WatchGuard analyzes commercial Adversary-in-the-Middle attacks, JavaScript-based exploit kits and Gothic Panda-related malware in the Internet Security Report Q3 (ISR). The biggest threats were only sent over HTTPS encrypted connections.
Just before the end of the year, WatchGuard Technologies published its latest Internet Security Report (ISR). As usual, it describes in detail the most important malware trends and the attack methods currently being used against networks and endpoints. The findings of the WatchGuard Threat Lab researchers show that the top malware threat for the third quarter of 2022 was sent exclusively over encrypted connections.
Attackers exploit HTTPS
Attacks on ICS and SCADA systems have also increased. Computer gamers are at risk too, because a malicious payload was discovered in a Minecraft cheat engine. The ISR also contains a variety of other information and examples illustrating the current threat situation.
“We cannot stress enough the importance of inspecting HTTPS connections: Organizations should definitely enable the appropriate security feature, even if it requires some adjustments and exception rules, because the majority of malware comes via encrypted HTTPS. If this attack vector is left unchecked, the door is wide open to threats of all kinds,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “More attention should also be paid to Exchange servers or SCADA management systems. As soon as a patch is available for these, it is important to apply this update immediately and update the application. Attackers benefit from any company that has not yet fixed vulnerabilities.”
Key Findings from the Q3 Internet Security Report
The vast majority of malware comes through encrypted connections
Although the Agent.IIQ malware ranked only third in the regular top 10 malware list for the July-September 2022 period, it ended up #1 in the encrypted malware lineup, because all Agent.IIQ detections were found in HTTPS connections. As the analyses show, 82 percent of all malware came via encrypted connections and only 18 percent unencrypted. If HTTPS traffic is not inspected on the Firebox, there is a high probability that a large part of the malware will go undetected. In that case, companies can only hope that effective endpoint protection is in place so that they at least have a chance of intercepting the malware at a later stage of the so-called cyber kill chain.
ICS and SCADA systems continue to be popular targets for attacks
New to the list of the ten most common network attacks in the third quarter of 2022 is an SQL injection attack that hit several vendors at once. One such company is Advantech, whose WebAccess portal provides access to SCADA systems in a variety of critical infrastructures. Another major attack in Q3, which also made the top 5 network threats, affected Schneider Electric's U.motion Builder software, version 1.2.1 and earlier. This is a clear indication that attackers are still actively attempting to compromise such systems wherever possible.
Vulnerabilities in Exchange servers continue to pose a risk
The most recent CVE-listed vulnerability in the Threat Lab's detections (CVE-2021-26855) is a Remote Code Execution (RCE) vulnerability affecting on-premises Microsoft Exchange Server. This RCE vulnerability, which received a CVSS score of 9.8, is known to have been exploited. The date and severity of this vulnerability also make one sit up and take notice, as it was exploited by the HAFNIUM group. While most of the affected Exchange servers have probably been patched by now, some are still vulnerable and at risk.
Threat actors targeting free software users
The Fugrafa Trojan downloads malware that injects malicious code. In Q3 2022, WatchGuard analysts investigated a variant found in a cheat engine for the popular game Minecraft. The file, which was mainly shared on Discord, pretends to be the Minecraft Cheat Engine Vape V4 Beta, but that is not all it contains. Agent.FZUW shares some similarities with Variant.Fugrafa; however, instead of installing via a cheat engine, the file itself appears to contain cracked software. In this particular case, there were also connections to Raccoon Stealer, a cryptocurrency hacking campaign used to steal account information from cryptocurrency services.
LemonDuck malware is now more than a cryptominer
Although the number of blocked or tracked malware domains decreased in Q3 2022, it is easy to see that the number of attacks targeting unsuspecting users remains high. With three new additions to the top malware domains list, two belonging to former LemonDuck malware domains and the third a domain classified as Emotet, there were more new malware sites than usual. This trend is expected to intensify further in the cryptocurrency landscape as attackers look for new ways to fool users. An effective countermeasure is active protection at the DNS level, which can monitor users' systems and prevent attackers from introducing malware or other serious problems into the company.
JavaScript obfuscation in exploit kits
Signature 1132518 - an indicator of JavaScript obfuscation attacks on browsers - was the only new addition to the list of the most common network attack signatures. JavaScript has long been a common attack vector, and cybercriminals have consistently used JavaScript-based exploit kits, including for malvertising and phishing attacks. As browser defenses improve, attackers are stepping up their efforts to obfuscate malicious JavaScript code.
Anatomy of Standardized Adversary-in-the-Middle Attacks
Multi-factor authentication (MFA) is undeniably an immensely important measure in IT security, but it is not a panacea. The best example of this is the rapid rise and commercialization of Adversary-in-the-Middle (AitM) attacks. The Threat Lab's investigation shows how malicious actors are migrating to increasingly sophisticated AitM techniques. Similar to the increasingly popular ransomware-as-a-service offerings, the release of the AitM toolkit called EvilProxy in September 2022 has significantly lowered the barrier to entry for such sophisticated attacks. The only way to defend against them is through a combination of technical tools and raising user awareness.
Malware family related to Gothic Panda
Gothic Panda, a cyberespionage group with close ties to the Chinese Ministry of State Security, was already mentioned in the Threat Lab's report for the second quarter of 2022. Interestingly, the top list of encrypted malware for the third quarter includes a malware family called Taidoor, which was not only developed by Gothic Panda but has also been used only by attackers of Chinese origin. While the related malware has typically focused on targets in Japan and Taiwan to date, the Generic.Taidoor sample analyzed was mostly found targeting organizations in France, possibly a clear indication of a specific, state-sponsored cyberattack.
New ransomware and extortionist groups in the wild
From now on, the WatchGuard Threat Lab is devoting even more effort to detecting ransomware activity. To this end, its underlying threat intelligence capabilities have been specifically expanded. In the third quarter of 2022, LockBit tops the list with over 200 relevant incidents, almost four times more than the ransomware group Basta, which was the second most talked about from July to September 2022.
WatchGuard's quarterly research reports are based on de-identified Firebox Feed data from active WatchGuard Fireboxes whose owners have chosen to share data in direct support of the Threat Lab's research. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report details other malware and network trends for Q3 2022, recommended security strategies, top defense tips for organizations of all sizes and industries, and more.
More at WatchGuard.com
About WatchGuard: WatchGuard Technologies is one of the leading providers in the field of IT security. The extensive product portfolio ranges from highly developed UTM (Unified Threat Management) and next-generation firewall platforms to multi-factor authentication and technologies for comprehensive WLAN protection and endpoint protection, as well as other specific products and intelligent services relating to IT security. More than 250,000 customers worldwide rely on the sophisticated protection mechanisms at enterprise level,