Derek Manky, chief security strategist and global VP of threat intelligence at FortiGuard Labs, says the Global Threat Landscape Report for the second half of 2023 shines a light on how quickly threat actors respond to newly disclosed vulnerabilities.
In this climate, vendors and customers have a role to play: vendors must introduce robust security scrutiny at all stages of the product development life cycle and be dedicated to responsible radical transparency in vulnerability disclosures.
With over 26 447 vulnerabilities recorded across more than 2 000 vendors in 2023, according to the US National Institute of Standards and Technology, it is also critical that customers maintain a strict patching regimen to reduce the risk of exploitation.
The semi-annual Global Threat Landscape Report provides a snapshot of the active threat landscape. It highlights trends from July to December 2023 including analysis of cyber attackers’ speed in capitalising on newly identified exploits across the cybersecurity industry. It also covers the rise of targeted ransomware and wiper activity against the industrial and operational technology sectors.
Key findings in the report include:
- Attacks started on average 4,76 days after new exploits were publicly disclosed: The second half of 2023 saw attackers increase their speed in capitalising on newly publicised vulnerabilities (43% faster than in the first half of 2023). This highlights the need for vendors to be dedicated to discovering vulnerabilities internally and developing a patch before exploitation occurs. It also reinforces the need for vendors to proactively and transparently disclose vulnerabilities to customers, so that they have the information needed to protect their assets before adversaries can exploit N-day vulnerabilities.
- Some N-Day vulnerabilities remain unpatched for 15+ years: Fortinet telemetry found that 41% of organisations detected exploits from signatures less than one month old and nearly every organisation (98%) detected N-Day vulnerabilities that have existed for at least five years. FortiGuard Labs also continues to observe threat actors exploiting vulnerabilities that are more than 15 years old. This reinforces the need to remain vigilant about security hygiene and for organisations to continue acting promptly through a consistent patching and updating programme.
- Less than 9% of all known endpoint vulnerabilities were targeted by attacks: In the second half of 2023, research found that 0,7% of all CVEs observed on endpoints are actually under attack, revealing a much smaller active attack surface for security teams to focus on and prioritise remediation efforts.
- 44% of all ransomware and wiper samples targeted the industrial sectors: Across all of Fortinet’s sensors, ransomware detections dropped by 70% compared to the first half of 2023. The observed slowdown in ransomware over the past year can best be attributed to attackers shifting away from the traditional “spray and pray” strategy towards a more targeted approach aimed largely at the energy, healthcare, manufacturing, transportation and logistics, and automotive industries.
- Botnets showed incredible resilience, taking on average 85 days for command and control communications to cease after first detection: Bot traffic remained steady relative to the first half of 2023, and FortiGuard Labs continued to see the more prominent botnets of the past few years, such as Gh0st, Mirai and ZeroAccess. Three new botnets also emerged in the second half of 2023: AndroxGh0st, Prometei and DarkGate.
- 38 of the 143 advanced persistent threat groups listed by MITRE were observed to be active during the second half of 2023: FortiRecon intelligence indicates that 38 of the 143 groups that MITRE tracks were active in the second half of 2023. Of those, Lazarus Group, Kimsuky, APT28, APT29, Andariel and OilRig were the most active.
Discussing the findings for South Africa, Geri Revay, principal security researcher at FortiGuard Labs, says: “As part of a rapidly growing economy, organisations across South Africa are striving to fast-track their digital innovation, which can leave the door open for cyber criminals looking to take advantage of those still playing catch-up on security. During the second half of last year, FortiGuard Labs detected 53,6 billion threats across the African continent with 68% of this malicious activity concentrated in South Africa alone. Moreover, in our analysis, we observed over 19 million attempts to exploit publicly known vulnerabilities in South Africa. With the attack surface constantly expanding, it is crucial that local organisations seek the right expertise to help them to expand and develop their cybersecurity capabilities and reduce their overall risk by closing the mean time to detection and remediation.”