Fortinet - FortiGuard Labs Threat Report: Disruption most important threat trend 2020
March 5, 2021
Bastian Seibel
Fortinet
When Fortinet's FortiGuard Labs analyses the threat landscape of the second half of 2020, only one word comes to mind for IT security experts: disruption. And this means more than just business disruption. The first half of 2020 demanded rapid changes in how companies do business and engage with their customers. At the same time, cybercriminals were quick to exploit the fears and concerns surrounding the pandemic to collect personal information or steal financial data.
While much of this continued into the second half of 2020, what is documented in FortiGuard Labs' new "Global Threat Landscape Report" is more of an extension of this initial, large-scale disruption across every vertical and geography.
More or less overnight, IT security personnel had to reshape their security strategies to defend their corporate networks on three fronts simultaneously: attacks targeting the home office, attacks on the digital supply chain, and increased ransomware attacks on core networks.
1. The home office remains a popular target
The separation that existed between logging into the corporate network from a corporate office and from home disappeared in many companies in 2020. Corporate networks were turned upside down, with many employees now accessing key network resources and applications from their home offices. This transition happened so suddenly that there was little time to plan an effective cybersecurity strategy. The result: when an outdated and sometimes inadequately secured home office is compromised, attackers are already a big step closer to compromising the corporate network as well.
Some companies are still trying to figure out how to effectively extend their company's IT security to their employees' home offices. In the second half of 2020 in particular, exploits targeting Internet-of-Things (IoT) devices such as home entertainment systems, home routers and connected security devices were among the top threats. Each of these IoT devices provides a new attack surface that must be defended against.
Meanwhile, resources that were once hidden behind a variety of enterprise-class security solutions are being protected in some situations with little more than SSL encryption. This is leading to increased success for cybercriminals who attack home networks with legacy exploits and then use them as a beachhead from which to launch attacks on the corporate network and cloud-based applications and resources.
2. Digital supply chains come into focus
Attacks on supply chains have a long history, but the SolarWinds affair has raised the discussion to a new level. FortiGuard Labs closely tracked the information released and used it to create Indicators of Compromise (IoCs). The identification of traffic related to SUNBURST in December 2020 shows that the hack found victims around the world, with the Five Eyes countries showing particularly high rates of IoC matches.
3. The ransomware onslaught continues
Ransomware activity increased sevenfold in the second half of 2020 compared to the first half of the year. The ongoing development of Ransomware-as-a-Service, the emphasis on 'big game hunting' (large ransoms from large targets) and the threat of exposing compromised data if demands are not met created a shadow market with massive growth. By the end of the year, these practices were used as additional leverage in ransomware campaigns in a large proportion of attacks.
The most active of the ransomware campaigns tracked between July and December 2020 were "Egregor", "Ryuk", "Conti", "Thanos", "Ragnar", "WastedLocker", "Phobos/EKING" and "BazarLoader". The sectors targeted by the ransomware attacks were diverse and included healthcare, professional services firms, public sector organisations and financial services providers.
To effectively address the rapidly evolving and growing risk of ransomware, organisations need to make fundamental changes to the security of their data. Coupled with the compromise of the digital supply chain and a workforce that telecommutes into the corporate network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions such as SASE to protect devices outside the network, advanced endpoint security solutions such as EDR (Endpoint Detection and Response) that can disrupt malware in the midst of an attack, and zero-trust access and network segmentation strategies that restrict access to applications and resources based on policy must be implemented to reduce the risk and impact of a successful ransomware attack.
Trends in the spread of vulnerability exploits
Patching is an ongoing priority for organisations to close vulnerabilities and security holes within an enterprise network. In practice, however, the challenge is often deciding "which patches?" and "when should they be rolled out?" These questions are difficult to answer, as few companies have the scale of data needed to give a well-founded response. Nevertheless, Fortinet, with the expertise of FortiGuard Labs, would like to try to shed some light on this:
By tracking the evolution of 1500 exploits over the past two years, FortiGuard Labs has been able to determine how quickly and how widely exploits spread. It appears that most exploits do not, in fact, spread quickly and widely. Specifically, of all the exploits tracked over the last two years, only about 5% were discovered by more than 10% of organisations. If a vulnerability is randomly selected, the data shows that the chance of an organisation being attacked is about 1 in 1000. About 6% of exploits hit about 1% of organisations within the first month, and even after a year, 91% of exploits have not crossed that 1% threshold.
Regardless, it is still advisable to focus on vulnerabilities with known exploits and to prioritise among these vulnerabilities those that spread fastest in the wild. Specialised solutions such as Greenbone can help with this.
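The prioritisation described above, expressed as a worked example (added here; not code from Fortinet or from the report): given per-organisation detection records, compute the share of organisations that saw each exploit within its first month and within its first year, and rank exploits by how fast they spread. Exploit names, dates, the population size of 1000 organisations and the records themselves are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

ORG_COUNT = 1000  # constructed: size of the monitored organisation population

# Constructed: publication date of each (hypothetical) exploit.
RELEASE = {
    "EXP-A": date(2020, 7, 1),
    "EXP-B": date(2020, 7, 1),
    "EXP-C": date(2020, 7, 1),
}


def _detections(name, first_org, count, day_offsets):
    """Build constructed (exploit, org_id, first_seen) records for `count` organisations."""
    return [(name, first_org + i,
             RELEASE[name] + timedelta(days=day_offsets[i % len(day_offsets)]))
            for i in range(count)]


RECORDS = (
    _detections("EXP-A", 0, 25, [3, 10, 20])      # 25 orgs, all within the first month
    + _detections("EXP-B", 100, 5, [7])            # 5 orgs in month one ...
    + _detections("EXP-B", 200, 7, [90, 200])      # ... 7 more later in the year
    + _detections("EXP-C", 300, 3, [400])          # 3 orgs, only after more than a year
)


def exploit_prevalence(records, org_count, release, window_days):
    """Fraction of organisations that saw each exploit within window_days of its release."""
    seen = defaultdict(set)
    for name, org, first_seen in records:
        if (first_seen - release[name]).days <= window_days:
            seen[name].add(org)  # a set, so repeat hits at one org count once
    return {name: len(orgs) / org_count for name, orgs in seen.items()}


def prioritise(records, org_count, release, threshold=0.01):
    """Rank exploits by 30-day prevalence, then 365-day prevalence.

    Returns (name, p30, p365, crossed_threshold_in_month, crossed_threshold_in_year),
    fastest-spreading first, so the top of the list is what to patch first.
    """
    p30 = exploit_prevalence(records, org_count, release, 30)
    p365 = exploit_prevalence(records, org_count, release, 365)
    ranked = sorted(release, key=lambda n: (-p30.get(n, 0.0), -p365.get(n, 0.0), n))
    return [(n, p30.get(n, 0.0), p365.get(n, 0.0),
             p30.get(n, 0.0) >= threshold, p365.get(n, 0.0) >= threshold)
            for n in ranked]
```

With the constructed data, EXP-A crosses the 1% mark in its first month, EXP-B only within the year, and EXP-C never does, which mirrors the three groups the report's figures describe.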
Original article by Derek Manky, Fortinet
Translated from English with DeepL
Abridged and corrected by Simon Schmischke