
By Aamir Lakhani, a cyber security researcher and practitioner with Fortinet’s FortiGuard Labs
Recently, FortiGuard Labs released the latest Global Threat Landscape Report for the second half of 2021. There is a ton of data in it and several key takeaways. The main themes running through this report are the increases in cybercriminal sophistication and speed.
First, let’s discuss why sophistication is a prominent aspect of the Report. Currently, the cutting-edge of the cybercrime threat landscape is based on the convergence between advanced persistent threats (APTs), threat actors, and nation-states. They are well-funded and mainly focused on the reconnaissance and weaponization part of the attack kill chain.
In the past, cybercriminals didn’t focus so much on the left side of the attack kill chain—let’s call it “the pre-attack framework.” But now, we are starting to see more and more cases of cybercriminal empires focusing on that pre-attack framework and hopping on fresh zero-day vulnerabilities.
Wasn’t always this sophisticated
It hasn't been the typical behavior of cybercriminals to use sophisticated attack methods. In the past, they used "tools" that were freely available on the internet, like proof-of-concept code that they could modify.
FortiGuard Labs is starting to see more specific design and development in many attacks.
A great benefit of our Threat Landscape Report is that it gives you an overview you may not otherwise have because you are working in the weeds every day. You may not see the big picture until you take a step back and look at what is happening on a macro level—especially from a “what’s trending” perspective.
Another key revelation from the Report regarding the increase in sophistication of malware and many other types of attacks is that cybercriminals now take advantage of advanced coding. It is not all Python anymore. The bad guys use more demanding languages like C++ for Linux and IoT-based attacks. They are also using Go and Java.
Everything under the sun is fair game
Cybercriminals use reconnaissance to uncover weaknesses in platforms, environments, and organizations. Obviously, taking advantage of these vulnerabilities is their goal. However, they are figuring out how to exploit the vulnerabilities and stay under the radar by using techniques that weren't thought of before or weren't commonly used.
We also see strong persistence in their attempts to evade security controls.
The Perfect Storm
A close study of the Report reveals that, in addition to becoming more sophisticated, cybercrime attacks are becoming more aggressive, especially ransomware.
The past year has seen a relentless, continuous surge of ransomware and ransomware settlements at levels not seen before. This is very concerning because the risks climb to extraordinary levels when you combine abundance with sophistication. Not only is the risk of getting attacked higher, but the actual destructiveness of the threats is skyrocketing.
Case in point: Wiperware.
Speed kills
Speed is also a consistent theme we see in recent attacks. FortiGuard Labs is seeing the window shrinking—in other words, attacks are executed more quickly—especially when compared with the targeted attacks of the past.
For example, looking back ten years, when we had to deal with Stuxnet and other famous long-winded attacks, it could be two years in the making. But what we saw at the end of 2021 with Log4j, in just 10 days, accounted for the most volume in our whole reporting period.
If we compare Log4j to the ProxyLogon set of vulnerabilities in MS Exchange from 2020, it was 50 times faster. We introduced a new metric, the rate of spread in that 10-day window, and compared it to a similar 10-day window for ProxyLogon. It was quite incredible how much faster it was.

A crazy spike in activity
When a threat like Log4j gets that much attention, the "blue team" defenders scan other organizations and their own organizations to see if they are vulnerable, while the "red team" (the hackers) scan all over the internet.
Because of the nature of Log4j, as soon as there was a public announcement, there was a crazy spike in traffic, with people scanning the internet from all sorts of media.
So, the amount of data we saw in 10 days eclipsed everything we had seen in the past.
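The rate-of-spread metric and the post-disclosure scanning spike described above can both be computed from ordinary sensor data. The following is an added example, not code or data from the article or from FortiGuard Labs: it parses constructed, daily-aggregated IPS sighting lines (the log format, the signature names "Constructed.Exploit.A"/"Constructed.Exploit.B", the dates and the hit counts are all assumptions made up for this example), sums sightings over a 10-day window starting at each campaign's disclosure day, takes the ratio between the two windows, and flags the days on which sightings jump above a pre-disclosure baseline. It also handles the two edge cases a SOC script actually hits: malformed lines and a comparison campaign with zero sightings.

```python
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed, daily-aggregated IPS sighting lines (NOT FortiGuard data).
# Format: "<date>T<hour>Z sensor=<id> sig=<signature> hits=<count>".
# Signature A is "disclosed" on 2021-12-10 with four quiet days before it;
# B is an older, slower campaign "disclosed" on 2021-03-02. All made up.
SAMPLE_LOG = """\
2021-12-06T12:00Z sensor=edge-01 sig=Constructed.Exploit.A hits=2
2021-12-07T12:00Z sensor=edge-01 sig=Constructed.Exploit.A hits=1
2021-12-08T12:00Z sensor=edge-02 sig=Constructed.Exploit.A hits=3
2021-12-09T12:00Z sensor=edge-01 sig=Constructed.Exploit.A hits=2
2021-12-10T12:00Z sensor=edge-01 sig=Constructed.Exploit.A hits=40
2021-12-11T12:00Z sensor=edge-02 sig=Constructed.Exploit.A hits=260
2021-12-12T12:00Z sensor=edge-03 sig=Constructed.Exploit.A hits=510
2021-12-13T12:00Z sensor=edge-01 sig=Constructed.Exploit.A hits=700
2021-12-14T12:00Z sensor=edge-02 sig=Constructed.Exploit.A hits=690
2021-12-15T12:00Z sensor=edge-01 sig=Constructed.Exploit.A hits=640
2021-12-16T12:00Z sensor=edge-03 sig=Constructed.Exploit.A hits=600
2021-12-17T12:00Z sensor=edge-01 sig=Constructed.Exploit.A hits=580
2021-12-18T12:00Z sensor=edge-02 sig=Constructed.Exploit.A hits=550
2021-12-19T12:00Z sensor=edge-01 sig=Constructed.Exploit.A hits=530
2021-03-02T12:00Z sensor=edge-01 sig=Constructed.Exploit.B hits=4
2021-03-03T12:00Z sensor=edge-02 sig=Constructed.Exploit.B hits=6
2021-03-04T12:00Z sensor=edge-01 sig=Constructed.Exploit.B hits=9
2021-03-05T12:00Z sensor=edge-03 sig=Constructed.Exploit.B hits=11
2021-03-06T12:00Z sensor=edge-01 sig=Constructed.Exploit.B hits=12
2021-03-07T12:00Z sensor=edge-02 sig=Constructed.Exploit.B hits=14
2021-03-08T12:00Z sensor=edge-01 sig=Constructed.Exploit.B hits=15
2021-03-09T12:00Z sensor=edge-03 sig=Constructed.Exploit.B hits=15
2021-03-10T12:00Z sensor=edge-01 sig=Constructed.Exploit.B hits=16
2021-03-11T12:00Z sensor=edge-02 sig=Constructed.Exploit.B hits=18
this line is deliberately malformed and must be skipped
"""

# Constructed disclosure dates for the two campaigns (assumptions).
DISCLOSURE_A = date(2021, 12, 10)
DISCLOSURE_B = date(2021, 3, 2)
BASELINE_START_A = date(2021, 12, 6)   # four quiet days before disclosure

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}Z sensor=(?P<sensor>\S+) "
    r"sig=(?P<sig>\S+) hits=(?P<hits>\d+)$"
)

def parse_sightings(text):
    """Yield (day, signature, hits); lines that do not match the expected
    format are skipped instead of crashing the whole pipeline."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield date.fromisoformat(m["day"]), m["sig"], int(m["hits"])

def daily_counts(text, signature):
    """Total hits per calendar day for one signature, across all sensors."""
    counts = defaultdict(int)
    for day, sig, hits in parse_sightings(text):
        if sig == signature:
            counts[day] += hits
    return dict(counts)

def window_total(counts, start, days=10):
    """Sightings in the `days`-day window beginning at `start` (inclusive)."""
    return sum(counts.get(start + timedelta(days=i), 0) for i in range(days))

def spread_ratio(counts_a, start_a, counts_b, start_b, days=10):
    """How much faster campaign A spread than B over equal-length windows.
    Returns None when B had no sightings, rather than dividing by zero."""
    total_b = window_total(counts_b, start_b, days)
    if total_b == 0:
        return None
    return window_total(counts_a, start_a, days) / total_b

def detect_spikes(counts, baseline_start, baseline_days=4, k=3.0, min_hits=10):
    """Flag days after the baseline whose count exceeds the baseline mean by
    k standard deviations. `min_hits` stops a flat baseline (stdev 0) from
    turning a handful of extra hits into a 'spike'."""
    baseline = [counts.get(baseline_start + timedelta(days=i), 0)
                for i in range(baseline_days)]
    threshold = max(mean(baseline) + k * pstdev(baseline), min_hits)
    first_day_after = baseline_start + timedelta(days=baseline_days)
    return sorted((d, n) for d, n in counts.items()
                  if d >= first_day_after and n > threshold)

if __name__ == "__main__":
    a = daily_counts(SAMPLE_LOG, "Constructed.Exploit.A")
    b = daily_counts(SAMPLE_LOG, "Constructed.Exploit.B")
    print("A 10-day total:", window_total(a, DISCLOSURE_A))
    print("B 10-day total:", window_total(b, DISCLOSURE_B))
    print("spread ratio A/B:", spread_ratio(a, DISCLOSURE_A, b, DISCLOSURE_B))
    for d, n in detect_spikes(a, BASELINE_START_A):
        print(f"spike on {d}: {n} sightings")
```

The baseline window is deliberately short so the script can run the day after disclosure; with real sensor data you would widen it and feed `daily_counts` from your SIEM export instead of the embedded sample. The ratio it prints (42.5 on the constructed data) is only an illustration of how the metric is formed, not a reproduction of the 50x figure from the Report.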
Nowadays, defenders need to be thinking about threats in days and hours. From a SOC (security operations center) perspective, analysts must prepare for and react to these threats within a 48-hour window.
The advantages of automation cut both ways
Something SOCs and networking and security organizations have been doing for a long time is taking advantage of automation using API infrastructure and back-end systems—just trying to configure things as quickly as possible.
But now attackers are thinking, "Hey, you know what, I can take advantage of that as well. I can use this for the 'dark side.'" So instead of writing code to specifically attack one organization, they are doing mass scans.
Cybercriminals are taking advantage of API code, API infrastructure, malware, and malware kits with this capability directly built in. That's a level of sophistication we hadn't seen before. It also shows the automation that malware authors and attackers are putting into their systems to try to get into organizations. However, this is also allowing the "good guys" to develop their own programs that take advantage of these malware engines.
This new level of sophistication and speed also shows how profitable it is for cybercriminals. If they are putting that much work into it and making it usable repeatedly, they must realize a substantial return on their investment (ROI). Never forget, most cybercriminals are running an illegitimate business, and the more they can reduce headcount and cycles and do automation, the more profitable they will be.
Why the focus on automation?
The Threat Landscape Report provides a view of cybercriminal TTPs (tactics, techniques, and procedures) as well. It highlights the sightings we see of MITRE ATT&CK framework TTPs.
If you look at the code execution tactic chart (Figure 11 from the Report – see below), you will see that API and scripting accounted for the majority of techniques—over 60% of all code execution techniques—versus 20% for user execution, which means waiting for a user to interact by clicking through dialogs or on malicious links.

Clearly, there is a specific focus on automation now. In the past, user interaction was the only way to do things like getting an opportunity for privilege escalation, so you could get into the system or take over a user's account that had admin or elevated privileges. Failing that, the bad guys would use another exploit to gain those elevated privileges.
However, with APIs, the bad guys can automate the whole attack and look for other types of high-value accounts.
There are many advantages to the dark side of using APIs. One is that you don't have to "knock on the door." That's a cybercriminal term for the technique of looking for vulnerabilities they can take advantage of and determining how valuable that vulnerability or exploit may be.
With APIs, threat actors can automate that entire process. The evildoers can run a script, and when it comes back to them, they will have a good sense of what they can accomplish. They get an idea of whether the exploit merits spending time on. So, this technique dramatically reduces costs for the bad guys. But the same methods are being used by the good guys in various ways—from SOCs to cloud deployments and beyond.
So, it's critically important from a SOC point of view to have automation to react quickly as well as proactively.
Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio.
Learn more about the Fortinet free cybersecurity training initiative, the Fortinet NSE Training program, Security Academy program, and Veterans program.
Aamir Lakhani is a cyber security researcher and practitioner with Fortinet’s FortiGuard Labs, with over 18 years of experience in the security industry. He is responsible for providing IT security solutions to major commercial and federal enterprise organizations. Lakhani has designed cyber solutions for defense and intelligence agencies, and has assisted organizations in defending themselves from active attacks. Lakhani is considered an industry leader in support of detailed architectural engagements and projects on topics related to cyber defense, mobile application threats, malware and advanced persistent threat (APT) research.
Sponsored and written by FortiGuard Labs