Exploiting the global pandemic

Issue 7 2020 Information Security

Fortinet announced the findings of the latest semi-annual FortiGuard Labs Global Threat Landscape Report. This latest Global Threat Threat Landscape Report is a view representing the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed around the world during the first half of 2020. It covers global and regional perspectives as well as research into three central and complementary aspects of that landscape: exploits, malware, and botnets.

The first six months of 2020 witnessed an unprecedented cyber threat landscape. The dramatic scale and rapid evolution of attack methods demonstrate the nimbleness of adversaries to quickly shift their strategies to maximise the current events centred around the COVID-19 pandemic.

There has never been a clearer picture than now of why organisations need to adjust their defence strategies going forward to fully take into account the network perimeter extending into the home. It is critical for organisations to take measures to protect their remote workers and help them secure their devices and home networks for the long term. Cyber social distancing is all about recognising risks and keeping our distance.

Some of the findings include:

• FortiGuard Labs threat intelligence from the first half of 2020 demonstrates the dramatic scale at which cybercriminals and nation-state actors leveraged a global pandemic as an opportunity to implement a variety of cyber-attacks around the world. The adaptability of adversaries enabled waves of attacks targeting the fear and uncertainty in current events as well as the sudden abundance of remote workers outside the corporate network, which quickly expanded the digital attack surface overnight.

• Although many compelling threat trends were related to the pandemic, some threats still had their own drivers. For example, ransomware and attacks targeting Internet of Things (IoT) devices as well as operational technology (OT) are not diminishing, but are instead evolving to become more targeted and more sophisticated.

• At a global level, the majority of threats are seen worldwide and across industries, with some regional or vertical variation. Similar to the COVID-19 pandemic, a certain threat might have started in one area but eventually spreads almost everywhere, meaning most organisations could face the threat. There are of course regional differences in infection rates based on factors such as policies, practices, or response.

Seizing the opportunity in global events

Attackers have used subjects in the news as social engineering lures before, but this moved to the next level in the first half of 2020. From opportunistic phishers to scheming nation-state actors, cyber adversaries found multiple ways to exploit the global pandemic for their benefit at enormous scale. This included phishing and business email compromise schemes, nation-state-backed campaigns and ransomware attacks. They worked to maximise the global nature of a pandemic that affected everyone around the world, combined with an immediately expanded digital attack surface. These trends were seen with other newsworthy items and demonstrate how quickly attackers can move to take advantage of major developments with broad social impact at a global level.

The perimeter gets more personal

The increase in remote work created a dramatic inverse of corporate networks almost overnight, which cyber adversaries immediately started to leverage as an opportunity. In the first half of 2020, exploit attempts against several consumer-grade routers and IoT devices were at the top of the list for IPS detections. In addition, Mirai and Gh0st dominated the most prevalent botnet detections, driven by an apparent growing interest of attackers targeting old and new vulnerabilities in IoT products.

These trends are noteworthy because they demonstrate how the network perimeter has extended to the home with cybercriminals seeking to gain a foothold in enterprise networks by exploiting devices that remote workers might use to connect to their organisations’ networks.

Browsers are targets too

For attackers, the shift to remote work was an unprecedented opportunity to target unsuspecting individuals in multiple ways. For example, web-based malware used in phishing campaigns and other scams outranked the more traditional email delivery vector earlier this year. In fact, a malware family that includes all variants of web-based phishing lures and scams ranked at the top for malware in January and February and only dropped out of the top five in June.

This may demonstrate the attempt of cybercriminals to target their attacks when individuals are the most vulnerable and gullible – browsing the web at home. Web browsers, not just devices, are also prime targets for cybercriminals, perhaps more than usual, as cybercriminals continue to target remote workers.

Ransomware not running away

Well-known threats such as ransomware have not diminished during the last six months. COVID-19-themed messages and attachments were used as lures in a number of different ransomware campaigns. Other ransomware was discovered rewriting the computer’s master boot record (MBR) before encrypting the data. In addition, there was an increase in ransomware incidents where adversaries not only locked a victim organisation’s data, but stole it as well and used the threat of wide scale release as additional leverage to try and extort a ransom payment.

The trend significantly heightens the risks of organisations losing invaluable information or other sensitive data in future ransomware attacks. Globally, no industry was spared from ransomware activity and data shows that the five most heavily targeted sectors for ransomware attacks are telco, MSSPs, education, government, and technology. Unfortunately, the rise of ransomware being sold as a service (RaaS) and the evolution of certain variants indicates that the situation with ransomware is not going away.

OT threats after Stuxnet

June marked the 10th anniversary of Stuxnet, which was instrumental in the evolution of threats to, and security of, operational technology. Now, many years later, OT networks remain a target for cyber adversaries. The EKANS ransomware from earlier this year shows how adversaries continue to broaden the focus of ransomware attacks to include OT environments.

Also, the Ramsay espionage framework, designed for the collection and exfiltration of sensitive files within air-gapped or highly restricted networks, is an example of threat actors looking for fresh ways to infiltrate these types of networks. The prevalence of threats targeting supervisory control and data acquisition (SCADA) systems and other types of industrial control systems (ICS) is less in volume than those affecting IT, but that does not diminish the importance of this trend.


Derek Manky.

Mapping exploitation trends

A review of the CVE List (https://cve.mitre.org/cve/) shows the number of published vulnerabilities added has risen over the last few years, sparking discussion over the prioritisation of patching. Even though 2020 looks to be on pace to break the number of published vulnerabilities in a single year, vulnerabilities from this year also have the lowest rate of exploitation ever recorded in the 20-year history of the CVE List.

Meanwhile, vulnerabilities from 2018 claimed the highest exploitation prevalence at 65%, and more than a quarter of organisations registered attempts to exploit 15-year-old CVEs. For cyber adversaries, exploit development at scale and distribution via legitimate and malicious hacking tools continues to take time.

Secure the network perimeter extending into the home

With the increase in connectivity, devices, and ongoing need for remote work, the digital attack surface is expanding. With the corporate network perimeter extending to the home, attackers are looking for the weakest link and fresh attack opportunities. Organisations need to prepare by taking concrete steps to protect their users, devices and information in ways similar to the corporate network.

Threat intelligence and research organisations can help by providing broad insight as the threat landscape evolves as well as in-depth analysis of attack methods, actors, and new tactics to help supplement the cyber knowledge of organisations. The need for secure teleworker solutions to enable secure access to critical resources while scaling to meet the demands of the entire workforce has never been greater. Only a cybersecurity platform designed to provide comprehensive visibility and protection across the entire digital attack surface – including networked, application, multi-cloud, or mobile environments – is able to secure today’s rapidly evolving networks.

Find the report at https://www.fortinet.com/content/dam/maindam/PUBLIC/02_MARKETING/08_Report/Threat-Report-H1-2020.pdf, or via the short URL www.securitysa.com/*fort1




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.