THREAT LANDSCAPE REPORT Q4 2017 TABLE OF CONTENTS TABLE OF CONTENTS Introduction and Key Findings . 3 Sources and Measures . 4 Infrastructure Trends . 6 Threat Landscape Trends . 9 Exploit Trends . 10 Mini Focus: Exploit Kits . 13 Malware Trends . 14 Mini Focus: Cryptomining Malware . 17 Botnet Trends . 18 Mini Focus: Zero-Day Research . 21 Exploratory Analysis . 22 Conclusions and Recommendations . 25 2 Q4 2017 HIGHLIGHTS AND KEY FINDINGS Q4 2017 INTRODUCTION AND KEY FINDINGS In many ways, the fourth quarter of 2017 was a montage of what played out before our Q4 2017 BY THE NUMBERS: eyes throughout the year. No one theme or threat stole the show such that everything Exploits else disappears into the background with time § 5,988 unique detections (+0.3%) Reaper breathed new life into threats targeting the Internet of Things (IoT). Key § 274 detections per firm (+82%) Reinstallation Attacks (KRACK) against WPA2 protocol pushed the word “nonce” out § 2% saw severe exploits (-7%) of the cryptographer’s lexicon and into the mainstream. Ransomware added some Malware sinister-sounding monikers like “Asasin” and “Bad Rabbit.” Cryptocurrencies surged § 17,671 unique variants (+19%) then crashed in value, and cryptomining attacks surged and crashed systems. The § 3,317 different families (+27%) Andromeda takedown warmed our hearts, but FALLCHILL reversed that feeling. § 22% detected ransomware (0%) Botnets Thank you for joining us once again as we process the past quarter together so we’re all better prepared for those ahead. As always, we begin with some highlights and then § 259 unique botnets detected (+2%) dive into the details as seen by our global array of sensors. § 513 daily botnet comms per firm (-1%) § 3.3% saw ≥10 botnets (+0.3%) THAT’S SO TYPICAL. Readers of this report will recognize the “Infrastructure Trends” we show quarter after quarter in Figure 1. A common question that arises is how typical those stats are of all organizations. If you have that same question, we’ve added Figure 2 just for you. STILL STRUTTING THEIR STUFF. Multiple exploits against the Apache Struts framework that made so much headway and so many headlines last quarter are still doing their thing. It’s a continuing example of how attackers swarm when they catch scent of a widespread, vulnerable target. SOME “THINGS” BREWING IN THE IoT. The arrival of the Reaper attacks and quadrupling of exploit activity against devices like Wi-Fi cameras in Q4 have our hackles raised about what’s next. We share why and what we’re watching for in the months to come. SAY CHEESE. We all know human families come in many different forms. We present portraits of common malware families in Figure 11 that show it’s no different for these threats. RANSOMWARE TO THE TOP. Ransomware has been a common thread in these reports but this is the first time two different strains have led the pack. Locky was a lock-in for the most prevalent malware variant in Q4 and GlobeImposter proved itself no imposter by taking the No. 2 spot. CRYPTOMINING MAL-WHERE? If you’re not familiar with cryptomining malware (also sometimes called cryptojacking), you’ll definitely want to check out our Mini Focus on that topic. We discuss the dramatic increase in these attacks and reveal where it’s happening the most. THAT FALLCHILL IN THE AIR. Our analysts monitored FALLCHILL threat activity closely in Q4 after the U.S. Department of Homeland Security, FBI, and US-CERT released indicators and research tying it to a North Korean APT group. FALLCHILL targets victims in the aerospace, telecommunications, and finance industries. A LITTLE REGIONAL FLAVOR. In our Exploratory Analysis section this quarter, we seek to find the threats that exhibit the highest amount of variation across regions of the globe. What’s on the menu in your neck of the woods? Read to find out! 3 SOURCES AND MEASURES SOURCES AND MEASURES SOURCES AND MEASURES The findings in this report represent the collective intelligence anonymized and contains no identifiable information on any entity of FortiGuard Labs, drawn from Fortinet’s vast array of network represented in the sample. devices/sensors within production environments. This comprises As one might imagine, this intelligence offers excellent views billions of threat events and incidents observed in live production of the cyber threat landscape from many perspectives. This environments around the world from October 1 through December report focuses on three central and complementary aspects of 31, 2017. According to independent research, Fortinet has that landscape, namely application exploits, malicious software the largest security device footprint and accordingly we boast (malware), and botnets. the largest sampling of threat data in the industry. All data was Exploits Application exploits described in this report were collected primarily via network IPS. This