The number of malware infections on endpoints already exceeded the total volume of 2020 in Q3 of 2021. This is what WatchGuard Technologies concludes in the latest edition of the Internet Security Report. The security specialist also saw a further increase in the number of zero-day attacks with malware that enter via encrypted connections.
The Internet Security Report informs organizations about the current threat landscape and proposes best practices for IT security. Here are the key conclusions from the report for Q3 2021:
Malware enters through encrypted connections
More and more, malware came in via encrypted connections. In Q3 this was an increase from 31.6% to 47% of the cases. Often these were untargeted, simple malware attacks. Still, it’s worrying, because according to WatchGuard, many organizations don’t control what comes in via encrypted connections.
Attackers focus on new vulnerabilities
Unpatched vulnerabilities in older software are still a welcome entry point for attackers. Yet the focus is increasingly shifting to exploiting newer vulnerabilities. That’s because many users have switched to new Windows and Office variants.
In Q3, CVE-2018-0802 entered the top 10 of WatchGuard’s list of gateway antivirus malware at number 6. This exploits a vulnerability in Equation Editor in Microsoft Office. In the previous quarter, it was already in the list of most widespread malware. In addition, two Windows code injectors (Win32/Heim.D and Win32/Heri) came in at number 1 and 6 respectively on the list of most detected malware.
The US is disproportionately often victimized
The vast majority of network attacks in the third quarter targeted the Americas (64.5%), versus Europe (15.5%) and APAC (20%).
The number of network attacks normalizes, but still poses a high risk
After consecutive quarters of growth of more than 20%, WatchGuard’s Intrusion Prevention Service (IPS) detected approximately 4.1 million unique network exploits in the third quarter. The drop of 21% brought volumes back to Q1 levels, which were still high compared to the previous year. The shift doesn’t necessarily mean the attackers are failing. Thus, they may shift their attention to more targeted attacks.
Scripting attacks on endpoints are still very popular
At the end of the third quarter, WatchGuard’s systems were already detecting 10% more attack scripts than in all of 2020. That year already saw a 666% increase compared to the previous year.
In hybrid work environments, a strong perimeter is no longer enough to stop threats. Even hackers with limited skills can typically execute a malware payload entirely with scripting tools such as PowerSploit, PowerWare, and Cobalt Strike. These attacks pass basic endpoint detection undetected.
Even secure domains are compromised
A protocol flaw in Microsoft’s Exchange Server Autodiscover system allowed attackers to collect domain credentials and compromise several domains listed as safe. In total, WatchGuard Fireboxes blocked 5.6 million malicious domains in the third quarter, including several new malware domains that attempt to install software for crypto mining, keyloggers and remote access Trojans (RATs).
Phishing domains masquerading as SharePoint sites to collect Office365 credentials were also often spotted. Although the number of blocked domains decreased by 23% from the previous quarter, it is still many times higher than the level of the fourth quarter of 2020 (1.3 million). This highlights that organizations should focus on keeping servers, databases, websites and systems up-to-date with the latest patches in order to limit attack possibilities.
Ransomware remains incredibly popular
After a steep decline in 2020, ransomware attacks reached 105% of the 2020 volume by the end of September. That percentage is likely to reach 150% once full-year 2021 data has been analyzed. Ransomware-as-a-service like REvil and GandCrap lower the bar for criminals with little or no encryption skills. These services provide the infrastructure and malware payloads for global attacks in exchange for a percentage of the ransom.
The Kaseya incident exemplifies the vulnerability of the digital supply chain
In early July 2021, dozens of organizations reported ransomware attacks targeting their endpoints. Attackers took advantage of the REvil ransomware-as-a-service (RaaS) organization. The attacks exploited three zero-day vulnerabilities in Kaseya VSA Remote Monitoring and Management (RMM), including CVE-2021-30116 and CVE-2021-30118. Some 1,500 organizations and possibly millions of endpoints were affected. In the end, the FBI managed to compromise REvil’s servers. A few months later, they got their hands on the decryption key.
The attack demonstrates the need for proactive security measures. Think of regular patches and updates, the application of zero trust and the principle of ‘least privilege’ for access to suppliers. This is the only way they can minimize the impact of attacks on the supply chain.
Long term strategy
“While the overall volume of network attacks declined slightly in the third quarter, malware per device rose for the first time since the start of the pandemic,” said Corey Nachreiner, chief security officer at WatchGuard. “It is important that organizations look beyond the short-term ups and downs and seasonality of specific metrics and focus on ongoing and worrying trends that impact their security policies. A key example is the increasing use of encrypted connections for delivering zero days.”
