Report: Endpoint Malware and Ransomware Continue to Grow

Report: Endpoint Malware and Ransomware Continue to Grow

WatchGuard Technologies, a provider of network security and intelligence, advanced endpoint protection, multi-factor authentication (MFA), and secure Wi-Fi, today released its latest quarterly Internet Security Report, highlighting the top malware trends and network security threats for Q3 2021, as analyzed by WatchGuard Threat Lab researchers. The data indicates that while total perimeter malware detection volume decreased from the highs reached in the previous quarter, endpoint malware detections have already surpassed the total volume seen in 2020 (with Q4 2021 data yet to be reported). In addition, a significant percentage of malware continues to arrive over encrypted connections, continuing the trend from previous quarters.

“While the total volume of network attacks shrank slightly in Q3, malware per device was up for the first time since the pandemic began,” said Corey Nachreiner, chief security officer at WatchGuard. “Looking at the year so far as a whole, the security environment continues to be challenging. It’s important that organizations go beyond the short-term ups and downs and seasonality of specific metrics, and focus on persistent and concerning trends factoring into their security posture. An important example is the accelerating use of encrypted connections to deliver zero days. We continue to believe that the WatchGuard Unified Security Platform offers the best comprehensive protection for combatting the variety of threats organizations face today.”

Among its most notable findings, WatchGuard’s Q3 2021 Internet Security Report reveals:

Nearly half of zero-day malware is now delivered via encrypted connections – While the total amount of zero-day malware increased by a modest 3% to 67.2% in Q3, the percentage of malware that arrived via Transport Layer Security (TLS) jumped from 31.6% to 47%. A lower percentage of encrypted zero-days are considered advanced, but it is still concerning given that WatchGuard’s data shows that many organizations are not decrypting these connections and therefore have poor visibility into the amount of malware hitting their networks.

As users upgrade to more recent versions of Microsoft Windows and Office, attackers are focusing on newer vulnerabilities – While unpatched vulnerabilities in older software continue to provide a rich hunting ground for attackers, they are also looking to exploit weaknesses in the latest versions of Microsoft’s widely used products. In Q3, CVE-2018-0802 – which exploits a vulnerability in the Equation Editor in Microsoft Office – cracked WatchGuard’s top 10 gateway antivirus malware by volume list, hitting number 6, after showing up in the most-widespread malware list in the previous quarter. In addition, two Windows code injectors (Win32/Heim.D and Win32/Heri) came in at number 1 and 6 on the most detected list respectively.

Attackers disproportionately targeted the Americas – The overwhelming majority of network attacks targeted the Americas in Q3 (64.5%) compared to Europe (15.5%) and APAC (20%).

Overall network attack detections resumed a more normal trajectory but still pose significant risks – After consecutive quarters of more than 20% growth, WatchGuard’s Intrusion Prevention Service (IPS) detected roughly 4.1 million unique network exploits in Q3. The drop of 21% brought volumes down to Q1 levels, which were still high compared to the previous year. The shift doesn’t necessarily mean adversaries are letting up as they are possibly shifting their focus towards more targeted attacks.

The top 10 network attack signatures account for the vast majority of attacks – Of the 4,095,320 hits detected by IPS in Q3, 81% were attributed to the top 10 signatures. In fact, there was just one new signature in the top 10 in Q3, ‘WEB Remote File Inclusion /etc/passwd’ (1054837), which targets older, but still widely used Microsoft Internet Information Services (IIS) web servers. One signature (1059160), a SQL injection, has continued to maintain the position it has held atop the list since Q2, 2019.

Scripting attacks on endpoints continue at record pace – By the end of Q3, WatchGuard’s AD360 threat intelligence and WatchGuard Endpoint Protection, Detection and Response (EPDR) had already seen 10% more attack scripts than in all of 2020 (which, in turn, saw a 666% increase over the prior year). As hybrid workforces start to look like the rule rather than the exception, a strong perimeter is no longer enough to stop threats. While there are several ways for cybercriminals to attack endpoints – from application exploits to script-based living-off-the-land attacks – even those with limited skills can often fully execute a malware payload with scripting tools like PowerSploit, PowerWare and Cobalt Strike, while evading basic endpoint detection.

Even normally safe domains can be compromised – A protocol flaw in Microsoft’s Exchange Server Autodiscover system allowed attackers to collect domain credentials and compromise several normally trustworthy domains. Overall, in Q3 WatchGuard Fireboxes blocked 5.6 million malicious domains, including several new malware domains that attempt to install software for cryptomining, key loggers and remote access trojans (RATs), as well as phishing domains masquerading as SharePoint sites to harvest Office365 login credentials. While down 23% from the previous quarter, the number of blocked domains is still several times higher than the level seen in Q4 2020 (1.3 million). This highlights the critical need for organizations to focus on keeping servers, databases, websites, and systems updated with the latest patches to limit vulnerabilities for attackers to exploit.

Ransomware, Ransomware, Ransomware – After a steep decline in 2020, ransomware attacks reached 105% of 2020 volume by the end of September (as WatchGuard predicted at the end of the prior quarter) and are on pace to reach 150% once the full year of 2021 data is analyzed. Ransomware-as-a-service operations such as REvil and GandCrap continue to lower the bar for criminals with little or no coding skills, providing the infrastructure and the malware payloads to carry out attacks globally in return for a percentage of the ransom.

The quarter’s top security incident, Kaseya, was another demonstration of the ongoing threat of digital supply chain attacks – Just before the start of the long 4th of July holiday weekend in the US, dozens of organizations began reporting ransomware attacks against their endpoints. WatchGuard’s incident analysis described how attackers working with the REvil ransomware-as-a-service (RaaS) operation had exploited three zero-day vulnerabilities (including CVE-2021-30116 and CVE-2021-30118) in Kaseya VSA Remote Monitoring and Management (RMM) software to deliver ransomware to some 1,500 organizations and potentially millions of endpoints. While the FBI eventually compromised REvil’s servers and obtained the decryption key a few months later, the attack provided yet another stark reminder of the need for organizations to proactively take steps like adopting zero-trust, employing the principle of least privilege for vendor access and ensuring systems are patched and up to date to minimize the impact of supply chain attacks.

Featured

  • Maximizing Your Security Budget This Year

    Perimeter Security Standards for Multi-Site Businesses

    When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now

  • Getting in Someone’s Face

    There was a time, not so long ago, when the tradeshow industry must have thought COVID-19 might wipe out face-to-face meetings. It sure seemed that way about three years ago. Read Now

    • Industry Events
    • ISC West
  • Live From ISC West 2024: Post-Show Recap

    ISC West 2024 is complete. And from start to finish, the entire conference was a huge success with almost 30,000 people in attendance. Read Now

    • Industry Events
    • ISC West
  • ISC West 2024 is a Rousing Success

    The 2024 ISC West security tradeshow marked a pivotal moment in the industry, showcasing cutting-edge technology and innovative solutions to address evolving security challenges. Exhibitors left the event with a profound sense of satisfaction, as they witnessed a high level of engagement from attendees and forged valuable connections with potential clients and partners. Read Now

    • Industry Events
    • ISC West

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3