Endpoint Malware Volumes Drop Amid Expanding Campaigns: WatchGuard Threat Lab Report

WatchGuard® Technologies Analyzes Latest Internet Security Trends

Introduction

WatchGuard® Technologies, a global leader in unified cybersecurity, has released its latest Internet Security Report, unveiling the top malware trends and network and endpoint security threats identified by the WatchGuard Threat Lab researchers. The report sheds light on the evolving strategies employed by advanced threat actors and the need for organizations to adopt a layered security approach to combat these multifaceted cyber threats effectively. Key findings include the increasing prevalence of malware delivered through encrypted connections, a decline in ransomware detections but a rise in double-extortion attacks, the persistence of older software vulnerabilities as favored targets for exploit, and emerging trends in malware variants and delivery vectors.

The Rise of Encrypted Malware

One of the most striking findings of the report is that 95% of malware is now hidden behind encryption. The use of SSL/TLS encryption by secured websites has become a common technique for threat actors to conceal their malicious activities. This poses a significant challenge for organizations that do not inspect SSL/TLS traffic at the network perimeter, as they are likely missing the majority of malware. Notably, the report highlights that when inspecting malware over encrypted connections, the share of evasive detections increases to 66%, indicating an ongoing trend of attackers delivering sophisticated malware primarily via encryption.

Recommendation:

Organizations must take measures to effectively inspect encrypted traffic without compromising security or privacy. Implementing SSL/TLS inspection technologies can help identify and prevent the spread of malware hiding behind encryption, providing organizations with stronger defense against advanced threats.

Endpoint Malware Trends

While the overall volume of endpoint malware has slightly decreased, the report reveals that widespread malware campaigns have increased. There was an 8% decrease in endpoint malware detections in the second quarter compared to the previous quarter. However, when examining malware detections caught by multiple systems, the volume increased by 22% and 21% for 10 to 50 systems and 100 or more systems, respectively. This suggests that threat actors are increasingly launching large-scale campaigns targeting multiple endpoints.

Recommendation:

Organizations should not underestimate the impact of widespread malware campaigns. It is crucial to continuously update and strengthen endpoint security measures, such as antivirus software and intrusion detection systems, to safeguard against evolving threats and protect sensitive data.

The Rise of Double-Extortion Attacks

While ransomware detections on endpoints have declined, the report highlights a significant increase in double-extortion attacks. The WatchGuard Threat Lab noted a 72% increase in double-extortion attacks quarter over quarter, with the emergence of 13 new extortion groups. Double-extortion attacks involve threat actors not only encrypting and demanding a ransom for data, but also threatening to publicly release the stolen information if payment is not made. This tactic has proven to be lucrative for cybercriminals, leading to its growing adoption.

Recommendation:

Organizations need to be prepared for double-extortion attacks and adopt a proactive approach to mitigate risks. Regularly backing up critical data and implementing robust data protection measures can minimize the impact of such attacks. It is crucial to maintain offline backups and develop an incident response plan that prioritizes response and recovery strategies in the event of a ransomware attack.

Emerging Malware Variants and Delivery Vectors

The report highlights the detection of six new malware variants in the top 10 endpoint detections. Of particular concern is the significant increase in the detection of the compromised 3CX installer, accounting for 48% of the total detection volume in the second quarter. Additionally, the multifaceted loader and information stealer known as Glupteba made a resurgence after being disrupted in 2021. This highlights the adaptability and persistence of malware variants.

In terms of delivery vectors, threat actors are increasingly leveraging Windows living off-the-land binaries to deliver malware. Attacks that abuse Windows OS tools like WMI (Windows Management Instrumentation) and PSExec have increased by 29%, accounting for 17% of the total volume. However, there has been a 41% decrease in malware using scripts like PowerShell. Browser-based exploits have also declined by 33%, accounting for 3% of the total volume.

Recommendation:

Organizations should remain vigilant against emerging malware variants and continuously update their security defenses. Implementing robust endpoint protection solutions that can detect and block new malware variants, as well as monitoring and restricting the usage of Windows OS tools, can greatly enhance the overall security posture.

Persistence of Older Software Vulnerabilities

The report emphasizes that threat actors continue to target older software vulnerabilities, leveraging their familiarity and the potential for successful exploits. The WatchGuard Threat Lab researchers identified three new signatures in the top 10 network attacks for the second quarter, all based on older vulnerabilities. This includes a 2016 vulnerability associated with an open-source learning management system retired in 2018, as well as vulnerabilities in PHP and HP management applications.

Recommendation:

Organizations must prioritize patch management and ensure that software and systems are regularly updated with the latest security patches. Implementing vulnerability scanning tools and staying informed about the latest security advisories can help identify and remediate vulnerabilities before they can be exploited by threat actors.

Conclusion

The latest Internet Security Report from WatchGuard® Technologies shines a light on the ever-evolving landscape of cybersecurity threats. The high prevalence of malware hidden behind encryption, the rise of double-extortion attacks, and the persistence of older software vulnerabilities demand constant vigilance from organizations. A comprehensive and layered security approach, combined with regular updates, robust endpoint protection, and continuous monitoring, is essential in combatting these evolving threats effectively. Cybersecurity must remain a top priority for organizations, and partnerships with managed service providers who specialize in unified security solutions can be a valuable asset to bolster defenses and respond to emerging threats.