Fortinet, the global cybersecurity provider driving the convergence of networking and security, has announced the latest semiannual Global Threat Landscape Report from FortiGuard Labs. 

According to the report, “The mass distribution of wiper malware continues to showcase the destructive evolution of cyberattacks.”

“New intelligence allows chief information security officers (CISOs) to prioritise risk mitigation efforts and minimise the active attack surface with the expansion of the ‘red zone’ approach.”

“Ransomware threats remain at peak levels with no evidence of slowing down globally with new variants enabled by Ransomware-as-a-Service (RaaS). The most prevalent malware was more than a year old and had gone through a large amount of speciation, highlighting the efficacy and economics of reusing and recycling code. And Log4j continues to impact organisations in all regions and industries, most notably across technology, government, and education.”

Analysing wiper malware data reveals a trend of cyber adversaries consistently using destructive attack techniques against their targets. It also shows that with the lack of borders on the internet, cyber adversaries can easily scale these attacks, which the Cybercrime-as-a-Service (CaaS) model has largely enabled.

In early 2022, FortiGuard Labs reported the presence of several new wipers in parallel with the Russia-Ukraine war. Later in the year, wiper malware expanded into other countries, fuelling a 53% increase in wiper activity from Q3 to Q4 alone. 

While some of this activity was enabled by wiper malware that may have been initially developed and deployed by nation-state actors surrounding the war, it is being picked up by cybercriminal groups and is spreading beyond just Europe. 

Unfortunately, the trajectory of destructive wiper malware does not appear to be slowing any time soon based on the activity volume seen in Q4, which means any organisation remains a potential target, not just organisations based in Ukraine or surrounding countries.

Exploit trends help show what cybercriminals are interested in attacking, probing for future attacks, and actively targeting. FortiGuard Labs has an extensive archive of known vulnerabilities and, through data enrichment, was able to identify actively exploited vulnerabilities in real-time and map zones of active risk across the attack surface.

In the second half of 2022, less than one percent of the total observed vulnerabilities discovered in an enterprise-size organisation were on endpoints and actively under attack, giving CISOs a clear view of the red zone through the intelligence of the active attack surface that they should prioritise efforts to minimise their risk and where to focus patching efforts.

FortiGuard Labs Incident Response (IR) engagements found that financially motivated cybercrime resulted in the highest volume of incidents (73.9%), with a distant second attributed to espionage (13%). Additionally, in all of 2022, 82% of financially motivated cybercrime involved the employment of ransomware or malicious scripts, showing that the global ransomware threat remains in full force with no evidence of slowing down, thanks to the growing popularity of RaaS on the dark web.

Ransomware volume increased by 16% from the first half of 2022. 

Out of 99 observed ransomware families, the top five families accounted for roughly 37% of all ransomware activity during the second half of 2022. 

GandCrab, a RaaS malware that emerged in 2018, was at the top. Although the criminals behind GandCrab announced that they were retiring after making over US$2 billion in profits, there were many iterations of GandCrab during its active time. This criminal group's long-tail legacy may still be perpetuating, or the code has simply been built upon, changed, and re-released, demonstrating the importance of global partnerships across all types of organisations to dismantle criminal operations permanently. Effectively disrupting cybercriminal supply chains requires a global group effort with strong, trusted relationships and collaboration among cybersecurity stakeholders across public and private organisations and industries.

Cyber adversaries are enterprising and always looking to maximise existing investments and knowledge to make their attack efforts more effective and profitable. Code reuse is an efficient and lucrative way for cybercriminals to build upon successful outcomes while making iterative changes to fine-tune their attacks and overcome defensive obstacles.

When FortiGuard Labs analysed the most prevalent malware for the second half of 2022, most of the top spots were held by more than one year old malware. FortiGuard Labs further examined a collection of different Emotet variants to analyse their tendency to borrow and reuse code. The research showed that Emotet has undergone significant speciation, with variants breaking into roughly six different "species" of malware. In addition, cyber adversaries are automating threats and actively retrofitting code to make it even more effective.

