One cybersecurity firm’s own protection ecosystem showed a 70% drop in ransomware detections, offset by faster, more targeted exploitation of vulnerabilities
A cybersecurity firm has published its findings for the second half (H2) of 2023, drawn from its globally deployed sensors, which collect data on trillions of threat events daily across its protection ecosystem.
First, the H2 data showed that attackers were 43% faster than in H1 at capitalizing on newly publicized vulnerabilities.
Second, 41% of the incidents analyzed involved exploits detected by signatures less than one month old, and 98% involved N-day vulnerabilities that had existed for at least five years. Some threat actors were exploiting vulnerabilities more than 15 years old.
Third, less than 9% of all known endpoint vulnerabilities had been targeted by attackers. In the firm’s H2 2023 data, only 0.7% of all common vulnerabilities and exposures observed on endpoints were actually under attack, indicating that the portion of the attack surface being actively exploited was far smaller than the full set of known vulnerabilities, which gives security teams a narrower set to prioritize.
Other findings
The H2 data also showed the following trends:
- 44% of all ransomware and wiper samples in H2 2023 had targeted the industrial sectors. Compared to H1 data, ransomware detections had dropped by 70%. The theory is that attackers had shifted away from the traditional “spray and pray” strategy to more of a targeted approach in H2, focusing largely on the energy, healthcare, manufacturing, transportation and logistics, and automotive industries.
- In H2, botnets took an average of 85 days to cease command-and-control (C2) communications after first detection. Compared to H1 botnet data, bot traffic had remained steady, with three new entrants emerging: AndroxGh0st, Prometei, and DarkGate.
- Threat intelligence data indicates that 38 of the 143 advanced persistent threat (APT) groups tracked by MITRE were observed to be active during H2 2023. Of those, Lazarus Group, Kimsuky, APT28, APT29, Andariel, and OilRig were the most active.
- On the Dark Web, threat actors in H2 most often discussed targeting organizations in the finance industry, followed by the business services and education sectors. Details of more than 3,000 data breaches and 221 vulnerabilities had been shared on prominent Dark Web forums in H2, and 237 vulnerabilities had been discussed on Telegram channels. Finally, the data showed that details of over 850,000 payment cards had been advertised for sale in H2.
According to Rashish Pandey, Vice President, Marketing and Communications (Asia & ANZ) at Fortinet, the firm disclosing its H2 2023 analytics, organizations can build resilient and future-proof cybersecurity defenses even as threats become more sophisticated, provided they “consolidate security tools, enhance operational efficiency, and enable rapid adaptation to emerging threats.”