Cyber-defenders have a lot on their plates: Rapid vulnerability exploitation. Ransomware-apalooza. Botnet infestations on the order never seen in the past. How can IT security teams effectively deal with the escalating volume of threats, especially as those threats become more sophisticated and more dangerous?
In the latest in our Threatpost Podcast Series, host Becky Bracken picks the brain of Derek Manky to answer those questions. Manky, a Threatpost Infosec Insider and vice president of threat intelligence for Fortinet’s FortiGuard Labs, lays out the cybersecurity trends impacting the rest of 2022 and why there is still cause for hope.
Along the way, Manky covers several disturbing data points, including what he calls a “near-vertical” rise in the rate of exploitation for new vulnerabilities. Looking at a 10-day benchmark for the Log4Shell vulnerability in December vs. last spring’s ProxyLogon bug, the firm found the rate of exploitation in the first 48 hours to be 50 times faster.
There has also been a 100-percent increase in the rate of ransomware attacks, according to Fortinet, which are becoming increasingly more sophisticated as financially motivated cybercriminals adopt the playbooks of nation-state actors. Hallmarks of the underground economy now include weaponizing zero-day vulnerabilities and honing elaborate back-end infrastructures — plus ever-deeper pockets to fund all of it.
“I call it mass persistent cybercrime, or APC,” Manky noted.
Check out the full conversation in this week’s Threatpost Podcast, which also touches on the alarming proliferation of botnets, and how cybercrooks are using automation and artificial intelligence (AI).
Please listen below, and a lightly edited transcript follows. A direct MP3 download can also be found here.
For additional executive insights, check out the Threatpost podcast microsite.
Becky Bracken: I want to welcome everyone here today to the Threatpost Podcast Series. Today I’m joined by Derek Manky, who is the vice president of threat intelligence for Fortinet’s FortiGuard Labs. And he is going to spend a little bit of time giving us insights into their latest threat intelligence report. It’s a semi-annual report.
Well, let’s just jump into it. I wanted to talk a little bit about the overall theme of speed. That seems to be a recurring theme in the report. Let’s talk a little bit about what speed is increasing and how that impacts security teams internally.
Derek Manky: Yeah, sure. So you know, I’ve been following this threat landscape for over 20 years, 18 years with Fortinet. And it’s changed dramatically, as we all know. And we often talk about speed in terms of the prevalence of attacks. We know there are always these big waves of campaigns that happen and that, you know, even at FortiGuard labs, we’re processing 100 billion potential threat events a day now.
There are a lot of different types of threats, but what we talked about in the report and what we picked up on here is a new angle, looking at speed in terms of the rate of spread for exploits, particularly for fresh vulnerabilities. It’s something we actually called out in our cybersecurity threat predictions for 2022. And unfortunately, we’re already seeing that ring true.
We looked at Log4j because of course that was front-and-center [at the end of last year]. There was a group of these vulnerabilities that waterfalled and followed after the first one was released with a critical CVSS 10 score and a huge deployment base. It literally spread like wildfire, but we tried to stack that up and when we looked at Log4j compared to some other significant vulnerabilities like the Microsoft Exchange ProxyLogon bug that broke a year ago, [the rate of exploitation] was significantly faster.
So we set up an initial 10-day benchmark for Log4j vs. ProxyLogon, and we also looked at [a vulnerability] from 2017 as well just to throw another one in the hat. And what we saw with Log4j was a near-vertical rise compared to ProxyLogon in the rate of exploitation in the first couple of days. From the comparison that we did from our data, it was 50 times faster for that group of vulnerabilities.
BB: To what do you attribute the speed?
DM: Yeah, good question. It’s a variety of factors. That CVSS 10 metric, I would say that’s a big contributing factor. But also there’s a technology piece, right — we’re seeing more offensive automation. And the way that the attackers can actually roll this up into kits and have that commoditized.
The other thing about Log4j, is that for ProxyLogon, there was just a small handful of copycat campaigns. Compared to a mountain of different malware groups that were piggybacking on or leveraging Log4j. We saw about 10 to 20 of them doing everything from cryptojacking to remote access trojans to ransomware. There were just simply more stakeholders and more campaigns, and then, on top of that, they’re adopting this quicker. They’re getting access to it, putting it into their attack toolkits.
BB: Yeah, absolutely. The report also covers botnet trends. What did you see there?
DM: So, with the botnets, we’re seeing that this is the cybercriminal enterprise model. And with botnets, we’re seeing multipurpose botnets more and more. So it’s not just a monolithic cryptominer or DDoS botnet, these are all the above, because they’re essentially loaders. They can just download and load whatever malware on demand.
In fact, a lot of the time it’s a botnet-as-a-service, rented out for these various purposes. And unfortunately, these fresh vulnerabilities are a juicy target for attackers, because they see this as an easy way to be able to distribute their botnets and really ramp up their infrastructure as well too.
BB: The report touched on botnets being an indicator of “C [time] to activity.” Is that something important for internal security teams to keep an eye on?
DM: Yeah, definitely. Of course, if you’re seeing C to activity, this is, of course, the well-tried and tested Lockheed Martin cyber kill chain. Activity [can mean] that the attackers are trying to meet and communicate, or manipulate systems so that they can move laterally to do whatever they wish essentially.
So, again, when we talk about going back to the Log4j-and-speed conversation, it’s very concerning. I mentioned that 50-times greater rate of exploit speed metric that we’re seeing from the attackers. But if you think about from a security operation center and defensive point of view, it’s equally as important, right? We can’t think it’s good enough now to be able to pick up indicators and respond three or four days later or five days later. Given how quickly this is moving from using the initial exploit to try to install a payload, and then establish the botnet, you need to be able to detect those and effectively mitigate that risk from a SOC perspective within 24 to 48 hours. That certainly wasn’t as big of a priority or the case a year or two years ago.
