WatchGuard Technologies announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers. Key findings from the research include 95% of malware now arriving over encrypted connections, a decrease in endpoint malware volumes despite campaigns growing more widespread, ransomware detections on the decline amid a rise in double-extortion attacks, older software vulnerabilities persisting as popular targets for exploit among modern threat actors, and more.
"The data analyzed by our Threat Lab for our latest report reinforces how advanced malware attacks fluctuate in occurrence and multifaceted cyber threats continue to evolve, requiring constant vigilance and a layered security approach to combat them effectively," said Corey Nachreiner, chief security officer at WatchGuard. "There is no single strategy that threat actors wield in their attacks and certain threats often present varying levels of risk at different times of the year. Organizations must continually be on alert to monitor these threats and employ a unified security approach, which can be administered effectively by managed service providers, for their best defense."
Among the most notable findings, the latest Internet Security Report, featuring data from Q2 2023, showed:
- Ninety-five percent of malware hides behind encryption. Most malware lurks behind the SSL/TLS encryption used by secured websites, so organizations that don't inspect SSL/TLS traffic at the network perimeter are likely missing most malware. Furthermore, zero-day malware dropped to 11% of total malware detections, an all-time low. However, when inspecting malware over encrypted connections, the share of evasive detections increased to 66%, indicating that attackers continue to deliver sophisticated malware primarily via encryption.
- Total endpoint malware volume is down slightly, though widespread malware campaigns increased. There was a slight 8% decrease in endpoint malware detections in Q2 compared to the previous quarter. However, when looking at endpoint malware detections caught by 10 to 50 systems or 100 or more systems, these detections increased in volume by 22% and 21%, respectively. The increased detections among more machines indicate that widespread malware campaigns grew from Q1 to Q2 of 2023.
- Double-extortion attacks from ransomware groups increased 72% quarter over quarter, as the Threat Lab noted 13 new extortion groups. However, the rise in double-extortion attacks occurred as ransomware detections on endpoints declined 21% quarter over quarter and 72% year over year.
- Six new malware variants in the Top 10 endpoint detections. Threat Lab saw a massive increase in detections of the compromised 3CX installer, accounting for 48% of the total detection volume in the Q2 Top 10 list of malware threats. Furthermore, Glupteba, a multi-faceted loader, botnet, information stealer, and cryptominer that targets victims seemingly indiscriminately worldwide, made a resurgence in early 2023 after being disrupted in 2021.
- Threat actors increasingly leverage Windows living-off-the-land binaries to deliver malware. In analyzing attack vectors and how threat actors gain access to endpoints, attacks that abused Windows OS tools like WMI and PsExec grew 29%, accounting for 17% of total volume, while malware that used scripts like PowerShell dropped 41% in volume. Scripts remain the most common malware delivery vector, accounting for 74% of detections overall. Browser-based exploits declined 33% and account for 3% of the total volume.
- Cybercriminals continue to target older software vulnerabilities. Threat Lab researchers found three new signatures in the Top 10 network attacks for Q2 based on older vulnerabilities. One was a 2016 vulnerability associated with an open-source learning management system (GitHub) that was retired in 2018. The others were a signature that catches integer overflows in PHP, the scripting language used by many websites, and a 2010 buffer overflow in an HP management application, HP OpenView Network Node Manager.
- Compromised domains at WordPress blogs and a link-shortening service. In researching malicious domains, the Threat Lab team encountered instances of self-managed websites (such as WordPress blogs) and a domain-shortening service that were compromised to host either malware or a malware command-and-control framework. Additionally, Qakbot threat actors had compromised a website dedicated to an educational contest in the Asia Pacific region to host command-and-control infrastructure for their botnet.
Consistent with WatchGuard's Unified Security Platform approach and the WatchGuard Threat Lab's previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard's research efforts.
The Q2 2023 report continues the rollout of the Threat Lab team's updated methods to normalize, analyze, and present the report findings, which began in last quarter's report. The network security results are presented as "per device" averages, and this quarter the updated methodologies extend to the Threat Lab's network attack and endpoint malware research.
For a more in-depth view of WatchGuard's research, read the complete Q2 2023 Internet Security Report here.