In the second half of 2023, the cybersecurity landscape experienced various significant developments—like the rise in sophisticated attacks targeting large-scale enterprises and critical industries—that impact every organization.
In our 2H 2023 Threat Landscape Report, we examine the cyberthreat landscape over the year’s second half to identify trends and offer insights on what security professionals should know to effectively protect their organizations. The report findings are based on the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed worldwide during this same period. Below are key takeaways from the report.
During this period, we observed substantial activity among APT groups, more targeted ransomware attacks, new botnets and malware strains, and an uptick in IoT exploits. We’re seeing a continued trend of threat actors reusing “old” attacks, underscoring the importance of security practitioners remaining vigilant, as attackers aren’t likely to stop exploiting older vulnerabilities.
Notably, adversaries are moving quicker than ever, exploiting new vulnerabilities 43% faster than in the first half of the year. This finding underscores the need for organizations to improve their patch management processes, ensuring that they’re updating software regularly to protect against fast-moving adversaries. Vendors also play a vital role in enabling customers to mitigate vulnerability risk. Every vendor has a responsibility to dedicate themselves to radical transparency, introducing robust security scrutiny at all stages of the product development lifecycle and proactively searching for and disclosing vulnerabilities.
It’s no surprise that the threat of ransomware continues to keep security teams up at night. Across our sensors, ransomware detections surged 13 times higher over the first half of 2023. That was followed by a 70% drop during the latter half of the year, during which we also saw fewer organizations detecting ransomware variants.
However, this shift isn’t a cause for celebration. In our 2024 threat predictions report, we forecasted that adversaries looking for bigger payouts would turn their attention to critical sectors. This prediction came to fruition in 2H 2023: We witnessed a shift away from the traditional “spray and pray” ransomware strategy, with cybercriminals taking a more targeted approach and asking for higher ransom demands. Industrial organizations—including energy, healthcare, manufacturing, transportation, and automotive—experienced almost half (44%) of all ransomware and wiper detections in the second half of the year.
Our FortiGuard Labs team monitors an array of globally deployed sensors that collect trillions of threat events worldwide each day. This unique vantage point gives us a detailed view of the threat landscape, including how exploit, malware, and botnet trends change.
Exploitation activity captured by the FortiGuard Intrusion Prevention System (IPS) sensors running on our FortiGate Next-Generation Firewalls offers us visibility into how threat actors find vulnerabilities, exploit their targets, and build malicious infrastructure. Not surprisingly, IoT devices were popular targets, with attackers exploiting everything from firewalls to routers during the year’s second half.
After threat actors find an exploitable vulnerability, their next step is often to deploy malware. Samples picked up by our various anti-malware solutions give us a better understanding of popular adversary tools, like JS/ScrInject and JS/Cryxos. Outside of these two consistently prevalent strains, four other malware families caught our attention in 2H 2023: AndroxGh0st, Apache ActiveMQ ransomware, Lazarus RATs, and Agent Tesla.
Once infected with malware, systems often attempt to communicate with remote hosts to download additional payloads, establish command and control channels, and open backdoors into the environment. Botnet insights are vital to understanding the full scope of an attack. While we consistently see activity among Gh0st, Mirai, and ZeroAccess, we identified several new botnets to watch, including Prometei and DarkGate.
In each threat landscape report, we aim to determine how long it takes for a vulnerability to move from initial release to exploitation and whether vulnerabilities with a high Exploit Prediction Scoring System (EPSS) score are exploited faster.
For the new exploits identified, attacks occurred an average of 4.76 days after discovery, which is 43% faster than the time-to-exploitation observed in 1H 2023. This underscores the need to use EPSS as an early warning system, as well as the importance of prioritizing patching efforts to mitigate the vulnerabilities most likely to be exploited.
In 2022, we introduced the concept of the “red zone,” which helps security practitioners better understand how likely (or unlikely) it is that threat actors will exploit a specific vulnerability. We aim to help security teams prioritize their remediation efforts, focusing on the vulnerabilities that present the most significant risk.
The good news is that only a fraction (<1%) of all published vulnerabilities were exploited in 2H 2023. However, when it comes to vulnerabilities, remember that what’s “old” is still new in the eyes of many attackers. We continue to see threat actors exploiting vulnerabilities over 15 years old, and nearly all organizations (98%) have detected exploits in their environments that have been in attackers’ toolboxes for at least five years.
APT groups continue to be highly adaptable to changes in the digital landscape and are increasingly stealthy, carefully planning and executing their attacks. Based on intelligence from FortiRecon, we observed 38 of the 143 APT groups (27%) identified by MITRE as being active during the second half of the year. Of those, Lazarus Group, Kimusky, APT28, APT29, Andariel, and OilRig were the most active.
While much of our telemetry shows us what actions attackers have taken previously, darknet intelligence helps us anticipate what adversaries may do next. In the last six months of 2023, threat actors discussed targeting organizations within the financial services industry most often, followed by the business services and education sectors. More than 20 significant zero days were shared on the dark web, and over 850,000 payment cards were advertised for sale. The most publicly active threat actors across the dark web were Valerka, Punktir, CoreLab, XXXX, and qwer.
Disrupting cybercrime requires a culture of collaboration, transparency, and accountability on a larger scale than possible with each entity working independently. Cybersecurity vendors have a crucial role to play in this endeavor.
Join us at RSA Conference 2024 to learn more about the importance of driving responsible transparency across the industry during the session, “No More Secrets in Cybersecurity: Implementing Radical Transparency.” This discussion will feature renowned experts from organizations such as the Cyber Threat Alliance, the Cybersecurity and Infrastructure Security Agency (CISA), Fortinet, and the Former Undersecretary of the Department of Homeland Security.
The latest Global Threat Landscape Report represents the collective intelligence of FortiGuard Labs, drawn from Fortinet’s vast array of sensors collecting billions of threat events observed worldwide during the second half of 2023. The FortiGuard Labs Global Threat Landscape Report uses the MITRE ATT&CK framework to describe how threat actors find vulnerabilities, build malicious infrastructure, and exploit their targets. The report covers global and regional perspectives.
Download your copy of the 2H 2023 FortiGuard Labs Threat Landscape Report now.