By Corey Nachreiner, Chief Security Officer, WatchGuard Technologies
The threat landscape is an erratic and ever-evolving beast. While it knows no master, its behavior is broadly directed by the host of threat actors that pull on its reins from all corners of the world, constantly adapting their tactics and techniques to better sniff out points of weakness and infiltrate organizations. Businesses must stay up to date on the latest threat intelligence to understand their adversaries, bolster defenses and avoid falling prey. For this reason, the WatchGuard Threat Lab research team produces a quarterly security report detailing the latest malware and network attack trends based on anonymized data from tens of thousands of WatchGuard appliances deployed across the globe.
The Threat Lab’s latest Internet Security Report reveals the highest level of zero-day malware detections we’ve ever recorded. In fact, evasive malware rates have actually eclipsed those of traditional threats, which is yet another sign that organizations must continue to evolve their defenses in order to stay ahead of increasingly sophisticated threat actors. The research also covers new threat intelligence around rising network attack rates, how malicious actors are trying to disguise and repurpose old exploits, and the quarter’s top malware attacks.
Hungry for more? Here are some additional key findings to feast on:
- Network attacks are on the rise – WatchGuard appliances detected more than 4 million network attacks, a 21% increase compared to the previous quarter and the highest volume since early 2018. Corporate servers and assets on site are still high-value targets for attackers despite the shift to remote and hybrid work, so organizations must maintain perimeter security alongside user-focused protections.
- Fileless malware variant surges in popularity–JSLoader is a malicious payload that appeared for the first time in both WatchGuard’s top malware by volume and most widespread malware detections lists. It was also the variant WatchGuard detected most often via HTTPS inspection in Q1’21. The sample WatchGuard identified uses an XML external entity (XXE) attack to open a shell to run command to bypass the local PowerShell execution policy and runs in a non-interactive way, hidden from the actual user or victim. This is another example of the rising prevalence of fileless malware and the need for advanced endpoint detection and response capabilities.
- Attackers disguise ransomware loader as legitimate PDF attachments with the help of a simple file name trick– Ransomware loader Zmutzy surfaced as a top-two encrypted malware variant by volume in Q1’21. Associated with Nibiru ransomware specifically, victims encounter this threat as a zipped file attachment to an email or a download from a malicious website. Running the zip file downloads an executable, which to the victim appears to be a legitimate PDF. Attackers used a comma instead of a period in the file name and a manually adjusted icon to pass the malicious zip file off as a PDF. This type of attack highlights the importance of phishing education and training, as well as implementing back-up solutions in the event that a variant like this unleashes a ransomware infection.
- Hackers co-opt reputable domains to mine cryptocurrency– In Q1’21, WatchGuard’s DNSWatch service blocked several compromised and outright malicious domains associated with cryptomining threats. Cryptominer malware has become increasingly popular due to recent price spikes in the cryptocurrency market and the ease with which threat actors can siphon resources from unsuspecting victims.
- An old directory traversal attack technique comes back with a vengeance– WatchGuard detected a new threat signature in Q1’21 that involves a directory traversal attack via cabinet (CAB) files, a Microsoft-designed archival format intended for lossless data compression and embedded digital certificates. A new addition to WatchGuard’s top 10 network attacks list, this exploit either tricks users into opening a malicious CAB file using conventional techniques, or by spoofing a network-connected printer to fool users into installing a printer driver via a compromised CAB file.
- IoT devices continue to present an attractive attack surface for malicious actors – While it didn’t make WatchGuard’s top 10 malware list for Q1’21, the Linux.Ngioweb.B variant has been used by adversaries recently to target IoT devices. The first version of this sample targeted Linux servers running WordPress, arriving initially as an extended format language (EFL) file. Another version of this malware turns the IoT devices into a botnet with rotating command and control servers.
- Lessons learned from HAFNIUM zero days – Last quarter, Microsoft reported that adversaries used the four HAFNIUM vulnerabilities in various Exchange Server versions to gain full, unauthenticated system remote code execution and arbitrary file-write access to any unpatched server exposed to the Internet, as most email servers are. WatchGuard incident analysis dives into the vulnerabilities and highlights the importance of HTTPS inspection, timely patching and replacing legacy systems. You can read more here.
If there’s one key takeaway from our latest threat analysis, it’s this: Traditional anti-malware solutions alone simply aren’t sufficient for today’s threat environment. Every organization needs to have a layered, proactive security strategy that involves machine learning and behavioral analysis to detect and block new and advanced threats. Remember, to the beast that is the threat landscape, every business is fair game – and the hunt never ends.
About the Author
Corey Nachreiner is the CSO of WatchGuard Technologies. A front-line cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys “modding” any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.
Corey Nachreiner can be reached at @SecAdept on Twitter, or via https://www.watchguard.com/