WatchGuard Threat Lab Report Finds Endpoint Malware Volumes Decreasing Despite Campaigns Growing More Expansive
ย
Key findings from the research also show a rise in double-extortion attacks, self-managed websites targeted for malware delivery, threat actors continuing to exploit older software vulnerabilities, and more
ย
Sydney โ Oct. 6, 2023 โย WatchGuardยฎ Technologies, a global leader in unified cybersecurity, today announced the findings of its latestย Internet Security Report, detailing the top malware trends and network and endpoint security threats analysed by WatchGuard Threat Lab researchers. Key findings from the research include 95% of malware now arriving over encrypted connections, a decrease in endpoint malware volumes despite campaigns growing more widespread, ransomware detections on the decline amid a rise in double-extortion attacks, older software vulnerabilities persisting as popular targets for exploit among modern threat actors, and more.
โThe data analysed by our Threat Lab for our latest report reinforces how advanced malware attacks fluctuate in occurrence and multifaceted cyber threats continue to evolve, requiring constant vigilance and a layered security approach to combat them effectively,โ said Corey Nachreiner, chief security officer at WatchGuard. โThere is no single strategy that threat actors wield in their attacks and certain threats often present varying levels of risk at different times of the year. Organisations must continually be on alert to monitor these threats and employ a unified security approach, which can be administered effectively by managed service providers, for their best defense.โ
Among the most notable findings, the latest Internet Security Report featuring data from Q2 2023 showed:
- Ninety-five percent of malware hides behind encryption.ย Most malware lurks behind SSL/TLS encryption used by secured websites. Organizations that donโt inspect SSL/TLS traffic at the network perimeter are likely missing most malware. Furthermore, zero day malware dropped to 11% of total malware detections, an all-time low. However, when inspecting malware over encrypted connections, the share of evasive detections increased to 66%, indicating attackers continue to deliver sophisticated malware primarily via encryption.
- Total endpoint malware volume is down slightly, though widespread malware campaigns increased.ย There was a slight 8% decrease in endpoint malware detections in Q2 compared to the previous quarter. However, when looking at endpoint malware detections caught by 10 to 50 systems or 100 or more systems, these detections increased in volume by 22% and 21%, respectively. The increased detections among more machines indicate that widespread malware campaigns grew from Q1 to Q2 of 2023.
- Double-extortion attacks from ransomware groups increased 72% quarter over quarter,ย as the Threat Lab noted 13 new extortion groups. However, the rise in double-extortion attacks occurred as ransomware detections on endpoints declined 21% quarter over quarter and 72% year over year.
- Six new malware variants in the Top 10 endpoint detections.ย Threat Lab saw a massive increase of detections of the compromised 3CX installer, accounting for 48% of the total detection volume in the Q2 Top 10 list of malware threats. Furthermore, Glupteba, a multi-faceted loader, botnet, information stealer, and cryptominer that targets victims seemingly indiscriminately worldwide, made a resurgence in early 2023 after being disrupted in 2021.
- Threat actors increasingly leverage Windows living off-the-land binaries to deliver malware.ย In analysing attack vectors and how threat actors gain access in endpoints, attacks that abused Windows OS tools like WMI and PSExec grew 29%, accounting for 17% of all total volume, while malware that used scripts like PowerShell dropped 41% in volume. Scripts remain the most common malware delivery vector, accounting for 74% of detections overall. Browser-based exploits declined 33% and account for 3% of the total volume.
- Cybercriminals continue to target older software vulnerabilities.ย Threat Lab researchers found three new signatures in the Top 10 network attacks for Q2 based on older vulnerabilities. One was a 2016 vulnerability associated with an open-source learning management system (GitHub) that was retired in 2018. Others were a signature that catches integer overflows in PHP, the scripting language used by many websites, and a 2010 buffer overflow and HP management application, called Open View Network Node Manager.
- Compromised domains at WordPress blogs and link-shortening service.ย In researching malicious domains, the Threat Lab team encountered instances of self-managed websites (such as WordPress blogs) and a domain-shortening service that were compromised to host either malware or malware command and control framework. Additionally, Qakbot threat actors had compromised a website dedicated to an educational contest in the Asia Pacific region to host command and control infrastructure for their botnet.
Consistent withย WatchGuardโsย Unified Security Platformยฎ approachย and the WatchGuard Threat Labโs previous quarterly research updates, the data analysed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuardโs research efforts.
The Q2 2023 report continues the rollout of the Threat Lab teamโs updated methods to normalise, analyse, and present the report findings, which began in last quarterโs report. The network security results are presented as โper deviceโ averages, and this month the updated methodologies extend to the Threat Labโs network attack and endpoint malware research.
For a more in-depth view of WatchGuardโs research, read the complete Q2 2023 Internet Security Reportย here.
About WatchGuard Technologies, Inc.
WatchGuardยฎ Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platformยฎ approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the companyโs award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visitย WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), onย Facebook, or on theย LinkedIn Companyย page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them atย www.secplicity.org.ย Subscribe to The 443 โ Security Simplified podcastย atย Secplicity.org, or wherever you find your favorite podcasts.
WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are property of their respective owners.