WatchGuard Threat Lab Report Reveals Decrease in Endpoint Malware, Rise in Double-Extortion Attacks, and More

WatchGuard® Technologies, a global leader in unified cybersecurity, has unveiled key findings in its latest Internet Security Report, shedding light on significant malware trends and on network and endpoint security threats as analysed by WatchGuard Threat Lab researchers. The report highlights several crucial observations, including a noteworthy decrease in endpoint malware volumes despite the expansion of malware campaigns, a surge in double-extortion attacks, the persistent exploitation of older software vulnerabilities by threat actors, and more.

Corey Nachreiner, Chief Security Officer at WatchGuard, emphasised the need for constant vigilance and a layered security approach to combat evolving cyber threats. He stated, “There is no single strategy that threat actors wield in their attacks and certain threats often present varying levels of risk at different times of the year. Organisations must continually be on alert to monitor these threats and employ a unified security approach, which can be administered effectively by managed service providers, for their best defense.”

Key findings from the report include:

  1. Malware Concealed Behind Encryption: A staggering 95% of malware now arrives via encrypted connections, primarily using the SSL/TLS encryption found on secured websites. This presents a challenge, as organisations that do not inspect SSL/TLS traffic at the network perimeter may be missing most malware. Additionally, while zero-day malware overall dropped to an all-time low of 11%, the share of evasive detections among malware arriving over encrypted connections rose to 66%, indicating attackers’ preference for delivering sophisticated malware via encryption.
  2. Endpoint Malware Volume and Widespread Campaigns: Despite a slight 8% decrease in endpoint malware detections in Q2 compared to the previous quarter, detections increased significantly for campaigns affecting 10 to 50 systems or 100 or more systems, indicating the growth of widespread malware campaigns from Q1 to Q2 of 2023.
  3. Double-Extortion Attacks Surge: Double-extortion attacks from ransomware groups increased by 72% quarter over quarter, with the Threat Lab identifying 13 new extortion groups. This rise in double-extortion attacks coincided with a 21% decrease in ransomware detections on endpoints quarter over quarter and a 72% decline year over year.
  4. New Malware Variants: The Top 10 endpoint detections included six new malware variants, with the compromised 3CX installer accounting for a significant portion of the total detection volume in Q2. Additionally, Glupteba, a multi-faceted threat targeting victims worldwide, saw a resurgence in early 2023 after disruptions in 2021.
  5. Windows Living Off-the-Land Binaries: Threat actors increasingly leverage Windows living off-the-land binaries for malware delivery, with attacks using Windows OS tools such as WMI and PSExec growing by 29%. These accounted for 17% of the total attack volume. In contrast, the use of scripts like PowerShell decreased by 41%, but scripts remained the most common malware delivery vector, representing 74% of overall detections. Browser-based exploits declined by 33%, accounting for just 3% of the total volume.
  6. Targeting Older Software Vulnerabilities: Cybercriminals continue to target older software vulnerabilities, with the report identifying three new signatures in the Top 10 network attacks for Q2 based on older vulnerabilities, including a 2016 vulnerability associated with an open-source learning management system and others related to PHP and HP management applications.
  7. Compromised Domains and Services: The Threat Lab team encountered instances of compromised self-managed websites (e.g., WordPress blogs) and domain-shortening services used to host malware or malware command and control frameworks. Additionally, Qakbot threat actors compromised a website dedicated to an educational contest in the Asia Pacific region for hosting command and control infrastructure.
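Finding 5 above reports growth in attacks that use built-in Windows tools such as WMI and PsExec, and in script-based delivery. The following is an added example, not WatchGuard's code or data, of the kind of detection logic a defender would run over endpoint process-creation telemetry to surface that activity. The event field names, the simplified Sysmon-style record shape, the rule names and the sample events are all constructed assumptions for the example.

```python
"""Flag Windows living-off-the-land (LOLBin) activity in process-creation logs.

Added example, not WatchGuard's code. The event shape, field names and rule
definitions are assumptions; the events below are constructed, not real telemetry.
"""
import ntpath
import re
from collections import Counter

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
SAMPLE_EVENTS = [
    # Benign administrative use of WMI to list services.
    {"host": "ws01", "user": "it-admin", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic service get name,state"},
    # WMI used to start a process on another host: a lateral-movement pattern.
    {"host": "ws02", "user": "j.doe", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:fs01 process call create "cmd.exe /c echo test"'},
    # PsExec service binary started by the Service Control Manager on a target.
    {"host": "fs01", "user": "SYSTEM", "parent": "services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    # Office document spawning hidden, encoded PowerShell: script-based delivery.
    {"host": "ws03", "user": "a.smith", "parent": "WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # Ordinary interactive PowerShell use by an administrator.
    {"host": "ws01", "user": "it-admin", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\b")


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of all rules that match one process-creation event."""
    image = _base(event["image"])
    parent = _base(event["parent"])
    cmd = event["cmdline"].lower()
    hits = []
    # WMIC used to spawn a process, locally or against a remote node.
    if image == "wmic.exe" and ("process call create" in cmd or "/node:" in cmd):
        hits.append("wmi_process_create")
    # PsExec: the client on the source host, or its service started on the target.
    if image in {"psexec.exe", "psexec64.exe"} or (
        image == "psexesvc.exe" and parent == "services.exe"
    ):
        hits.append("psexec_execution")
    # PowerShell launched with an encoded command line.
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(cmd):
        hits.append("powershell_encoded_command")
    # An Office application spawning a shell or script host.
    if parent in OFFICE_PARENTS and image in SHELLS:
        hits.append("office_spawned_shell")
    return hits


def scan(events):
    """Return (flagged events with their rule names, per-rule hit counts)."""
    flagged = []
    counts = Counter()
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append({**ev, "rules": hits})
            counts.update(hits)
    return flagged, counts


if __name__ == "__main__":
    flagged, counts = scan(SAMPLE_EVENTS)
    for ev in flagged:
        print(f"{ev['host']:5} {ev['user']:9} {', '.join(ev['rules']):45} {ev['cmdline']}")
    print(dict(counts))
```

Run stand-alone, the script flags three of the five constructed events and leaves the two routine administrative ones alone. The rules key on the binary name plus a behavioural indicator (remote process creation, a service-spawned PsExec component, an encoded command, an Office parent) rather than on the binary name alone, which is what keeps legitimate use of WMI and PowerShell out of the alert queue.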

This report is based on anonymised, aggregated threat intelligence from active WatchGuard network and endpoint products. The data supports WatchGuard’s Unified Security Platform® approach and highlights the need for ongoing vigilance and adaptable cybersecurity strategies.

For a detailed view of WatchGuard’s research, you can read the complete Q2 2023 Internet Security Report here.
