Tags: Fortinet

Fortinet reports destructive wiper malware increased by 50% in 2022

Malware - Fortinet report


Fortinet has announced the latest semiannual Global Threat Landscape Report from FortiGuard Labs. The report includes findings that the mass distribution of wiper malware continues to showcase the destructive evolution of cyber-attacks and that new intelligence allows CISOs to prioritise risk mitigation efforts and minimise the active attack surface with the expansion of the “Red Zone” approach.

Destructive APT-like wiper malware spreads wide in 2022

As outlined in the report, analysing wiper malware data reveals a trend of cyber adversaries consistently using destructive attack techniques against their targets. It also shows that, because the internet has no borders, cyber adversaries can easily scale these types of attacks, a capability that has been largely enabled by the cyber-crime-as-a-service (CaaS) model.

In early 2022, FortiGuard Labs reported the presence of several new wipers in parallel with the Russia-Ukraine war. Later in the year, wiper malware expanded into other countries, fueling a 53% increase in wiper activity from Q3 to Q4 alone. While some of this activity was enabled by wiper malware that may have been initially developed and deployed by nation-state actors surrounding the war, it is being picked up by cyber-criminal groups and is spreading beyond just Europe.

Unfortunately, based on the activity volume seen in Q4, the trajectory of destructive wiper malware does not appear to be slowing any time soon, which means any organisation remains a potential target, not just organisations based in Ukraine or surrounding countries.

Mapping CVEs reveals vulnerability Red Zone to help CISOs prioritise

Exploit trends help show what cyber-criminals are interested in attacking, what they are probing for future attacks, and what they are actively targeting. In the second half of 2022, less than 1% of the total observed vulnerabilities discovered in an enterprise-size organisation were both present on endpoints and actively under attack. Intelligence on this active attack surface gives CISOs a clear view of the Red Zone: the small set of vulnerabilities where they should prioritise risk-reduction and patching efforts.
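The Red Zone approach described above boils down to intersecting two data sets: the vulnerabilities actually present on an organisation's endpoints, and the vulnerabilities known to be under active exploitation. The following Python script is an added example and is not code from Fortinet or from the report; the hostnames, CVSS scores and CVE identifiers (placeholder `CVE-EXAMPLE-*` values) are constructed for illustration, and the "hosts affected times CVSS" ranking is one reasonable prioritisation heuristic, not the report's own method.

```python
"""Red Zone prioritisation: CVEs that are both found on endpoints and
confirmed to be actively exploited, ranked for patching.

Added example, not code from Fortinet or the Global Threat Landscape Report.
All inventory, exploitation and scoring data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RedZoneEntry:
    cve: str
    affected_hosts: int
    cvss: float
    priority: float  # affected_hosts * cvss (assumed heuristic)


def red_zone(endpoint_findings, actively_exploited, cvss_scores):
    """Return the CVEs present on endpoints that are also actively exploited,
    ranked highest priority first.

    endpoint_findings: iterable of (hostname, cve_id) pairs, e.g. from a
                       vulnerability scanner.
    actively_exploited: set of CVE ids confirmed under attack, e.g. from
                        IPS telemetry or a threat-intelligence feed.
    cvss_scores: dict cve_id -> CVSS base score; unknown CVEs default to 5.0.
    """
    hosts_by_cve = defaultdict(set)
    for host, cve in endpoint_findings:
        hosts_by_cve[cve].add(host)

    entries = []
    for cve, hosts in hosts_by_cve.items():
        if cve not in actively_exploited:
            continue  # present but not known-exploited: outside the Red Zone
        cvss = cvss_scores.get(cve, 5.0)
        entries.append(RedZoneEntry(cve, len(hosts), cvss, len(hosts) * cvss))
    # Highest priority first; CVE id breaks ties so output is deterministic.
    return sorted(entries, key=lambda e: (-e.priority, e.cve))


def red_zone_share(endpoint_findings, actively_exploited):
    """Fraction of distinct observed CVEs that fall inside the Red Zone."""
    observed = {cve for _, cve in endpoint_findings}
    if not observed:
        return 0.0
    return len(observed & actively_exploited) / len(observed)


# Constructed sample data (placeholder CVE ids, not real vulnerabilities).
SAMPLE_FINDINGS = [
    ("web-01", "CVE-EXAMPLE-0001"),
    ("web-02", "CVE-EXAMPLE-0001"),
    ("web-03", "CVE-EXAMPLE-0001"),
    ("db-01", "CVE-EXAMPLE-0002"),
    ("hr-laptop-07", "CVE-EXAMPLE-0003"),
    ("hr-laptop-08", "CVE-EXAMPLE-0003"),
    ("fileserver", "CVE-EXAMPLE-0004"),
    ("fileserver", "CVE-EXAMPLE-0005"),
]
# Constructed "actively exploited" feed; 0099 is exploited but absent from
# the estate, so it must not appear in the Red Zone.
SAMPLE_EXPLOITED = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003", "CVE-EXAMPLE-0099"}
SAMPLE_CVSS = {
    "CVE-EXAMPLE-0001": 9.8,
    "CVE-EXAMPLE-0002": 7.5,
    "CVE-EXAMPLE-0003": 5.5,
    "CVE-EXAMPLE-0004": 9.0,
}

if __name__ == "__main__":
    for entry in red_zone(SAMPLE_FINDINGS, SAMPLE_EXPLOITED, SAMPLE_CVSS):
        print(f"{entry.cve}: {entry.affected_hosts} hosts, "
              f"CVSS {entry.cvss}, priority {entry.priority:.1f}")
    share = red_zone_share(SAMPLE_FINDINGS, SAMPLE_EXPLOITED)
    print(f"Red Zone share of observed CVEs: {share:.0%}")
```

On the constructed data, two of the five distinct CVEs present on endpoints are also under active exploitation, so the Red Zone is 40% of the observed vulnerabilities; a real estate typically yields a far smaller share, which is the point of the approach: a short, defensible patching queue rather than the full scanner output. The exploited-but-absent CVE is deliberately excluded, since a threat feed alone says nothing about exposure.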

Financially motivated cyber-crime and ransomware threat holding at peak levels

FortiGuard Labs incident response (IR) engagements found that financially motivated cyber-crime resulted in the highest volume of incidents (73.9%), with espionage a distant second (13%). In all of 2022, 82% of financially motivated cyber-crime involved the use of ransomware or malicious scripts, showing that the global ransomware threat remains in full force with no evidence of slowing down, thanks to the growing popularity of ransomware-as-a-service (RaaS) on the dark web.

In fact, ransomware volume increased 16% from the first half of 2022. Out of a total of 99 observed ransomware families, the top five families accounted for roughly 37% of all ransomware activity during the second half of 2022. GandCrab, a RaaS malware that emerged in 2018, was at the top of the list.

Although the criminals behind GandCrab announced that they were retiring after making over $2 billion in profits, there were many iterations of GandCrab during its active time. It is possible that the long-tail legacy of this criminal group is still being perpetuated, or that the code has simply been built upon, changed and re-released. This demonstrates the importance of global partnerships across all types of organisations to permanently dismantle criminal operations. Effectively disrupting cyber-criminal supply chains requires a global group effort with strong, trusted relationships and collaboration among cybersecurity stakeholders across public and private organisations and industries.

Adversary code reuse showcases the resourceful nature of adversaries

Cyber adversaries are enterprising in nature and always looking to maximise existing investments and knowledge to make their attack efforts more effective and profitable. Code reuse is an efficient and lucrative way for cyber-criminals to build upon successful outcomes while making iterative changes to fine-tune their attacks and overcome defensive obstacles.

When FortiGuard Labs analysed the most prevalent malware for the second half of 2022, the majority of the top spots were held by malware that was more than one year old. FortiGuard Labs further examined a collection of different Emotet variants to analyse their tendency to borrow and reuse code. The research showed that Emotet has gone through significant speciation with variants breaking into roughly six different “species” of malware. Cyber adversaries are not just automating threats but actively retrofitting code to make it even more effective.

Older botnet resurrection demonstrates the resiliency of adversarial supply chains

In addition to code reuse, adversaries are also leveraging existing infrastructure and older threats to maximise opportunity. When examining botnet threats by prevalence, FortiGuard Labs discovered that many of the top botnets are not new. For example, the Morto botnet, which was first observed in 2011, surged in late 2022. Others like Mirai and Gh0st.Rat continue to be prevalent across all regions. Surprisingly, out of the top five observed botnets, only RotaJakiro is from this decade.

Resourceful cyber-criminals will continue to leverage existing botnet infrastructure and evolve it into increasingly persistent versions with highly specialised techniques because the ROI is there. Specifically, in the second half of 2022, significant targets of Mirai included managed security service providers (MSSPs), the telco/carrier sector and the manufacturing sector, which is known for its pervasive operational technology (OT). Cyber-criminals are making a concerted effort to target those industries with proven methods.

Log4j remains widespread and targeted by cyber-criminals

Even with all the publicity that Log4j received in 2021 and the early parts of 2022, a significant number of organisations still have not patched or applied the appropriate security controls to protect themselves against one of the most notable vulnerabilities in history.

In the second half of 2022, Log4j was still heavily active in all regions and ranked second overall. In fact, FortiGuard Labs found that 41% of organisations detected Log4j activity, showing just how widespread the threat remains. Log4j IPS activity was most prevalent across the tech, government and educational sectors, which should come as no surprise given Apache Log4j's popularity as open-source software.

Delivery shifts demonstrate urgency for user awareness

Analysing adversarial strategies gives valuable insight into how attack techniques and tactics are evolving, which in turn helps organisations better protect against future attack scenarios. FortiGuard Labs looked at the functionality of detected malware based on sandbox data to track the most common delivery approaches. It is important to note that this only covers detonated samples.

In reviewing the top eight tactics and techniques viewed in sandboxing, drive-by-compromise was the most popular tactic used by cyber-criminals to gain access into organisations’ systems across all regions globally. Adversaries are primarily gaining access to victims’ systems when the unsuspecting user browses the internet and unintentionally downloads a malicious payload by visiting a compromised website, opening a malicious email attachment, or even clicking a link or deceptive pop-up window. The challenge with the drive-by tactic is that once a malicious payload is accessed and downloaded, it is often too late for the user to escape compromise unless they have a holistic approach to security.

Shifting to meet the threat landscape head-on

Fortinet says that its suite of security solutions includes a variety of tools, such as next-generation firewalls (NGFW), network telemetry and analytics, endpoint detection and response (EDR), extended detection and response (XDR), digital risk protection (DRP), security information and event management (SIEM), inline sandboxing, deception, and security orchestration, automation and response (SOAR), to meet cybersecurity and malware needs.