FortiGuard Labs has identified a significant increase in the volume and sophistication of attacks targeting individuals, organizations, and increasingly critical infrastructure. It also revealed that operational technology (OT) environments may not get the same attention as IT, but their connection to the physical world means they can impact lives, reflecting the significance of the role that OT plays in organizational frameworks.
The report, titled ‘2021 Mid-Year Global Threat Landscape Report’, gathers threat intelligence from the first six months of this year and documents a noticeable increase in the volume and sophistication of attacks targeting individuals, organizations, and increasingly critical infrastructure. The expanding attack surface of hybrid workers and learners, in and out of the traditional network, continues to be a target.
FortiGuard Labs has documented steady interest from threat actors in identifying OT vulnerabilities and then building them into various exploit tools that lower the cost of attack. The result is that ‘script kiddies’ are at least as likely to find exposed OT devices as APT (advanced persistent threat) groups focused explicitly on exploiting unprotected and unpatched ICS (industrial control systems). FortiGuard Labs is the threat intelligence and research organization at Fortinet.
Until recently, OT networks functioned as isolated, air-gapped environments, meaning cybersecurity was not a top priority. Exploits against SCADA (supervisory control and data acquisition) or ICS environments were viewed by many as a rare subset of highly-targeted attacks that most organizations needn’t concern themselves with, the report highlighted.
In light of modern threats, FortiGuard Labs plotted IPS (intrusion prevention system) detections according to their prevalence and volume. The data shows that while IT-related exploits are more numerous and exhibit greater prevalence and volume, the relatively high level of exploitation targeting OT may surprise many, shattering the perception that ICS exploits are an obscure niche of the cyber threat landscape.
This recalibration of perception is critical, given how new business demands and aging infrastructure are chipping away at the historical partitions separating OT and IT and leading to increased convergence of these networks, FortiGuard Labs said.
“We are seeing an increase in effective and destructive cyberattacks affecting thousands of organizations in a single incident creating an important inflection point for the war on cybercrime,” Derek Manky, Chief, Security Insights & Global Threat Alliances at FortiGuard Labs, said in a press statement. “Now more than ever, everyone has an important role in strengthening the kill chain. Aligning forces through collaboration must be prioritized to disrupt cybercriminal supply chains,” he added.
“We’ve had numerous reminders of that connection so far in 2021 through ransomware and other attacks aimed at industrial environments. We analyze detected exploits targeting industrial control systems (ICS) and demonstrate that OT sits higher on the attacker radar than you might think,” according to the FortiGuard Labs report.
ICS detections during the first half of the year showed increasing prevalence and volume of exploits targeting Wind River VxWorks systems. The real-time operating system (RTOS) platform is deployed in ICS-related devices across several sectors, including communications, critical manufacturing, energy, healthcare and public health, transportation systems, and water and wastewater systems, and has a history of high-profile vulnerabilities, including a slew of them identified by Rapid7 in 2010 and the more recent ‘Urgent/11’ disclosed by Armis Labs in 2019.
Armis published an update on Urgent/11 last December, claiming that 97 percent of the OT devices impacted by Urgent/11 had not been patched. It is possible that this served to grab the attention of would-be attackers, resulting in a surge of reconnaissance activity probing for those vulnerabilities, the FortiGuard Labs report said.
“That theory is supported by the fact that one of the most prevalent detections indicates attempted scans to ascertain the version number of VxWorks. While not particularly threatening in and of itself, that reconnaissance likely targets additional known flaws in the VxWorks TCP/IP stack, several of which have RCE potential,” it added.
Timely collaboration and partnership momentum across law enforcement, as well as public and private sectors, will help to disrupt the cybercriminal ecosystem going into the second half of 2021, the report said.