2018 saw the convergence of three separate threat trends — two that have evolved over the last few years, and one that came to the fore during 2018. These are the merging of IoT botnets, destructive malware and cryptojacking.
IoT botnets have grown through easy access to malware, poor security in the devices, and the sheer number of devices that can be compromised. Fortinet’s Q4 2018 Threat Report states that half of the top 12 detected exploits around the world — and three of the top five — target IoT devices. The top two exploits detected by Fortinet remain the Apache Struts 2 exploit used in the Equifax hack and CVE-2017-7269. The next three top detected exploits relate to Avtech cameras (used in building the Hide’n’Seek botnet), Linksys routers (used to spread the Moon malware), and D-Link routers (a command injection vulnerability used in building Mirai-variant botnets).
The figures come from the telemetry of Fortinet’s network of devices and sensors in live production environments around the world, comprising billions of threat events and incidents. As such, these threat figures relate to business threats, not consumer threats. While a detection is not an infection, it shows that the threat from IoT botnets continues. Details are reported in Fortinet’s Q4 2018 Threat Landscape Report (PDF). Phil Quade, Fortinet CISO, calls it the age of Cy-Phy — the convergence of cybersecurity things and physical spaces.
“Although the appeal of this convergence to our digital economy is almost psy-fi in terms of imagination,” he says, “unfortunately the cybersecurity risks are very real. Cybercriminals are closely watching and developing exploits that target this emerging digital convergence. Fundamental elements of cybersecurity, including visibility, automation, and agile segmentation, are more critical than ever to enable us to thrive in our Cy-Phy digital future, and to protect us against the malicious activities of our cyber adversaries.”
With details from its telemetry, Fortinet’s Q4 2018 Threat Report focuses on three threat trends: exploits, malware and botnets. All three areas experienced a slight decline in Q4, but this is likely because of the end-of-year holiday season — with fewer people at their devices, there were fewer detections. It is not thought to be indicative of declining threats. Fortinet’s exploit index was down 0.3%, the malware index fell 4.3%, and the botnet index declined by 1.5%.
The top two detected exploits concern long-patched vulnerabilities, but demonstrate that criminals are aware of generally poor patching habits around the world. The Struts vulnerability is now being used to implement cryptojacking functions on compromised systems. CVE-2017-7269 is a buffer overflow in Microsoft IIS; an exploit for it, known as ExplodingCan, was leaked by the Shadow Brokers in 2017. CVE-2017-7269 was patched by Microsoft in June 2017.
Fortinet’s malware trend index fell dramatically in December (primarily the peak holiday season) and is the only trend to close out below the index starting point of 1000 at the beginning of the year. Two generic detections top the list: adware and the cryptocurrency mining service Coinhive. The third is also a generic detection: W32/Agent.AJFK!tr, a trojan that has been known to log keystrokes, initiate command-control (C2) functionality, and download/drop additional files.
The fourth most prevalent malware detection was Android/Agent.FJ!tr — a variant that has ties to FakeSpy (first discovered by Trend Micro in June 2018) but with additional new features. Fifth in the list is MSOffice/CVE_2017_11882.A!exploit. CVE-2017-11882 is a vulnerability in Microsoft Equation Editor that had existed for 17 years before being patched by Microsoft in November 2017. Fortinet links its use to the nation-state actor known as the Gorgon Group, which Palo Alto described as ‘slithering between nation state and cybercrime’. At that time, it was targeting governmental organizations in the United Kingdom, Spain, Russia, and the United States. However, it has also been used by the Iran-linked group APT34, targeting largely Israeli organizations.
Fortinet’s botnet detection index fell by 1.5% in Q4 2018. Nevertheless, the firm detected 261 unique botnets. Detection of botnets differs from that of exploits and malware. While the latter are generally detected in the pre-compromise stage of an attack, botnet detections are largely post-compromise.
The most prevalent botnet detection by far was Gh0st. “It was reported by more organizations in every region by a wide margin,” notes Fortinet. “It’s far from new, but has a timeless laundry list of useful features, allowing an attacker to take full control of the infected system, log keystrokes, spy live webcam and microphone feeds, download and upload files, etc.”
Pushdo comes in a distant second with, for example, less than half the detections of Gh0st in North America. Pushdo — also known as Cutwail — has, like Gh0st, been around for many years. Zeroaccess, Andromeda and Sality also make it into the top five detected botnets. Not listed, but with special mention, is Trick. This heads Fortinet’s list of major movers. “From humble beginnings at a volume of 10 [detections], it surged to an impressive 3.5M,” notes the report.
The rise of Trickbot — especially used in combination with Emotet — was well documented in 2018. Its rapid rise in Fortinet detections is probably linked to its move from primarily a consumer-focused threat to a business threat. “Emotet and Trickbot have grown on the business side and declined on the consumer side,” Adam Kujawa (director of Malwarebytes Labs) told SecurityWeek in January 2019, “to the extent that it is now one of the few major malware families that has more corporate than consumer real-estate.”
He added, “Where the new exploits really thrive is on corporate networks. Now, when you get something like Emotet getting a foothold on an endpoint — still being delivered by the same phishing email with a malicious Office document — it is able to drop Trickbot and other malware and start spreading through the network.”