WatchGuard Threat Lab report finds endpoint malware volumes decreasing despite campaigns growing more expansive
SEATTLE – Oct. 4, 2023 – WatchGuard® Technologies, a global leader in unified cybersecurity, has announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers. Key findings from the research include 95% of malware now arriving over encrypted connections, a decrease in endpoint malware volumes despite campaigns growing more widespread, ransomware detections on the decline amid a rise in double-extortion attacks, older software vulnerabilities persisting as popular targets for exploit among modern threat actors, and more.
“The data analyzed by our Threat Lab for our latest report reinforces how advanced malware attacks fluctuate in occurrence and multifaceted cyber threats continue to evolve, requiring constant vigilance and a layered security approach to combat them effectively,” said Corey Nachreiner, chief security officer at WatchGuard. “There is no single strategy that threat actors wield in their attacks and certain threats often present varying levels of risk at different times of the year. Organizations must continually be on alert to monitor these threats and employ a unified security approach, which can be administered effectively by managed service providers, for their best defense.”Among the most notable findings, the latest Internet Security Report featuring data from Q2 2023 showed:
- Ninety-five percent of malware hides behind encryption. Most malware lurks behind SSL/TLS encryption used by secured websites. Organizations that don’t inspect SSL/TLS traffic at the network perimeter are likely missing most malware. Furthermore, zero day malware dropped to 11% of total malware detections, an all-time low. However, when inspecting malware over encrypted connections, the share of evasive detections increased to 66%, indicating attackers continue to deliver sophisticated malware primarily via encryption.
- Total endpoint malware volume is down slightly, though widespread malware campaigns increased. There was a slight 8% decrease in endpoint malware detections in Q2 compared to the previous quarter. However, when looking at endpoint malware detections caught by 10 to 50 systems or 100 or more systems, these detections increased in volume by 22% and 21%, respectively. The increased detections among more machines indicate that widespread malware campaigns grew from Q1 to Q2 of 2023.
- Double-extortion attacks from ransomware groups increased 72% quarter over quarter, as the Threat Lab noted 13 new extortion groups. However, the rise in double-extortion attacks occurred as ransomware detections on endpoints declined 21% quarter over quarter and 72% year over year.
- Six new malware variants in the Top 10 endpoint detections. Threat Lab saw a massive increase of detections of the compromised 3CX installer, accounting for 48% of the total detection volume in the Q2 Top 10 list of malware threats. Furthermore, Glupteba, a multi-faceted loader, botnet, information stealer, and cryptominer that targets victims seemingly indiscriminately worldwide, made a resurgence in early 2023 after being disrupted in 2021.
- Threat actors increasingly leverage Windows living off-the-land binaries to deliver malware. In analyzing attack vectors and how threat actors gain access in endpoints, attacks that abused Windows OS tools like WMI and PSExec grew 29%, accounting for 17% of all total volume, while malware that used scripts like PowerShell dropped 41% in volume. Scripts remain the most common malware delivery vector, accounting for 74% of detections overall. Browser-based exploits declined 33% and account for 3% of the total volume.
- Cybercriminals continue to target older software vulnerabilities. Threat Lab researchers found three new signatures in the Top 10 network attacks for Q2 based on older vulnerabilities. One was a 2016 vulnerability associated with an open-source learning management system (GitHub) that was retired in 2018. Others were a signature that catches integer overflows in PHP, the scripting language used by many websites, and a 2010 buffer overflow and HP management application, called Open View Network Node Manager.
- Compromised domains at WordPress blogs and link-shortening service. In researching malicious domains, the Threat Lab team encountered instances of self-managed websites (such as WordPress blogs) and a domain-shortening service that were compromised to host either malware or malware command and control framework. Additionally, Qakbot threat actors had compromised a website dedicated to an educational contest in the Asia Pacific region to host command and control infrastructure for their botnet.
Consistent with WatchGuard’s Unified Security Platform® approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.
The Q2 2023 report continues the rollout of the Threat Lab team’s updated methods to normalize, analyze, and present the report findings, which began in last quarter’s report. The network security results are presented as “per device” averages, and this month the updated methodologies extend to the Threat Lab’s network attack and endpoint malware research.
For a more in-depth view of WatchGuard’s research, read the complete Q2 2023 Internet Security Report here.
About WatchGuard Technologies, Inc.
WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.