HTTPS insecurity: Malware uses encrypted connections

WatchGuard analyzes commercial Adversary-in-the-Middle attacks, JavaScript-based exploit kits and Gothic Panda-related malware in its Internet Security Report Q3 (ISR). The biggest threats were delivered exclusively over HTTPS-encrypted connections.

Just before the end of the year, WatchGuard Technologies published its latest Internet Security Report (ISR). As usual, it describes in detail the most important malware trends and the currently relevant attack methods against networks and endpoints. The findings of the WatchGuard Threat Lab researchers show that the top malware threat of the third quarter of 2022 was delivered exclusively over encrypted connections.

Attackers exploit HTTPS

Attacks on ICS and SCADA systems have also increased. Computer gamers are also at risk because a malicious payload was discovered in a Minecraft cheat engine. The ISR also contains a variety of other information and examples of the current threat situation.

“We cannot stress enough the importance of inspecting HTTPS connections: Organizations should definitely enable the appropriate security feature - even if it requires some adjustments and exception rules. Because the majority of malware comes via encrypted HTTPS. If this attack vector is left unchecked, threats of all kinds are wide open,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “More attention should also be paid to Exchange servers or SCADA management systems. As soon as a patch is available for these, it is important to apply this update immediately and update the application. Attackers benefit from any company that has not yet fixed vulnerabilities.”

Key Findings from the Q3 Internet Security Report

Findings of the Internet Security Report Q3 (ISR) (Image: WatchGuard).

The vast majority of malware comes through encrypted connections

Although the Agent.IIQ malware ranked third in the regular top 10 malware list for the July-September 2022 period, it ended up at #1 in the encrypted malware lineup, because all Agent.IIQ detections were found in HTTPS connections. As the analyses show, 82 percent of all malware arrived via encrypted connections and only 18 percent unencrypted. If HTTPS traffic is not inspected on the Firebox, there is a high probability that a large part of the malware will go undetected. In that case, companies can only hope that effective endpoint protection is in place so that the malware can at least be intercepted at a later stage of the so-called cyber kill chain.

ICS and SCADA systems continue to be popular targets for attacks

New to the list of the ten most common network attacks in the third quarter of 2022 is an SQL injection attack that hit several vendors at once. One of these is Advantech, whose WebAccess portal provides access to SCADA systems in a variety of critical infrastructures. Another major attack in Q3, which also made the top 5 network threats, affected Schneider Electric's U.motion Builder software, version 1.2.1 and earlier. This is a clear indication that attackers are still actively attempting to compromise such systems wherever possible.

Vulnerabilities in Exchange servers continue to pose a risk

The latest vulnerability covered by the Threat Lab (CVE-2021-26855) is a remote code execution (RCE) vulnerability in on-premises Microsoft Exchange Server. This RCE vulnerability, which received a CVSS score of 9.8, is known to have been exploited. The date and the severity of this vulnerability also make one sit up and take notice, as it is the vulnerability exploited by the HAFNIUM group. While most affected Exchange servers have probably been patched by now, some are still vulnerable and at risk.

Threat actors targeting free software users

Further findings of the Internet Security Report Q3 (ISR) (Image: WatchGuard).

The Fugrafa Trojan downloads malware that injects malicious code. In Q3 2022, WatchGuard analysts investigated a variant found in a cheat engine for the popular game Minecraft. The file, which was mainly shared on Discord, pretends to be the Minecraft cheat engine Vape V4 Beta, but that is not all it contains. Agent.FZUW shares some similarities with Variant.Fugrafa; however, instead of being installed via a cheat engine, the file itself appears to contain cracked software. In this specific case, there were also connections to Raccoon Stealer, a cryptocurrency-focused campaign used to steal account information for cryptocurrency services.

LemonDuck malware is now more than a cryptominer

Although the number of blocked or tracked malware domains decreased in Q3 2022, it is easy to see that the number of attacks targeting unsuspecting users remains high. With three new additions to the top malware domains list, two belonging to former LemonDuck malware domains and the third being part of a domain classified as Emotet, there were more new malware sites than usual. This trend is expected to intensify further in the cryptocurrency landscape as attackers look for new ways to fool users. An effective countermeasure is active protection at the DNS level, which can monitor users' systems and prevent attackers from introducing malware or other serious problems into the company.

JavaScript obfuscation in exploit kits

Signature 1132518 - an indicator of JavaScript obfuscation attacks on browsers - was the only new addition to the list of the most common network attack signatures. JavaScript has long been a common attack vector, and cybercriminals have consistently used JavaScript-based exploit kits, including for malvertising and phishing attacks. As browser defenses improve, attackers are stepping up their efforts to obfuscate malicious JavaScript code.

Anatomy of Standardized Adversary-in-the-Middle Attacks

Multi-factor authentication (MFA) is undeniably an immensely important IT security measure, but it is not a panacea. The best example of this is the rapid rise and commercialization of Adversary-in-the-Middle (AitM) attacks. The Threat Lab's investigation shows how malicious actors are migrating to increasingly sophisticated AitM techniques. Similar to the increasingly common ransomware-as-a-service offerings, the release of the AitM toolkit called EvilProxy in September 2022 has significantly lowered the barrier to entry for such sophisticated attacks. The only way to defend against them is a combination of technical tools and raising user awareness.

Malware family related to Gothic Panda

Gothic Panda, a cyberespionage group with close ties to the Chinese Ministry of State Security, was already mentioned in the Threat Lab's report for the second quarter of 2022. Interestingly, the top list of encrypted malware for the third quarter includes a malware family called Taidoor, which was not only developed by Gothic Panda but has also been used exclusively by attackers of Chinese origin. While the related malware has to date typically focused on targets in Japan and Taiwan, the Generic.Taidoor sample analyzed was mostly found targeting organizations in France, possibly a clear indication of a specific, state-sponsored cyberattack.

New ransomware and extortionist groups in the wild

Chief Security Officer (CSO), WatchGuard Technologies (Image: WatchGuard).

From now on, the WatchGuard Threat Lab is dedicating even more effort to tracking ransomware activity, and the underlying threat intelligence capabilities have been expanded specifically for this purpose. In the third quarter of 2022, LockBit tops the list with over 200 relevant incidents, almost four times more than the ransomware group Basta, which was the second most talked about from July to September 2022.

WatchGuard's quarterly research reports are based on de-identified Firebox Feed data from active WatchGuard Fireboxes whose owners have chosen to share data in direct support of the Threat Lab's research. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report details other malware and network trends for Q3 2022, recommended security strategies, top defense tips for organizations of all sizes and industries, and more.

About WatchGuard

WatchGuard Technologies is one of the leading providers in the field of IT security. The extensive product portfolio ranges from highly developed UTM (Unified Threat Management) and next-generation firewall platforms to multifactor authentication and technologies for comprehensive WLAN protection and endpoint protection, as well as other specific products and intelligent services relating to IT security. More than 250,000 customers worldwide rely on the sophisticated protection mechanisms at enterprise level,
