Fortinet threat research finds cybercriminals are exploiting new industry vulnerabilities 43 per cent faster than 1H 2023

FortiGuard Labs’ 2H 2023 Global Threat Landscape Report highlights the need for vendors to adhere to vulnerability disclosure best practices and for organisations to improve cyber hygiene and patch management 

Derek Manky, chief security strategist and global vice president threat intelligence, FortiGuard Labs, said, “The 2H 2023 Global Threat Landscape Report from FortiGuard Labs continues to shine a light on how quickly threat actors are taking advantage of newly disclosed vulnerabilities. In this climate, both vendors and customers have a role to play. Vendors must introduce robust security scrutiny at all stages of the product development life cycle and dedicate themselves to responsible radical transparency in their vulnerability disclosures. With over 26,447 vulnerabilities across more than 2,000 vendors in 2023 as cited by the National Institute of Standards and Technology (NIST), it is also critical that customers maintain a strict patching regimen to reduce the risk of exploitation.” 

Glenn Maiden, director of threat intelligence, FortiGuard Labs, Australia and New Zealand, Fortinet, said, “The escalating pace of cyber vulnerabilities being exploited in the wild is of extreme concern. Gone are the days of keeping software versions at N-1; companies now require a highly aggressive patch deployment approach with upmost urgency. As revealed in the 2H 2023 Global Threat Landscape Report from FortiGuard Labs, attacks occur on average 4.76 days after a vulnerability is disclosed, emphasising the ever-diminishing window for organisational response. To address this trend, a multi-layered approach is essential, combining prompt patching with advanced detection and response systems. 

“There is no silver bullet; however, a multi-layered defence that’s finely tuned provides the most effective protection. Deploying security defences across the cloud, network, and endpoint, all integrated into an optimised operations centre, significantly reduces a business’s risk exposure and the impact of a cyberattack. A proficient security operations centre (SOC) is staffed with team members who have an updated and thorough understanding of normal network behaviour, letting them swiftly identify and respond to anomalies through continuous monitoring. 

“The increasing prevalence of ‘living off the land’ (LOLT) tactics by attackers can be countered through rigorous monitoring of accounts, stringent role-based access, multifactor authentication, and system LOLbinaries such as PowerShell. Additionally, offline, out-of-band backups and regular audits of security practices are essential to mitigate the risk of data breaches and ensure resilience against sophisticated cyber threats. 

“It’s clear that SOCs must adopt a proactive stance and be well-prepared, with executive leaders needing to focus on comprehensive training and regular exercises to empower employees to respond quickly and accurately to threats. Clear guidance, defined roles and responsibilities, and rehearsal of scripts and use cases are essential to foster familiarity and efficiency during actual incidents.” 

News summary 

Fortinet® (NASDAQ: FTNT), the global cybersecurity leader driving the convergence of networking and security, has announced the release of the FortiGuard Labs 2H 2023 Global Threat Landscape Report. The latest semiannual report is a snapshot of the active threat landscape and highlights trends from July to December of 2023, including analysis on the speed with which cyber attackers are capitalising on newly identified exploits from across the cybersecurity industry and the rise of targeted ransomware and wiper activity against the industrial and operational technology (OT) sector. 

Key findings from the second half of 2023 include: 

• Attacks started on average 4.76 days after new exploits were publicly disclosed: Like the 1H 2023 Global Threat Landscape Report, FortiGuard Labs sought to determine how long it takes for a vulnerability to move from initial release to exploitation, whether vulnerabilities with a high exploit prediction scoring system (EPSS) score get exploited faster, and whether it could predict the average time-to-exploitation using EPSS data. Based on this analysis, the second half of 2023 saw attackers increase the speed with which they capitalised on newly publicised vulnerabilities (43 per cent faster than 1H 2023). This shines a light on the need for vendors to dedicate themselves to internally discovering vulnerabilities and developing a patch before exploitation can occur (mitigate instances of 0-Day vulnerabilities). It also reinforces that vendors must proactively and transparently disclose vulnerabilities to customers to ensure they have the information needed to effectively protect their assets before cyber adversaries can exploit N-Day vulnerabilities. 

