WatchGuard Research Finds 12% Spike in Evasive Threats Despite Decrease in Overall Malware Volume

WatchGuard

New report underscores the importance of layered security as zero day malware variants, JavaScript malware attacks and Microsoft Excel-based threats rise

In its latest Internet Security Report, WatchGuard Technologies found that despite an 8% decrease in overall malware detections in Q2 2020, 70% of all attacks involved zero day malware – variants that circumvent antivirus signatures, which represents a 12% increase over the previous quarter.

WatchGuard’s Internet Security Report, which provides a detailed look at the latest malware and network attack trends, found that attackers are continuing to leverage evasive and encrypted threats. Zero-day malware made up more than two-thirds of the total detections in Q2, while attacks sent over encrypted HTTPS connections accounted for 34%. This means that organizations that are not able to inspect encrypted traffic will miss a massive one-third of incoming threats. Even though the percentage of threats using encryption decreased from 64% in Q1, the volume of HTTPS-encrypted malware increased dramatically. It appears that more administrators are taking the necessary steps to enable HTTPS inspection, but there’s still more work to be done.

“Businesses aren’t the only ones that have adjusted operations due to the global COVID-19 pandemic – cybercriminals have too,” said Corey Nachreiner, CTO of WatchGuard. “The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defenses simply can’t catch. Every organization should be prioritizing behavior-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”

Other key findings of the WatchGuard report include:

  • JavaScript-based Attacks Are on the Rise

The scam script Trojan.Gnaeus made its debut at the top of WatchGuard’s top 10 malware list for Q2, making up nearly one in five malware detections. Gnaeus malware allows threat actors to hijack control of the victim’s browser with obfuscated code, and forcefully redirect away from their intended web destinations to domains under the attacker’s control. Another popup-style JavaScript attack, J.S. PopUnder, was one of the most widespread malware variants last quarter. In this case, an obfuscated script scans a victim’s system properties and blocks debugging attempts as an anti-detection tactic. To combat these threats, organizations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable adblockers and maintain an updated anti-malware engine.

Read More: Top Vulnerabilities that CIOs Need to Consider as the Workforce Returns to Offices

  • Attackers Increasingly Use Encrypted Excel Files to Hide Malware

XML-Trojan.Abracadabra is a new addition to WatchGuard’s top 10 malware detections list, showing a rapid growth in popularity since the technique emerged in April. Abracadabra is a malware variant delivered as an encrypted Excel file with the password “VelvetSweatshop”, the default password for Excel documents. Once opened, Excel automatically decrypts the file and a macro VBA script inside the spreadsheet downloads and runs an executable. The use of a default password allows this malware to bypass many basic antivirus solutions since the file is encrypted and then decrypted by Excel. Organisations should never allow macros from an untrusted source, and leverage cloud-based sandboxing to safely verify the true intent of potentially dangerous files before they can cause an infection.

  • An Old, Highly Exploitable DoS Attack Makes a Comeback

A six-year-old denial of service (DoS) vulnerability affecting WordPress and Drupal made an appearance on WatchGuard’s list of top 10 network attacks by volume in Q2. This vulnerability is particularly severe because it affects every unpatched Drupal and WordPress installation and creates DoS scenarios in which bad actors can cause CPU and memory exhaustion on underlying hardware. Despite the high volume of these attacks, they were hyper-focused on a few dozen networks primarily in Germany. Since DoS scenarios require sustained traffic to victim networks, this means there’s a strong likelihood that attackers were selecting their targets intentionally.

  • Malware Domains Leverage Command and Control Servers to Wreak Havoc

Two new destinations made WatchGuard’s top malware domains list in Q2. The most common was findresults[.]site, which uses a C&C (command & Control) server for a Dadobra trojan variant that creates an obfuscated file and associated registry to ensure the attack runs and can exfiltrate sensitive data and download additional malware when users start up Windows systems. One user alerted the WatchGuard team to Cioco-froll[.]com, which uses another C&C server to support an Asprox botnet variant, often delivered via PDF document, and provides a C&C beacon to let the attacker know it has gained persistence and is ready to participate in the botnet. DNS firewalling can help organisations detect and block these kinds of threats independent of the application protocol for the connection.

Read More: Identity and Access Management Framework for Remote Business Scalability

WatchGuard’s quarterly research reports are based on anonymised Firebox Feed data from active WatchGuard appliances whose owners have opted in to share data to support the Threat Lab’s research efforts. In Q2, nearly 42,000 WatchGuard appliances contributed data to the report, blocking a total of more than 28.5 million malware variants (684 per device) and more than 1.75 million network threats (42 per device). Firebox appliances collectively detected and blocked 410 unique attack signatures in Q2, a 15% increase over Q1 and the most since Q4 2018.

The complete report includes more insights on the top malware and network trends affecting midmarket businesses today, as well as recommended security strategies and best practices to defend against them. The report also includes a detailed analysis of the recent data breach spree brought on by hacking group ShinyHunters.