Threat Landscape Report - Fortinet · REPORT: THREAT LANDSCAPE REPORT 5 Select Verticals Education Sector Open source vulnerabilities continue to be an issue in the education sector

Threat Landscape Report

REPORT

REPORT: THREAT LANDSCAPE REPORT

www.fortinet.com 2

Threat Landscape Report

Introduction Cybercriminals and threat actors continue to move forward with new tricks and tools designed to gain access to networks and the valuable assets within. During the last quarter, we saw major attacks from threat actors using complicated zero-day attacks including Rowhammer that may fundamentally change the way we approach public cloud, and the continuous rise of ransomware. Security teams, vendors, and professionals are all scrambling to respond to the continuous assault against their organizations.

In the period from April 1 to June 30, 2016, participants in the Fortinet Cyber Threat Assessment Program (CTAP) recorded over 185 million threat events and incidents. Many of these security events succeeded in getting past traditional perimeter security defenses and onto the internal network where Fortinet assessment devices were located. This provides a more accurate picture of threats that currently occur and penetrate organizations. In addition, we call out select developments across all industries that we consider noteworthy, as well as specific regional insights. We give special focus to threats facing companies, such as threat actor targeted activity, targeted spear phishing, and ransomware.

Overall Statistics

Previously, FortiGuard Labs reported that the primary threat delivery to organizations was via email attachments and links leading to malicious content, or through web browsing activities. This has not changed, and we have seen an increase in the volume and velocity of attempted attacks delivered via email.

Attacks against open source software were predominant across many industries. FortiGuard Labs found attacks, such as Shellshock, recorded some of the highest attempted exploits across many industries. Attackers are realizing that organizations have an extremely difficult time patching systems that contain vulnerabilities in libraries or auxiliary software, as opposed to merely patching the primary application. Additionally, attackers are attempting new techniques to

bypass perimeter security defenses and guard from detection. This includes using new techniques to craft older attacks. Attacks were not limited to targeting the GNU Bourne Shell. FortiGuard Labs also recorded a large number of attacks against OpenBSD operating systems, as well as attacks against a number of commonly used open source applications and services, such as DNS.

As in the past, we found high volumes of DDoS (distributed denial of service) attacks. Although attackers still attempted service-disruption techniques in large volumes, FortiGuard Labs saw an increase in targeted attacks that focused on breaching organizations over less-focused, disruption-based attacks.

Malware, Botnets and Spyware/Adware

Regin.botnet

WM/Agentitr

Andromeda.Bonet

Zeus

Tepfer. Botnet

CIG.Circular

conflicker.Botnet

Pushdo.Botnet

15%

Botnet Distribution

13%

12%

11%

12%

10%

14%

13%

Botnet activity continues to be a major cause for concern in every vertical. Botnet owners that use multiple methods to build their armies and campaigns in order to expand their footprint are seen on a consistent basis. They typically communicate with malware, which continues to be spread via two key vectors: email and drive-by web downloads. In many cases, affiliate ad networks among cybercriminal organizations amplify the impact of those attacks.


www.fortinet.com 3

Top Global Application Vulnerabilities

The top globally exploited attempt was against the Bourne Shell, the attack commonly referred to as Shellshock. The Shellshock attack was disclosed publicly on September 24, 2014. We were a little surprised this attack still existed in the wild, and had hypothesized that attacks were automated Internet scans with no real targets or vulnerabilities. Essentially, we thought attackers were hoping to find something in the wild. We believe attackers using automated systems is a plausible theory, because globally we see Heartbleed attempts as the third most-pervasive attempted attack. Shellshock and Heartbleed are generally tested together. Another variant of Heartbleed also shows up as the seventh most-popular attack.

Other attacks seen in FortiGuard Labs’ top global application vulnerabilities appear to be more targeted. The MS.GDIPlus attack (for more information, see http://fortiguard.com/

encyclopedia/ips/11581) is an attack where a victim just has to view a specific type of image within a Microsoft operating system or specific application and arbitrary code is run, giving an attacker the potential to compromise the entire system.

