2H 2022 Global Threat Landscape Report: Key Insights for CISOs
Enterprising cybercriminals are increasingly taking a “work smarter, not harder” approach, upgrading old tactics and copying traits historically associated with advanced persistent threat (APT) attacks. While many of the attack vectors we observed in the second half of 2022 will look familiar to CISOs and their teams, the volume of threats continues to skyrocket.
This proliferation of threats presents an ongoing challenge for CISOs everywhere, particularly as organizations continue to embrace digital transformation and work-from-anywhere (WFA) strategies—two initiatives that widen an organization’s attack surface. Teams are faced with securing a rapidly expanding network and protecting against a growing list of threats, yet often must do so without additional resources.
In our 2H 2022 Threat Landscape Report, we examine the cyber-threat landscape over the year's second half to identify trends and offer insights as to what CISOs and their teams should pay close attention to in the new year and beyond. The report findings are based on the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed around the world during this same period.
Here's What CISOs Need to Know
Here are the key trends CISOs need to know, along with recommendations for protecting their network in the face of an evolving array of cyber threats.
Destructive APT-Like Wiper Malware Is Now Ubiquitous
In the first half of 2022, we witnessed the spread of destructive, APT-like wiper malware, with at least seven new variants emerging across 24 countries. As the FortiGuard Labs team predicted, this attack technique has only widened its foothold during the second half of 2022. We observed wiper malware expanding across the globe, driving a 53% increase in wiper activity from Q3 to Q4.
The most interesting—and perhaps concerning—characteristic of this spike in wiper activity is that, unlike the original surge where nation-state actors deployed most strains in conjunction with the Russia-Ukraine war, we’re now seeing wipers being scaled and deployed worldwide without a connection to geopolitical events. These strains are increasingly picked up by Crime-as-a-Service (CaaS) groups and broadly distributed.
CISOs and their teams need to know that every organization—regardless of size or industry—is now a viable target for wiper malware activity and must prepare accordingly. Organizations should implement next-generation firewalls (NGFWs) equipped with inline sandbox technology and augment those with real-time threat intelligence services to detect and block threats like wiper malware.
What’s Old Is New Again (and Better Than Before)
Cyber adversaries always seek to maximize their investments and knowledge in attack efforts. Reusing existing infrastructure, botnets, and code can be an easier yet equally effective path to a payday.
In the year's second half, we observed cybercriminals reimagining old attack strains that proved successful in the past, reintroducing new (and in many cases, enhanced) versions. Some familiar botnet and malware names emerged during this period—like Mirai and Emotet—many of which are over a year old.
It’s tempting to write off older threats as history, but this trend is another reminder that organizations must remain vigilant. When it comes to code reuse and modularization, the volume and variety of threats that today's security teams must handle make quick detection and response efforts table stakes. CISOs should use comprehensive, consolidated security services to easily apply automation and quickly counter threats.
Ransomware Still Runs Rampant
At the beginning of 2022, we witnessed an explosion of new ransomware variants, driven mainly by Ransomware-as-a-Service (RaaS) operations. Looking at the second half of the year, it’s clear that ransomware shows no signs of slowing.
The top five ransomware codebases found in samples in the wild accounted for roughly 37% of all activity during the back half of 2022. GandCrab, a RaaS strain introduced in 2018, topped the list. While members of the GandCrab operation claimed to retire in 2019, we continue to see the reuse of this ransomware codebase circulating. This anecdote illustrates the importance of developing global partnerships across the public and private sectors to permanently dismantle these cybercrime rings, as cybercriminal “retirement” rarely means that the group’s ransomware codebase disappears along with it.
In addition to these larger-scale efforts, there are essential steps CISOs and their teams should take to protect their networks. Organizations must adopt advanced endpoint detection and response (EDR) technologies to detect and mitigate ransomware threats in real-time. Cybersecurity awareness training for end-users—often an organization’s first line of defense against an attack—is more important than ever as the number of ransomware variants in circulation continues to grow.
Log4j Lingers
While Log4j captured headlines throughout 2021 and into 2022, many organizations still haven’t applied the appropriate security controls to protect their enterprises against this notable vulnerability.
In the second half of 2022, Log4j remained active in all regions, with 41% of organizations detecting Log4j activity during this time. The prolonged, widespread nature of this threat demonstrates just how critical it is to patch software regularly and promptly.
Secure “Red Zone” Active Attack Surfaces to Better Manage Organizational Risk
Analyzing exploit trends show us what cybercriminals are interested in attacking, probing for a future attack, and currently targeting. They also provide a valuable picture of where organizations should focus their efforts when it comes to protecting their attack surface and prioritizing patching efforts.
FortiGuard Labs reviewed Common Vulnerabilities and Exposures (CVE) data observed on endpoints and compared that with the CVEs actively under attack during the second half of 2022. The result is good news for CISOs: Less than 1% of all CVEs are present on endpoints and under attack, and many organizations likely have a smaller-than-expected “active” attack surface or “red zone.”
Security teams can better prioritize patching efforts by cross-referencing the exploits related to the operating systems an organization uses with the CVEs currently being exploited. Products such as a digital risk protection service (DRPS)—which monitors the dark web for vulnerability mentions that might affect the enterprise—can also help teams more accurately pinpoint vulnerabilities in their environments.
Embrace Consolidation and Automation to Protect Your Enterprise
The growth of CaaS means that security teams must protect their organizations against an increasingly sophisticated variety of threats. The most impactful step CISOs can take to mitigate these risks is to reduce complexity in daily operations by embracing a comprehensive and consolidated approach to security.
By consolidating security solutions and working with fewer vendors, teams can more easily implement automation, ultimately helping to proactively protect the organization and aiding analysts with faster detection and response. CISOs with smaller teams should also consider using offerings like FortiSOAR, AIOps, incident response (IR) and readiness services as well as Security Operations Center-as-a-Service (SOCaaS) to augment their internal capabilities.
More About the 2H 2022 FortiGuard Labs Threat Landscape Report
The latest Global Threat Landscape Report represents the collective intelligence of FortiGuard Labs, drawn from Fortinet's vast array of sensors collecting billions of threat events observed worldwide during the second half of 2022. The FortiGuard Labs Global Threat Landscape Report uses the MITRE ATT&CK framework to describe how threat actors find vulnerabilities, build malicious infrastructure, and exploit their targets. The report covers global and regional perspectives.
Download your copy of the 2H 2022 FortiGuard Labs Threat Landscape Report now.
