WatchGuard Technologies announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers. Key findings from the data show increasing instances of remote access software abuse, the rise of cyber adversaries using password-stealers and info-stealers to steal valuable credentials, and threat actors pivoting from scripting to other living-off-the-land techniques to initiate an endpoint attack.
"Threat actors continue using different tools and methods in their attack campaigns, making it critical for organizations to keep abreast of the latest tactics to fortify their security strategy," said Corey Nachreiner, chief security officer at WatchGuard. "Modern security platforms that include firewalls and endpoint protection software can deliver enhanced protection for networks and devices. But when it comes to attacks that employ social engineering tactics, the end user becomes the last line of defense between malicious actors and their success in infiltrating an organization. It's important for organizations to provide social engineering education as well as adopt a unified security approach that provides layers of defense, which can be administered effectively by managed service providers."
Among the key findings, the latest Internet Security Report, featuring data from Q3 2023, showed:
- Threat actors increasingly use remote management tools and software to evade anti-malware detection, which both the FBI and CISA have acknowledged. For instance, in researching the top phishing domains, the Threat Lab observed a tech support scam that would result in a victim downloading a pre-configured, unauthorized version of TeamViewer, which would allow an attacker full remote access to their computer.
- Medusa ransomware variant surges in Q3, driving endpoint ransomware attacks to increase 89%. On the surface, endpoint ransomware detections appeared down in Q3. Yet the Medusa ransomware variant, which emerged in the Top 10 malware threats for the first time, was detected with a generic signature from the Threat Lab's automated signature engine. When factoring in the Medusa detections, ransomware attacks rose 89% quarter over quarter.
- Threat actors pivot from using script-based attacks and increasingly employ other living-off-the-land techniques. Malicious scripts declined as an attack vector by 11% in Q3 after dropping by 41% in Q2. Still, script-based attacks remain the largest attack vector, accounting for 56% of total attacks, and scripting languages like PowerShell are often used in living-off-the-land attacks. Meanwhile, abuse of Windows living-off-the-land binaries increased 32%. These findings indicate to Threat Lab researchers that threat actors continue to utilize multiple living-off-the-land techniques, likely in response to more protections around PowerShell and other scripting. Living-off-the-land attacks account for the largest share of endpoint attacks.
- Malware arriving over encrypted connections declined to 48%, meaning just under half of all malware detected came via encrypted traffic. This figure is notable because it is down considerably from previous quarters. Overall, total malware detections increased by 14%.
- An email-based dropper family that delivers malicious payloads comprised four of the Top 5 encrypted malware detections in Q3. All but one of the variants in the Top 5 contained the dropper family named Stacked, which arrives as an attachment in an email spear phishing attempt. Threat actors will send emails with malicious attachments that appear to come from a known sender and claim to include an invoice or important document for review, aiming to trick end users into downloading malware. Two of the Stacked variants, Stacked.1.12 and Stacked.1.7, also appeared in the Top 10 malware detections.
- Commoditized malware emerges. Among the top malware threats, a new malware family, Lazy.360502, made the Top 10 list. It delivers the adware variant 2345explorer as well as the Vidar password stealer. This malware threat connected to a Chinese website that provided a credential stealer and appeared to operate like a "password stealer as a service," where threat actors could pay for stolen credentials, illustrating how commoditized malware is being used.
- Network attacks saw a 16% increase in Q3. ProxyLogon was the number-one vulnerability targeted in network attacks, comprising 10% of all network detections in total.
- Three new signatures appeared in the Top 50 network attacks. These included a PHP Common Gateway Interface vulnerability in Apache from 2012 that would result in a buffer overflow. Another was a Microsoft .NET Framework 2.0 vulnerability from 2016 that could result in a denial-of-service attack. There was also a SQL injection vulnerability in Drupal, the open-source CMS, from 2014. This vulnerability allowed attackers to remotely exploit Drupal without any need for authentication.
Consistent with WatchGuard's Unified Security Platform approach and the WatchGuard Threat Lab's previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard's research efforts.
For a more in-depth view of WatchGuard's research, read the complete Q3 2023 Internet Security Report here: https://www.watchguard.com/wgrd-resource-center/security-report-q3-2023.