Malware and ransomware in 2021 exceeds 2020 totals

Scripting attacks on endpoints set record pace and encrypted connections are becoming the primary delivery mechanism for zero-day malware says WatchGuard

Endpoint malware and ransomware detections surpassed the total volume seen in 2020 by the end of Q3 2021, according to researchers at the WatchGuard Threat Lab. In its latest Internet Security Report, WatchGuard also highlights that a significant percentage of malware continues to arrive over encrypted connections. 

While zero-day malware increased by just three per cent to 67.2 per cent in Q3 2021, the percentage of malware that arrived via Transport Layer Security (TLS) jumped from 31.6 per cent to 47 per cent. WatchGuard’s data shows that many organisations are not decrypting these connections and therefore have poor visibility into the amount of malware hitting their networks.

Corey Nachreiner, Chief Security Officer at WatchGuard says: "While the total volume of network attacks shrank slightly, malware per device was up for the first time since the pandemic began.

"The security environment continues to be challenging, so it’s important that organisations go beyond the short-term ups and downs and seasonality of specific metrics and focus on persistent and concerning trends factoring into their security posture. An important example is the accelerating use of encrypted connections to deliver zero days.”  

Key findings from WatchGuard's report 

As users upgrade to more recent versions of Microsoft Windows and Office, attackers are focusing on newer vulnerabilities. While unpatched vulnerabilities in older software continue to provide a rich hunting ground for attackers, they are also looking to exploit weaknesses in the latest versions of Microsoft’s widely used products. In Q3, CVE-2018-0802, which exploits a vulnerability in the Equation Editor in Microsoft Office, cracked WatchGuard’s top 10 gateway antivirus malware by volume list, hitting number six, after showing up in the most-widespread malware list in the previous quarter. In addition, two Windows code injectors (Win32/Heim.D and Win32/Heri) came in at number one and six on the most detected list respectively.

Attackers disproportionately targeted the Americas. The overwhelming majority of network attacks targeted the Americas in Q3 (64.5%) compared to Europe (15.5%) and APAC (20%).

Overall network attack detections resumed a more normal trajectory but still pose significant risks. After consecutive quarters of more than 20 per cent growth, WatchGuard’s Intrusion Prevention Service (IPS) detected roughly 4.1 million unique network exploits in Q3. The drop of 21 per cent brought volumes down to Q1 levels, which were still high compared to the previous year. The shift doesn’t necessarily mean adversaries are letting up as they are possibly shifting their focus towards more targeted attacks.

The top 10 network attack signatures account for the vast majority of attacks. Of the 4,095,320 hits detected by IPS in Q3, 81 per cent were attributed to the top 10 signatures. In fact, there was just one new signature in the top 10 in Q3, ‘WEB Remote File Inclusion /etc/passwd’ (1054837), which targets older, but still widely used Microsoft Internet Information Services (IIS) web servers. One signature (1059160), a SQL injection, has continued to maintain the position it has held atop the list since Q2, 2019.

Scripting attacks on endpoints continue at record pace. By the end of Q3, WatchGuard’s AD360 threat intelligence and WatchGuard Endpoint Protection, Detection and Response (EPDR) had already seen 10 per cent more attack scripts than in all of 2020, which, in turn, saw a 666 per cent increase over the prior year. As hybrid workforces start to look like the rule rather than the exception, a strong perimeter is no longer enough to stop threats. While there are several ways for cybercriminals to attack endpoints – from application exploits to script-based living-off-the-land attacks – even those with limited skills can often fully execute a malware payload with scripting tools like PowerSploit, PowerWare and Cobalt Strike, while evading basic endpoint detection.

Even normally safe domains can be compromised. A protocol flaw in Microsoft’s Exchange Server Autodiscover system allowed attackers to collect domain credentials and compromise several normally trustworthy domains. Overall, in Q3 WatchGuard Fireboxes blocked 5.6 million malicious domains, including several new malware domains that attempt to install software for cryptomining, key loggers and remote access trojans (RATs), as well as phishing domains masquerading as SharePoint sites to harvest Office365 login credentials. While down 23% from the previous quarter, the number of blocked domains is still several times higher than the level seen in Q4 2020 (1.3 million). This highlights the critical need for organisations to focus on keeping servers, databases, websites, and systems updated with the latest patches to limit vulnerabilities for attackers to exploit.

After a steep decline in 2020, ransomware attacks reached 105 per cent of 2020 volume by the end of September, as WatchGuard predicted at the end of the prior quarter and are on pace to reach 150 per cent once the full year of 2021 data is analysed. Ransomware-as-a-service operations such as REvil and GandCrap continue to lower the bar for criminals with little or no coding skills, providing the infrastructure and the malware payloads to carry out attacks globally in return for a percentage of the ransom.

The quarter’s top security incident, Kaseya, was another demonstration of the ongoing threat of digital supply chain attacks. Just before the start of the long 4th of July holiday weekend in the US, dozens of organisations began reporting ransomware attacks against their endpoints. WatchGuard’s incident analysis described how attackers working with the REvil ransomware-as-a-service (RaaS) operation had exploited three zero-day vulnerabilities (including CVE-2021-30116 and CVE-2021-30118) in Kaseya VSA Remote Monitoring and Management (RMM) software to deliver ransomware to some 1,500 organisations and potentially millions of endpoints. While the FBI eventually compromised REvil’s servers and obtained the decryption key a few months later, the attack provided yet another stark reminder of the need for organisations to proactively take steps like adopting zero-trust, employing the principle of least privilege for vendor access and ensuring systems are patched and up to date to minimize the impact of supply chain attacks.

About WatchGuard's reports 

WatchGuard’s quarterly research reports are based on anonymised Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 16.6 million malware variants (454 per device) and more than four million network threats. 

Share

Featured Articles

How secure is sensitive data stored in the cloud?

A Cloud Security Alliance (CSA) survey has found 67% of organisations store sensitive data in public cloud environments, but how secure is it?

CYBER LIVE LONDON: Day 2 highlights of the hybrid tech show

We take a look at highlights of the different stages at the Tech Live London show, including insights from Claroty, SalesForce and Oracle

TECH LIVE LONDON: An overview of the hybrid technology show

We take a look at the first day of Tech Live London with insights from technology leaders from companies such as IBM, Microsoft and Vodafone

Does a cashless society mean higher risk of fraud?

Cyber Security

5 minutes with Gary Brickhouse, CISO of GuidePoint Security

Cyber Security

CTO at Passbolt explains the importance of password managers

Application Security