VMblog Expert Interview: WatchGuard Details Key Findings and Trends from its Recent Internet Security Report


WatchGuard recently announced new findings from its most recent quarterly Internet Security Report, detailing the top malware trends and network security threats analyzed by WatchGuard Threat Lab researchers.
The research also showed Log4Shell detections tripled, PowerShell scripts heavily influenced a surge in endpoint attacks, the Emotet botnet came back in a big way, and malicious cryptomining activity increased.

To dig in deeper, VMblog reached out to Corey Nachreiner, CSO at WatchGuard.

VMblog:  What are some of the consistent themes, topics, and takeaways from your most recent Internet Security Report?  

Corey Nachreiner:  Here are the biggest threat themes/trends from our Q1 report:
  • While malware and network attacks and exploits were down a bit quarter-over-quarter (QoQ), they continue to rise year-over-year (YoY), and network-based malware detection seems to have returned to pre-pandemic levels, suggesting that some people have returned to the office.
  • We continue to see most malware evade signature-based detection and arrive via encrypted channels.
  • Endpoint ransomware detection has significantly increased during Q1 after dropping for the past two quarters in a row. We believe this is due to a combination of opportunistic attackers (LockBit group) spamming more ransomware lures via email.
  • Emotet has returned, as we expected. While authorities did a great job taking down the C2 infrastructure of the primary Emotet group about a year ago, malware code tends to spread underground, so we are not surprised that new groups have created and released new Emotet variants.
  • Malware threat actors are increasingly focusing on living-off-the-land (LotL) attack techniques using malicious PowerShell scripts. 88% of malware starts with a malicious script, and over 99% of that uses PowerShell specifically. We believe attackers are using these LotL techniques (using legit programs and binaries to do malicious things) because they evade many legacy antivirus products that aren't designed to find good programs doing bad actions.

As far as some takeaways to go with these trends:

  • Signature-based AV is not sufficient. It would help if you had more proactive malware detection that uses machine learning and/or behavioral analysis to catch the latest threats; also, leverage Endpoint Detection and Response (EDR) solutions to catch LotL attacks.
  • Harden PowerShell. Many settings can help you limit PowerShell to certain users and scripts, thus preventing some of these PowerShell attacks. Check out one of Microsoft or another third party's PowerShell hardening guides (links in the report).

VMblog:  What were some of the biggest shifts, increases, or decreases in the previous quarter?

Nachreiner:  The most significant shift is likely the vast increase in ransomware detections. It had been dropping considerably for the previous two quarters but shot up to three times the volume this quarter. In the first quarter of the year, we have already seen and prevented 80% of the ransomware that we detected for the full year 2021.

VMblog:  Log4Shell recently made its debut on the top 10 network attack list. What makes this emerging threat so serious? And what should security teams know about this growing threat? 

Nachreiner:  Log4Shell was a very serious attack because:

  • It had the worst severity with a CVSS score of 10, meaning full, privileged code execution remotely, relatively easily.
  • It was an easy vulnerability to exploit, with many proof-of-concept (PoC) exploits available in public for anyone to get and try.
  • It is a ubiquitous package found in many hardware and software products. Many people who don't even know what Log4j is may not realize they have it in other software or hardware products they may use.

The critical thing security teams need to know is that they need to patch it ASAP (assuming they didn't during the end of Q4).

This may be a slightly harder challenge in that they may not realize all the places they might have it. While it's easy to find the Log4j install you did yourself, many products use this package, and you may not know which ones do. If a vendor of one of your software or hardware products uses it, they should have informed you last December. You can also find sites listing all the known products that used Log4j.
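The inventory problem described above (Log4j embedded in products you did not install yourself) is one a script can help with. The following is an added example, not code from the report or from WatchGuard: it walks the given directories, opens every JAR/WAR/EAR as a zip archive, and reports archives that carry the Log4j 2 core package, the version string from the embedded Maven `pom.properties`, and whether the `JndiLookup` class (the component removed in the mitigation guidance for Log4Shell) is present. The root paths are assumptions; nested archives inside a WAR and relocated ("shaded") package names are not handled, so vendor notices remain the authoritative source.

```powershell
# Added example (not from WatchGuard's report): inventory Java archives that
# embed Log4j 2 and show whether the JndiLookup class is still inside them.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-Log4jArchives {
    param(
        # Directories to walk; the defaults below are assumptions for this example.
        [string[]] $Roots = @('C:\Program Files', 'C:\Program Files (x86)')
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.jar, *.war, *.ear -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_          # keep the file object; $_ changes meaning inside catch
            $zip  = $null
            try {
                $zip     = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                $entries = @($zip.Entries | Select-Object -ExpandProperty FullName)

                # Only archives that carry the Log4j 2 core package are of interest here.
                $hasCore = @($entries | Where-Object { $_ -like 'org/apache/logging/log4j/core/*' }).Count -gt 0
                if ($hasCore) {
                    $jndiPresent = $entries -contains 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

                    # Version comes from the Maven metadata that log4j-core ships in its JAR.
                    $version = 'unknown'
                    $pom = $zip.Entries | Where-Object {
                        $_.FullName -eq 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'
                    } | Select-Object -First 1
                    if ($pom) {
                        $reader = New-Object System.IO.StreamReader($pom.Open())
                        try   { $text = $reader.ReadToEnd() }
                        finally { $reader.Dispose() }
                        if ($text -match '(?m)^version=(.+)$') { $version = $Matches[1].Trim() }
                    }

                    [pscustomobject]@{
                        Path              = $file.FullName
                        Log4jVersion      = $version
                        JndiLookupPresent = $jndiPresent
                    }
                }
            } catch {
                Write-Warning "Could not read $($file.FullName): $($_.Exception.Message)"
            } finally {
                if ($zip) { $zip.Dispose() }
            }
        }
    }
}

# Usage: list every hit, with archives that still contain JndiLookup first.
Find-Log4jArchives | Sort-Object JndiLookupPresent -Descending | Format-Table -AutoSize
```

Run it with an account that can read the application directories; on servers hosting Java applications, add their deployment folders to `-Roots`. A hit with `JndiLookupPresent = True` and an old version string is the case to escalate to the vendor or patch, while a modern version with the class absent matches the published fix.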

VMblog:  Emotet saw law enforcement disruption efforts in early 2021, but your report still shows that it's a viable and active threat. Can you touch on the current status of Emotet and what to be aware of?

Nachreiner:  Essentially, the return of Emotet is no surprise, and the current status of the threat is new groups have taken underground code and resurrected new variants of this older botnet.

Realize that these new variants are slightly different, and they probably have several different command and control (C2) infrastructures run by different groups. In short, threat actors often sell their source code, binaries, or platforms to other groups on the underground, or they leak. So, while the world might think of Emotet as an instance of malware from one group, which the authorities took down, the reality is other groups tend to get their hands on the code and re-use it themselves.

We see this Emotet resurgence as those new groups bringing up their versions based on the original. 

VMblog:  PowerShell scripts have been leading the charge in endpoint attacks. While these are the clear choice for attackers, what evolution have you seen in these attacks? And where should teams be focusing? 

Nachreiner:  PowerShell is all about helping launch Living-off-the-Land (LotL), or fileless, malware attacks. Traditional malware has a unique malicious binary (file on your system) that it uses to do bad things, and it also writes registry entries or other things to help that binary start.

However, many AV products are good at looking for these bad files and registry entries. What if an attacker could use legitimate programs to do all the bad stuff malware does, without leaving any new files on your computer? That is essentially what LotL attacks are. PowerShell is perfectly legitimate and, as its name suggests, very powerful. Admins can and do use it to do anything on corporate computers and networks that the user could, and thus it's very powerful to attackers. Since it's legitimate, you can't just block all PowerShell.

Essentially, threat actors use it to evade traditional defenses that don't monitor PowerShell. There are also many open-source and publicly available PowerShell exploit frameworks that have pre-built code and functions to do bad stuff, like PowerSploit.

In short, malicious PowerShell can evade old defenses, and the underground has plenty of exploit code out there so that less technical cybercriminals don't need to reinvent the wheel. IT and security teams need to be sure to harden their Windows global PowerShell settings to make it harder for attackers to use it.

Also, adopt EDR, which typically can detect LotL techniques, including malicious PowerShell. 
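Both the "harden PowerShell" takeaway earlier in the interview and the answer above leave the concrete settings to the hardening guides linked in the report. As an added example, not from WatchGuard or the report, the script below applies the baseline logging policies that those guides commonly recommend (script block logging, module logging and transcription, all under the standard `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell` policy keys), removes the Windows PowerShell 2.0 engine, which has none of that logging, and then pulls the recent script-block events (Event ID 4104) so that a defender can see what the logging captures. The transcript directory is an assumption chosen for the example; in a domain the same values would normally be pushed through Group Policy rather than set per host.

```powershell
# Added example (not from WatchGuard's report): apply baseline PowerShell logging
# policy, remove the unlogged v2 engine, and review recent script-block events.
# Run from an elevated PowerShell session.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumption: directory picked for this example

    # Script block logging records the de-obfuscated text of every script block
    # as Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

    # Module logging records pipeline execution details (Event ID 4103) for every module.
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

    # Transcription writes a full text record of each interactive session to disk.
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
}

function Disable-PowerShellV2 {
    # The 2.0 engine predates all of the logging above, so leaving it installed
    # gives anyone on the box a way to run PowerShell that the logs never see.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
}

function Get-RecentScriptBlocks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.UserId
            Script = $_.Properties[2].Value   # index 2 holds ScriptBlockText in 4104 events
        }
    }
}

Enable-PowerShellLogging
Disable-PowerShellV2
Get-RecentScriptBlocks -Hours 24 | Select-Object -First 20 | Format-List
```

The 4104 events are what an EDR or SIEM rule consumes to spot encoded commands, download cradles and the other patterns the interview associates with LotL attacks; forward that log off the host so an intruder cannot clear it locally. Restricting which users and scripts may run (Constrained Language Mode enforced through AppLocker or WDAC) is the next step in the hardening guides and is not shown here.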

VMblog:  Cryptomining has been a safety concern for some time, and we saw an increase from Q1 to Q2. What are some key concerns with crypto mining, and how is the threat evolving? 

Nachreiner:  Cryptomining has plateaued and doesn't seem to be the primary focus of threat actors. That said, cybercriminals want to monetize in any way they can, so adding a cryptomining payload is a no-brainer to any bot herder or trojan master, even if it doesn't have a high return. To the victim, the key concern is losing performance.

This attack doesn't steal their data or directly threaten them, but it can eat all your computer resources when you need them. Long term, the heat generated can lower the lifespan of your hardware too.

As mentioned, attackers are not making much money with this anymore, so it's not their focus. Cryptocurrency has dropped significantly, and the time and resources required to mine even a little have exploded. So, they are not making a ton of money from this.

That said, if I control a botnet with two hundred thousand computers, it takes zero effort to install a crypto miner on all of them and thus make a little more profit slowly. I don't think we will see much growth in cryptomining in the next year; it will stick around at the same levels as it is today since it's easy, but it is more of a side hustle for the cybercriminal.

VMblog:  Businesses still face a wide range of unique network attacks, and the report details its highest count since 2019. What does this increase indicate for businesses?

Nachreiner:  Your perimeter, whether at the office or in the cloud, is not dead. You still need network server protection, and you need to patch. Attackers have automated mass scanning of the internet, and if they find a server that hasn't been patched, they'll pop it. Make sure to patch and use IPS. 

VMblog:  Are there any other key takeaways from this past quarter or predictions for your upcoming quarterly report? 

Nachreiner:  That pretty much covers the main points. I suspect we will see ransomware continue to grow and evasive malware increase in Q2, and we look forward to sharing those results. 


Published Friday, July 22, 2022 7:31 AM by David Marshall