In addition to code reuse, adversaries also leverage existing infrastructure and older threats to maximise opportunity. When examining botnet threats by prevalence, FortiGuard Labs discovered that many top botnets are not new. For example, the Morto botnet, first observed in 2011, surged in late 2022. And others like Mirai and Gh0st.Rat continues to be prevalent across all regions. Surprisingly, out of the top five observed botnets, only RotaJakiro is from this decade.

Although writing off older threats as history may be tempting, organisations across any sector must continue to stay vigilant. These "vintage" botnets are still pervasive for a reason: They are still very effective. Resourceful cybercriminals will continue to leverage existing botnet infrastructure and evolve it into increasingly persistent versions with highly specialised techniques because the return on investment is there. Specifically, in the second half of 2022, significant targets of Mirai included managed security service providers (MSSPs), the telco/carrier sector, and the manufacturing sector, known for its pervasive operational technology (OT). Cybercriminals are making a concerted effort to target those industries with proven methods.

Even with all the publicity that Log4j received in 2021 and the early parts of 2022, a significant number of organisations still have not patched or applied the appropriate security controls to protect their organisations against one of the most notable vulnerabilities in history.

In the second half of 2022, Log4j was still heavily active in all regions and was second. FortiGuard Labs found that 41% of organisations detected Log4j activity, showing how widespread the threat remains. Log4j IPS activity was most prevalent across technology, government, and educational sectors, which should be no surprise, given Apache Log4j's popularity as open-source software.

Analysing adversarial strategies gives valuable insights into how attack techniques and tactics evolve to better protect against future attack scenarios. FortiGuard Labs looked at the functionality of detected malware based on sandbox data to track the most common delivery approaches. It is important to note that this only looks at detonated samples.

In reviewing the top eight tactics and techniques viewed in sandboxing, drive-by-compromise was the most popular tactic used by cybercriminals to gain access to organisations' systems across all regions globally. 

Adversaries are primarily gaining access to victims’ systems when the unsuspecting user browses the internet and unintentionally downloads a malicious payload by visiting a compromised website, opening a malicious email attachment, or even clicking a link or deceptive pop-up window. The challenge with the drive-by tactic is that once a malicious payload is accessed and downloaded, it is often too late for the user to escape compromise unless they have a holistic approach to security.

 “For cyber adversaries, maintaining access and evading detection is no small feat as cyber defences continue to advance to protect organisations today. To counter, adversaries are augmenting with more reconnaissance techniques and deploying more sophisticated attack alternatives to enable their destructive attempts with APT-like threat methods such as wiper malware or other advanced payloads. To protect against these advanced persistent cybercrime tactics, organisations need to focus on enabling machine learning-driven coordinated and actionable threat intelligence in real time across all security devices to detect suspicious actions and initiate coordinated mitigation across the extended attack surface,” says Derek Manky, chief security strategist and global VP threat intelligence, FortiGuard Labs.

“Organisations must remain vigilant against the latest attacks as cyber threats continue to become increasingly complex. According to the latest report from FortiGuard Labs, destructive wiper malware has seen an increase of more than 50 % in recent times. This is particularly concerning, given the irreparable damage it can cause to critical infrastructure,” says Glenn Maiden, director of threat intelligence operations at FortiGuard Labs ANZ. 

“Wiper malware has evolved into a more sophisticated form, which hostile nation-states or even terrorists can now deploy. Its devastating impact has already been witnessed in Ukraine, where wiper malware was used extensively against critical infrastructure. This form of attack has now proliferated to other countries and purposes, resulting in a 53% increase in wiper activity from 2022 Q3 to 2022 Q4 alone.” 

“It is important to note that wiper malware is different from ransomware. With ransomware attacks, victims can usually pay a ransom to regain access to their encrypted data. However, with wiper malware, the damage is irreversible, and there is no way to recover the lost data. In light of these evolving threats, businesses must remain vigilant and adopt best practices to stay ahead of the curve.”