BB: So let’s take a step back and maybe the speed is a reaction to this, but the business model is evolving. And I myself have reported on the evolution of ransomware groups into more professionalized organizations that are really getting good at identifying their targets. And identifying the exact amount of pain they can inflict on their targets to make it worthwhile just to pay them off and move, which is pretty sophisticated. Can you talk to me about how you see the business model shifting and changing and impacting attacks and their frequency?
DM: Yeah, there is a definite change happening here, and it’s concerning: What we’re seeing is convergence. So we often talk about convergence of networking and security from a defensive side. But if you look at the technology capability of the threat actors, we’re seeing that on their side too. And of course, that includes everything we just talked about: Weaponizing offensive automation and machine learning and AI, but but also the zero-day vulnerabilities and exploits, which typically are in the wheelhouse of nations and state-sponsored attacks.
What we’re seeing is more of these cybercrime groups now using things like zero-day exploits, creating new payloads, new families (new ransomware families as an example). We’re not just talking about one or two ransomware groups as we know today. There are many, and that’s a result of all of this.
And then they’ve also set up their own models on top of this. So the ransomware-as-a-service model, knowing their targets and blueprinting their targets, knowing where they are. That’s a big, really important point — that this is ROI to them, right? What’s the difference [in cost and labor] between affiliates hitting 1,000 targets and charging them a nominal fee for a data cryptor, as opposed to hitting a critical revenue stream at a large enterprise or manufacturing plant.
They’re starting to use the left side of the attack kill chain again: More reconnaissance, more weaponization, premeditation, planning. Again that usually an APT thing, but we’re seeing it now with [financial] cybercrime. I’m referring to this as mass persistent cybercrime or APC.
BB: Do you attribute that to general maturation of the ransomware sector? Or is it more of an outside investment of you know, outside forces see this as a place to put money and resources to get that ROI, or is it a bit of both?
DM: I’m glad you brought that up. We are finding more connections. We actually have projects doing this, looking at the connections between the outside as you said. As an example, there are groups that are investing and collaborating and working with cybercriminal groups, helping to fund or use their infrastructure as an example. We’re actually finding quite a bit of correlation there. There’s a lot to explore still, but it absolutely is a maturity in the model and unfortunately, it’s been the result of years of profiting by the cybercriminals. They’ve simply got more funding in their own deeper pockets, which is allowing them to create more, and to invest more in weaponizing zero days as an example.
Recruiting as well, too. We know they are very clever on their end, when it comes to recruiting everything from money mules to new developers for their malware. And also, they they continue to tweak their playbook, right 00 that’s the strategic, sophisticated part. Again, they know their targets, and they’ve created, technical-support departments on their end. They’re more aggressive in reaching out to their targets, doing extortion, double extortion, triple extortion, extortion extortions. Yeah.
BB: I was also interested in unpacking the rise of Linux-based threats. I mean, Linux is such a tried-and-true option for computing. To what do you attribute that rise, where’s that coming from?
DM: If we look at Linux, it has been one of, if not the, most-secure OS with different flavors out there that has existed, essentially, since the dawn of computing. And therefore hasn’t really been a target. Right? But look at that threat landscape today.
We have so many devices running on Linux: IoT devices, OT devices and sensors, even. Of course, there are a lot of different flavors. There are a lot of complications. But the attack surface is there, and what we’re seeing is more of an investment now that threat actors are looking at this one. Of course, they’ve done this before. One of the No. 1 threats we still see today is Mirai, which has been around for years. We highlighted in the report that…they’re actually creating new botnets similar to Mirai, which run on .ELF binaries on Linux.
We are seeing more than just Mirai essentially is what I’m trying to say. In fact, we saw the detections for all 2021 double in terms of .ELF binaries specifically, and signatures. So new, up-and-coming Linux variant families that we’ve seen quadrupled over the second half of 2021.
BB: Wow. Well, we can’t get to everything today, but this report is chock full of excellent information that we’ve really just scratched the surface of. If anyone out there is interested in learning more, Fortinet’s FortiGuard Labs puts out these reports intermittently throughout the year. And the most recent one really does drill down on this idea of advanced precision cybercrime, which I think maybe Derek we’re going to be hearing quite a bit more about moving forward.
BB: Is there anything else that we should cover or that you want people to know before we wrap up here?
DM: Just two things. One, just to follow up on what we’re talking about with ransomware, in the first half of 2021 we saw an unprecedented rise in terms of volume, a 100-percent increase, and we saw that it hasn’t subsided in the second half of the report. You think of a wave and it’s still surging, right, and that high watermark is still there. But they have more sophistication now, effectively becoming more destructive, more aggressive. That, combined with this continued surge, means the risk is getting higher. I’m not saying that to scare people, but this is just a reality.
BB: They’ve already been scared for years.
DM: The second thing is that there’s good news, right? So there’s a lot of good news that comes out of this opportunity for us, of course, in terms of being able to respond with speed. That’s a big theme that we also are starting to highlight in the report. Using MITRE ATT&CK TTPs and heat maps, as we move forward we are highlighting the tactics and techniques that we’re actually observing in the wild, so instead of trying to boil the ocean, we can look at the 10 or 15 prevalent threats, their different playbooks, and essentially the right ways to have a more strategic conversation.
Transcribed by https://otter.ai
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.