WatchGuard Technologies released findings from its most recent Internet Security Report, detailing the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q4 2022. While key findings from the data showed declines in network-detected malware, endpoint ransomware increased a startling 627%, and malware associated with phishing campaigns continued to be a persistent threat.
Despite seeing an overall decline in malware, further analysis from WatchGuard Threat Lab researchers looking at Fireboxes that decrypt HTTPS (TLS/SSL) traffic found a higher incidence of malware, indicating malware activity has shifted to encrypted traffic. Since just ~20% of Fireboxes that provide data for this report have decryption enabled, this indicates that the vast majority of malware is going undetected. Encrypted malware activity has been a recurring theme in recent Threat Lab reports.
"A continuing and concerning trend in our data and research shows that encryption - or, more accurately, the lack of decryption at the network perimeter - is hiding the full picture of malware attack trends," said Corey Nachreiner, chief security officer at WatchGuard. "It is critical for security professionals to enable HTTPS inspection to ensure these threats are identified and addressed before they can do damage."
Other key findings from the Q4 Internet Security Report include:
- Endpoint ransomware detections rose 627%. This spike highlights the need for ransomware defenses such as modern security controls for proactive prevention, as well as good disaster recovery and business continuity (backup) plans.
- 93% of malware hides behind encryption. Threat Lab research continues to indicate that most malware hides in the SSL/TLS encryption used by secured websites. Q4 continues that trend with a rise from 82% to 93%. Security professionals who don't inspect this traffic are likely missing most malware and placing a greater onus on endpoint security to catch it.
- Network-based malware detections dropped approximately 9.2% quarter over quarter during Q4. This continues a general decline in malware detections over the last two quarters. But as mentioned, when considering encrypted web traffic, malware is up. The Threat Lab team believes this declining trend may not illustrate the full picture and needs more data that leverages HTTPS inspection to confirm this contention.
- Endpoint malware detections increased 22%. While network malware detections fell, endpoint detections rose in Q4. This supports the Threat Lab team's hypothesis of malware shifting to encrypted channels. At the endpoint, TLS encryption is less of a factor, as the browser decrypts it for Threat Lab's endpoint software to see. Among the leading attack vectors, most detections were associated with scripts, which constituted 90% of all detections. In browser malware detections, threat actors targeted Internet Explorer the most with 42% of the detections, followed by Firefox with 38%.
- Zero-day or evasive malware has dropped to 43% in unencrypted traffic. Though still a significant percentage of overall malware detections, it's the lowest the Threat Lab team has seen in years. That said, the story changes completely when looking at TLS connections: 70% of malware over encrypted connections evades signatures.
- Phishing campaigns have increased. Three of the malware variants seen in the report's top 10 list (some also showing on the widespread list) assist in various phishing campaigns. The most-detected malware family, JS.Agent.UNS, contains malicious HTML that directs users to legitimate-sounding domains that masquerade as well-known websites. Another variant, Agent.GBPM, creates a SharePoint phishing page titled "PDF Salary_Increase," which attempts to access account information from users. The last new variant in the top 10, HTML.Agent.WR, opens a fake DHL notification page in French with a login link that leads to a known phishing domain. Phishing and business email compromise (BEC) remain among the top attack vectors, so make sure you have both the right preventative defenses and security awareness training programs to defend against them.
- ProxyLogon exploits continue to grow. An exploit for this well-known, critical Exchange issue rose from eighth place in Q3 to fourth place last quarter. It should have been patched long ago, but if not, security professionals must know attackers are targeting it. Old vulnerabilities can be as useful to attackers as new ones if they're able to achieve a compromise. Additionally, many attackers continue to target Microsoft Exchange Servers or management systems. Organizations must be aware and know where to put their efforts into defending these areas.
- Network attack volume is flat quarter over quarter. Technically, it increased by 35 hits, which is just a 0.0015% increase. The slight change is remarkable, as the next smallest change was 91,885 from Q1 to Q2 2020.
- LockBit remains a prevalent ransomware group and malware variant. The Threat Lab team continues to see LockBit variants often, as this group appears to have the most success breaching companies (through their affiliates) with ransomware. While down from the previous quarter, LockBit again had the most public extortion victims, with 149 tracked by the WatchGuard Threat Lab (compared to 200 in Q3). Also in Q4, the Threat Lab team detected 31 new ransomware and extortion groups.
WatchGuard's quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab's research efforts. The company's Unified Security Platform approach is uniquely designed for managed service providers to deliver world-class security. In Q4, WatchGuard blocked a total of more than 15.7 million malware variants (194 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q4 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.
For a more in-depth view of WatchGuard's research, read the complete Q4 2022 Internet Security Report.