dataset offers a view into attacker reconnaissance activities to identify vulnerable systems and attempts to exploit those vulnerabilities. Malware Malware samples described in this report were collected via perimeter devices, sandboxes, or endpoints. For the most part, this dataset represents the weaponization or delivery stages of an attack rather than successful installation in target systems. Botnets Botnet activity described in this report was collected via network devices. This dataset represents command and control (C2) traffic between compromised internal systems and malicious external hosts. In addition to these different aspects of the threat landscape, we The figures in this report include a large number of threats. We use three measures to describe and interpret what the data tells provide brief descriptions on some, but you will undoubtedly desire us. You’ll regularly see the terms volume, prevalence, and intensity more information than we’re able to supply here. Consult the used throughout this report, and our usage of these terms will FortiGuard Labs Encyclopedia as needed while working your way always conform to the definitions provided here. through these pages. Measure of overall frequency or proportion. The total number or percentage of observations of a VOLUME threat event. Measure of spread or pervasiveness across groups. The percentage of reporting organizations2 PREVALENCE that observed the threat event at least once. Measure of daily volume or frequency. The average number of observations of a threat event per INTENSITY organization per day. 1 Source: IDC Worldwide Security Appliances Tracker, April 2017 (based on annual unit shipments) 2 We can only measure prevalence among organizations reporting threat activity. A prevalence of 50% for a given botnet doesn’t mean it impacted half of all firms in the world. It means half of the firms in our botnet dataset observed that particular botnet. That denominator usually represents tens of thousands of firms. 5 INFRASTRUCTURE TRENDS INFRASTRUCTURE TRENDS INFRASTRUCTURE TRENDS As has become our tradition, we begin this exploration of the Why is such a view needed? Remember from our previous reports Q4 2017 threat landscape not with threats, but rather with some that strong correlations exist between infrastructure usage and trends about infrastructure and application usage. When looking threat frequency. For example, firms that use a lot of P2P and proxy at any landscape, we typically focus on what’s at the top—trees, apps report seven to nine times as many botnets and malware as hills, water, and so forth—but we don’t often think about what lies those that don’t use any P2P or proxy apps! That alone is sufficient beneath all that. When it comes to the cyber threat landscape, the justification to monitor these trends closely. infrastructure statistics in Figure 1 offer us that underlying view of it all. Q1 2016 Q2 2016 Q3 2016 Q4 2016 Q1 2017 Q2 2017 Q3 2017 Q4 2017 Daily bandwidth 6.3G 7.7G 7.3G 8.5G 8.5G 6.4G 8.9G 10.6G HTTPS ratio 52.5% 49.8% 52.4% 50.8% 54.9% 57.3% 55.4% 58.5% Daily Total Apps 216 215 211 211 195 187 195 202 SaaS apps 33 35 35 36 33 28 32 37 IaaS apps 26 22 23 27 29 25 26 28 RAS apps 4 4 4 4 4 4 4 4 Proxy apps 4 4 4 5 4 4 4 3 P2P apps 1 2 2 1 1 1 1 1 Social apps 14 19 17 17 14 13 14 15 Streaming apps 17 24 21 20 16 14 15 15 Gaming apps 2 3 3 3 2 2 2 2 Daily website visits 600 590 571 595 502 411 404 364 FIGURE 1. QUARTERLY INFRASTRUCTURE TRENDS. NUMBERS REPRESENT THE MEDIAN VALUE PER FIRM. The statistics shown in Figure 1 were derived from a voluntary but consolidation in the enterprise software market, migrations threat assessment program that usually lasts about a week. to cloud application suites, and the use of mobile devices for The numbers differ dramatically across participants, which is personal web browsing are high on the list from our perspective. understandable given the mix of sectors, sizes, business models, Among applications, cloud apps are the only category that shows regions, and other factors. Even so, we get a snapshot of a an increase (barely). “typical” infrastructure profile and how that changes over time. Figure 1 is useful for keeping an eye on trends at a macro scale, Comparing Q4 2016 to Q4 2017, we see both give and take. but as mentioned above, these statistics represent a diverse array Firms appear to be using more bandwidth and encrypting more of organizations. Obviously, not all firms visit exactly 364 websites web traffic but visiting fewer sites and using fewer applications. or use 37 SaaS apps. The density plots3 in Figure 2 are more The “more” part of that statement probably won’t shock anyone, conducive to getting a sense for how these measures vary across but the “fewer” part may prompt some head scratching.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages28 Page
-
File Size-