Cyber criminals and other threat actors continue to move forward with new tricks and tools designed to gain access to networks and the valuable assets within. The threat landscape moves very quickly, making it difficult for security teams to keep up, let alone respond. In the period from January 1 to April 30, 2016, participants in the Fortinet Cyber Threat Assessment Program (CTAP) recorded over 41 million threat events and incidents, many of which managed to pass established perimeter security devices to reach our assessment units deployed behind them. In this version of Fortinet’s CTAP Threat Intelligence Report, we call out select developments within the global threat environment – across all industries – that we view as noteworthy compared to the annual report published last quarter. More importantly, we give special focus to threats facing companies in the manufacturing sector (an industry not specifically reported on previously), as well as the continued threat that ransomware poses to the manufacturing sector and beyond.
- The majority of malware threats we see in live customer environments continue to depend on two key delivery vectors: web browsing, and email attachments or links leading to malicious content. The largest portion of malware being seen at the moment is cryptomalware and ransomware.
- Advertising content continues to account for a significant share of the traffic passing across enterprise networks today, and has been shown to be a potential source of malware as third-party advertising networks are subverted or tricked into delivering malicious ads.
- Fundamental Domain Name Server (DNS) infrastructure is increasingly under attack, primarily from Denial of Service (DoS)
Global, All Industry Update for 1Q16
As before, threats on networks come from many different sources; however, botnet activity continues to be a significant cause for concern for every vertical, as well as for companies of every size. Botnet owners that use multiple methods to build their armies and campaigns in order to expand their footprint are seen on a regular basis. They typically communicate with malware that continues to be spread via two key vectors: email and web traffic. In many cases, affiliate networks among cybercriminal organizations amplify the impact of attacks.
That said, the bots and malware topping the chart often change as shown below.
It is important to note both the resurgence of ZeroAccess (which, despite the best efforts of authorities to shut it down, continues to pop up on top threat charts) and the newer H-Worm (or Houdini Worm), a delivery vehicle for Remote Access Trojans (RATs).
It’s presumed that the masters of these large zombie networks continue to make substantial income. Perhaps more important is the inclusion of the CryptoWall botnet among the top 2 bots, reflecting the rise of ransomware over the past 12-18 months. This newer business model continues to make headlines and spark debate about whether or not to pay the ransom. The prevalence of this and other delivery vehicles suggests that enough victims indeed pay, making this a lucrative (and thus likely to accelerate) business venture for cybercriminals (we take a closer look at ransomware in a dedicated section later in the report).
In regard to application vulnerabilities and exploit activity, whereas our previous report noted continued targeting of established vulnerabilities like Shellshock and Heartbleed, in this quarter we see attempts to exploit newer vulnerabilities – namely the vulnerability announced late last year in the way some Microsoft Server products handle DNS. If you use a Microsoft Domain Name Server (or a hosted service based on it), be on the lookout for denial of service attacks on this key piece of Internet infrastructure and consider alternate service providers for business continuity.
Application, Media and Social Media Categories
While there were definitely notable changes across the threat landscape as explored above, user behavior remained largely the same.
Industry Focus: Manufacturing
The #1 discrete attack we saw was the Necurs botnet. As discussed earlier, bots generate a lot of traffic and often top the list. However, it is still noteworthy to see just one top the chart, and it’s especially troubling given that this particular bot is known for rootkit and other more sophisticated and evasive behavior. It is not a great surprise, however, to see that attacks targeting manufacturing (and not seen on the global list) seem to be designed for greater persistence within such intellectual property-rich environments. Ensuring a deeper level of inspection than the norm is particularly important in any information-rich sector. That said, looking at the remainder of the list in aggregate, we see an even greater incidence of downloaders (primarily new variants of the Nemucod malware) that have been used for many months as vehicles to deliver cryptomalware and ransomware. Unfortunately, awareness and good security habits among end users in industrial networks are often poor: users continue to click on links and attachments in emails that lead to compromise. An errant click or install can bring a machine to a crippling halt, and perhaps interrupt the day-to-day operations of a company. This may be a harbinger of an expansion of ransomware beyond its initial healthcare-oriented targets. As such, we discuss ransomware in more detail later in the report; it should be of particular concern to manufacturing organizations given the uptick in such attacks we have seen in this sector.
Manufacturing: Application Vulnerability Exploit Attempts
As we discussed in the global section, the top application exploit (at 45%) was aimed at the Microsoft DNS infrastructure, targeting a newer vulnerability. Looking closer at manufacturing, we see that this sector in particular was hard hit by these types of attacks, at 85%, well above the global average. Manufacturing organizations are encouraged to ensure appropriate countermeasures are in place, including basic DoS protection and ideally an additional source for domain name resolution. And of course, exploits of older vulnerabilities continue. The Shellshock vulnerability appeared in late September 2014. Bash is used by many systems. Almost 18 months later, attackers continue to scan the Internet looking for unpatched machines to infect, all the more reason to ensure that all the machines in your infrastructure are promptly patched. We also detected a large number of attempts to attack Adobe ColdFusion servers in these environments. In many manufacturing environments where tools and technologies use web-based front ends to manage systems, it is not uncommon to see systems woefully out-of-date and unpatched.
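The Shellshock scanning described above leaves a recognizable trace in web server logs: probes carry the bash function-definition prefix "() {" in a header that a CGI script would receive as an environment variable. The detection logic below is an added example, not code from the report or from Fortinet; the log lines are constructed samples in Apache combined format, and the field names and functions are this example's own.

```python
"""Flag Shellshock-style probe attempts in Apache combined-format access logs."""
import re

# Bash parsed a variable starting with "() {" as a function definition; Shellshock
# scanners place this prefix in User-Agent, Referer or the request line.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation-range IPs, not real traffic). The
# last line carries a bare "{}" in the User-Agent as a false-positive control.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2016:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"
198.51.100.7 - - [12/Mar/2016:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2016:10:03:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { ignored; }; /bin/true" "curl/7.43.0"
192.0.2.9 - - [12/Mar/2016:10:05:01 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) {}"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probe_field(entry):
    """Name of the first header-derived field carrying the Shellshock prefix, else None."""
    for field in ("req", "ref", "ua"):
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None


def find_probes(log_text):
    """List every probe with its source, request path, response status and matching field."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        field = probe_field(entry) if entry else None
        if field:
            parts = entry["req"].split()
            path = parts[1] if len(parts) > 1 else entry["req"]
            hits.append({"ip": entry["ip"], "path": path,
                         "status": int(entry["status"]), "field": field})
    return hits


def probing_sources(log_text):
    """Count probes per source address; repeated hits from one address indicate a scanner."""
    counts = {}
    for hit in find_probes(log_text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts
```

A 200 response to a probe against a CGI path only shows the script ran, not that the payload executed; confirm patch status on the host itself before treating a hit as a compromise.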
Manufacturing: Application Usage
As you should expect in a manufacturing environment, we saw a significant amount of data being consumed for services and management-related functions. Compared to other verticals, where categories like Video/Audio and Social Media are significant consumers of bandwidth, usage of these categories in manufacturing is well below the average.