A new report on the worldwide cybersecurity threat landscape highlights the prevalence of malware, botnets and old exploits, as well as the double-edged sword that is encryption.
Network security vendor Fortinet Inc. published its quarterly Threat Landscape Report for the fourth quarter of 2016, which presented data about the "explosive growth" of cybercrime worldwide. Fortinet used data collected from millions of its devices about the billions of security events that occurred between Oct. 1, 2016, and Dec. 31, 2016.
The report offered data on exploit and malware trends, including the internet of things, botnet activity and more. But before delving into those details, the Fortinet report outlined infrastructure trends that may have shaped the threat landscape at the end of 2016. Specifically, the report looked at the use of HTTPS.
Fortinet researchers expected to find an increase in HTTPS traffic over the course of 2016, but they actually found it held steady, with about 50% of organizations using HTTPS and 50% using the less secure HTTP. The report also showed fluctuations in HTTPS traffic through the year; for example, HTTPS accounted for 52.5% of all surveyed traffic in the first quarter of 2016, while that number dropped to 49.8% during the next quarter. The distribution of HTTPS traffic across the monitored organizations shows how polarized encryption adoption is, according to Fortinet.
"[This distribution of HTTPS traffic] illustrates how that ratio varies across firms and is a reminder that there are some that encrypt nearly everything and some almost nothing," the report stated. "Such movements tend to play out over longer time periods, so we'll continue monitoring this one."
The report didn't attribute specific reasons for the stagnation in HTTPS traffic growth, but Fortinet did say encrypted traffic does pose a challenge for enterprise security teams. "HTTPS traffic usage is an important trend to monitor because, while it is good for privacy, it presents challenges to detecting threats that are able to hide in encrypted communications," Derek Manky, security researcher at Fortinet, based in Sunnyvale, Calif., wrote in a blog post about the report. "And far too much SSL traffic goes uninspected because of the huge processing overhead required to open, inspect, and re-encrypt traffic. Which forces IT teams to choose between protection and performance."
The Fortinet report indicated that researchers also intend to keep tracking the use of cloud apps, since software-as-a-service and infrastructure-as-a-service app usage was up only slightly, as well as the number of sites visited per day and how many of them are malicious; the rate of visits to malicious sites stayed steady at 0.5% all year.
"A rate of 0.5% may not seem like a lot," Fortinet stated. "But when you visit hundreds of sites a day (many more for larger enterprises), small numbers can represent big exposures."
In other news:
- In a report, the Finnish Security Intelligence Service, Supo, called out the Russian hacking group APT28 for not trying to conceal its involvement in a plethora of attacks. Referring specifically to APT28's attempts to compromise Finland's foreign and security policies, the report noted that "no particular effort was made to conceal the activity." The report also said that, because of all the known hacking attempts, it's safe to assume there are many more attacks from the group that remain unknown to the Finnish government. APT28 -- also known as Fancy Bear, Sofacy and Pawn Storm -- was publicly linked to the Russian government by FireEye in 2014. FireEye CEO Kevin Mandia referenced APT28 in a March 30 public Senate Intelligence Committee hearing about Russian interference in the 2016 U.S. presidential election. "All of the breaches that we attribute to APT28 in the last two years involve the theft of internal data, as well as the leaking of this data -- potentially APT28 or some other arm of the [Kremlin] -- into the public." Mandia went on to note that APT28 might not bother to cover its tracks because it knows it will get noticed by foreign governments anyway.
- On March 28, the United Kingdom's National Crime Agency (NCA) arrested a man on suspicion of hacking and extortion. The 20-year-old man is reportedly tied to the hacking group that calls itself the Turkish Crime Family and is attempting to extort Apple. The NCA confirmed the arrest of the suspect, but has not confirmed whether he is actually connected with the Turkish Crime Family. Last week, the group threatened to remotely wipe Apple devices unless the company paid them a large sum of money, either in bitcoin or in iTunes gift cards. Reports vary, but the group claimed to have somewhere between hundreds of thousands and hundreds of millions of stolen iCloud credentials, which it threatened to use to wipe users' devices on April 7 if it doesn't get the ransom from Apple.
- A new variant of the Mirai botnet targeted a U.S. college with a distributed denial-of-service attack that lasted for 54 straight hours. Imperva Incapsula reported the attack on the unnamed college, which is one of its customers, in a blog post. "Looking at the bigger picture, this variant of Mirai might be a symptom of the increased application-layer DDoS attack activity we saw in the second half of 2016," wrote Dima Bekerman, a security researcher for Imperva Incapsula. "That said, with over 90% of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own." The attack began on Feb. 28, and it "generated over 2.8 billion" requests per second -- the highest number out of a Mirai botnet so far, according to Bekerman. "Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet."