Once used primarily by search engines, automated bots now account for nearly two-thirds of all internet traffic. This is according to new research by Barracuda, a trusted partner and leading provider of cloud-enabled security solutions, which found that bad bots – which carry out a range of malicious activities including web and price scraping, inventory hoarding, account takeover attacks, distributed denial of service (DDoS) attacks, and more – now account for a staggering 40% of all internet traffic.

“While some bots like search engine crawlers are good, our research shows that a much larger number of bots are dedicated to carrying out malicious activities at scale,” said Nitzan Miron, VP of Product Management, Application Security, Barracuda. “When left unchecked, these bad bots can have serious consequences for businesses and ultimately lead to a breach. That’s why it’s critically important to be prepared to detect and block these attacks.”

Over the last year, owing to lockdowns and a growing emphasis by organisations on offering digital services, consumer’s utilisation of online shopping and other online services has skyrocketed. Attackers have been quick to attempt to exploit this popularity and Barracuda’s researcher found that eCommerce applications and login portals are now most targeted by advanced persistent bots.

While the internet activity of bad bots now exceeds that of humans, attackers have been developing these automated programs in a manner that mimics human activity. Most notably, Barracuda’s research found that bad bot behaviour peaks during work hours, closely mirroring trends in human internet utilisation. This is in sharp contrast to good bots that aren’t trying to circumvent security defences and therefore maintain traffic rates that are fairly constant throughout the day.

Though the rise of the public cloud has had an undeniably positive impact, it has also empowered cybercriminals. Barracuda’s research shows that most bot traffics now comes for the two large public cloud providers – AWS and Microsoft Azure – in roughly equal measure.

According to a report released today by Honeywell, USB-based threats that can severely impact business operations increased significantly during a disruptive year when the usage of removable media and network connectivity also grew. Data from the 2021 Honeywell Industrial USB Threat Report indicates that 37% of threats were specifically designed to utilize removable media, which almost doubled from 19% in the 2020 report.

The research also highlights that 79% of cyber threats originating from USB devices or removable media could lead to critical business disruption in the operational technology (OT) environment.  At the same time, there was a 30% increase in the use of USB devices in production facilities last year, highlighting the growing dependence on removable media.

The report was based on aggregated cybersecurity threat data from hundreds of industrial facilities globally during a 12-month period. Along with USB attacks, research shows a growing number of cyber threats including remote access, Trojans, and content-based malware have the potential to cause severe disruption to industrial infrastructure.

“USB-borne malware was a serious and expanding business risk in 2020, with clear indications that removable media has become part of the playbook used by attackers, including those that employ ransomware,” said Eric Knapp, engineering fellow and director of cybersecurity research for Honeywell Connected Enterprise. “Because USB-borne cyber intrusions have become so effective, organizations must adopt a formal program that addresses removable media and protects against intrusions to avoid potentially costly downtime.”

Many industrial and OT systems are air-gapped or cut off from the internet to protect them from attacks. Intruders are using removable media and USB devices as an initial attack vector to penetrate networks and open them up to major attacks. Knapp says hackers are loading more advanced malware on plug-in devices to directly harm their intended targets through sophisticated coding that can create backdoors to establish remote access. Hackers with remote access can then command and control the targeted systems.

The 2021 report includes data from Honeywell’s Secure Media Exchange (SMX) technology, which is designed to scan and control USB drives and removable media. To reduce the risk of USB-related threats, Honeywell recommends that organizations utilize several layers of OT cybersecurity software products and services such as Honeywell’s Secure Media Exchange (SMX), the Honeywell Forge Cybersecurity Suite, people training and process changes.

Honeywell’s Secure Media Exchange (SMX) provides advanced threat detection for critical infrastructure by monitoring, better protecting, and logging the use of removable media throughout industrial facilities. The Honeywell Forge Cybersecurity Suite can monitor for vulnerabilities such as open ports or the presence of USB security controls to strengthen endpoint and network security, while also ensuring better cybersecurity compliance.

Fortinet has announced the latest semiannual FortiGuard Labs Global Threat Landscape Report. Threat intelligence from the first half of 2021 demonstrates a significant increase in the volume and sophistication of attacks targeting individuals, organizations, and increasingly critical infrastructure. The expanding attack surface of hybrid workers and learners, in and out of the traditional network, continues to be a target. Timely collaboration and partnership momentum across law enforcement, as well as public and private sectors, is an opportunity to disrupt the cybercriminal ecosystem going into the second half of 2021.

Ransomware Is About Much More Than Just Money
FortiGuard Labs data shows average weekly ransomware activity in June 2021 was more than tenfold higher than levels from one year ago. This demonstrates a consistent and overall steady increase over a year period. Attacks crippled the supply chains of multiple organizations, in particular sectors of critical importance, and impacted daily life, productivity, and commerce more than ever before.

Organizations in the telecommunications sector were the most heavily targeted followed by government, managed security service providers, automotive, and manufacturing sectors. In addition, some ransomware operators shifted their strategy away from email-initiated payloads to focusing on gaining and selling initial access into corporate networks further showing the continued evolution of Ransomware-as-a-Service (RaaS) fueling cybercrime.

