FortiGuard Labs Discovers 50% Increase in Wiper Malware

Global cybersecurity provider Fortinet recently announced its findings on the latest semiannual Global Threat Landscape report through its FortiGuard Labs. The report reveals that cyberattacks are evolving to become more destructive, as evidenced by the widespread distribution of wiper malware.

According to the report: “Ransomware threats remain at peak levels with no evidence of slowing down globally with new variants enabled by Ransomware-as-a-Service (RaaS). The most prevalent malware was more than a year old and had gone through a large amount of speciation, highlighting the efficacy and economics of reusing and recycling code. And Log4j continues to impact organisations in all regions and industries, most notably across technology, government, and education.”

FortiGuard Labs has reported that the analysis of wiper malware data has uncovered a disturbing trend where cyber adversaries are consistently using destructive attack methods against their targets. With the internet having no borders, these attacks can be easily scaled, thanks to the Cybercrime-as-a-Service (CaaS) model.

In 2022, FortiGuard Labs detected several new wipers during the Russia-Ukraine war, which later spread to other countries, producing a 53% increase in wiper activity from Q3 to Q4 alone. Although some of these wipers were initially developed and deployed by nation-state actors during the war, they are now being picked up by cybercriminal groups and spreading beyond Europe.

The surge in wiper malware activity during Q4 indicates that the trend of destructive cyberattacks is likely to continue, posing a potential threat to all organizations, regardless of their location.

Tracking which exploits cybercriminals favour can reveal their targets and intentions for future attacks. FortiGuard Labs maintains a vast database of known vulnerabilities and uses data enrichment techniques to track and identify actively exploited vulnerabilities in real time, enabling it to map zones of active risk across the attack surface.

In the latter half of 2022, only a small fraction (less than 1%) of the vulnerabilities detected within a large organization were actively under attack on endpoints, giving CISOs a clear picture of which vulnerable areas to prioritize for risk reduction and patching.
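The prioritisation described above, as an added illustration that is not FortiGuard's code: scanner findings are enriched with observed exploitation telemetry so the small set of findings actually under attack (the "zone of active risk") is patched ahead of a plain severity ranking. Every asset name, VULN-* identifier and count is a constructed placeholder.

```python
# Added illustration (not FortiGuard's code): enrich scanner findings with
# observed exploitation telemetry so the small "zone of active risk" is
# patched first. All assets, VULN-* ids and counts are constructed placeholders.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str       # host the scanner flagged
    vuln_id: str     # placeholder identifier, not a real CVE number
    severity: float  # CVSS-style base score, 0-10

# Constructed scanner output: what is present in the estate.
FINDINGS = [
    Finding("web-01", "VULN-0001", 10.0),
    Finding("web-02", "VULN-0001", 10.0),
    Finding("build-01", "VULN-0004", 9.8),
    Finding("db-01", "VULN-0002", 7.5),
    Finding("hr-01", "VULN-0003", 5.3),
]

# Constructed IPS / endpoint telemetry: (asset, vuln_id, exploit attempts seen).
EXPLOIT_EVENTS = [
    ("web-02", "VULN-0001", 7),
    ("web-01", "VULN-0001", 42),
    ("hr-01", "VULN-0003", 1),
    ("hr-01", "VULN-0003", 2),
]

def severity_only_order(findings):
    """Baseline: patch by CVSS alone, highest first (stable for ties)."""
    return sorted(findings, key=lambda f: -f.severity)

def active_risk_zone(findings, events):
    """Findings with exploitation observed on that very asset, ranked by
    attempts seen and then severity: the hot list to patch first."""
    attempts = defaultdict(int)
    for asset, vuln_id, n in events:
        attempts[(asset, vuln_id)] += n
    hot = [f for f in findings if (f.asset, f.vuln_id) in attempts]
    hot.sort(key=lambda f: (-attempts[(f.asset, f.vuln_id)], -f.severity))
    return hot

def active_fraction(findings, events):
    """Share of detected findings actually under attack (report: under 1%)."""
    if not findings:
        return 0.0
    return len(active_risk_zone(findings, events)) / len(findings)
```

With this data the severity-only ordering puts the unattacked 9.8 finding on build-01 third, while the exploitation-aware list drops it entirely and promotes the 5.3 finding on hr-01 that is actually being hit.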

FortiGuard Labs’ Incident Response (IR) efforts found that financially-motivated cybercrime made up the majority of incidents (73.9%), with espionage being a distant second (13%). In addition, ransomware or malicious scripts were involved in 82% of financially-motivated cybercrime incidents in 2022, demonstrating the continued prevalence of the global ransomware threat, largely due to the rise of RaaS on the dark web.

At the same time, ransomware volume increased by 16%. Out of the 99 observed ransomware families, the top five were responsible for nearly 37% of all ransomware activity.

Leading the ransomware families is GandCrab, a RaaS malware that emerged in 2018 and generated over US$2 billion in profits before its operators claimed to retire.

However, numerous iterations of GandCrab surfaced during its active period, suggesting that its legacy may continue through altered and re-released code. This highlights the need for collaborative efforts among global organisations to permanently dismantle criminal operations.

Cybercriminals are innovative and constantly seek to optimize their attacks for maximum gain. Code reuse is an effective and lucrative strategy for fine-tuning attacks and overcoming defensive obstacles.

Therefore, it’s crucial for cybersecurity stakeholders across public and private organisations and industries to establish strong, trusted relationships and work together to disrupt cybercriminal supply chains.

FortiGuard Labs’ analysis of prevalent malware in the second half of 2022 revealed that the top spots were dominated by more than one-year-old malware. Upon further examination of Emotet, it was discovered that this malware has undergone significant speciation, with variants breaking into approximately six different “species.” Moreover, cyber adversaries are automating threats and retrofitting code to increase their effectiveness.

In addition to code reuse, adversaries also leverage existing infrastructure and older threats to maximise opportunities. Morto, a botnet threat first observed in 2011, experienced a resurgence in late 2022, while Mirai and Gh0st.Rat continue to be prevalent across all regions.

Though considered “vintage,” these botnets are still pervasive because they are effective. Resourceful cybercriminals will continue to leverage existing botnet infrastructure and evolve it into increasingly persistent versions with highly specialised techniques, as they offer a good return on investment.

In the second half of 2022, Mirai’s most significant targets were MSSPs, the telco/carrier sector, and the manufacturing sector, which is known for its pervasive operational technology (OT).

The Log4j vulnerability, one of the most notable in history, was still heavily active in all regions during the second half of 2022, despite receiving significant publicity in 2021 and early 2022. FortiGuard Labs found that 41% of organisations detected Log4j activity, showing how widespread the threat remains.

Log4j IPS activity was most prevalent across the technology, government, and educational sectors, reflecting how widely the open-source Apache Log4j library is used. Organisations in every sector must therefore remain vigilant and apply appropriate security controls to protect themselves against these threats.

According to Derek Manky, chief security strategist and global VP threat intelligence, FortiGuard Labs: “For cyber adversaries, maintaining access and evading detection is no small feat as cyber defences continue to advance to protect organisations today. To counter, adversaries are augmenting with more reconnaissance techniques and deploying more sophisticated attack alternatives to enable their destructive attempts with APT-like threat methods such as wiper malware or other advanced payload.”

Manky continued: “To protect against these advanced persistent cybercrime tactics, organisations need to focus on enabling machine learning-driven coordinated and actionable threat intelligence in real time across all security devices to detect suspicious actions and initiate coordinated mitigation across the extended attack surface.”

“Organisations must remain vigilant against the latest attacks as cyber threats continue to become increasingly complex. According to the latest report from FortiGuard Labs, destructive wiper malware has seen an increase of more than 50% in recent times. This is particularly concerning, given the irreparable damage it can cause to critical infrastructure,” says Glenn Maiden, director of threat intelligence operations at FortiGuard Labs ANZ.