
Fortinet Report Analyzes Growing Cybercrime Threat Scenario

April 12, 2017

Fortinet has announced its latest report on the global cyber threat scenario. The study details the methods and strategies that cybercriminals use and explains the possible future impact on the digital economy. The question "What is my biggest threat?" remains difficult to answer as old threats reappear and new automated, high-volume attacks emerge.

Study Highlights: Local Data

Brazil is among the largest DDoS attack targets in the world and is the main target in Latin America.

One thing that really stands out is the alarming number of Cerber ransomware infections that occurred during the second quarter of 2016. According to the data, a little over 700 thousand victims of this malware were recorded in Brazil alone.

The ransomware most frequently detected by the threat telemetry system was Locky, observed in 87% of all detected ransomware infections, with TorrentLocker in second place. As with most types of ransomware, Locky and TorrentLocker hold the victim's data hostage by encrypting the files and then charging a ransom to decrypt them.

The majority of mobile malware detected runs on the Android system, because Android users can easily install third-party applications that are downloaded together with malware. The five most common mobile malware types are all related to Android, with Android/Generic.S.37D422!tr in first place; it is a type of Android trojan that steals user information.

The "Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass" signature caused the most attacks among the 5 most frequent IPS events, corresponding to over 9 million of the detected attacks. With just over a quarter of activity, the vulnerability present in the Netcore manufacturer's devices jumped to #1 with over 60% of all intrusion prevention events observed nationwide. No fix is available yet for this vulnerability, so the many attacks of this kind seen in 2016 are likely to continue in 2017.

Global data

Infrastructure trends and how they relate to threats

It is important to consider infrastructure trends and how they relate to the threat landscape. Exploits, malware, and botnets do not happen in a vacuum, and threat detection or prevention becomes increasingly complicated as network infrastructure evolves.

Data shows that SSL-encrypted traffic remained stable at about 50%, accounting for approximately half of an organization's overall web traffic. HTTPS traffic is an important trend to monitor because, while good for privacy, it presents challenges in detecting threats that may be hidden in encrypted communications. SSL traffic is often not scanned because of the heavy processing overhead required to decrypt, inspect, and re-encrypt it, forcing teams to choose between protection and performance.

In terms of total applications detected per organization, the number of applications in the cloud has increased, rising to 63, which is approximately one third of all applications detected. This trend has significant security implications because IT teams have less visibility into the data stored in cloud applications, the use of that data, and who has access to it. Social media, audio and video streaming, and P2P applications did not show a sharp upward trend.

An army of devices created by the digital underworld

IoT devices are sought-after products for cybercriminals worldwide. They are building armies of devices, and the ability to replicate attacks at low cost and at incredible speed and scale is the central pillar of the modern cybercrime ecosystem.

In Q4 2016, the industry was recovering from the Yahoo! data breach and the DDoS attack on the Dyn company. Before the middle of the quarter, the records set by these two events were not only broken but doubled.

Internet of things (IoT) devices, compromised by the Mirai botnet, initiated multi-record DDoS attacks. The release of Mirai source code increased botnet activity by 25 times in a week, with activity increasing by 125 times by the end of the year.

IoT-related scanning activity across various device categories showed scans of vulnerable routers and residential printers, but DVRs/NVRs soon eclipsed routers as the favorite target, producing a big leap that exceeds 6 orders of magnitude.

Mobile malware has become a bigger problem than before. While representing only 1.7% of the total malware volume, one in five organizations that reported malware detections found a mobile variant, almost always on Android. Considerable regional differences were found in mobile malware attacks, with 36% from Africa, 23% from Asia, 16% from North America, and 8% from Europe. This data shows which devices can be trusted in today's corporate networks.

Predominance of high volume automated attacks

The correlation between exploit volume and prevalence indicates increased attack automation and cost savings from the malware and distribution tools available on the dark web. This is making attacks cheaper and easier than ever.

SQL Slammer appeared at the top of the exploit detection list, rated high or critical, mainly affecting educational institutions.

Second is an exploit that indicates brute-force attack attempts against the Microsoft Remote Desktop Protocol (RDP). This threat launched RDP requests at a rate of 200 every 10 seconds, explaining the high volume detected in companies worldwide.
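A defender-side illustration of the RDP brute-force rate described above: this added Python example (not code from the Fortinet report) runs a sliding-window counter over constructed connection-log lines and flags sources that sustain many RDP attempts within 10 seconds. The log format, IP addresses and the alert threshold are assumptions for this example.

```python
"""Sliding-window detector for RDP brute-force bursts (added example).

The report describes an exploit firing RDP requests at about 200 every
10 seconds. Counting per-source attempts to port 3389 in a 10-second
sliding window surfaces that behaviour in connection logs. The log
format "<ISO timestamp> <src_ip> <dst_port> <action>" is constructed
for this example and lines are assumed to be in time order.
"""
from collections import defaultdict, deque
from datetime import datetime

RDP_PORT = 3389
WINDOW_SECONDS = 10
THRESHOLD = 50  # attempts per window; assumed value, tune per environment

# Constructed sample: one source sends 60 denied attempts in under 6 s,
# two other sources make single connections (documentation IP ranges).
SAMPLE_LOG = "\n".join(
    [f"2016-12-01T10:00:{i // 10:02d}.{i % 10}00 198.51.100.7 3389 deny"
     for i in range(60)]
    + ["2016-12-01T10:00:03.000 203.0.113.9 3389 allow",
       "2016-12-01T10:00:04.000 203.0.113.9 443 allow",
       "2016-12-01T10:00:05.000 192.0.2.44 3389 deny"]
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None


def find_rdp_bursts(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src_ip: peak_count} for sources whose RDP attempts exceed
    `threshold` within any `window`-second sliding window."""
    recent = defaultdict(deque)  # per-source timestamps inside the window
    peaks = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != RDP_PORT:
            continue  # skip malformed lines and non-RDP traffic
        ts, src, _ = rec
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop attempts older than the window
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks
```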

Third is a signature linked to a memory corruption vulnerability in Windows File Manager, which allows a remote attacker to execute arbitrary code in vulnerable applications using a JPG file.

H-Worm and ZeroAccess had the highest prevalence and volume among botnet families. These two threats give cybercriminals control over the affected systems to extract data or to commit click fraud and bitcoin mining. The technology and government sectors suffered the most attacks from these two botnet families.

Ransomware present in all regions and industries

Particular attention should still be devoted to the industry-independent ransomware threat, as this high-value attack method is likely to continue with the growth of ransomware-as-a-service (RaaS), where criminals without training or special skills can simply download tools and point them at a victim.

36% of organizations detected ransomware-related botnet activity. TorrentLocker came first and Locky third.

Two malware families, Nemucod and Agent, accounted for most of the activity: 81.4% of all malware samples collected belonged to these two families. The Nemucod family is associated with ransomware.

The presence of ransomware was detected in all regions and sectors, but mainly in healthcare institutions. This is very important because when patient data is compromised, the ramifications can be much more severe, as that data has greater longevity and personal value than other types of data.

Old but audacious exploits are back

To counter the attacks, companies have adopted a policy of "not allowing any vulnerability". Unfortunately, the attention devoted to patches and security holes in older devices or software means less time and attention to focus on the rapidly growing attack surface of today's digital devices.

In total, 86% of companies reported attacks that attempted to exploit vulnerabilities that have existed for more than 10 years. Almost 40% of them saw exploitation attempts against even older Common Vulnerabilities and Exposures (CVE) entries.

An average of 10.7 unique application exploits were tracked per organization. About 9 out of 10 companies detected high-severity or critical exploits.

Overall, comparing the average number of exploits, malware, and botnet families detected by organizations in each region of the world, Africa, the Middle East, and Latin America exhibited a greater number and variety of detections in every threat category. These differences were more pronounced for botnets.