A key takeaway is that ransomware remains a clear and present danger for all organizations regardless of industry or size. Organizations need to take a proactive approach with real-time endpoint protection, detection, and automated response solutions to secure environments along with a zero-trust access approach, network segmentation, and encryption.

One in Four Organizations Detected Malvertising
Ranking the prevalence of top malware detections by malware families shows a rise in deceptive social engineering malvertising and scareware. More than one in four organizations detected malvertising or scareware attempts with Cryxos being a notable family. Although, a large volume of the detections is likely combined with other similar JavaScript campaigns that would be considered malvertising.

The hybrid work reality has undoubtedly encouraged this trend in tactics by cybercriminals as they attempt to exploit it, aiming for not just a scare but also extortion. Increased cybersecurity awareness is important as ever to provide timely training and education to help avoid falling victim to scareware and malvertising tactics.

Botnet Trends Show Attackers Push to the Edge
Tracking the prevalence of botnet detections showed a surge inactivity. At the beginning of the year, 35% of organizations detected botnet activity of one sort or another, and six months later it was 51%. A large bump in TrickBot activity is responsible for the overall spike in botnet activity during June.

TrickBot originally emerged on the cybercrime scene as a banking trojan but has since been developed into a sophisticated and multi-stage toolkit supporting a range of illicit activities. Mirai was the most prevalent overall; it overtook Gh0st in early 2020 and has reigned ever since well into 2021.

Mirai has continued adding new cyberweapons to its arsenal, but it is likely that Mirai’s dominance at least still partially stems from criminals seeking to exploit Internet-of-Things (IoT) devices used by work-from-home or learning-from-home individuals. Gh0st is also noticeably active, which is a remote access botnet that allows attackers to take full control of the infected system, capture live webcam and microphone feeds, or download files.

More than a year into remote work and learning shifts, cyber adversaries continue to target our evolving daily habits to exploit the opportunity. To protect networks and applications, organizations need zero-trust access approaches to provide the least access privileges to secure against IoT endpoints and devices entering the network.

Disruption of Cybercrime Shows Reduced Threat Volumes
In cybersecurity, not every action has an immediate or lasting effect, but several events in 2021 show positive developments specifically for defenders. The original developer of TrickBot was arraigned on multiple charges in June. Also, the coordinated takedown of Emotet, one of the most prolific malware operations in recent history, as well as actions to disrupt the Egregor, NetWalker, and Cl0p ransomware operations represent significant momentum by cyber defenders, including global governments and law enforcement to curb cybercrime.

In addition, the level of attention that some attacks garnered spooked a few ransomware operators to announce they were ceasing operations. FortiGuard Labs’ data showed a slowdown of threat activity following the Emotet takedown. Activity related to TrickBot and Ryuk variants persisted after the Emotet botnet was taken offline, but it was at a reduced volume. This is a reminder of how hard it is to eradicate cyber threats or adversary supply chains immediately, but these events are important achievements regardless.

Defensive Evasion and Privilege Escalation Techniques Favored by Cybercriminals
Studying higher resolution threat intelligence reveals valuable takeaways about how attack techniques are evolving currently. FortiGuard Labs analyzed the specific functionality inherent to detected malware by detonating the samples to observe what the intended outcome was for cyber adversaries.

The result was a list of negative things malware would have accomplished if the attack payloads had been executed in target environments. This shows cyber adversaries sought to escalate privileges, evade defenses, move laterally across internal systems, and exfiltrate compromised data, among other techniques. For example, 55% of observed privilege escalation functionality leveraged hooking, and 40% utilized process injection.

A takeaway is that there is an obvious focus on defense evasion and privilege escalation tactics. Although these techniques are not novel, defenders will be better positioned to secure against future attacks, armed with this timely knowledge. Integrated and artificial intelligence (AI)-driven platform approaches, powered by actionable threat intelligence, are essential to defend across all edges and to identify and remediate shifting threats organizations face today in real-time.

Derek Manky, Chief, Security Insights and Global Threat Alliances, FortiGuard Labs, said, “We are seeing an increase in effective and destructive cyberattacks affecting thousands of organizations in a single incident creating an important inflection point for the war on cybercrime. Now more than ever, everyone has an important role in strengthening the kill chain. Aligning forces through collaboration must be prioritized to disrupt cybercriminal supply chains. Shared data and partnership can enable more effective responses and better predict future techniques to deter adversary efforts. Continued cybersecurity awareness training, as well as AI-powered prevention, detection, and response technologies integrated across endpoints, networks, and the cloud, remain vital to counter cyber adversaries.”

While government and law enforcement agencies have taken actions relative to cybercrime in the past, the first half of 2021 could be a game-changer in terms of the momentum for the future. They are working with industry vendors, threat intelligence organizations, and other global partnership organizations to combine resources and real-time threat intelligence to take direct action against cyber adversaries.

Regardless, automated threat detection and AI remain essential to enable organizations to address attacks in real-time and to mitigate attacks at speed and scale across all edges. In addition, cybersecurity user awareness training is as important as ever with anyone being a target of cyberattacks. Everyone needs regular instruction on best practices to keep individual employees and the organization secure.