FortiGuard Labs Reports Destructive Wiper Malware Increases Over 50%

Adversarial Supply Chains Strengthen in Complexity and Sophistication to Counter Evolving Defenses

Fortinet, the global cybersecurity provider driving the convergence of networking and security, today announced the latest semiannual Global Threat Landscape Report from FortiGuard Labs.The threat landscape and organizations’ attack surface areconstantly transforming, and cybercriminals’ ability to design and adapt their techniques to suit this evolving environment continues to pose significant risk to businesses of all sizes, regardless of industry or geography. For a detailed view of the report, as well as some important takeaways, read the blog.

Highlights of the 2H 2022 report follow:

• The mass distribution of wiper malware continues to showcase the destructive evolution of cyberattacks.
• New intelligence allows CISOs to prioritize risk mitigation efforts and minimize the active attack surface with the expansion of the “Red Zone” approach.
• Ransomware threats remain at peak levels with no evidence of slowing down globally with new variants enabled by Ransomware-as-a-Service (RaaS).
• The most prevalent malware was more than a year old and had gone through a large amount of speciation, highlighting the efficacy and economics of reusing and recycling code.
• Log4j continues to impact organizations in all regions and industries, most notably across technology, government, and education.

Vishak Raman, Vice President of Sales, India, SAARC & Southeast Asia at Fortinet said, “For cyber adversaries, maintaining access and evading detection is no small feat as cyber defenses continue to advance to protect organizations today. To counter, adversaries are augmenting with more reconnaissance techniques and deploying more sophisticated attack alternatives to enable their destructive attempts with APT-like threat methods such as wiper malware orother advanced payloads. To protect against these advanced persistent cybercrime tactics, organizations need to focus on enabling machine learning–driven coordinated and actionable threat intelligence in realtime across all security devices to detect suspicious actions and initiate coordinated mitigation across the extended attack surface.”

Destructive APT-like Wiper MalwareSpreads Wide in 2022

Analyzing wiper malware data reveals atrend of cyber adversaries consistently using destructive attack techniques against their targets. It also shows that with thelack of borderson the internet, cyber adversaries can easily scale these types of attacks, which have been largely enabled by the Cybercrime-as-a-Service (CaaS) model.

In early 2022,FortiGuard Labs reported the presence of several new wipers in parallel with the Russia-Ukraine war. Later in the year, wiper malwareexpanded into other countries,fuelinga 53%increase in wiper activity from Q3 to Q4 alone.While some of this activity was enabled by wiper malware that may have been initially developed and deployed by nation-state actors surrounding the war, it isbeing picked up by cybercriminal groups and is spreading beyond just Europe. Unfortunately, the trajectory of destructive wiper malwaredoes not appear to be slowing any time soon based on the activity volume seen in Q4, which means any organization remains a potential target, not just organizations based in the Ukraine or surrounding countries.

Wiper Malware Volume

Mapping CVEs Reveals VulnerabilityRed Zone to Help CISOsPrioritize

Exploit trends help show what cybercriminals are interested in attacking, probing for future attacks, and are actively targeting.FortiGuard Labs has an extensive archive of known vulnerabilities, and through data enrichment was able to identify actively exploited vulnerabilities in realtime and map zones of active riskacross the attack surface.

In the second half of 2022, less than 1% of the total observed vulnerabilities discovered in an enterprise-size organizationwere on endpoints and actively under attack, giving CISOsa clear view of the Red Zonethrough intelligenceof the active attack surface that they should prioritize efforts to minimize their risk and where to focus patching efforts.

Financially Motivated Cybercrime andRansomware Threat Holding at Peak Levels

FortiGuard Labs Incident Response (IR) engagements found that financially motivated cybercrime resulted in the highest volume of incidents (73.9%), with a distant second attributed to espionage (13%). In all of 2022, 82% of financially motivated cybercrime involved the employment of ransomware or malicious scripts, showing that the global ransomware threat remains in full force with no evidence of slowing down thanks to the growing popularity of Ransomware-as-a-Service (RaaS) on the dark web.

In fact,ransomware volume increased 16% from the first half of 2022.Out of a total of 99 observed ransomware families, the top five families accounted for roughly 37% of all ransomware activity during the second half of 2022.GandCrab, a RaaS malwarethat emerged in 2018, was at the top of the list. Although the criminals behind GandCrab announced that they were retiring after making over $2 billion in profits, there were many iterations of GandCrab during its active time. It is possible that the long-tail legacy of this criminal group is still perpetuating, or the code has simply been built upon, changed, and re-released, demonstrating the importance of global partnerships across all types of organizations to permanently dismantle criminal operations. Effectively disrupting cybercriminal supply chains requires a global group effort with strong, trusted relationships and collaboration among cybersecurity stakeholders across public and private organizations and industries.