• Some N-Day vulnerabilities remain unpatched for 15+ years: It’s not just newly identified vulnerabilities that chief information security officers (CISOs) and security teams must worry about. Fortinet telemetry found that 41 per cent of organisations detected exploits from signatures less than one month old and nearly every organisation (98 per cent) detected N-Day vulnerabilities that have existed for at least five years. FortiGuard Labs also continues to observe threat actors exploiting vulnerabilities that are more than 15 years old, reinforcing the need to remain vigilant about security hygiene and a continued prompt for organisations to act quickly through a consistent patching and updating program, employing best practices and guidance from organisations such as the Network Resilience Coalition to improve the overall security of networks. 

• Less than nine per cent of all known endpoint vulnerabilities were targeted by attacks: In 2022, FortiGuard Labs introduced the concept of the “red zone,” which helps readers better understand how likely it is that threat actors will exploit specific vulnerabilities. To illustrate this point, the last three Global Threat Landscape Reports have looked at the total number of vulnerabilities targeting endpoints. In 2H 2023, research found that 0.7 per cent of all common vulnerabilities and exposures (CVEs) observed on endpoints are actually under attack, revealing a much smaller active attack surface for security teams to focus on and prioritise remediation efforts.  

• 44 per cent of all ransomware and wiper samples targeted the industrial sectors: Across all of Fortinet’s sensors, ransomware detections dropped by 70 per cent compared to the first half of 2023. The observed slowdown in ransomware over the last year can best be attributed to attackers shifting away from the traditional “spray and pray” strategy to more of a targeted approach, aimed largely at the energy, healthcare, manufacturing, transportation and logistics, and automotive industries. 

• Botnets showed incredible resiliency, taking on average 85 days for command and control (C2) communications to cease after first detection: While bot traffic remained steady relative to the first half of 2023, FortiGuard Labs continued to see the more prominent botnets of the last few years, such as Gh0st, Mirai, and ZeroAccess, but three new botnets emerged in the second half of 2023, including: AndroxGh0st, Prometei, and DarkGate. 

• 38 of the 143 advanced persistent threat (APT) groups listed by MITRE were observed to be active during 2H 2023: FortiRecon, Fortinet’s digital risk protection service, intelligence indicates that 38 of the 143 groups that MITRE tracks were active in the 2H 2023. Of those, Lazarus Group, Kimusky, APT28, APT29, Andariel, and OilRig were the most active groups. Given the targeted nature and relatively short-lived campaigns of APT and nation-state cyber groups compared to the long life and drawn-out campaigns of cybercriminals, the evolution and volume of activity in this area is something FortiGuard Labs will be tracking on an ongoing basis.  

Dark web discourse 

The 2H 2023 Global Threat Landscape Report also includes findings from FortiRecon, which give a glimpse into the discourse between threat actors on dark web forums, marketplaces, Telegram channels, and other sources. Some of the findings include: 

• Threat actors discussed targeting organisations within the finance industry most often, followed by the business services and education sectors. 

• More than 3,000 data breaches were shared on prominent dark web forums. 

• 221 vulnerabilities were actively discussed on the darknet, while 237 vulnerabilities were discussed on Telegram channels. 

• Over 850,000 payment cards were advertised for sale.  

Turning the tide against cybercrime 

With the attack surface constantly expanding and an industrywide cybersecurity skills shortage, it’s more challenging than ever for businesses to properly manage complex infrastructure composed of disparate solutions, let alone keep pace with the volume of alerts from point products and the diverse tactics, techniques, and procedures threat actors leverage to compromise their victims. 

Turning the tide against cybercrime requires a culture of collaboration, transparency, and accountability on a larger scale than from just individual organisations in the cybersecurity space. Every organisation has a place in the chain of disruption against cyberthreats. Collaboration with high-profile, well-respected organisations from both the public and private sectors, including computer emergency response teams (CERTs), government entities, and academia, is a fundamental aspect of Fortinet’s commitment to enhance cyber resilience globally. 

It’s through constant technology innovation and collaboration across industries and working groups, such as Cyber Threat Alliance, Network Resilience Coalition, Interpol, the World Economic Forum (WEF) Partnership against Cybercrime, and WEF Cybercrime Atlas, that will collectively improve protections and aid in the fight against cybercrime globally. 

Additional resources 

• Read the blog for valuable takeaways from this research, or access the full report. 

• Learn more about FortiGuard Labs threat intelligence and research and Outbreak Alerts, which provide timely steps to mitigate breaking cybersecurity attacks. 

