. If caught off guard, any organisation can fall victim to the enormous amount of attacks at play today.
To facilitate learning from what is happening in the wild, the intelligence included in the latest report offers views of the cyberthreat landscape from many perspectives. It focuses on three central and complementary aspects of that landscape, namely application exploits, malicious software, and botnets.
It also examines important zero-day vulnerabilities and infrastructure trends of the corresponding attack surface to add context about the trajectory of cyberattacks affecting organizations over time.
* Severity of attacks creates urgency: 79% of firms saw severe attacks in Q3 2017. Research data overall during the quarter quantified 5 973 unique exploit detections, 14 904 unique malware variants from 2 646 different malware families, and 245 unique botnets detected. In addition, Fortinet identified 185 zero-day vulnerabilities to date this year.
* Botnet ereoccurrence: Many organisations experienced the same botnet infections multiple times. This is an alarming data point. Either the organizations did not thoroughly understand the total scope of the breach and the botnet went dormant only to return again after business operations went back to normal, or the root cause was never found and the organization was re-infected with the same malware.
* Swarming vulnerabilities: The exact application exploit used by attackers to breach Equifax was the most prevalent with more than 6 000 unique detections recorded last quarter, and it is once again the most prevalent this quarter. In fact, three exploits against the Apache Struts framework made the top 10 list of most prevalent. This is an example of how attackers swarm when they catch scent of widespread, vulnerable targets.
* Mobile threats: One in four firms detected mobile malware. Four mobile malware specific families stood out for the first time because of their prevalence. This is an indication that mobile is increasingly becoming a target and that the threats themselves are becoming automated and polymorphic. With holiday shopping season in full swing this trend is concerning as purchases from mobile devices will be frequent and IoT devices will be popular gifts to be purchased.
* Pervasive and evasive malware: The most common functionality among top malware families was downloading, uploading, and dropping malware onto infected systems. This behaviour helps slip malicious payloads through legacy defences by wrapping them in dynamic packaging. In addition, malware strains that establish remote access connections, capture user input, and gather system information were common as well. These advanced techniques are becoming the norm recently and both data points demonstrate the increased intelligent and automated nature of malware today.
* Ransomware is always there: After a hiatus during the first half of the year, the Locky ransomware ramped up in a big way with three new campaigns. Roughly 10% of firms reported it. In addition, at least 22% of organisations detected some type of ransomware during the quarter.
* Cybercriminals target all sizes: Midsize firms saw higher rates of botnet infections, demonstrating that they deal with more than their fair share of security problems. Cybercriminals potentially view midsize organizations as a “sweet spot” because often they do not have the same level of security resources and technologies as large enterprises but are seen as having valuable data assets. At the same time, the attack surface for midsize firms is growing at a fast pace because of their cloud adoption rates.
* SCADA is critical: In addition to high-volume attacks like those against Apache Struts, some threats fly below the radar or have severe consequences that spill over beyond the organization in which they occur. Among the exploits tracked that target various types of supervisory control and data access (SCADA) systems, only one crossed the 1:1 000 threshold of prevalence and none were observed by more than 1% of reporting firms. Unfortunately, enterprise network intrusions and outages are bad, but breaches into SCADA environments put the physical infrastructure on which many lives depend at risk, demonstrating the importance of this statistic.