Adversary Code Reuse Showcasesthe ResourcefulNature of Adversaries

Cyber adversaries are enterprising in nature and always looking to maximize existing investments and knowledgeto make their attack efforts more effective and profitable. Code reuse is an efficientand lucrative way for cybercriminals to build upon successful outcomes while making iterative changes to fine-tune their attacks and overcome defensive obstacles.

When FortiGuard Labs analyzedthe most prevalent malware for the second half of 2022, the majority of the top spots were held by malware that was more than one year old. FortiGuard Labs further examined a collection of different Emotet variants to analyze their tendency to borrow and reuse code.The research showed that Emotet has gone through significant speciation with variants breaking into roughly six different “species” of malware. Cyber adversaries are not just automating threats but actively retrofittingcode to make it even more effective.

Older Botnet Resurrection Demonstrates the Resiliency of Adversarial Supply Chains

In addition to code reuse, adversaries are also leveraging existing infrastructure and older threats to maximize opportunity.When examining botnet threats by prevalence, FortiGuard Labs discover that many of the top botnets are not new.For example, theMorto botnet, which was first observed in 2011, surged in late 2022. And others likeMiraiand Gh0st.Rat continue to be prevalent across all regions. Surprisingly, out of the top five observed botnets, only RotaJakiro is from this decade.

Although it may be temptingto write off older threats as past history, organizations across any sector must continue to stay vigilant. These “vintage” botnets are still pervasive for a reason:They are still very effective. Resourceful cybercriminals will continue to leverage existing botnet infrastructure and evolve it into increasinglypersistent versions with highly specialized techniques because the ROI is there. Specifically, in the second half of 2022, significant targets of Mirai included managed security service providers (MSSPs),the telco/carrier sector, and the manufacturing sector, which is known for its pervasive operational technology (OT).Cybercriminals are making a concerted effort to target those industries with provenmethods.

Log4jRemains Widespread and Targeted by Cybercriminals

Even with all the publicity that Log4j received in 2021 and the early parts of 2022, a significant number oforganizations still have not patched or applied the appropriate security controls to protect their organizations against one of the most notablevulnerabilities in history.

In the second halfof 2022,Log4jwas still heavily active in all regions and was second.In fact and FortiGuard Labs found that 41% of organizations detectedLog4j activity, showing just how widespread the threat remains. Log4jIPS activity was most prevalentacross tech, government, and educational sectors, which should come as no surprise, given Apache Log4j’s popularityas open-source software.

Analyzing a Piece of the Malware Story:Delivery Shifts Demonstrate Urgency for User Awareness

Analyzing adversarial strategies gives us valuable insights into how attack techniques and tactics are evolving to better protect against future attack scenarios. FortiGuard Labs looked at the functionality of detected malware based on sandbox data to track the most common delivery approaches. It is important to note that this only looks at detonated samples.

In reviewing the top eight tactics and techniques viewed in sandboxing, drive-by-compromise was the most popular tactic used by cybercriminals to gain access into organizations' systems across all regions globally. Adversaries are primarily gaining access to victims’ systems when the unsuspecting user browses the internet andunintentionally downloads a malicious payload by visiting a compromised website, opening a malicious email attachment, or even clicking a link or deceptive pop-up window. The challenge with the drive-by tactic is that once a malicious payload is accessed and downloaded, it is often too late for the user to escape compromise unless they have a holistic approach to security.

Shifting to Meet the Threat Landscape Head-On

Fortinet is a leader in enterprise-class cybersecurity and networking innovation, helpingCISOs and security teams break the attack kill chain, minimize the impact of cybersecurity incidents, and better prepare for potential cyberthreats.

Fortinet's suite of security solutions includes a variety of powerful tools like next-generation firewalls (NGFW), network telemetry and analytics, endpoint detection and response (EDR), extended detection and response (XDR), digital risk protection (DRP), security information and event management (SIEM), inline sandboxing, deception, security orchestration, automation, and response (SOAR), and more. These solutions provide advanced threat detection and prevention capabilities that can help organizations quickly detect and respond to security incidents across their entire attack surface.

To complement these solutions and support short-staffed teams strained by the cybersecurity talent shortage, Fortinet also offers machine learning–enabled threat intelligence and response services. These provide up-to-date information on the latest cyberthreats and enable businesses to quickly respond to security incidents, minimizing the impact on their organization. Fortinet’s human-based SOC augmentation and threat intelligence services also help security teams better prepare for cyberthreats and provide real-time threat monitoring and incident response capabilities.

This comprehensive suite of cybersecurity solutions and services enables CISOs and security teams to focus on enabling the business and higher-priority projects.

 In accordance with the company, this latest Global Threat Landscape Report is a view representing the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed around the world during the second half of 2022. Using the MITRE ATT&CK framework, which classifies adversary tactics, techniques, and procedures(TTPs), the FortiGuard Labs Global Threat Landscape Report sets out to describe how threat actors target vulnerabilities, build malicious infrastructure, and exploit their targets. The report also covers global and regional perspectives as well as threat trends affecting both IT and OT environments