Threat actors are upping their game and taking advantage of newly disclosed vulnerabilities faster than ever.
This is among the findings of FortiGuard Labs’ 2H 2023 Global Threat Landscape Report, which highlights the need for vendors to adhere to vulnerability disclosure best practices and for organisations to improve cyber hygiene and patch management.
Derek Manky, chief security strategist and global vice-president: threat intelligence at FortiGuard Labs, comments: “In this climate, both vendors and customers have a role to play. Vendors must introduce robust security scrutiny at all stages of the product development life cycle and dedicate themselves to responsible radical transparency in their vulnerability disclosures.
“With over 26 447 vulnerabilities across more than 2 000 vendors in 2023 as cited by NIST, it is also critical that customers maintain a strict patching regimen to reduce the risk of exploitation.”
Key findings from the second half of 2023 include:
- Attacks started on average 4,76 days after new exploits were publicly disclosed: The second half of 2023 saw attackers increase the speed with which they capitalised on newly publicised vulnerabilities (43% faster than 1H 2023). This shines a light on the need for vendors to dedicate themselves to internally discovering vulnerabilities and developing a patch before exploitation can occur. It also reinforces that vendors must proactively and transparently disclose vulnerabilities to customers to ensure they have the information needed to effectively protect their assets before cyber adversaries can exploit N-day vulnerabilities.
- Some N-Day vulnerabilities remain unpatched for 15+ years: Fortinet telemetry found that 41% of organisations detected exploits from signatures less than one month old and nearly every organisation (98%) detected N-Day vulnerabilities that have existed for at least five years. FortiGuard Labs also continues to observe threat actors exploiting vulnerabilities that are more than 15 years old, reinforcing the need to remain vigilant about security hygiene and prompting organisations to act quickly through a consistent patching and updating program.
- Less than 9% of all known endpoint vulnerabilities were targeted by attacks: In 2H 2023, research found that 0,7% of all CVEs observed on endpoints are actually under attack, revealing a much smaller active attack surface on which security teams can focus and prioritise remediation efforts.
- 44% of all ransomware and wiper samples targeted the industrial sectors: Across all of Fortinet’s sensors, ransomware detections dropped by 70% compared to the first half of 2023. The observed slowdown in ransomware over the last year can best be attributed to attackers shifting away from the traditional “spray and pray” strategy to more of a targeted approach, aimed largely at the energy, healthcare, manufacturing, transportation and logistics, and automotive industries.
- Botnets showed incredible resiliency, taking on average 85 days for command and control (C2) communications to cease after first detection: While bot traffic remained steady relative to the first half of 2023, FortiGuard Labs continued to see the more prominent botnets of the last few years, such as Gh0st, Mirai, and ZeroAccess, but three new botnets emerged in the second half of 2023: AndroxGh0st, Prometei, and DarkGate.
- 38 of the 143 advanced persistent threat (APT) groups listed by MITRE were observed to be active during 2H 2023: FortiRecon intelligence indicates that 38 of the 143 groups that MITRE tracks were active in 2H 2023. Of those, Lazarus Group, Kimsuky, APT28, APT29, Andariel, and OilRig were the most active groups.
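The findings above (time from disclosure to first exploit, the small share of endpoint CVEs actually under attack, and N-day age classes of one month, five years and 15+ years) translate into a simple patch-prioritisation model. The following is an added illustration, not code from Fortinet or the report; the CVE identifiers, dates and flags are constructed placeholders, and the `Cve` record, `TODAY` and all function names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

@dataclass(frozen=True)
class Cve:
    cve_id: str
    published: date                # public disclosure date
    first_exploit: Optional[date]  # first exploitation attempt seen in telemetry, None if never
    on_endpoints: bool             # present in the endpoint vulnerability inventory
    patched: bool

TODAY = date(2023, 12, 31)  # end of the 2H 2023 reporting window

# Constructed sample inventory (placeholder identifiers, not real CVEs).
SAMPLE = [
    Cve("CVE-EXAMPLE-A", date(2008, 1, 10), date(2023, 11, 2), True, False),   # 15y+ N-day, exploited now
    Cve("CVE-EXAMPLE-B", date(2017, 6, 1), date(2017, 6, 8), True, True),      # 5y+ N-day, already patched
    Cve("CVE-EXAMPLE-C", date(2023, 12, 10), date(2023, 12, 15), True, False), # fresh, exploited within days
    Cve("CVE-EXAMPLE-D", date(2023, 10, 1), None, True, False),                # on endpoints, no exploit seen
    Cve("CVE-EXAMPLE-E", date(2022, 3, 3), None, False, False),                # not in endpoint inventory
]

def days_to_exploit(cves: List[Cve]) -> Optional[float]:
    """Median days between public disclosure and first observed exploitation attempt."""
    lags = [(c.first_exploit - c.published).days for c in cves if c.first_exploit]
    return median(lags) if lags else None

def active_attack_surface(cves: List[Cve]) -> float:
    """Share of endpoint CVEs for which exploitation has actually been observed."""
    endpoint = [c for c in cves if c.on_endpoints]
    return sum(1 for c in endpoint if c.first_exploit) / len(endpoint) if endpoint else 0.0

def age_bucket(cve: Cve, today: date) -> str:
    """N-day age class matching the report's hygiene categories."""
    days = (today - cve.published).days
    if days / 365.25 >= 15:
        return "15y+"
    if days / 365.25 >= 5:
        return "5y+"
    return "<30d" if days < 30 else "1m-5y"

def patch_priority(cves: List[Cve]) -> List[str]:
    """Unpatched endpoint CVEs: those under active attack first, then oldest disclosure first."""
    todo = [c for c in cves if c.on_endpoints and not c.patched]
    todo.sort(key=lambda c: (c.first_exploit is None, c.published))
    return [c.cve_id for c in todo]
```

Running `patch_priority(SAMPLE)` puts the 15-year-old exploited CVE ahead of the fresh one, and the never-exploited endpoint CVE last; the age buckets give the counts an N-day hygiene report would break out.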
Geri Revay, principal security researcher at FortiGuard Labs, says: “As part of a rapidly growing economy, organisations across South Africa are striving to fast-track their digital innovation, which can leave the door open for cyber criminals looking to take advantage of those still playing catch-up on security.
“During the second half of last year, FortiGuard Labs detected 53,6-billion threats across the African continent, with 68% of this malicious activity concentrated in South Africa alone. Moreover, in our analysis we observed over 19-million attempts to exploit publicly known vulnerabilities in South Africa.
“With the attack surface constantly expanding, it is crucial that local organisations seek the right expertise to help them to expand and develop their cyber security capabilities and reduce their overall risk by closing the mean time to detection and remediation.”
The 2H 2023 Global Threat Landscape Report also includes findings from FortiRecon, which give a glimpse into the discourse between threat actors on dark web forums, marketplaces, Telegram channels, and other sources. Some of the findings include:
- Threat actors discussed targeting organisations within the finance industry most often, followed by the business services and education sectors.
- More than 3 000 data breaches were shared on prominent dark web forums.
- 221 vulnerabilities were actively discussed on the darknet, while 237 vulnerabilities were discussed on Telegram channels.
- Over 850 000 payment cards were advertised for sale.