Select RegionsNorth America

North America had the highest number of unique applications being used per enterprise, and not surprisingly also the most application vulnerability attacks (with more than 40,000 incidents per day). It also recorded the highest number of websites visited each day. Subsequently, it had the second-highest bandwidth usage per day (15.3 GB).

While NA may have fewer formal environments (due to allowing the highest usage of gaming, audio/video streaming applications, etc.), it’s also the first to make a move on things

like cloud-based infrastructure (IaaS and cloud applications) technologies.

Across this region, FortiGuard Labs found that the two most dominant threats by count within the timeframe were the Expiro (34.04%) and Cidox (33.35%) botnets. By spread, the two biggest threats were the CIG.Circular botnet (15.13%) and the Malware_Generic.P0 virus (13.45%).

Name Average

Applications Detected 224.25

Cloud Applications Used 74.83

Malware/Botnets Detected 2.21

SaaS Applications Used 45.47

IaaS Applications Used 26.97

Remote Access Applications 3.62

Proxy Applications 4.86

Peer-to-Peer Applications 1.82

Social Media Applications 17.58

Video/Audio Streaming Applications 26.93

Gaming Applications 3.98

HTTPS/HTTP Usage Ratio 64% : 36%

Application Vulnerabilities per Day 40,911.81

Websites Visited per Day 1,037.83

Malicious Websites Visited per Day 0.26

Bandwidth Used per Day 15.3 GB

LATAMFortiGuard Labs found that LATAM had the highest peer-to-peer application usage and also the most remote access applications in use. One possible correlation between these numbers could be employees using remote access at night to tap into company bandwidth.

http://fortiguard.com/encyclopedia/ips/11581

http://fortiguard.com/encyclopedia/ips/11581


www.fortinet.com 4

In terms of malware, the H-worm botnet was far and away the dominant presence, representing more than half (52.12%) of all cases detected in the region during this reporting phase. The second-highest threat by count was the Jenxcus botnet, coming in at 12.7% of all LATAM cases. By spread, the leading threats were the H-worm botnet (14.89%), the Andromeda botnet (12.77%), and the JS/FakejQuery.BD!tr virus (12.77%).

Name Average














Websites Visited per Day 659.07



EMEAThe data for the Europe, Middle East, and Africa region suggests that it has more formal environments, as illustrated by it not leading in any application categories with the exception of SaaS Applications Used. This may correlate to the fact that EMEA organizations generally standardize on corporate applications and infrastructure. The report data also suggests that EMEA organizations may not be as fast to adopt cloud-based infrastructure (IaaS), instead opting for customer-provided equipment (CPE) solutions.

Within EMEA, we found that the two predominant malware threats by count were the Conficker botnet (22.36%) followed by the Andromeda botnet (20.03%). The Malware_Generic.P0 virus was the leading malware threat by spread, coming in at 16.36% of all cases recorded.

Name Average

















APACAsia-Pacific leads all regions in malware/botnets detected. This statistic may correlate to them simultaneously being ranked first in malicious websites visited per day. APAC generally also has the lowest HTTPS/HTTP ratio, which means that their applications are comparatively less encrypted when moving over the wire. These businesses also utilized the largest amount of bandwidth per day (16.1 GB) and averaged the highest number of social media applications of any region (18).

In regard to malware, the Kelihos virus dominated with nearly 76% of counted incidents in APAC during the reporting window. By spread, the highest occurring threats were the Zeus virus (16.67%), the Tepfer botnet (12.50%), and the Malware_Generic.P0 (12.50%).

Name Average









Social Media Applications 18









www.fortinet.com 5

Select Verticals Education Sector

Open source vulnerabilities continue to be an issue in the education sector. However, we are beginning to see more web-based application attacks. Some of the attacks appear to be components of client-based attacks. This should not be a surprise since there are ample vulnerabilities for attackers to target with client-based attacks. One example is CGI.WPSHOP.Remote.Command.Exe, which allows an attacker to execute commands without authentication under the privileges of the web server.

