Three other rising trends involved a focus on remote workers and converged IT/OT endpoints; destruction of data; and sophisticated detection-evasion techniques

Drawing from the collective intelligence of a large array of sensors collecting billions of threat events observed around the world, FortiGuard Labs has released its semiannual cyber threat landscape report for the first half of 2022 (H1).

Based on the data collected, the following four H1 trends have been reported:
    • The Ransomware-as-a-Service (RaaS) model has allowed threat actors to create more variants.
      In the period of analysis, cybercriminals continued to invest significant resources into new attack techniques. Compared to H2 2021, ransomware variants grew nearly 98%. RaaS continued to fuel an industry of criminals forcing organizations to consider ransomware settlements.
    • Work-from-home/anywhere endpoints remain targets for cybercriminals to gain access to corporate networks.
      The digital convergence of IT and OT and the endpoints enabling work-from-home/anywhere remained key vectors of attack. Many exploits of vulnerabilities involved unauthorized users gaining access to a system with a goal of lateral movement to get deeper into corporate networks. The most common were a spoofing vulnerability (CVE 2022-26925) and a remote code execution vulnerability (CVE 2022-26937). Cybercriminals were noted to be maximizing both old and new vulnerabilities in H1. A wide range of devices and platforms experienced in-the-wild exploits.
    • The spread of wiper malware as part of adversary toolkits signals the continual evolution of destructive threat trends
      Wiper malware trends in H1 revealed a disturbing evolution of more destructive and sophisticated attack techniques that destroys data by wiping it clean. The war in Ukraine had fueled a substantial increase in disk wiping malware among threat actors primarily targeting critical infrastructure. At least seven major new wiper variants were detected in various campaigns against government, military, and private organizations. This number is significant because it is close to the number of wiper variants that had been publicly detected since 2012. Additionally, the wipers did not stay in one geographical location but were detected in 24 countries besides Ukraine.
    • More reconnaissance and defense evasion techniques are being used to increase precision and destructive weaponization across the cyberattack chain
      Examining adversarial strategies revealed takeaways about how attack techniques and tactics evolve in H1. The top eight tactics and techniques focused on the endpoint, and defense evasion using system binary proxy execution was the most-employed tactic by malware developers. Hiding malicious intentions is one of the most important things for adversaries. Therefore, they attempt to evade defenses by masking them and attempting to hide commands using a legitimate certificate to execute a trusted process and carry out malicious intent. In addition, the second most popular technique was process injection, where cybercriminals work to inject code into the address space of another process to evade defenses and improve stealth.
Sample of a threat group’s advertisement for threat talent. Source: Microsoft

According to the report, organizations need to gain a deeper understanding of the goals and tactics used by adversaries through actionable threat intelligence, in order to align defenses optimally to adapt to quickly changing attack techniques and proactively defend against cyber threats. Threat insights are critical to help IT teams to prioritize patching strategies, while cybersecurity awareness training also needs to be stepped up.

Finally, security operations need to function at machine speed to keep up with the volume, sophistication, and speed of today’s cyber threats through AI and ML automation.