Malware-as-a-Service tops FortiGuard Labs’ list of threats for Q3 2019

By FortiGuard SE Team

The Fortinet Threat Landscape Report provides insights into the top threats and trends discovered and tracked by the FortiGuard Labs team, and the report for last quarter shows that cybercriminals are continuing to focus on finding ways to stay a step ahead of their cybersecurity professional adversaries.

When people consider cybercrime, they tend to think of some of the more high-profile events of the past that used sophisticated malware or exploited zero-day vulnerabilities. And while some efforts continue to be made in those areas, most criminals focus on leveraging their existing resources. The top issues for Q3 are no different.

Cybercriminals are targeting edge services

Because over 90% of malware is still delivered via email, many organizations have responded by aggressively focusing on training users to identify phishing emails and not click on email attachments. They are also more aware of the importance of email security solutions. As a result, criminals have begun to expand their tactics by simply targeting other areas of the attack surface that aren’t being focused on.

Have you read “Modern cameras’ WiFi connectivity vulnerable to ransomware, malware”?

For example, over the past quarter, FortiGuard Labs has observed attacks targeting publicly available edge services with remote code execution exploits. Once criminals establish a foothold at the edge, they then use that attack vector to begin delivering their malware to targets inside the network, with the same result as having used phishing to deliver those same payloads.

Bypassing adblockers whitelist malicious sites

Another strategy is to prevent adblocker security tools from blocking access to malicious content. Adblock Plus, for example, is an open-source browser extension that provides content-filtering and ad blocking for all of the major browsers, including Firefox, Chrome, Internet Explorer, Edge, Opera, Safari, Yandex, and Android. It also uses a key to tag approved advertisement sites so they can be whitelisted. However, this key has been identified by attackers and is being exploited to also whitelist their malicious sites. These webpages can then serve their malicious advertisements or even function as a phishing page to users who rely on the adblocker solution to block malicious sites and content.

The HTML/Framer.INF!tr IPS signature that detects these webpages is at the top of our list of most prevalent malware variants detected in Q3 2019 across all global regions. However, it is important to note that some of these detections may be false positives because of the way Adblock is designed, making it difficult to produce a fully reliable signature.

Malware-as-a-Service continues to grow

The GandCrab ransomware and its Ransomware-as-a-Service (RaaS) offering netted its developers as much as $2 billion before they retired last year. As a result, many cybercriminal organizations are keen to jump on the bandwagon. Last quarter, FortiGuard Labs observed that at least two other significant ransomware families – Sodinokibi and Nemty – are now available on the dark web as ransomware-as-a-service offerings. By using this RaaS model, the authors of these malware tools are significantly lowering the bar, both in terms of overhead and expertise, for launching such attacks.

Emotet offers a new spin on MaaS

Emotet, a popular and successful banking trojan, has launched a similar service that rents access to devices infected with the Emotet trojan. This is especially malicious because the Emotet developers have added the ability of the malware to deliver malicious payloads. This means that attackers using this new malware-as-a-service offering can infect targeted networks with additional malware, such as the Trickbot trojan and Ryuk ransomware, launched from a previously compromised device.

Another new Emotet trick significantly increases the efficiency of distributing malware through phishing. Cybercriminals naturally want to deliver phishing emails with the highest likelihood of being opened. This new Emotet phishing strategy steals email threads, not just email addresses, from infected devices. It then develops an infected reply from someone in the thread and sends it to the other thread participants disguised as being part of the thread. This strategy has proven to be exponentially more effective than trying to hook victims using a cold initial phishing attempt, or even a targeted spearphishing tactic.

Older attacks remain a persistent threat

It is important to remember that attacks don’t need to be new to be successful. According to the Q3 Threat Landscape Report, FortiGuard Labs saw more attempts to target vulnerabilities from 2007 than from 2018 and 2019 combined. And every year in between equaled 2018/19 levels. This trend shows how unpatched vulnerabilities—regardless of age—can heighten exposure. The point is that attackers (and their tools) don’t ignore older vulnerabilities and neither should you.

Segment networks

Many of these attacks and exploits are successful because vulnerable systems are not being adequately protected. Older vulnerabilities can be successfully protected by conducting a risk assessment and then prioritizing the likelihood of a device being exploited using the FortiGuard Security Rating Service.

In addition to patching and upgrading devices, organizations should also consider implementing intent-based network segmentation and zero trust access strategies to prevent critical devices and vulnerable systems from being exploited. Segmentation also minimizes the risks of a successful intrusion by shrinking the available attack surface.