International. In its latest Quarterly Internet Security Report, WatchGuard Technologies details the top malware trends and network security threats analyzed by WatchGuard Threat Lab Researchers during the second quarter of 2021.
The report also includes new insights based on endpoint threat intelligence detected during the first half of 2021.
The main findings of the research uncovered a staggering 91.5% of malware arriving via HTTPS encrypted connections, alarming increases in fileless malware threats, dramatic ransomware growth, a huge increase in network attacks, and much more.
"With much of the world still operating firmly in a mobile or hybrid workforce model, the perimeter of the traditional network is not always a factor in the cybersecurity defense equation," said Corey Nachreiner, Chief Security Officer at WatchGuard. "While strong perimeter defense remains an important part of a layered security approach, robust endpoint protection (EPP) and endpoint detection and response (EDR) are increasingly essential."
Among its most notable findings, WatchGuard's Second Quarter 2021 Internet Security Report reveals:
Large amounts of malware arrive through encrypted connections: In the second quarter, 91.5% of malware arrived through an encrypted connection, a dramatic increase over the previous quarter. Simply put, any organization that isn't inspecting encrypted HTTPS traffic at the perimeter is missing nine out of ten pieces of malware before it ever gets a chance to examine them.
Malware is using PowerShell tools to bypass powerful protections: AMSI.Disable.A first appeared in WatchGuard's top-malware section in the first quarter and immediately skyrocketed this quarter, taking the No. 2 spot overall by volume and the No. 1 spot for encrypted threats. This malware family uses PowerShell tools to exploit various vulnerabilities in Windows. What makes it especially interesting is its evasion technique. WatchGuard discovered that AMSI.Disable.A uses code capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell, allowing its script-based malware payload to slip past security checks undetected.
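The defensive counterpart to the technique described above is to watch PowerShell script-block logging for scripts that reference AMSI internals or assemble the string "amsi" at run time. The following scorer is an added example written for this article; it is not WatchGuard's detection logic or any vendor signature. It assumes that script-block text (Windows Event ID 4104) has been exported as plain strings, the indicator weights and alert threshold are assumptions, and the sample records are constructed, not real telemetry.

```python
"""Score PowerShell script-block log entries for AMSI-tampering indicators."""
import re
from dataclasses import dataclass, field

# Lower-case substrings that rarely appear in legitimate scripts.
# Weights are assumptions chosen for this example, not a vendor signature.
INDICATORS = {
    "amsiutils": 3,
    "amsiinitfailed": 3,
    "amsiscanbuffer": 3,
    "amsicontext": 3,
    "amsi.dll": 2,
}
ALERT_THRESHOLD = 3  # assumed: tune against your own baseline


@dataclass
class Finding:
    record_id: int
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def normalize(script: str) -> str:
    """Undo simple string-splitting obfuscation so indicators can be matched.

    Handles backtick escapes, [char]NN literals, and quoted fragments glued
    together with '+' or ',' (e.g. 'am'+'si'). Returns lower-case text.
    """
    s = script.replace("`", "")
    # Turn [char]NN into a quoted one-character literal so the join rule below applies.
    s = re.sub(
        r"\[char\]\s*(\d+)",
        lambda m: f"'{chr(int(m.group(1)))}'" if int(m.group(1)) < 0x110000 else m.group(0),
        s,
        flags=re.I,
    )
    # Remove quote-operator-quote boundaries: 'am'+'si' -> 'amsi', 'a','m' -> 'am'
    s = re.sub(r"""['"]\s*[+,]\s*['"]""", "", s)
    return s.lower()


def score_script(record_id: int, script: str) -> Finding:
    """Return a Finding with an additive score and human-readable reasons."""
    f = Finding(record_id)
    raw = script.lower()
    norm = normalize(script)
    for needle, weight in INDICATORS.items():
        if needle in norm:
            f.score += weight
            f.reasons.append(f"indicator '{needle}'")
    # 'amsi' that only appears after de-obfuscation is itself suspicious
    if "amsi" in norm and "amsi" not in raw:
        f.score += 2
        f.reasons.append("'amsi' assembled via string obfuscation")
    # Reflection into non-public .NET members is the usual route for in-process tampering
    if re.search(r"getfield\s*\(", raw) and "nonpublic" in raw:
        f.score += 2
        f.reasons.append("reflection into non-public .NET members")
    return f


def scan(records):
    """Score every (record_id, script_text) pair and return the findings in order."""
    return [score_script(rid, text) for rid, text in records]


# Constructed sample script-block entries (hypothetical, not real telemetry)
SAMPLE_RECORDS = [
    (1, "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"),
    (2, "$s = 'Am'+'si'+'Ut'+'ils'; Write-Output $s"),
    (3, "[Ref].Assembly.GetType('System.Management.Automation.ExampleType')"
        ".GetField('exampleField','NonPublic,Static')"),
    (4, "Invoke-WebRequest https://example.invalid/update.ps1 -OutFile u.ps1"),
    (5, "$n = -join ([char]97,[char]109,[char]115,[char]105,'InitFailed')"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        flag = "ALERT" if finding.alert else "ok   "
        print(f"{flag} record={finding.record_id} score={finding.score} {finding.reasons}")
```

Records 2 and 5 alert because the AMSI indicator only becomes visible after de-obfuscation; record 3 scores for reflection alone and stays below the threshold, which is the point of additive scoring: a single weak signal is logged, not paged.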
Fileless threats skyrocket and become even more evasive: In the first six months of 2021 alone, malware detections originating from scripting engines such as PowerShell have already reached 80% of the total volume of script-initiated attacks last year, which in itself represented a substantial increase over the previous year. At the current rate, fileless malware detections in 2021 are on track to double their volume year-on-year.
Network attacks are booming despite the shift to primarily remote workforces: WatchGuard devices detected a substantial increase in network attacks, which increased 22% from the previous quarter and reached the highest volume since early 2018. The first quarter saw nearly 4.1 million attacks on the network. In the following quarter, that number increased by another million, charting an aggressive course that highlights the growing importance of maintaining perimeter security alongside user-centric protections.
Ransomware comes back with force: While total ransomware detections at the endpoint were on a downward trajectory from 2018 to 2020, that trend was broken in the first half of 2021, as the six-month total ended just below the full-year total for 2020. If daily ransomware detections remain stable for the rest of 2021, this year's volume will represent an increase of more than 150% compared to 2020.
Large ransomware attacks overshadow shotgun blast attacks: The Colonial Pipeline attack of May 7, 2021 made it clear that ransomware as a threat is here to stay. As the most significant security incident of the quarter, the breach underscores how cybercriminals are not only putting the most vital services, such as hospitals, industrial control, and infrastructure, in their crosshairs, but appear to be stepping up attacks against these high-value targets as well. WatchGuard Incident Analysis examines the consequences, what the future looks like for critical infrastructure security, and the steps organizations in any industry can take to help defend against these attacks and slow their spread.
Legacy services continue to prove worthy targets: Deviating from the usual one or two new signatures seen in previous quarterly reports, there were four new signatures among WatchGuard's top 10 network attacks for the second quarter. The most recent was a 2020 vulnerability in the popular web programming language PHP, but the other three are not new at all. These include a 2011 Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in the OpenEMR medical records application, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. While dated, they all continue to present risks if left unpatched.
Microsoft Office-based threats persist in popularity: The second quarter saw a new addition to the list of the 10 most widespread network attacks, and it debuted at the top. The signature, 1133630, is the 2017 RCE vulnerability mentioned above that affects Microsoft browsers. Although it is an old exploit, patched on most systems (hopefully), those that have yet to patch will have a rude awakening if an attacker reaches them first. In fact, a very similar high-severity RCE security flaw, tracked as CVE-2021-40444, made headlines earlier this month when it was actively exploited in attacks targeting Microsoft Office and Office 365 on Windows 10 computers. Office-based threats continue to be popular when it comes to malware, so we're still detecting these tried and true attacks in the wild. Fortunately, they are still being detected by tried and true IPS defenses.
Phishing domains pose as legitimate and widely recognized domains: WatchGuard has observed an increase in the use of malware recently targeting Microsoft Exchange servers and generic email users to download Remote Access Trojans (RATs) in highly sensitive locations. This is most likely because the second quarter is the second consecutive quarter in which remote workers and students returned to hybrid offices and academic environments or to previously normal on-site activity. Whatever the setting or location, strong security awareness and monitoring of outbound communications on devices that are not necessarily connected directly to the managed network is recommended.
WatchGuard's quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have chosen to share data in direct support of Threat Lab's research efforts. In the second quarter, WatchGuard blocked a total of more than 16.6 million malware variants (438 per device) and nearly 5.2 million network threats (137 per device). The full report includes details on additional malware and network trends from the second quarter of 2021, an even deeper analysis of threats detected at the endpoint during the first half of 2021, recommended security strategies and critical defense tips for businesses of all sizes and in any industry, and more.