WatchGuard Internet Security Report shows record speed of scripting attacks on end devices. […]
WatchGuard Technologies has released its latest quarterly Internet Security Report (ISR), which highlights the top malware trends and network security threats for the third quarter of 2021. The researchers at the WatchGuard Threat Lab used anonymized Firebox feed data to understand which targets the attackers were primarily targeting during this period: although the total volume of detected perimeter malware attacks decreased compared to the highest values of the previous quarter, the total volume of all incidents of the previous year was already reached at the end of the third quarter of 2021 for the endpoints – although the data for Q4 2021 are still pending. Another finding was that a significant percentage of malware is still transported via encrypted connections – a trend that has been steadily continuing for several quarters, according to a statement from WatchGuard.
“While the total volume of network attacks decreased slightly in the third quarter, the number of malware per device increased for the first time since the beginning of the pandemic,” says Corey Nachreiner, chief security officer at WatchGuard. “Looking at the year so far as a whole, the security environment remains challenging. It is important that companies look beyond the short-term ups and downs as well as the seasonal fluctuations of certain key figures and focus on ongoing trends that affect their security situation. An important example is the increasing use of encrypted connections for zero-day attacks. The WatchGuard Unified Security Platform offers comprehensive protection in this context. This makes it possible to combat the various threats that companies are exposed to today holistically.“
Among the most notable findings of the WatchGuard Q3 2021 Internet Security Report are:
Almost half of zero-day malware is transmitted over encrypted connections: while the total number of zero-day malware increased by a modest three percentage points to 67.2 percent in the third quarter, the share of malware transmitted via Transport Layer Security (TLS) increased from 31.6 percent to 47 percent. Although an overall lower percentage of encrypted zero-days is generally to be welcomed in this context, there is still cause for concern, as many companies still do not decrypt such connections at all. They therefore have an inadequate overview of the amount of malware that actually reaches their networks.
Newer versions of Microsoft Windows and Office bring new vulnerabilities with them: Unpatched vulnerabilities in Microsoft software are popular attack vectors. In addition to older versions, the latest products from Redmond are now being attacked. In the third quarter, CVE-2018-0802, which exploits a vulnerability in the equation editor of Microsoft Office, made it to 6th place in the top 10 list of gateway antivirus malware by volume from WatchGuard. This malware had already appeared in the list of the most widespread malware in the previous quarter. In addition, two Windows code injectors (Win32/Heim.D and Win32/Heri) ranked 1st and 6th respectively on the list of the most frequently detected pests.
Further results of the study
Attackers targeted North and South America disproportionately: the overwhelming majority of network attacks targeted North and South America in the 3rd quarter (64.5 percent), followed by Asia Pacific (APAC) with 20 percent and Europe with 15.5 percent.
The total number of detected network attacks has returned to normal, but still represents a significant risk – after consecutive quarters of growth of more than 20 percent, WatchGuard’s Intrusion Prevention Service (IPS) detected about 4.1 million individual network attacks in the third quarter. The decline of 21 percent brought the volume back to the level of the first quarter, which, however, was still high compared to the previous year. The shift does not necessarily mean that the attackers are slowing down, but that they may shift their focus to more targeted attacks.
The top 10 signatures for network attacks are responsible for the vast majority of attacks: of the 4,095,320 hits recorded by IPS in the third quarter, the top 10 signatures accounted for 81 percent. In fact, there was only one new signature in the top 10 in the third quarter, ‘WEB Remote File Inclusion/etc/passwd’ (1054837), targeting older but still widely used Microsoft Internet Information Services (IIS) web servers. At the top of the list since the second quarter of 2019 is the signature 1059160, an SQL injection.
Scripting attacks on endpoints continue at a record pace: by the end of the third quarter, WatchGuards AD360 Threat Intelligence and WatchGuard Endpoint Protection, Detection and Response (EPDR) had already registered ten percent more attack scripts than in the entire year 2020 (which in turn recorded an increase of 666 percent compared to the previous year). Since hybrid workgroups are the rule rather than the exception, a strong perimeter is no longer enough to stop threats. There are several ways for cybercriminals to attack endpoints – from application exploits to scripted living-off-the-land attacks, whereby even people with limited knowledge can fully execute a malware payload using scripting tools such as PowerSploit, PowerWare and Cobalt Strike, bypassing basic endpoint detection.
Even normally secure domains can be compromised: a protocol error in Microsoft’s Exchange Server Autodiscover system allowed attackers to collect domain credentials and compromise several normally trusted domains. In total, WatchGuard fireboxes blocked 5.6 million malicious domains in the third quarter. Among them were several new malware domains that try to install software for cryptomining, key loggers and remote access Trojans (RAT), as well as phishing domains that pretend to be SharePoint sites to steal Office365 credentials. Although the number of blocked domains decreased by 23 percent compared to the previous quarter, it is still several times higher than the level of Q4 2020 (1.3 million). This underlines the importance for companies to keep their servers, databases, websites and systems up to date with the latest patches. This is the only way to limit vulnerabilities that attackers can exploit.
Ransomware, ransomware, ransomware: after a steep decline in 2020, ransomware attacks already totaled 105 percent of the previous year’s volume at the end of September 2021 (as WatchGuard had predicted at the end of the previous quarter) and are on track to reach 150 percent once the data for the entire year is analyzed. Ransomware-as-a-service providers such as REvil and GandCrap continue to lower the bar for criminals with little or no programming skills by providing the infrastructure and malware payloads to carry out attacks worldwide for a percentage of the ransom.
The most important security incident of the quarter, Kaseya, was further proof of the ongoing threat of attacks on digital supply chains: shortly before the start of the long weekend of July 4 in the US, dozens of companies reported ransomware attacks on their end devices. The WatchGuard analysis of the incident describes how attackers working with the REvil ransomware-as-a-Service (RaaS) company exploited three zero-day vulnerabilities (including CVE-2021-30116 and CVE-2021-30118) in the Kaseya VSA Remote Monitoring and Management (RMM) software. Subsequently, ransomware was distributed to about 1,500 organizations and potentially millions of endpoints. True, the FBI eventually compromised REvil’s servers and received the decryption key a few months later. Still, the attack was another stark reminder for companies to take proactive action. These include, for example, the introduction of zero-trust, the application of the principle of the least privileges for employee access and ensuring that the systems are patched and up-to-date in order to minimize the impact of attacks on the supply chain.