WatchGuard Threat Lab Report Shows Rise in Threat Actors Exploiting Remote Access Software
Notable findings from the research also show an 89% increase in endpoint ransomware attacks and a decline in malware arriving over encrypted connections.
Posted: Thursday, Dec 07
  • KBI.Media
  • $
  • WatchGuard Threat Lab Report Shows Rise in Threat Actors Exploiting Remote Access Software
WatchGuard Threat Lab Report Shows Rise in Threat Actors Exploiting Remote Access Software

SEATTLE – Dec. 6, 2023 – WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats analysed by WatchGuard Threat Lab researchers. Key findings from the data show increasing instances of remote access software abuse, the rise of cyber adversaries using password-stealers and info-stealers to thieve valuable credentials, and threat actors pivoting from utilising scripting to employing other living-off-the-land techniques to initiate an endpoint attack.

“Threat actors continue using different tools and methods in their attack campaigns, making it critical for organisations to keep abreast of the latest tactics to fortify their security strategy,” said Corey Nachreiner, chief security officer at WatchGuard. “Modern security platforms that include firewalls and endpoint protection software can deliver enhanced protection for networks and devices. But when it comes to attacks that employ social engineering tactics, the end user becomes the last line of defence between malicious actors and their success in infiltrating an organisation. It’s important for organisations to provide social engineering education as well as adopt a unified security approach that provides layers of defence, which can be administered effectively by managed service providers.”

Among the key findings, the latest Internet Security Report featuring data from Q3 2023 showed:

Threat actors increasingly use remote management tools and software to evade anti-malware detection, which both the FBI and CISA have acknowledged. For instance, in researching the top phishing domains, the Threat Lab observed a tech support scam that would result in a victim downloading a pre-configured, unauthorised version of TeamViewer, which would allow an attacker full remote access to their computer.

Medusa ransomware variant surges in Q3, driving endpoint ransomware attacks to increase 89%. On the surface, endpoint ransomware detections appeared down in Q3. Yet the Medusa ransomware variant, which emerged in the Top 10 malware threats for the first time, was detected with a generic signature from the Threat Lab’s automated signature engine. When factoring in the Medusa detections, ransomware attacks rose 89% quarter over quarter.

Threat actors pivot from using script-based attacks and increasingly employ other living-off-the-land techniques. Malicious scripts declined as an attack vector by 11% in Q3 after dropping by 41% in Q2. Still, script-based attacks remain the largest attack vector, accounting for 56% of total attacks, and scripting languages like PowerShell are often used in living-off-the-land attacks. Alternatively, Windows living-off-the-land binaries increased 32%. These findings indicate to Threat Lab researchers that threat actors continue to utilise multiple living-off-the-land techniques, likely in response to more protections around PowerShell and other scripting. Living-off-the-land attacks make up the most endpoint attacks.

Malware arriving over encrypted connections declined to 48%, meaning just under half of all malware detected came via encrypted traffic. This figure is notable because it is down considerably from previous quarters. Overall, total malware detections increased by 14%.

An email-based dropper family that delivers malicious payloads comprised four of the Top 5 encrypted malware detections in Q3. All but one of the variants in the Top 5 contained the dropper family named Stacked, which arrives as an attachment in an email spear phishing attempt. Threat actors will send emails with malicious attachments that appear to come from a known sender and claim to include an invoice or important document for review, aiming to trick end users into downloading malware. Two of the Stacked variants – Stacked.1.12 and Stacked.1.7 – also appeared in the Top 10 malware detections.

Commoditised malware emerges. Among the top malware threats, a new malware family, Lazy.360502, made the Top 10 list. It delivers the adware variant 2345explorer as well as the Vidar password stealer. This malware threat connected to a Chinese website that provided a credential stealer and appeared to operate like a “password stealer as a service,” where threat actors could pay for stolen credentials, illustrating how commoditized malware is being used.

Network attacks saw a 16% increase in Q3. ProxyLogon was the number-one vulnerability targeted in network attacks, comprising 10% of all network detections in total.

Three new signatures appeared in the Top 50 network attacks. These included a PHP Common Gateway Interface Apache vulnerability from 2012 that would result in a buffer overflow. Another was A Microsoft .NET Framework 2.0 vulnerability from 2016 that could result in a denial-of-service attack. There was also a SQL injection vulnerability in Drupal, the open-source CMS, from 2014. This vulnerability allowed attackers to remotely exploit Drupal without any need for authentication.

Consistent with WatchGuard’s Unified Security Platform® approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analysed in this quarterly report is based on anonymised, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.

For a more in-depth view of WatchGuard’s research, read the complete Q3 2023 Internet Security Report here:





About WatchGuard Technologies, Inc.

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at Subscribe to The 443 – Security Simplified podcast at, or wherever you find your favorite podcasts.

WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are property of their respective owners.

Share This