An average of 274 exploit detections per firm were recorded in the last quarter of 2017, up 82% from the previous quarter, according to Fortinet’s latest global threat landscape report.
The report coincides with the publication of the results of a Big Brother Watch investigation that found UK councils face an average of 19.5 million cyber attacks a year, which equates to 37 a minute.
The Fortinet report shows that the number of malware families also increased by 25% and unique variants grew by 19%, indicating not only growth in volume, but also an evolution of the malware.
Also, automated and sophisticated “swarm attacks” are accelerating, the report said, making it increasingly difficult for organisations to protect users, applications and devices.
As businesses become more digital, the report warned that cyber criminals are taking advantage of the expanding attack surface to carry out new disruptive attacks, including swarm-like assaults that target multiple vulnerabilities, devices and access points simultaneously.
The combination of rapid threat development and the increased propagation of new variants is increasingly difficult for many organisations to counter, the report said.
The researchers found that encrypted traffic using HTTPS and SSL (secure sockets layer) grew to a high of 60% of total network traffic, but the report noted that although encryption can help protect data in motion as it moves between core, cloud and endpoint environments, it also represents a real challenge for traditional security technology that has no way of filtering encrypted traffic.
Three of the top 20 attacks identified in the quarter targeted internet of things (IoT) devices and exploit activity quadrupled against devices such as Wi-Fi cameras. None of these detections was associated with a known or named vulnerability, which the report said is one of the troubling aspects of vulnerable IoT devices.
Unlike previous IoT-related attacks, which focused on exploiting a single vulnerability, the report said new IoT botnets such as Reaper and Hajime can target multiple vulnerabilities simultaneously, which is much harder to combat.
Reaper’s flexible framework means that, rather than the static, pre-programmed attacks of previous IoT exploits, Reaper’s code is easily updated to swarm faster by running new and more malicious attacks as they become available. Demonstrating its swarm abilities, exploit volume associated with Reaper exhibited a jump from 50,000 to 2.7 million over a few days, before dropping back to normal.
The data shows ransomware is still prevalent, with several strains topping the list of malware variants. Locky was the most widespread malware variant and GlobeImposter was second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. In addition, there was a shift on the darknet from accepting only bitcoin for payment to other forms of digital currency, such as monero.
Cryptocurrency mining malware increased in the quarter as cyber criminals, recognising the growth in digital currencies, turned to a technique called cryptojacking to mine cryptocurrencies on victims’ computers using CPU resources in the background without the user knowing. Cryptojacking involves loading a script into a web browser – nothing is installed or stored on the computer.
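Because browser-based cryptojacking depends entirely on a mining script being loaded into the page, the defender’s first question is which origins a page actually pulls script from. The following Node-runnable example, added here and not taken from the Fortinet report, audits the `<script>` tags of a constructed sample page against an allowlist of trusted origins and derives the Content-Security-Policy `script-src` directive that would enforce that allowlist (CSP is the standard browser mechanism for restricting script sources; the page itself does not mention it). All hostnames, the sample HTML and the function names are assumptions made for the example.

```javascript
// Added example (not from the report): audit which origins a page loads script from.
// Constructed sample page: three first-party/allowlisted scripts, one foreign script
// and one inline script. The .test TLD is reserved, so none of these hosts are real.
const SAMPLE_HTML = `
<html><head>
<script src="/local.js"></script>
<script src="https://cdn.example-site.test/app.js"></script>
<script src="https://static.example-site.test/vendor.js"></script>
<script src="https://unknown-third-party.test/loader.js"></script>
<script>console.log('inline bootstrap');</script>
</head><body></body></html>`;

// Constructed allowlist of origins the site operator has approved (assumption).
const ALLOWED_ORIGINS = new Set([
  'https://cdn.example-site.test',
  'https://static.example-site.test',
]);

// Pull every <script ...> opening tag out of the document.
function extractScriptTags(html) {
  return html.match(/<script\b[^>]*>/gi) || [];
}

// Return the src attribute of a script tag, or null for an inline script.
function scriptSrc(tag) {
  const m = tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
  return m ? m[1] : null;
}

// Classify each script as allowed (same origin as the page or on the allowlist),
// foreign (any other origin, including unparseable URLs) or inline.
function auditScripts(html, pageOrigin, allowedOrigins) {
  const result = { allowed: [], foreign: [], inline: 0 };
  for (const tag of extractScriptTags(html)) {
    const src = scriptSrc(tag);
    if (src === null) {
      result.inline += 1;
      continue;
    }
    let origin = null;
    try {
      // Relative paths resolve against the page origin, i.e. first-party scripts.
      origin = new URL(src, pageOrigin).origin;
    } catch (e) {
      origin = null;
    }
    if (origin !== null && (origin === pageOrigin || allowedOrigins.has(origin))) {
      result.allowed.push(src);
    } else {
      result.foreign.push(src);
    }
  }
  return result;
}

// Build the CSP script-src directive that enforces the allowlist. Inline scripts are
// deliberately not permitted, so an injected inline miner would also be blocked.
function buildScriptSrcPolicy(allowedOrigins) {
  return `script-src 'self' ${[...allowedOrigins].join(' ')}`;
}

// Stand-alone run: report the foreign script and the policy that would block it.
console.log(auditScripts(SAMPLE_HTML, 'https://www.example-site.test', ALLOWED_ORIGINS));
console.log(buildScriptSrcPolicy(ALLOWED_ORIGINS));
```

In practice the audit input would come from a crawl of the organisation’s own pages or from browser telemetry, and the `foreign` list is the set to investigate; the regex parsing is sufficient for this illustration but a real tool should use an HTML parser.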
The report highlighted an increase in sophisticated industrial malware, with the data showing an uptick in exploit activity against industrial control systems (ICS) and safety instrumented systems (SIS). This suggests these previously under-the-radar targets are now receiving more attention from attackers, the report said, citing an attack dubbed Triton, which has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis.
Because these platforms affect vital critical infrastructures, they are enticing for threat actors, the report said, adding that successful attacks can cause significant damage with far-reaching impact.
The report also pointed out that steganography, which embeds malicious code in images, appears to be resurgent. The Sundown exploit kit, the report said, uses steganography to steal information, and although it has been around for some time, it was reported by more organisations than any other exploit kit, and was found dropping multiple ransomware variants.
Phil Quade, chief information security officer at Fortinet, said the volume, sophistication and variety of cyber threats continue to accelerate with the digital transformation of the global economy.
“Cyber criminals have become emboldened in their attack methods as they undergo a similar transformation, and their tools are now in the hands of many,” he said.
The stark reality, said Quade, is that traditional security strategies and architectures are simply no longer sufficient for a digital-dependent organisation. “There is incredible urgency to counter today’s attacks with a security transformation that mirrors digital transformation efforts,” he said.
“Yesterday’s solutions, working individually, are not adequate. Point products and static defences must give way to integrated and automated solutions that operate at speed and scale.”
The threat data in the quarter’s report reinforces many of the predictions made by the Fortinet FortiGuard Labs global research team for 2018, which forecast the rise of self-learning hivenets and swarmbots.
The report predicted that the attack surface will continue to expand, while visibility and control over today’s infrastructures diminish. To address the problems of speed and scale by adversaries, the report said organisations need to adopt strategies based on automation and integration.
“Security should operate at digital speeds by automating responses as well as applying intelligence and self-learning so that networks can make effective and autonomous decisions,” the report said.
Based on the report’s findings, Fortinet recommends that organisations:
- Manage vulnerabilities by prioritising software patching based on malware volume and implementing advanced threat protection capabilities, such as sandboxing, to detect and respond to unknown threats before they can affect the network.
- Be better prepared by prioritising cyber security awareness programmes, including educating users on how to recognise social engineering attacks.
- Modernise their defence capabilities to deal with attacks that target multiple vulnerabilities and devices simultaneously across multiple access points by implementing integrated, collaborative and automated security technologies.