Report: Ransomware and malware volume particularly high at the end of 2021


WatchGuard Technologies today released its latest quarterly Internet Security Report (ISR), revealing the top malware trends and network security threats for the third quarter of 2021. The ransomware and malware volume is particularly high compared to 2020.

The report also points to the record pace of scripting attacks on endpoints, the US in the crosshairs of network attacks, and HTTPS connections as the new standard for zero-day malware. Researchers at the WatchGuard Threat Lab used anonymized Firebox Feed data to understand which targets attackers primarily went after during this period. While the overall volume of detected perimeter malware attacks decreased compared to the previous quarter's highs, on endpoints the total volume of all incidents from the previous year had already been reached by the end of the third quarter of 2021, with data for Q4 2021 still pending. Another finding was that a significant percentage of malware is still transported over encrypted connections, a trend that has continued steadily for several quarters.

Increasing number of malware per device

"While the overall volume of network attacks decreased slightly in the third quarter, the number of malware per device increased for the first time since the pandemic began," said Corey Nachreiner, chief security officer at WatchGuard. "Looking at the year to date as a whole, the security environment remains challenging. It's important for organizations to look beyond short-term ebbs and flows and seasonal fluctuations in certain metrics and focus on ongoing trends affecting their security posture. A key example is the increasing use of encrypted connections for zero-day attacks. The WatchGuard Unified Security Platform offers comprehensive protection in this context. This allows the diverse threats that companies are exposed to today to be combated holistically."

WatchGuard Q3/2021 Internet Security Report

Almost half of zero-day malware is transmitted over encrypted connections

While total zero-day malware increased a modest three percentage points to 67.2 percent in the third quarter, malware delivered via Transport Layer Security (TLS) increased from 31.6 percent to 47 percent. A lower overall percentage of encrypted zero-days is generally welcome in this context, but there is still cause for concern because many companies still do not decrypt such connections at all. As a result, they have insufficient visibility into the amount of malware that actually reaches their networks.

Newer versions of Microsoft Windows and Office introduce new vulnerabilities

Unpatched vulnerabilities in Microsoft software are commonly used attack vectors. In addition to older versions, the latest products from Redmond are now also being attacked. In Q3, CVE-2018-0802, which exploits a vulnerability in Microsoft Office's Equation Editor, ranked #6 in WatchGuard's top 10 list of gateway antivirus malware by volume. This malware had already appeared in the list of the most prevalent malware in the previous quarter. In addition, two Windows code injectors (Win32/Heim.D and Win32/Heri) ranked #1 and #6, respectively, on the list of most commonly detected malware samples.

Attackers disproportionately targeted the Americas

The overwhelming majority of network attacks in Q3 were aimed at the Americas (64.5 percent), followed by Asia Pacific (APAC) at 20 percent and Europe at 15.5 percent.

The total number of detected network attacks has returned to normal, but still poses a significant risk

After consecutive quarters of growth of more than 20 percent, WatchGuard's Intrusion Prevention Service (IPS) detected approximately 4.1 million unique network attacks in the third quarter. The 21 percent decline brought volume back to first-quarter levels, which were still high compared to a year ago. The shift doesn't necessarily mean that attackers are slowing down, but that they may be shifting their focus to more targeted attacks.

The top 10 network attack signatures are responsible for the vast majority of attacks

Of the 4,095,320 hits IPS found in the third quarter, the top 10 signatures accounted for 81 percent. In fact, there was only one new signature in the top 10 in Q3, 'WEB Remote File Inclusion /etc/passwd' (1054837), which targets older but still widely used Microsoft Internet Information Services (IIS) web servers. Since the second quarter of 2019, signature 1059160, an SQL injection, has been at the top of the list.

Scripting attacks on endpoints continue at record pace

By the end of Q3, WatchGuard's AD360 Threat Intelligence and WatchGuard Endpoint Protection, Detection and Response (EPDR) had already registered more attack scripts than in all of 2020 (which itself saw a 666 percent increase year-over-year). With hybrid workforces becoming the rule rather than the exception, a strong perimeter is no longer enough to stop threats. There are a variety of ways cybercriminals target endpoints, from application exploits to scripted living-off-the-land attacks, where even those with limited knowledge can fully execute a malware payload using scripting tools like PowerSploit, PowerWare, and Cobalt Strike while bypassing basic device detection.

Even normally secure domains can be compromised

A protocol flaw in Microsoft's Exchange Server Autodiscover system allowed attackers to collect domain credentials and compromise several normally trusted domains. Overall, WatchGuard Fireboxes blocked 5.6 million malicious domains in the third quarter. These included several new malware domains attempting to install cryptomining, keylogger, and remote access Trojan (RAT) software, as well as phishing domains impersonating SharePoint sites to steal Office 365 credentials. Although the number of blocked domains decreased by 23 percent compared to the previous quarter, it is still several times above the level of Q4 2020 (1.3 million). This underscores the importance for organizations to keep their servers, databases, websites and systems up to date with the latest patches. This is the only way to limit vulnerabilities that attackers can exploit.

Ransomware, ransomware, ransomware

After a steep decline in 2020, ransomware attacks had already reached 105 percent of last year's volume by the end of September 2021 (as WatchGuard had forecast at the end of the previous quarter) and are on track to reach 150 percent once the data for the whole year are analyzed. Ransomware-as-a-service providers such as REvil and GandCrab further lower the bar for criminals with little or no programming knowledge, providing the infrastructure and malware payloads to launch attacks worldwide in exchange for a percentage of the ransom.

The top security incident of the quarter, Kaseya, was further evidence of the ongoing threat of digital supply chain attacks

As the 4th of July long weekend began in the US, dozens of companies reported ransomware attacks on their endpoints. WatchGuard's analysis of the incident details how attackers working with the ransomware-as-a-service (RaaS) group REvil exploited three zero-day vulnerabilities (including CVE-2021-30116 and CVE-2021-30118) in the Kaseya VSA Remote Monitoring and Management (RMM) software. Ransomware was subsequently distributed to approximately 1,500 organizations and potentially millions of endpoints. The FBI did eventually compromise REvil's servers and obtain the decryption key a few months later, but the attack was another stark reminder for organizations to take proactive action. This includes, for example, adopting zero trust, applying the principle of least privilege to employee access, and ensuring systems are patched and up to date to minimize the impact of supply chain attacks.

WatchGuard quarterly research reports are based on de-identified Firebox Feed data from active WatchGuard Fireboxes whose owners have consented to the sharing of data to support the Threat Lab's research. In the third quarter, WatchGuard blocked a total of more than 16.6 million malware variants (454 per device) and over 4 million network threats. The full report provides details on additional malware and network trends from Q3 2021, an even deeper dive into the threats detected at the endpoint in the first half of 2021, recommended security strategies, key defense tips for organizations of all sizes and industries, and much more.

More at WatchGuard.com

About WatchGuard

WatchGuard Technologies is one of the leading providers in the field of IT security. The extensive product portfolio ranges from highly developed UTM (Unified Threat Management) and next-generation firewall platforms to multifactor authentication and technologies for comprehensive WLAN protection and endpoint protection, as well as other specific products and intelligent services relating to IT security. More than 250,000 customers worldwide rely on the sophisticated protection mechanisms at enterprise level,
