Fortinet, a world leader in advanced cyber security, presented the results of its latest global threat landscape research. The study shows how cybercriminals are building an "army of things" that poses a serious security threat, and it draws attention to constantly changing and increasingly sophisticated attack methods.
Trends in infrastructure and their relation to threats
Detecting and stopping exploits, botnets and malware is becoming more difficult as network infrastructure evolves. According to the data, SSL-encrypted traffic held steady at about 50%, roughly half of all traffic generated by enterprises. The growing use of HTTPS is worth noting: while it protects privacy, it makes it harder to detect threats that may hide inside encrypted sessions. SSL traffic is often left uninspected because of the considerable cost of decryption, inspection and re-encryption, which forces IT teams to balance security against performance.
As for enterprise applications, the average number of applications running in the cloud has risen to 63, roughly one third of the total. This trend has important security implications: data stored by cloud-based applications is less visible, and insight into how that data is used and who accesses it is limited. By contrast, the use of social media, audio and video streaming and P2P applications has not increased dramatically.
"Army of things" built in the digital world
Internet of Things (IoT) devices are a tempting target for cybercriminals around the world. Attackers build their own "armies of things" that let them replicate attacks cheaply, extremely quickly and on a massive scale; this is the foundation of how today's cybercriminals operate. IoT devices taken over by the Mirai botnet led to record-breaking DDoS attacks. The release of the Mirai source code increased botnet activity 25-fold within a week and as much as 125-fold by the end of the year.
At the top of the list of threats are exploits targeting several categories of IoT devices, probing for security vulnerabilities in home routers and printers. For some time DVRs and NVRs were also near the top of the list; attacks making use of them increased as much as sixfold.
The number of attacks on mobile devices is increasing
Malware for mobile devices has become a bigger problem than before. Although it represents only 1.7% of total malware volume, as many as 20% of companies report having dealt with it, almost always on Android. There are significant regional differences: 36% of these attacks targeted companies in Africa, 23% in Asia, 16% in North America and only 8% in Europe. These findings are relevant to identifying trusted devices in enterprise networks.
Automated mass attacks have become commonplace
The relationship between the number of exploits and their prevalence points to increasing automation of attacks and falling prices for malware and tools distributed on the darknet. Carrying out attacks is cheaper and easier than ever before.
SQL Slammer tops the list of detected exploits rated as serious or critical, affecting mainly educational institutions. Second was a signature pointing to brute-force attacks against Microsoft Remote Desktop Protocol (RDP). This exploit initiated 200 RDP requests every ten seconds, which explains the large number of detections in companies around the world. Third was a signature associated with a memory-corruption vulnerability in Windows File Manager, which allows a remote attacker to execute arbitrary code within the affected application by means of a .jpg file.
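A detection-side illustration of the RDP brute-force cadence described above, added here as example code that is not part of the Fortinet report: it parses constructed connection-log lines (the log format, IP addresses and threshold are assumptions) and flags any source whose attempts against port 3389 exceed a rate within a 10-second window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src_ip> -> <dst_ip>:3389 <event>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):3389 (\w+)$")


def parse_line(line):
    """Return (timestamp, src_ip) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2)


def find_rdp_bruteforce(lines, window_s=10, threshold=20):
    """Sliding-window count of RDP connection attempts per source IP.

    Returns {src_ip: peak attempts seen in any window_s-second window}
    for every source that reached the threshold at least once.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peak = defaultdict(int)
    events = [p for p in map(parse_line, lines) if p]
    events.sort()                 # logs may arrive out of order
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # evict attempts older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


# Constructed sample: one source hitting 3389 every 50 ms (40 attempts in 2 s),
# one administrator connecting three times over several minutes, one bad line.
BASE = datetime(2017, 1, 10, 8, 0, 0)
SAMPLE_LOG = [
    f"{(BASE + timedelta(milliseconds=50 * i)).isoformat()} 203.0.113.7 -> 10.0.0.5:3389 connect"
    for i in range(40)
] + [
    f"{(BASE + timedelta(minutes=3 * i)).isoformat()} 198.51.100.9 -> 10.0.0.5:3389 connect"
    for i in range(3)
] + ["malformed line that should be skipped"]

if __name__ == "__main__":
    for src, n in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {n} RDP attempts within 10 s (threshold exceeded)")
```

Only the hammering source is reported; the administrator's three spaced-out logins never accumulate inside a single window.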
The most prevalent botnets were H-Worm and ZeroAccess. Both let criminals control compromised systems to extract data, and both are used for click fraud (fraudulent clicks on sponsored links or other forms of advertising for commercial gain) and for mining bitcoins. Attack attempts involving these two botnets were most frequent in the technology and public sectors.
Ransomware is not a thing of the past
The popularity of this highly cost-effective attack method will keep growing as ransomware-as-a-service (RaaS) offerings become more widely available, allowing even unskilled criminals to download ready-made tools and use them against victims. According to the survey results, 36% of enterprises detected botnet activity associated with ransomware. TorrentLocker was the most prevalent.
Two malware families, Nemucod and Agent, which together accounted for 81.4% of malware samples, also had their moment. The Nemucod family is commonly associated with ransomware, which is present in all regions and sectors, especially healthcare.
There are new arrivals, but older exploits are doing well
As many as 86% of companies experienced attack attempts against vulnerabilities more than ten years old. Nearly 40% of them saw exploits against even older, well-known vulnerabilities.
On average, 10.7 unique application exploits were seen per company, and roughly 9 out of 10 companies detected exploits rated as serious or critical. Overall, Africa, the Middle East and Latin America showed a higher number and greater diversity of detections in every threat category, compared with the average number of exploit, malware and botnet families detected in companies across other regions of the world. The differences were most visible for botnets.