FortiGuard labs reports disruptive shift of cyber threats

Issue 1 2021 Editor's Choice

Fortinet announced the findings of the latest semi-annual FortiGuard Labs Global Threat Landscape Report. Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world.

Fortinet announced the findings of the latest semi-annual FortiGuard Labs Global Threat Landscape Report. Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world.

Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks. They targeted the abundance of remote workers or learners outside the traditional network, but also showed renewed agility in attempts to target digital supply chains and even the core network.

“2020 witnessed a dramatic cyber-threat landscape from beginning to end,” says Derek Manky, chief, security insights and global threat alliances, FortiGuard Labs. “Although the pandemic played a central role, as the year progressed cyber adversaries evolved attacks with increasingly disruptive outcomes. They maximised the expanded digital attack surface beyond the core network, to target remote work or learning, and the digital supply chain.

“Cybersecurity risk has never been greater as everything is interconnected in a larger digital environment. Integrated and AI-driven platform approaches, powered by actionable threat intelligence, are vital to defend across all edges and to identify and remediate threats organisations face today in real time.”

Report highlights

Onslaught of ransomware continues: FortiGuard Labs data shows a sevenfold increase in overall ransomware activity compared to the first half of 2020, with multiple trends responsible for the increase in activity. The evolution of Ransomware-as-a-Service (RaaS), a focus on big ransoms for big targets, and the threat of disclosing stolen data if demands were not met combined to create conditions for this massive growth.


Derek Manky.

In addition, with varying degrees of prevalence, the most active of the ransomware strains tracked were Egregor, Ryuk, Conti, Thanos, Ragnar, WastedLocker, Phobos/EKING and BazarLoader. Sectors that were heavily targeted in ransomware attacks included healthcare, professional services firms, consumer services companies, public sector organisations, and financial services firms.

To effectively deal with the evolving risk of ransomware, organisations will need to ensure data backups are timely, complete, and secure off-site. Zero-trust access and segmentation strategies should also be investigated to minimise risk.

Supply chain takes centre stage: Supply chain attacks have a long history, but the SolarWinds breach raised the discussion to new heights. As the attack unfolded, a significant amount of information was shared by affected organisations. FortiGuard Labs monitored this emerging intelligence closely, using it to create IoCs (Indicator of Compromise) to detect related activity. Detections of communications with internet infrastructure associated with SUNBURST during December 2020 demonstrates that the campaign was truly global in nature, with the ‘Five Eyes’ exhibiting particularly high rates of traffic matching malicious IoCs. There is also evidence of possible spillover targets that emphasises the interconnected scope of modern supply chain attacks and the importance of supply chain risk management.

Adversaries target your online moves: Examining the most prevalent malware categories reveals the most popular techniques cybercriminals use to establish a foothold within organisations. The top attack target was Microsoft platforms, leveraging the documents most people use and consume during a typical workday. Web browsers continued to be another battlefront. This HTML category included malware-laden phishing sites and scripts that inject code or redirect users to malicious sites.

These types of threats inevitably rise during times of global issues or periods of heavy online commerce. Employees who typically benefit from web-filtering services when browsing from the corporate network continue to find themselves more exposed when doing so outside that protective filter.

The home branch office remains a target: The barriers between home and office eroded significantly in 2020, meaning that targeting the home puts adversaries one step closer to the corporate network. In the second half of 2020, exploits targeting Internet of Things (IoT) devices, such as those existing in many homes, were at the top of the list. Each IoT device introduces a new network ‘edge’ that needs to be defended and requires security monitoring and enforcement at every device.

Cast of actors joins global stage: Advanced Persistent Threat (APT) groups continue to exploit the COVID-19 pandemic in a variety of ways. The most common among them included attacks focused on gathering personal information in bulk, stealing intellectual property, and seizing intelligence aligned with the APT group’s national priorities. As the end of 2020 neared, there was an increase in APT activity targeting organisations involved in COVID-19-related work, including vaccine research and development of domestic or international healthcare policies around the pandemic. Targeted organisations included government agencies, pharmaceutical firms, universities, and medical research firms.

Flattening the curve of vulnerability exploits: Patching and remediation are ongoing priorities for organisations as cyber adversaries continue to attempt to exploit vulnerabilities for their benefit. By tracking the progression of 1500 exploits in the wild over the last two years, data demonstrates how fast and how far exploits propagate. Even though it is not always the case, it seems that most exploits do not seem to spread far very fast.

Among all exploits tracked over the last two years, only 5% were detected by more than 10% of organisations. With all things being equal, if a vulnerability is picked at random, data shows there is about a 1-in-1000 chance that an organisation will be attacked. About 6% of exploits hit more than 1% of firms within the first month, and even after one year, 91% of exploits have not crossed that 1% threshold. Regardless, it remains prudent to focus remediation efforts on vulnerabilities with known exploits, and among those, prioritise the ones propagating most quickly in the wild.

This latest Global Threat Landscape Report is a view representing the collective intelligence of FortiGuard Labs, drawn from Fortinet’s array of sensors collecting billions of threat events observed around the world during the second half of 2020. Similar to how the MITRE ATT&CK; framework classifies adversary tactics and techniques, with the first three groupings spanning reconnaissance, resource development, and initial access, the FortiGuard Labs Global Threat Landscape Report leverages this model to describe how threat actors find vulnerabilities, build malicious infrastructure, and exploit their targets. The report also covers global and regional perspectives as well.

Additional information can be found at:

1. https://www.fortinet.com/blog/industry-trends/fortiguard-labs-global-threat-landscape-report-2021

2. https://www.fortinet.com/content/dam/maindam/PUBLIC/02_MARKETING/08_Report/Global-TLR-2021-2H.pdf




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Enhance control rooms with surveillance and intelligence
Leaderware Editor's Choice Surveillance Mining (Industry)
Dr Craig Donald advocates the use of intelligence and smart surveillance to assist control rooms in dealing with the challenges of the size and dispersed nature common in all mining environments.

Read more...
A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Read more...
A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...
Integrated information platform for risk management
Editor's Choice News & Events Security Services & Risk Management
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Read more...
Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Security Services & Risk Management
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Read more...
Entries to southern Africa OSPA Awards now open
Technews Publishing Securex South Africa Editor's Choice News & Events
The southern Africa OSPAs are part of a global awards scheme that recognises and rewards teams, individuals and organisations for their commitment and outstanding performance within the security sector.

Read more...
Securex has moved to June
Technews Publishing Editor's Choice News & Events
Following the formal announcement of the date for South Africa’s national election, 29 May 2024 , which happened to be in the middle of the planned dates for Securex South Africa, Securex will now take place from 11 – 13 June 2024 at Gallagher Estate in Midrand.

Read more...