WatchGuard Technologies released its latest quarterly
Internet Security Report, detailing the top
malware trends, and network and endpoint security threats analyzed by
WatchGuard Threat Lab researchers in Q3 2022. Key
findings from the data reveal the quarter's top malware threat was detected
exclusively over encrypted connections, ICS attacks are maintaining popularity,
LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat
engine is delivering a malicious payload, and much more.
"We
can't emphasize enough how important it is for HTTPS inspection to be enabled,
even if it requires some tuning and exceptions to do properly. The majority of
malware arrives over encrypted HTTPS, and not inspecting it means you're missing
those threats," said Corey Nachreiner, chief security officer at WatchGuard
Technologies. "Rightfully so, the big prizes for attackers like an Exchange
server or a SCADA management system deserve extraordinary attention as well
this quarter. When a patch is available, it's important to update immediately,
as attackers will eventually benefit from any organization that has yet to
implement the latest patch."
Other key findings from the Q3 Internet Security Report include:
- The vast majority of malware
arriving over encrypted connections - Although Agent.IIQ placed third in the normal top 10
malware list this quarter, it landed in the #1 spot at the top of the
encrypted malware list for Q3. In fact, if you look at the detections for
it on both of these lists, you'll see all Agent.IIQ detections come from
encrypted connections. In
Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it
detected was through that encrypted connection, leaving only a meager 18%
detected without encryption. If you're not inspecting encrypted traffic on
your Firebox, it's very likely that this average ratio remains true, and
you are missing a huge portion of malware. Hopefully, you at least have
endpoint protection implemented for a chance to catch it further down the
cyber kill chain.
- ICS
and SCADA systems remain trending attack targets - New
to the top 10 network attacks list this quarter is a SQL injection-type
attack that affected several vendors. One of these companies is Advantech,
whose WebAccess portal is used for SCADA systems across a variety of
critical infrastructure. Another serious exploit in Q3, which also
appeared in the top five network attacks by volume, involved Schneider
Electric's U.motion Builder software versions 1.2.1 and prior. This is a
stark reminder that attackers aren't quietly waiting for an opportunity -
rather, they are actively seeking system compromise wherever possible.
- Exchange
server vulnerabilities continuing to pose risk - The
most recent CVE among the Threat Lab's new signatures this quarter, CVE-2021-26855,
is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability
affecting on-premises servers. It carries a CVSS score of 9.8 and is known
to have been exploited in the wild. The date and severity of
CVE-2021-26855 should also ring a bell: it is one of the vulnerabilities
exploited by the group HAFNIUM. While most Exchange servers affected by it have
likely been patched by now, most does not equate to all, so the risk
remains.
- Threat
actors targeting seekers of free software - Fugrafa
is a downloader that fetches malware which injects malicious code. This quarter, the Threat
Lab examined a sample of it found in a cheat engine for the
popular game Minecraft. While the file, shared primarily on Discord, claims
to be the Minecraft cheat engine Vape V4 Beta, that's not all it contains. Agent.FZUW has some similarities
to Variant.Fugrafa, but instead of arriving through a cheat engine,
the file itself pretends to be cracked software. The Threat Lab
discovered that this particular sample has connections with Raccoon Stealer, an
information-stealing campaign used to hijack account information from
cryptocurrency exchange services.
- LemonDuck
malware evolving beyond cryptominer delivery - Even
with a dip in total blocked or tracked malware domains for the third
quarter of 2022, it is easy to see that attacks on unsuspecting users are
still high. With three new additions to the top malware domains list - two
of which were former LemonDuck malware domains, and the other classified as
an Emotet domain - Q3 saw more malware and attempted malware sites
on newly registered domains than usual. This trend will shift along
with the turmoil in the cryptocurrency landscape as attackers look for other venues
to trick users. Keeping DNS protection enabled lets you monitor and
block connections to such domains before an unsuspecting user lets malware or
other serious issues into your organization.
- JavaScript
obfuscation in exploit kits -
Signature 1132518, a generic signature for detecting JavaScript
obfuscation attacks against browsers, was the only new addition to the
most-widespread network attack signatures list this quarter. JavaScript is
a common vector for attacking users, and threat actors use JavaScript-based
exploit kits all the time - in malvertising, watering hole and phishing
attacks, just to name a few. As the defensive fortifications of browsers
have improved, so has attackers' ability to obfuscate malicious JavaScript
code to evade them.
- Anatomy
of commoditized adversary-in-the-middle attacks - While
multi-factor authentication (MFA) is undeniably the single best technology
you can deploy to protect against the bulk of authentication attacks, it
is not on its own a silver bullet against all attack vectors. Cyber
adversaries have made this clear with the rapid rise and commoditization
of adversary-in-the-middle (AitM) attacks, and the Threat Lab's deep dive
on EvilProxy, the top security incident of Q3, shows just how malicious
actors are beginning to pivot to more sophisticated AitM techniques. Like
the Ransomware as a Service offerings made popular in recent years, the
September 2022 release of an AitM toolkit called EvilProxy has
significantly lowered the barrier to entry for what was previously a
sophisticated attack technique. From a defensive standpoint, successfully
combatting this kind of AitM attack requires a mix of both
technical tools and user awareness.
- A
malware family with Gothic Panda ties - The
Threat Lab's Q2 2022 report described how Gothic Panda, a state-sponsored
threat actor connected to China's Ministry of State Security, was known to
use one of the top malware detections from that quarter. Interestingly,
the top encrypted malware list for Q3 includes a malware family called
Taidoor, which was not only created by Gothic Panda but has only been seen
used by Chinese government cyber actors. While this malware typically
focuses on targets in Japan and Taiwan, the Generic.Taidoor sample
analyzed this quarter was found primarily targeting organizations in
France, suggesting that some Fireboxes in this region may have detected
and blocked parts of a state-sponsored cyberattack.
- New
ransomware and extortion groups in the wild - Additionally
this quarter, the Threat Lab is excited to announce a new, concerted
effort to track current ransomware extortion groups and build out its
threat intelligence capabilities to provide more ransomware-related
information in future reports. LockBit tops the list for Q3 with over 200
public extortions on its dark web page - nearly four times more than
Black Basta, the second most prolific ransomware group WatchGuard
observed this quarter.
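The report notes that a generic signature for obfuscated JavaScript entered the most-widespread network attack list, without describing how such detection works. The following is an added illustration, not WatchGuard's signature 1132518 and not code from the report: a small heuristic scorer that flags the traits commodity exploit kits typically leave behind (hex-escaped strings, `_0x`-style identifiers, `eval`/`fromCharCode`-family calls, high entropy, very long lines). Both input scripts are constructed for the example, and the thresholds are assumptions chosen to separate them, not tuned values.

```python
"""Heuristic scorer for obfuscated JavaScript.

Added example. The indicators and thresholds below are assumptions for
illustration, not the logic of any vendor signature.
"""
import math
import re
from collections import Counter

# Constructed sample: an ordinary, readable script.
PLAIN_JS = """
function greet(name) {
  var msg = "Hello, " + name;
  document.getElementById("out").textContent = msg;
}
greet("world");
"""

# Constructed sample in the style of a kit-obfuscated loader: a hex-escaped
# string table, _0x identifiers, eval() and String.fromCharCode().
OBFUSCATED_JS = (
    'var _0x4a2b=["\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74","\\x77\\x72\\x69\\x74\\x65"];'
    'eval(String.fromCharCode(119,105,110,100,111,119)+"["+_0x4a2b[0]+"]["+_0x4a2b[1]+'
    '"](\\"x\\")");'
)

SUSPICIOUS_CALLS = re.compile(r"\b(eval|unescape|fromCharCode|atob|Function)\b")
HEX_ESCAPES = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
HEX_IDENTS = re.compile(r"\b_0x[0-9a-fA-F]{3,}\b")


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded payloads push this up."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_js(src: str) -> dict:
    """Return the raw indicators, an integer score and a verdict string."""
    n = max(len(src), 1)
    lines = src.splitlines() or [src]
    ind = {
        "entropy": shannon_entropy(src),
        "escape_density": len(HEX_ESCAPES.findall(src)) * 100 / n,  # escapes per 100 chars
        "suspicious_calls": len(SUSPICIOUS_CALLS.findall(src)),
        "hex_identifiers": len(HEX_IDENTS.findall(src)),
        "max_line_len": max(len(line) for line in lines),
    }
    score = 0
    if ind["entropy"] > 4.8:          # assumed threshold
        score += 1
    if ind["escape_density"] > 2.0:   # assumed threshold
        score += 1
    if ind["suspicious_calls"] >= 2:
        score += 1
    if ind["hex_identifiers"] >= 1:
        score += 1
    if ind["max_line_len"] > 500:     # minified-and-packed one-liners
        score += 1
    ind["score"] = score
    ind["verdict"] = "suspicious" if score >= 2 else "benign"
    return ind


if __name__ == "__main__":
    for label, src in (("plain", PLAIN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(label, score_js(src))
```

Note that the obfuscated sample hides the strings `document` and `write` behind escapes, so a detector that only looks for literal dangerous names misses them; that is why the scorer combines several weak indicators rather than relying on any one, and why a real signature needs exceptions for legitimately minified frameworks.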
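The AitM item above states that a proxy like EvilProxy defeats conventional MFA but does not show the mechanics. The following is an added simulation, not code from the report or from EvilProxy: a stand-in identity provider, a phishing proxy that relays the victim's password and TOTP code in real time and keeps the resulting session cookie, and a second login path that binds the authenticator's signature to the origin the browser actually saw (the property FIDO2/WebAuthn relies on). All hostnames, credentials and keys are constructed, and the device key is an HMAC stand-in rather than a real public-key credential.

```python
"""Simulated adversary-in-the-middle (AitM) phishing proxy.

Added example with constructed data. LegitimateSite, AitMProxy and Victim are
hypothetical; the HMAC "device key" stands in for a FIDO authenticator's
private key so the script runs offline.
"""
import hashlib
import hmac
import json
import secrets


class LegitimateSite:
    """Stand-in for the real identity provider (constructed hostname)."""
    ORIGIN = "https://login.example.com"

    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "totp": "123456"}}  # constructed
        self.device_keys = {"alice": b"alice-authenticator-key"}           # constructed
        self.sessions = {}

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login(self, user, password, totp):
        """Password + TOTP: the server cannot tell who forwarded the request."""
        u = self.users.get(user)
        if not u or u["password"] != password or u["totp"] != totp:
            return None
        return self._issue_session(user)

    def webauthn_login(self, user, client_data, signature):
        """Origin-bound login: the signed clientData carries the browser's origin."""
        key = self.device_keys[user]
        expected = hmac.new(key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        if json.loads(client_data)["origin"] != self.ORIGIN:
            return None  # signature is valid but was made for a look-alike domain
        return self._issue_session(user)


class AitMProxy:
    """Phishing site on a look-alike domain that relays to the real site."""
    ORIGIN = "https://login-example.com"  # constructed look-alike

    def __init__(self, upstream):
        self.upstream = upstream
        self.loot = []

    def login(self, user, password, totp):
        cookie = self.upstream.login(user, password, totp)  # relayed live, TOTP still valid
        if cookie:
            self.loot.append({"user": user, "password": password, "session": cookie})
        return cookie  # victim gets a working session and sees nothing wrong

    def webauthn_login(self, user, client_data, signature):
        return self.upstream.webauthn_login(user, client_data, signature)


class Victim:
    def __init__(self, device_key):
        self.device_key = device_key

    def sign(self, origin, challenge):
        # The browser, not the page, fills in the origin it is connected to.
        client_data = json.dumps({"origin": origin, "challenge": challenge}).encode()
        return client_data, hmac.new(self.device_key, client_data, hashlib.sha256).digest()


def run_password_totp_scenario():
    """True if the proxy ends up holding a cookie the real site accepts."""
    site, proxy = LegitimateSite(), None
    proxy = AitMProxy(site)
    cookie = proxy.login("alice", "hunter2", "123456")
    stolen = proxy.loot[0]["session"] if proxy.loot else None
    return cookie is not None and site.sessions.get(stolen) == "alice"


def run_webauthn_scenario():
    """True if the proxied origin-bound login fails while the direct one succeeds."""
    site = LegitimateSite()
    proxy = AitMProxy(site)
    victim = Victim(site.device_keys["alice"])
    challenge = secrets.token_hex(8)
    data, sig = victim.sign(proxy.ORIGIN, challenge)  # browser embeds the phishing origin
    via_proxy = proxy.webauthn_login("alice", data, sig)
    data, sig = victim.sign(site.ORIGIN, challenge)
    direct = site.webauthn_login("alice", data, sig)
    return via_proxy is None and direct is not None


if __name__ == "__main__":
    print("password+TOTP stolen via AitM:", run_password_totp_scenario())
    print("origin-bound login resists AitM:", run_webauthn_scenario())
```

The point the simulation makes is that a relayed one-time code is indistinguishable from a legitimate one at the server, so the technical control has to bind the credential to the origin; user awareness then covers the remaining cases, such as a victim approving a push prompt for a session they did not start.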
WatchGuard's
quarterly research reports are based on anonymized Firebox Feed data from
active WatchGuard Fireboxes whose owners have opted to share data in direct
support of the Threat Lab's research efforts. In Q3, WatchGuard blocked a total
of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional
malware and network trends from Q3 2022, recommended security strategies,
critical defense tips for businesses of all sizes and in any sector, and more.
For
a detailed view of WatchGuard's research, read the complete Q3 2022 Internet
Security Report here.