Infrastructure trends influencing threats
Exploits, malware, and botnets do not happen in a vacuum and finding or preventing threats gets increasingly complicated as network infrastructure evolves. Data shows encrypted traffic using SSL stayed steady at about 50% and accounted for roughly half of overall web traffic traversing within an organisation. HTTPS traffic usage is an important trend to monitor, because while it is good for privacy, it presents challenges to detecting threats that are able to hide in encrypted communications. Often SSL traffic goes uninspected because of the huge processing overhead required to open, inspect, and re-encrypt traffic, forcing teams to choose between protection and performance.
In terms of total applications detected per organisation, the number of cloud applications trended up at 63, which is roughly a third of all applications detected. This trend has significant implications for security since IT teams have less visibility into the data residing in cloud applications, how that data is being used, and who has access to it. Social media, streaming audio and video, and P2P applications did not trend up sharply.
Things powered by the digital underground
In Q416, the industry was reeling from the Yahoo! data breach and Dyn DDoS attack. Although both occurred in the US they affected people around the world as Yahoo account holders can be from any country whereas the Dyn clients which suffered outages included global services such as Twitter, Netflix and Reddit. Before the quarter was halfway done, the records set by both events were not only broken, but doubled.
Unlike other parts of the world, vulnerabilities in home routers formed the majority of IoT-based attacks in Asia Pacific. Many home routers are manufactured and deployed in this region, resulting in attacks on them being centred here.
Mobile malware has become a larger problem. Though it accounted for only 1.7% of the total malware volume, one in five organisations reporting malware encountered a mobile variant, nearly all on Android. Substantial regional differences were found in mobile malware attacks, with 36% coming from African organisations, 23% from Asia, 16% from North America, and only 8% in Europe. This data has implications for the trusted devices on corporate networks today.
Automated and high-volume attacks
The correlation between exploit volume and prevalence implies growing attack automation and lowering costs for malware and distribution tools available on the dark web, where cybercriminals operate. This is making it cheaper and easier than ever for attacks to be initiated.
Ransomware not going anywhere
Phil Quade, CISO, Fortinet said, “The cybersecurity challenges facing organisations today are complex with a threat landscape that is rapidly evolving. Threats are intelligent, autonomosaus, and increasingly difficult to detect, with new ones emerging and old ones returning with enhanced capabilities. In addition, the accessibilty of threat creation tools and services combined with the reward potential is driving the growth of the global cybercrime market into tens of billions of US dollars. To protect themselves, CISOs need to ensure that the data and security elements across all of their environments and devices are integrated, automated, and able to share intelligence, across an organisation, from IoT to the cloud.”
Interested?
Read more details about the report on the Fortinet blog
Things powered by the digital underground
Internet of Things (IoT) devices are sought-after commodities for cybercriminals around the world. Adversaries are building their own armies of "things" and the ability to cheaply replicate attacks at incredible speed and scale is a core pillar of the modern cybercrime ecosystem.
In Q416, the industry was reeling from the Yahoo! data breach and Dyn DDoS attack. Although both occurred in the US they affected people around the world as Yahoo account holders can be from any country whereas the Dyn clients which suffered outages included global services such as Twitter, Netflix and Reddit. Before the quarter was halfway done, the records set by both events were not only broken, but doubled.
IoT devices compromised by the Mirai botnet - used in the Dyn attack - initiated multiple record-setting DDoS attacks. The release of Mirai’s source code increased botnet activity by 25 times within a week, with activity increasing by 125 times by year’s end.
IoT-related exploit activity for several device categories showed scans for vulnerable home routers and printers topped the list, but digital video recorders/network video recorders (DVRs/NVRs) briefly eclipsed routers as the thing of choice with a massive jump spanning six-plus orders of magnitude.
Unlike other parts of the world, vulnerabilities in home routers formed the majority of IoT-based attacks in Asia Pacific. Many home routers are manufactured and deployed in this region, resulting in attacks on them being centred here.
 |
| Source: Fortinet infographic. Regional differences in mobile malware and botnets. |
Mobile malware has become a larger problem. Though it accounted for only 1.7% of the total malware volume, one in five organisations reporting malware encountered a mobile variant, nearly all on Android. Substantial regional differences were found in mobile malware attacks, with 36% coming from African organisations, 23% from Asia, 16% from North America, and only 8% in Europe. This data has implications for the trusted devices on corporate networks today.
Automated and high-volume attacks
The correlation between exploit volume and prevalence implies growing attack automation and lowering costs for malware and distribution tools available on the dark web, where cybercriminals operate. This is making it cheaper and easier than ever for attacks to be initiated.
- SQL Slammer ranked at the top of the exploit detection list with a high or critical severity ranking, mainly affecting educational institutions.
- An exploit indicating attempted brute force attacks on Microsoft Remote Desktop Protocol (RDP) ranked second in prevalance. It launched RDP requests at a rate of 200 times every 10 seconds, explaining the high volume detected across global enterprises.
- Ranking third in prevalence is a signature tied to a memory corruption vulnerability in Windows File Manager that allows a remote attacker to execute arbitrary code within vulnerable applications with a ,jpg (image) file.
- H-Worm and ZeroAccess had two of the highest prevalence and volume for botnet families in Asia Pacific. Both give cybercriminals control of affected systems to siphon data or perform click fraud and bitcoin mining. The technology and government sectors faced the highest numbers of attempted attacks by these two families of botnets.
Ransomware not going anywhere
Ransomware warrants attention regardless of industry and this high-value attack method will likely continue with the growth of ransomware-as-a-service (RaaS), where potential criminals with no training or skills can simply download tools and point them at a victim.
- Thirty-six percent of organisations detected botnet activity related to ransomware. TorrentLocker was the winner and Locky placed third.
- Two malware families, Nemucod and Agent, went on a crime spree. Eight in 10 (81.4%) malware samples captured belonged to these two families. The Nemucod family is infamously affiliated with ransomware. In Asia Pacific, the majority of malware infections are related to ransomware droppers such as Nemucod.
- Ransomware was present in all regions and sectors, but particularly widespread in healthcare institutions. This remains significant because when patient data is compromised the ramifications can be much more severe, as it has greater longevity and personal value than other types of data.
Phil Quade, CISO, Fortinet said, “The cybersecurity challenges facing organisations today are complex with a threat landscape that is rapidly evolving. Threats are intelligent, autonomosaus, and increasingly difficult to detect, with new ones emerging and old ones returning with enhanced capabilities. In addition, the accessibilty of threat creation tools and services combined with the reward potential is driving the growth of the global cybercrime market into tens of billions of US dollars. To protect themselves, CISOs need to ensure that the data and security elements across all of their environments and devices are integrated, automated, and able to share intelligence, across an organisation, from IoT to the cloud.”
Interested?
Read more details about the report on the Fortinet blog
*The Fortinet Global Threat Landscape report represents the collective intelligence of FortiGuard Labs in Q416 with research data covering global, regional, sector, and organisational perspectives. It focuses on three central and complementary aspects of the threat landscape: application exploits, malicious software (malware) and botnets.
No comments:
Post a Comment