A Semiannual Report by FortiGuard Labs
Douglas Santos, Director of Advanced Threat Intelligence
On-Demand Replay: https://register.gotowebinar.com/recording/7053274062895783172
Overview
Key insights
© Fortinet Inc. All Rights Reserved.
Overview – Key Insights
Don’t count out the old: We saw the resurgence of familiar names in the malware, wiper, and botnet space, including Emotet and GandCrab, to name a few. A reminder that old malware and even older businesses still need to remain vigilant.

Ransomware and wiper volume is still growing: There’s been a 16% increase in both ransomware and wipers in the second half of the year compared to the first half. However, when we look at a quarterly breakdown, we can see that wiper volume increased 53% between Q3 and Q4 of 2022.

Raspberry.Robin is the new bot with an old trick: 1 in 84 organizations were impacted by this new botnet, which entered the bot scene in September.

Introducing “The Red Zone”: We’ve seen plenty of takes on “Attack Surface” in the past few years. With our extensive archive of data on known vulnerabilities, including CVEs, we’re uniquely positioned to speak to the difference between the open vs. active attack surface. The majority of CVEs found didn’t appear on endpoints: less than 1% of all open CVEs were under attack, earning the name the “Red Zone.”
Most Active Malware Groups
On the Wild Samples Genetic Codebase Analysis
Most Active Malware Groups - APT
On the Wild Samples Genetic Codebase Analysis
Most Active Malware Groups - CyberCrime
Malware Code Reuse
Emotet Exploratory Analysis
Malware Code Reuse – Emotet
Shared code amongst clusters of variants
Ransomware and Wipers
Growth and Targets
Ransomware - Growth
Jan-Dec 2022 Ransomware Growth Tracking
Wiper - Growth
Jan-Dec 2022 Wiper Growth Tracking
Wiper - Ranking
Jul-Dec 2022 Top Wiper Families in the Wild
Wiper – Regional
Regional Prevalence of Wiper Families
Attack Surface
Active and Inactive Attack Surface
Endpoint CVEs
Active Attack Surface
Endpoint CVEs – Apple X Microsoft
Active Attack Surface Vendor Breakdown
Botnets
Post-Compromise Telemetry
Botnet – Volume x Prevalence
Active Botnets H2 2022
Botnet - Volume
Active Botnets H2 2022
Botnet – New
Active Botnets H2 2022 – New signatures
IPS Telemetry
Pre-Compromise Telemetry
Vulnerabilities – Exploited Platforms
Most Exploited Platform H2 2022
Vulnerabilities – Platforms Ranking Timeline
Jul-Dec 2022 Top Exploited Vulnerable Platforms
Vulnerabilities - Microsoft
Jul-Dec 2022 Top Exploited Microsoft Vulnerabilities
Vulnerabilities - Regional
The Long Reach of Log4J
Vulnerabilities – New Vulnerabilities
Jul-Dec 2022 Top Exploited Vulnerabilities
MITRE ATT&CK Heatmap
Tactics, Techniques and Procedures
Reconnaissance and Resource Development
Reconnaissance and Resource Development
Most Active Threat Actors on Telegram
Reconnaissance and Resource Development
Vulnerability Chatter on the Deep Web by Disclosure date
Reconnaissance and Resource Development
Most Successful Ransomware Groups
Global ATT&CK Heatmap
Most Used Techniques
Anthony K Giandomenico
Global VP, FortiGuard Security Consulting Services
Equal Opportunity for all Industries
[Chart: FortiGuard IR Investigations 2022 - Victim Industry Breakdown; one bar per industry, y-axis share of investigations from 0% to 16%]
Industries shown:
Banking & Capital Markets
Civil Government
Consumer Products
Defense, Security & Justice
Health Care
Industrial Products & Construction
Investment Management
Mining & Metals
Oil, Gas & Chemicals
Retail, Wholesale & Distribution
State, Local & Education
Technology
Transportation, Hospitality & Services
Top 3 - United States, LATAM, EMEA
[Chart: FortiGuard IR Investigations 2022 - Victim Region; one bar per region (Global, NA, EMEA, APAC, Africa, LATAM), y-axis share of investigations from 0% to 40%]
Actor’s Familiarity & Confidence with Technology = New TTPs
Exchange/OWA exploitation moves beyond initial access and becomes a core post-exploitation TTP (Persistence – Web Shells)
VMware used as an alternative technique to maintain access and minimize detection
• Monitor for anomalous process spawns from w3wp.exe
• Monitor for anomalous modifications of static webpages
• EDR technology - FortiEDR/XDR
• Prevent attackers from authenticating from VMs to other components of the network
• Maintain an asset database with the ability to detect rogue endpoints
Compromised Credentials Popular
Initial Access Techniques
T1078 - Valid Accounts: 44.8%
T1190 - Exploit Public-Facing Application: 20.7%
T1133 - External Remote Services: 17.2%
T1566 - Phishing: 6.9%
T1091 - Replication Through Removable Media: 3.4%
T1189 - Drive-by Compromise: 3.4%
T1199 - Trusted Relationship: 3.4%
• Deploy UEBA / SIEMs – FortiSIEM
• EASM and Dark Web Monitoring – FortiRecon
Financial Crime Dominated the Limelight
Assessed Intrusion Motivation
Financially motivated: 73.9%
Espionage: 13.0%
Infrastructure acquisition: 8.7%
Disruption: 4.3%
Technique prevalence by ATT&CK tactic
Initial Access: Valid Accounts 44.8%; Exploit Public-Facing Application 20.7%; External Remote Services 17.2%; Phishing 6.9%; Replication Through Removable Media 3.4%
Execution: PowerShell 65.2%; Windows Command Shell 52.2%; System Services 30.4%; User Execution 17.4%; Windows Management Instrumentation 13.0%
Persistence: Domain Accounts 52.2%; Windows Service 34.8%; Create Account 34.8%; Web Shell 21.7%; Scheduled Task 17.4%
Privilege Escalation: Domain Accounts 52.2%; Windows Service 30.4%; Local Accounts 17.4%; Access Token Manipulation 13.0%; Exploit for Privilege Escalation 8.7%
Defense Evasion: Valid Accounts 78.3%; Disable or Modify Tools 56.5%; File Deletion 43.5%; Deobfuscate/Decode Files or Information 39.1%; Match Legitimate Name or Location 30.4%
Credential Access: LSASS Memory 30.4%; Cached Domain Credentials 30.4%; Credentials from Password Stores 13.0%; DC Sync 8.7%; Credentials in Files 4.3%
Lateral Movement: Remote Desktop Protocol 69.6%; SMB/Windows Admin Shares 47.8%; Lateral Tool Transfer 39.1%; Windows Remote Management 13.0%; Software Deployment Tools 13.0%
Command and Control: Ingress Tool Transfer 73.9%; Web Protocols 69.6%; Remote Access Software 43.5%; Standard Encoding 39.1%; Web Service 30.4%
Impact: Data Encrypted for Impact 69.6%; Inhibit System Recovery 56.5%; Service Stop 47.8%; Resource Hijacking 8.7%; System Shutdown/Reboot 4.3%
Heatmap shading bands: Prevalence > 85%; 85% > Prevalence > 75%; 75% > Prevalence > 65%; 65% > Prevalence > 50%; 50% > Prevalence > 25%; 25% > Prevalence
Growing Detection Capabilities – Ransomware TTPs
1. Lock down and monitor PowerShell activity
2. Monitor for anomalous service creation
3. Watch for interference with endpoint security controls
• Increase logging and permissions auditing, and determine anomalous activity
• Deploy modern EDR technology
• Monitor standard Windows logs for new service creation (event ID 4697 and ID 7040)
• Monitor for services that reference files in odd locations, such as temp or user directories
• Many SIEMs have these detection capabilities
• Ensure alerting is set up for changes in service status on endpoint management systems
• Centralize Windows logs and check for event ID 7040 (change of state)
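The three checks above (new service creation via event ID 4697, services pointing at files in temp or user directories, and event ID 7040 start-type changes that disable security tooling) as working detection rules over constructed Windows event records. This is an added example, not FortiGuard code; the sample events, the known-service baseline and the regular expressions for "odd locations" and security-tool service names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). 4697 comes from the Security
# log, 7040 from the System log; field names follow the Windows event schema.
SAMPLE_EVENTS = [
    {"EventID": 4697, "SubjectUserName": "jdoe", "ServiceName": "WinUpdSvc",
     "ServiceFileName": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"EventID": 4697, "SubjectUserName": "SYSTEM", "ServiceName": "gupdate",
     "ServiceFileName": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"},
    {"EventID": 7040, "Message": "The start type of the Windows Defender Antivirus "
                                 "Service service was changed from auto start to disabled."},
    {"EventID": 7040, "Message": "The start type of the Print Spooler service was "
                                 "changed from demand start to auto start."},
]

# Baseline of service names the asset database already knows (assumed set).
KNOWN_SERVICES = {"gupdate", "Spooler", "WinDefend"}
# "Odd locations" from the slide: temp and user directories (assumed patterns).
ODD_LOCATION = re.compile(r"(\\temp\\|\\users\\|%temp%|\\appdata\\)", re.IGNORECASE)
# Services whose disabling suggests interference with endpoint security controls.
SECURITY_SERVICE = re.compile(r"defender|antimalware|sense|edr|endpoint protection", re.IGNORECASE)
# Parser for the 7040 message text: service name, old and new start type.
START_TYPE_CHANGE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.")

@dataclass
class Alert:
    rule: str
    severity: str
    detail: str

def check_service_install(ev):
    """Rules for a 4697 (service installed) record."""
    alerts = []
    name, path = ev["ServiceName"], ev["ServiceFileName"]
    if name not in KNOWN_SERVICES:  # anything outside the baseline is anomalous
        alerts.append(Alert("new-service", "medium", f"{name} installed by {ev['SubjectUserName']}"))
    if ODD_LOCATION.search(path):   # binary lives in a temp or user directory
        alerts.append(Alert("service-odd-location", "high", f"{name} -> {path}"))
    return alerts

def check_start_type_change(ev):
    """Rules for a 7040 (start type changed) record."""
    m = START_TYPE_CHANGE.match(ev["Message"])
    if not m:
        return []
    if m["new"].lower() == "disabled" and SECURITY_SERVICE.search(m["svc"]):
        return [Alert("security-control-disabled", "high", f"{m['svc']}: {m['old']} -> disabled")]
    return []

def evaluate(events):
    """Run every event through the rule matching its event ID; return all alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4697:
            alerts.extend(check_service_install(ev))
        elif ev["EventID"] == 7040:
            alerts.extend(check_start_type_change(ev))
    return alerts

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.detail}")
```

The benign records (a known updater service under Program Files, a spooler switched to auto start) produce no alerts, so the output is three findings from the two malicious-looking records.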
Contributing Factors to Incidents
[Chart: Factors Contributing to Incidents; x-axis Contributing Factor, y-axis Prevalence from 0% to 90%]
Factors shown:
Inadequate IR playbooks
Lack of network/system visibility/logging
Inadequate IR procedures
Inadequate patch management
Lack of personnel to adequately support security operations
Social engineering
Administrative error
End user error
Inadequate asset management
Insider threat
Closing Thoughts
Main Takeaways
Old threats don’t go away as quickly as you might think. You need to stay vigilant to quick shifts in the threat landscape and use that intel to drive defenses.

APT groups need special attention from your cybersecurity team, as they will never give up on an objective.

Once an outbreak happens, be quick to use FortiGuard-delivered resources to stop the attack and break its kill chain wherever you can. Once we deliver the information, it is up to the customer to make sure they are running the latest engine and DB definitions.

Being aware of the Pre-ATT&CK phase is as important as being prepared to detect and mitigate the most used ATT&CK techniques.

Your patch schedule can be influenced and driven by the active attack surface covered by this report; use it to help prioritize the “actively exploited ones”. For more up-to-date information, use EPSS, which is updated more frequently.

Use threat intelligence extensively for hunting known and unknown threats. Eventually something will get past your defenses; what will make a difference is how fast you are able to consume and operationalize cyber threat intelligence.
FortiGuard Labs What we’ve seen on the Threat Landscape, and what’s to come, Feb 16, 2023.pdf
