Double-extortion is increasingly the keyword in cases of ransomware attacks. The attackers put the victim under double pressure: either they pay to have their data decrypted or the attackers publish the data. This and more in the WatchGuard Threat Lab Internet Security Report Q2/2023.
WatchGuard Technologies' Second Quarter 2023 Internet Security Report highlights top malware trends and threats to network and endpoint security. The analysis by researchers at the WatchGuard Threat Lab revealed, among other things, that 95 percent of malware is transmitted over encrypted connections. Further insight: Although there is less endpoint malware overall, corresponding campaigns are broader in scope.
Double-Extortion Attacks in Ransomware
A similar development can be seen with regard to ransomware. Fewer ransomware samples were in circulation during the period examined, but individual attacks were much more often aimed at both encryption and data theft. The so-called “double-extortion attacks”, in which companies are extorted not only for the release of “hijacked” systems but also to prevent the publication of stolen data, are now being observed much more frequently. At the same time, older software vulnerabilities remain a popular means to an end for attackers.
“The data our Threat Lab analyzed for the latest report shows that advanced malware attacks fluctuate in frequency and that multi-faceted cyber threats are consistently evolving. Combating these effectively requires constant vigilance and a multi-layered security approach,” said Corey Nachreiner, Chief Security Officer at WatchGuard. “There is no ONE strategy on the part of attackers and certain threats often pose different risks at different times of the year. Companies must therefore always be on guard and keep an eye on the situation at all times. In addition, a uniform, comprehensive and stringent security concept is important for optimal protection. Managed service providers can leverage decisive strengths in implementation here.”
Key findings from the WatchGuard Internet Security Report Q2-2023
95 percent of malware is hidden behind encryption
Much of the malware hides behind the SSL/TLS encryption used by secure websites. Companies that do not inspect SSL/TLS traffic at the network perimeter are most likely missing an enormous amount of malware. Additionally, the share of zero-day malware in total malware volume has fallen to 11 percent, a historic low. However, when examining malware transmitted over encrypted connections, more evasive malware was detected: it accounts for 66 percent of that traffic for the study period. This suggests that attackers are still primarily spreading the particularly sophisticated malware over encrypted connections.
Overall volume of endpoint malware is declining slightly, while the prevalence of malware campaigns is increasing
Endpoint malware detections declined slightly by 8 percent in the second quarter compared to the previous quarter. However, when looking at endpoint malware hit frequency by occurrence on 10 to 50 systems or 100 or more systems, the volume increased by 22 and 21 percent, respectively. This suggests that more widespread malware campaigns in particular increased from the first to the second quarter.
Double extortion attacks by ransomware groups are increasing by 72 percent compared to the previous quarter
As part of the analysis, the Threat Lab discovered 13 new extortion groups. Although double extortion attacks increased significantly, ransomware detections on endpoints fell 21 percent quarter-over-quarter and 72 percent year-over-year.
Six new malware variants in the top 10 endpoint detections
The Threat Lab has seen a massive increase in hits related to the compromised 3CX installer. With a 48 percent share of the total volume, this threat secured first place in the top 10 list of malware threats in the second quarter. Additionally, the Glupteba Trojan resurfaced in early 2023 after largely disappearing from the scene in 2021.
Threat actors rely on LOLBAS to deliver malware
When analyzing attack vectors and how threat actors gain access to endpoints, there has been an increase in Living Off The Land Binaries And Scripts (LOLBAS) attacks. There was a 29 percent increase in cases of misuse of Windows operating system tools such as WMI and PsExec. This represents 17 percent of the total volume, while malware that relies on scripts such as PowerShell decreased by 41 percent. Scripts nevertheless remain the most common way malware spreads, accounting for 74 percent of detections. Browser-based exploits fell 33 percent and represented 3 percent of total volume in the second quarter of this year.
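The LOLBAS misuse described above (WMI, PsExec, PowerShell) shows up in endpoint telemetry as ordinary process-creation events, which is why the report distinguishes "hits" from "systems affected". The following is an added example, not code from WatchGuard or the Threat Lab report: a small Python detector run over constructed Sysmon-style process-creation records. The host names, paths and command lines are invented sample data, and the four rules are illustrative heuristics (a defender would tune them to their own baseline of legitimate WMI and PsExec administration).

```python
"""Flag LOLBAS-style process creations in Windows process-creation records.

Added example with constructed input; the rules are illustrative heuristics,
not signatures from the WatchGuard report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample events for the demo; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("ws-017", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    ProcEvent("ws-017", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:"srv-fs01" process call create "cmd.exe /c dir"'),
    ProcEvent("srv-fs01", r"C:\Windows\System32\services.exe",
              r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    # "QQBCAEMA" is UTF-16LE "ABC" in base64: a harmless placeholder payload.
    ProcEvent("ws-042", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -EncodedCommand QQBCAEMA"),
    ProcEvent("ws-042", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_wmi_remote_process_create(e: ProcEvent) -> bool:
    """WMIC used to spawn a process (often on a remote node via /node:)."""
    return basename(e.image) == "wmic.exe" and \
        re.search(r"process\s+call\s+create", e.command_line, re.I) is not None


def rule_psexec_service_binary(e: ProcEvent) -> bool:
    """PsExec client on the source host or its PSEXESVC service on the target."""
    name = basename(e.image)
    return name == "psexesvc.exe" or name.startswith("psexec")


def rule_powershell_encoded_command(e: ProcEvent) -> bool:
    """PowerShell launched with an encoded command line (-e/-ec/-enc/-EncodedCommand)."""
    return basename(e.image) in {"powershell.exe", "pwsh.exe"} and \
        re.search(r"\s-(?:e|ec|enc|encodedcommand)\b", e.command_line, re.I) is not None


def rule_office_app_spawned_shell(e: ProcEvent) -> bool:
    """An Office application spawning a script interpreter or shell."""
    return basename(e.parent_image) in OFFICE_APPS and basename(e.image) in SHELLS


RULES = {
    "lolbas_wmi_remote_process_create": rule_wmi_remote_process_create,
    "lolbas_psexec_service_binary": rule_psexec_service_binary,
    "powershell_encoded_command": rule_powershell_encoded_command,
    "office_app_spawned_shell": rule_office_app_spawned_shell,
}


def detect(events):
    """Return (host, rule_name) pairs for every event matching a rule."""
    findings = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                findings.append((e.host, name))
    return findings


def hosts_per_rule(findings):
    """Collapse hits to the set of affected hosts per rule (hits vs systems)."""
    out = {}
    for host, name in findings:
        out.setdefault(name, set()).add(host)
    return out


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, name in hits:
        print(f"{host}: {name}")
    for name, hosts in hosts_per_rule(hits).items():
        print(f"{name}: {len(hosts)} system(s)")
```

The `hosts_per_rule` step mirrors the report's distinction between raw detections and the number of systems a campaign touches: the same encoded-PowerShell rule firing a hundred times on one workstation is a different situation from it firing once on a hundred.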
Cybercriminals continue to target older software vulnerabilities
Threat Lab researchers identified three new signatures based on older vulnerabilities in the top 10 network attacks in the second quarter. One of them dates back to 2016 and is linked to the vulnerability of an open source learning management system that was decommissioned in 2018.
Compromised domains on WordPress blogs and link shortening service
When searching for malicious domains, the team found, among other things, “self-managed websites” (e.g. WordPress blogs) and a URL shortener that had been compromised and used to host malware or malware command-and-control systems. In addition, the WatchGuard Threat Lab discovered the website of an educational competition in the Asia-Pacific region that had been infiltrated by the Qakbot gang and was hiding the botnet's command-and-control infrastructure.
All insights are based on the WatchGuard Unified Security Platform concept and, as in previous quarterly evaluations, on the anonymized, aggregated data of all active WatchGuard network and endpoint protection solutions whose owners have agreed to share threat intelligence in support of the Threat Lab's research work.
As part of the current Internet Security Report, the Threat Lab team's methods, which have been updated since the previous edition, are again used to normalize, analyze and present the report results. Network security results are presented as averages per device. There are also advanced evaluations around network attacks and malware at the endpoint.
More at WatchGuard.com
About WatchGuard
WatchGuard Technologies is one of the leading providers in the field of IT security. The extensive product portfolio ranges from highly developed UTM (Unified Threat Management) and next-generation firewall platforms to multifactor authentication and technologies for comprehensive WLAN protection and endpoint protection, as well as other specific products and intelligent services relating to IT security. More than 250,000 customers worldwide rely on the sophisticated protection mechanisms at enterprise level,