Financial Sector

Attacks against the financial industry appeared to be more concentrated around remote exploitation. Most attacks do not focus on simple denial-of-service attacks, such as the OpenBSD IPv6 fragmentation attacks experienced in the healthcare sector. Attackers, for obvious reasons, appear more motivated around the financial sector.

FortiGuard Labs also correlated a large number of ransomware attacks

against the financial industry. Many of the vulnerabilities listed here, such as the MS.GDIPlus JPEG vulnerability or the Angler exploit kit, were used in attempts to deliver ransomware en masse. Correspondingly, ransomware attacks were noticed in the financial industry in far greater numbers than other observed industries during the same timeframe using similar sample sizes. We were surprised to see some attacks not commonly noticed in enterprise networks, such as command injection against ASUS routers. These types of attacks are usually more prevalent on home networks, as attackers can redirect traffic to malicious websites or browse local networks.

After investigation and interviews, FortiGuard Labs found that several large financial providers rent out office space to smaller providers such as financial advisors and other professionals. In many cases the offices are independent of the brokerage’s IT staff, even though they may connect on a port belonging to the brokerage firm. The smaller offices typically will install home routers to segment their office from the rest of the brokerage firm’s network. Segmentation with “rented” switching presents an additional attack service for financial institutions and should be considered carefully.


www.fortinet.com 6

The most prevalent malware in the financial industry was njRAT (which is a remote access Trojan). It is quite dated at this point and should be detected by most antivirus software. Although it has depreciated as an attack tool, FortiGuard Labs still found a large number of attempts against the financial sector. We believe this is the case because the botnet is relatively easy to manipulate and modify.

While we found these sorts of common attacks against financial companies to be normally detected with ease, we also noted that attackers are taking these legacy approaches and modifying them to avoid detection. For example, on several samples of njRAT, we found that attackers used encryptor tools to change how anti-malware technology examines the malware.

Technology SectorBelow is a spread of the technology sector. We see a spread similar to other sectors, although we do start to see some attacks specifically around technology OEMs, such as multiple attempted vulnerabilities around Microsoft and Adobe technologies.

Healthcare Sector


www.fortinet.com 7

Across multiple global geographic regions, healthcare application vulnerabilities differed from other verticals. One of the top healthcare attacks FortiGuard Labs found was what commonly leads to an OpenBSD denial-of-service attack. The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise). More commonly, the attack leads to remote denial-of-service attacks. The attack is triggered using specially crafted IPv6 fragmented packets. Fortinet security devices found that traditional perimeter security devices on occasion did not properly identify or stop attacks crafted using IPv6 packets.

Furthermore, this specific approach requires an attacker to inject IPv6 packets into a local network. In other words, the majority of these attacks usually occur from the internal networks rather than being sourced from the Internet. The local network does not necessarily need to have IPv6 stacks or routing enabled for the attack to be effective. The extremely high dominance of this attack leads us to believe complicated healthcare networks may have a difficult time with internal segmentation and insider threats.

In addition, we can see attacks against other systems commonly found within healthcare providers such as the Joomla content management system.

Recommended ActionsFortiGuard Labs experts recommend the following to cover general best practices to address our report findings:

nn Data should be protected, segmented, and monitored. Your infrastructure should control access as much as possible. If a particular business segment doesn’t use a certain set of data, then limit their access to it.

nn “Flat” networks offer little resistance to attackers once they’ve penetrated the perimeter. The inclusion of extensive physical and logical separation (such as internal segmentation firewalls) throughout an infrastructure can slow attacks and help detect them before significant losses or damage occur.

nn Make regular audits of your company’s security posture. Security should be tested and reviewed on an ongoing basis

for both qualitative and quantitative efficacy. Independent evaluation by an outside party can offer new ideas and approaches, especially in times of rapid change.

nn Keep track of the various legal and regulatory requirements for your industry. Some require specific security controls and/or technologies.

nn Educate your people. Employees that have access to outside content, sites, and applications on their work devices also present potential threat exposures. Regular training and testing can help them spot malicious emails and other malware delivery methods.

