Fortinet warns swarm cyberattacks on IoT devices

IoT devices are being targeted by new swarm cyberattacks. (Credit: chombosan/iStockPhoto)

Cybercriminals are implementing newer swarm-like capabilities while simultaneously targeting multiple vulnerabilities, devices, and access points, according to the latest Global Threat Landscape Report released by Fortinet this week.

The report showed that IoT devices are the target of these swarm cyberattacks. Three of the top 20 attacks that had been identified zeroed in on these internet-connected devices, with exploit activity quadrupling against devices like Wi-Fi cameras. None of these detections were associated with a known or named CVE, which is one of the troubling aspects of vulnerable IoT devices.

In addition, unlike previous attacks, which focused on exploiting a single vulnerability, new IoT botnets such as Reaper and Hajime can target multiple vulnerabilities simultaneously.

“This multi-vector approach is much harder to combat. Reaper’s flexible framework means that, rather than the static, pre-programmed attacks of previous IoT exploits, Reaper’s code is easily updated to swarm faster by running new and more malicious attacks as they become available,” said Phil Quade, chief information security officer, Fortinet

Demonstrating its swarm abilities, exploit volume associated with Reaper exhibited a jump from 50,000 to 2.7 million over a few days before dropping back to normal.

According to Fortinet, fighting swarm attacks requires integrated security. Over the next couple of years, the attack surface will continue to expand while visibility and control over today’s infrastructures diminish.

“To address the problems of speed and scale by adversaries, organizations need to adopt strategies based on automation and integration,” Quade said. “Security should operate at digital speeds by automating responses as well as applying intelligence and self-learning so that networks can make effective and autonomous decisions.”

Attacks per firm increased by 82%

The latest Fortinet report also showed an average of 274 exploit detections per firm were detected, which is a significant increase of 82% over the previous quarter. The number of malware families also increased by 25% and unique variants grew by 19%.

The data not only indicates growth in volume, but also an evolution of the malware as well. In addition, encrypted traffic using HTTPS and SSL grew as a percentage of total network traffic to a high of nearly 60% on average.

While encryption can certainly help protect data in motion as it moves between core, cloud, and endpoint environments, it also represents a real challenge for traditional security solutions.

“The volume, sophistication, and variety of cyber threats continue to accelerate with the digital transformation of our global economy,” Quade said. “Cybercriminals have become emboldened in their attack methods as they undergo a similar transformation, and their tools are now in the hands of many.”

Other findings of the reports include:

  • Ransomware Still Prevalent: Several strains of ransomware topped the list of malware variants. Locky was the most widespread malware variant and GlobeImposter followed as the second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. In addition, there was a shift on the darknet from only accepting Bitcoin for payment to other forms of digital currency such as Monero.
  • Cryptocurrency Mining on the Rise: Crypto-mining malware increased, which seems to be intertwined with the changing price of Bitcoin. Cybercriminals recognize the growth in digital currencies and are using a trick called cryptojacking to mine cryptocurrencies on computers using CPU resources in the background without a user knowing. Cryptojacking involves loading a script into a web browser, nothing is installed or stored on the computer.
  • Sophisticated Industrial Malware: An uptick in exploit activity against industrial control systems (ICS) and safety instrumental systems (SIS) suggests these under-the-radar attacks might be climbing higher on attackers’ radar. 

An example is an attack codenamed Triton. It is sophisticated in nature and has the ability to cover its tracks by overwriting the malware itself with garbage data to thwart forensic analysis. Because these platforms affect vital critical infrastructures, they are enticing for threat actors. Successful attacks can cause significant damage with far-reaching impact.

  • Attack Variety: Steganography is an attack that embeds malicious code in images. It’s an attack vector that has not had much visibility over the past several years, but it appears to be on the resurgence.

The Sundown exploit kit uses steganography to steal information, and while it has been around for some time, it was reported by more organizations than any other exploit kit. It was found dropping multiple ransomware variants.

Read more on