• Learn about Fortinet’s free cybersecurity training, which includes broad cyber awareness and product training. As part of the Fortinet Training Advancement Agenda (TAA), the Fortinet Training Institute also provides training and certification through the Network Security Expert (NSE) Certification, Academic Partner, and Education Outreach programs. 

• Follow Fortinet on Twitter, LinkedIn, Facebook, and Instagram. Subscribe to Fortinet on our blog or YouTube. 

• Visit fortinet.com/trust to learn more about Fortinet innovation, collaboration partners, product security processes, and enterprise-grade products that contribute to delivering proven cybersecurity, everywhere you need it.  

• Learn more about Fortinet’s commitment to product security and integrity, including its responsible product development and vulnerability disclosure approach and policies.  

About FortiGuard Labs 
FortiGuard Labs is the threat intelligence and research organisation at Fortinet. Its mission is to provide Fortinet customers with the industry’s best threat intelligence designed to protect them from malicious activity and sophisticated cyberattacks. It is composed of some of the industry’s most knowledgeable threat hunters, researchers, analysts, engineers, and data scientists in the industry, working in dedicated threat research labs all around the world. FortiGuard Labs continuously monitors the worldwide attack surface using millions of network sensors and hundreds of intelligence-sharing partners. It analyses and processes this information using AI and other innovative technology to mine that data for new threats. These efforts result in timely, actionable threat intelligence in the form of Fortinet security product updates, proactive threat research to help our customers better understand the threats and actors they face, and threat intelligence to help our customers better understand and defend their threat landscape. Learn more at https://www.fortinet.com, the Fortinet blog, and FortiGuard Labs.  

About Fortinet 
Fortinet (NASDAQ: FTNT) is a driving force in the evolution of cybersecurity and the convergence of networking and security. Our mission is to secure people, devices, and data everywhere, and today we deliver cybersecurity everywhere you need it with the largest integrated portfolio of over 50 enterprise-grade products. Well over half a million customers trust Fortinet’s solutions, which are among the most deployed, most patented, and most validated in the industry. The Fortinet Training Institute, one of the largest and broadest training programs in the industry, is dedicated to making cybersecurity training and new career opportunities available to everyone. Collaboration with high-profile, well-respected organisations from both the public and private sectors, including CERTs, government entities, and academia, is a fundamental aspect of Fortinet’s commitment to enhance cyber resilience globally. FortiGuard Labs, Fortinet’s elite threat intelligence and research organisation, develops and utilises leading-edge machine learning and AI technologies to provide customers with timely and consistently top-rated protection and actionable threat intelligence. Learn more at https://www.fortinet.com, the Fortinet blog, and FortiGuard Labs. 

Copyright © 2024 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and common law trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet’s trademarks include, but are not limited to, the following: Fortinet, the Fortinet logo, FortiGate, FortiOS, FortiGuard, FortiCare, FortiAnalyzer, FortiManager, FortiASIC, FortiClient, FortiCloud, FortiMail, FortiSandbox, FortiADC, FortiAI, FortiAIOps, FortiAntenna, FortiAP, FortiAPCam, FortiAuthenticator, FortiCache, FortiCall, FortiCam, FortiCamera, FortiCarrier, FortiCASB, FortiCentral, FortiConnect, FortiController, FortiConverter, FortiCWP, FortiDB, FortiDDoS, FortiDeceptor, FortiDeploy, FortiDevSec, FortiEdge, FortiEDR, FortiExplorer, FortiExtender, FortiFirewall, FortiFone, FortiGSLB, FortiHypervisor, FortiInsight, FortiIsolator, FortiLAN, FortiLink, FortiMoM, FortiMonitor, FortiNAC, FortiNDR, FortiPenTest, FortiPhish, FortiPlanner, FortiPolicy, FortiPortal, FortiPresence, FortiProxy, FortiRecon, FortiRecorder, FortiSASE, FortiSDNConnector, FortiSIEM, FortiSMS, FortiSOAR, FortiSwitch, FortiTester, FortiToken, FortiTrust, FortiVoice, FortiWAN, FortiWeb, FortiWiFi, FortiWLC, FortiWLM and FortiXDR. Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, contract, binding specification or other binding commitment by Fortinet or any indication of intent related to a binding commitment, and performance and other specification information herein may be unique to certain environments.