Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Derek Manky
Derek Manky
Connect Directly
E-Mail vvv

Looking Back to Look Ahead: Cyber Threat Trends to Watch

Data from the fourth quarter of last year shows the state of application exploits, malicious software, and botnets.

Organizations today face an unprecedented volume of increasingly sophisticated threats as they conduct online operations. As the potential attack surface expands and attack volumes increase, it is imperative to track the most popular and successful strategies of cybercriminals to stay ahead of their malicious intentions.

The quarterly Fortinet Global Threat Landscape Report gathers the collective intelligence drawn from FortiGuard Labs' large array of sensors deployed in live production environments. The research data in the most recent report focuses on three aspects of the threat landscape: application exploits, malicious software, and botnets. It also examines important zero-day vulnerabilities and infrastructure trends to add context about the trajectory of cyberattacks affecting organizations over time.

What the Data Reveals
Below are the key findings from the latest "Threat Landscape Report" that organizations need to know about in order to prepare for what's ahead.

Application exploits, malicious software, and botnets:

  • Historic Volume: The number of malware families detected in the fourth quarter of 2017 increased by 25% over the third quarter, to 3,317, and unique variants grew 19%, to 17,671. An average of 274 attacks per firm were also detected, a staggering increase of 82% over the previous quarter.
  • Mining for Cryptocurrency: Cryptomining malware increased in the fourth quarter, which seems to be intertwined with the changing price of bitcoin. Cybercriminals recognize the growth in digital currencies and are using a trick called cryptojacking to mine cryptocurrencies on computers using CPU resources in the background without a user knowing. Cryptojacking involves loading a script into a web browser; nothing is installed or stored on the computer.
  • Everything Old Is New Again: Steganography is an attack that embeds malicious code in images. The Sundown exploit kit uses steganography to steal information, and while it has been around for some time, it was reported by more organizations than any other exploit kit in the fourth quarter. It was found dropping multiple ransomware variants.
  • A Ransomware Explosion: Ransomware continues to grow in both volume and sophistication. Several strains of ransomware topped the list of malware variants. Locky was the most prevalent malware variant, and GlobeImposter was second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. In addition, there was a shift on the darknet from only accepting bitcoin for payment to other forms of digital currency.
  • Swarm-Based Cyberattacks: The sophistication of attacks targeting organizations is accelerating at an unprecedented rate. For example, they are developing new Internet of Things (IoT)-based botnets with swarm-like capabilities that simultaneously target multiple vulnerabilities, devices, and access points.
  • An Increase in IoT Attacks: Three of the top 20 attacks identified in the quarter targeted IoT devices. New IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously. This multivector approach is much harder to combat. In addition, Reaper's new flexible framework, built around a Lua engine and scripts, means that Reaper's code can be easily updated to swarm faster by running new and more malicious attacks as they become available. Exploit volumes associated with Reaper exhibited an early October jump from 50,000 to 2.7 million over just a few days, before dropping back to normal.
  • Sophisticated Industrial Malware: An uptick in exploit activity against industrial control systems and safety instrumental systems suggests these under-the-radar attacks might be climbing higher on attackers’ radar. An example is an attack code-named Triton. It is sophisticated in nature and has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis. Because these platforms affect vital critical infrastructures, they are enticing for threat actors. Successful attacks can cause significant damage with far-reaching impact.

Infrastructure trends:
When it comes to the cyber threat landscape, infrastructure statistics offer a powerful overview because strong correlations exist between infrastructure usage and threat frequency. For example, firms that use a lot of peer-to-peer and proxy apps report seven to nine times as many botnets and malware as those that don't use them.

In the fourth quarter of 2017, firms also appear to have used more bandwidth and encrypted more web traffic than ever before, but they are actually visiting fewer sites and using fewer applications. There is also a special interest in keeping tabs on the ratio of HTTPS traffic in the network. It's continuing to trend up.

While helpful for maintaining privacy, higher encryption rates also present challenges to threat monitoring and detection. Inspecting Secure Sockets Layer traffic has a significant impact on the performance of firewalls, which means it can affect the amount of network traffic that is actually being inspected. And organizations — especially those with higher HTTPS ratios — cannot afford to ignore threats that might be lurking within encrypted communications.

Best Practices for Stronger Security
With the volume, velocity, and variety of modern threats increasing, standalone point devices and platforms are rapidly becoming inadequate and ineffective. Organizations need a more unified approach that makes it practical for security teams, large or small, to achieve and maintain a competent security posture.

To protect the network against application exploits, malicious software, botnets, and zero-day vulnerabilities, organizations need to stay abreast of and track popular and successful threats. In addition, automated security measures can help pit swarm against swarm in order to effectively counter and repel an attack.

A unified defense posture can also help companies by detecting known and unknown threats at multiple layers throughout the environment. Growing your capability to detect and sever botnet communications at key choke points in your network is another solid strategy. Additionally, an internal network segmentation strategy will help detect and automatically contain all kinds of threats.

Looking back at data from 2017 reveals that to effectively combat today's ever-evolving threats, you need to break down siloes and bring many security tools together for a collaborative approach that can help you see everything that's coming at your network.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Early Bird Rates Expire Friday March 23. Use Promo Code DR200 & save $200 .

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
3/26/2018 | 3:03:46 PM
Thanks for such an amazing post
Derek, thanks for a post full of information. 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...