About FortiGuard LabsFor more than 10 years, Fortinet’s dedicated security research team, FortiGuard Labs, has led the industry in innovation, powering all top-rated Fortinet security platforms. This

Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

GLOBAL HEADQUARTERSFortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +1.408.235.7700www.fortinet.com/sales

EMEA SALES OFFICE905 rue Albert EinsteinValbonee06560, Aples-Maritimes, FranceTel: +33.4.8987.0500

APAC SALES OFFICE300 Beach Road 20-01The ConcourseSingapore 199555Tel: +65.6513.3730

LATIN AMERICA SALES OFFICEPaseo de la Reforma 412 piso 16Col. JuarezC.P. 06600 México D.F.Tel: 011-52-(55) 5524-8428

WHITE PAPER: THREAT LANDSCAPE REPORT

Oct 5, 2016

accomplished group is composed of over 200 dedicated security threat researchers, engineers, and forensic specialists. They’re tasked with outsmarting cybercriminals and delivering cutting-edge protection tools to our global customers—assuring some of the fastest response times in the industry to new vulnerabilities, attacks, viruses, botnets, and other threats.

The FortiGuard Labs team collaborates with the world’s leading threat monitoring organizations to advise and learn of emerging risks and new trends. Additionally, the team contributes to the overall security industry by identifying and responsibly reporting vulnerabilities directly to vendors of hardware, operating systems, and applications.

FortiGuard Labs has teams operating in North America, Asia, and Europe. In a typical week, FortiGuard Labs processes over 220 TB worth of threat samples and updates approximately:

nn 2 million antivirus signatures

nn 18,000 intrusion-prevention system (IPS) rules

nn 250 million URL ratings in 78 categories

nn 47,000,000 anti-spam signatures

In addition, FortiGuard Labs tracks more than:

nn 5,800 application control signatures

nn 700 database security policies

nn 3,000 web application firewall attack signatures

FortiGuard Labs has also discovered and responsibly disclosed hundreds of zero-day threats across the entire threat landscape—from popular and common software, to mobile to IoT devices, and everything in between.

About FortinetFortinet is a global leader and innovator in network security. Our mission is to deliver the most innovative, highest-performing network security platform to protect and simplify your IT infrastructure. We are a provider of network security appliances and security subscription services for carriers, data centers, enterprises, distributed offices, and MSSPs. Because of

constant innovation of our custom ASICs, hardware systems, network software, management capabilities, and security research, we have a large, rapidly growing, and highly satisfied customer base—including the majority of the Fortune Global 100—and we continue to set the pace in the network security market. Our market position and solution effectiveness has been widely validated by industry analysts, independent testing labs, business organizations, and the media worldwide. Our broad product line of complementary solutions goes beyond network security to help secure the extended enterprise.

Fortinet is headquartered in Sunnyvale, California, with offices around the world. Founded in 2000 by Ken Xie, the visionary founder and former president and CEO of NetScreen, Fortinet is led by a strong and seasoned management team with deep experience in networking and security.

Data Collection and MethodologyThe data in this report was gathered from over 700 participating companies who wanted to gain a deeper understanding into their network infrastructures.

To participate in the assessment, each company was provided a FortiGate network security appliance to install in “Transparent Mode” inside their existing security network infrastructure for a period of three to seven days.

The data represented in this report was collected from live production environments between April 1 and June 30, 2016. Fortinet’s CTAP process provides each company with an individualized report that highlights critical gaps in their current security solutions and policies.

nn The data presented in this report was anonymized and contains no identifiable information. Any data that may have revealed information as to the layouts or the identity of an individual corporation or organization was sterilized.

nn The FortiGate devices were configured in a method that allowed them to capture and analyze the traffic passing through them without providing any security features or impacting network traffic.

Documents

Threat Landscape Report - Fortinet · REPORT: THREAT LANDSCAPE REPORT 5 Select Verticals Education Sector Open source vulnerabilities continue to be an issue in the education sector