International. The Internet Security Report for the first quarter of 2020 presents data on the share of circulating malware that is delivered over encrypted HTTPS connections. The analysis was produced by WatchGuard Technologies.
WatchGuard's threat intelligence shows that 67% of all malware in Q1 was delivered over HTTPS, so organizations without security solutions capable of inspecting encrypted traffic will not see two-thirds of incoming threats. In addition, 72% of encrypted malware was classified as zero-day, meaning that no antivirus signature existed for it at the time of detection and that it will evade signature-based protections.
These findings show that HTTPS inspection (which in practice means terminating TLS at the inspecting device and trusting its issuing CA on managed endpoints) and advanced behavior-based threat detection and response solutions are now requirements for all security-conscious organizations. The report also includes a special section detailing the impact of COVID-19 on the threat landscape.
Here are the key findings of the Q1 2020 report:
• Monero cryptominers increase in popularity. Five of the top ten malware-distributing domains in Q1 (identified by WatchGuard's DNS filtering service, DNSWatch) either hosted or controlled Monero cryptominers. This sudden jump in cryptominers' popularity could simply be due to their usefulness: adding a crypto-mining module to malware is an easy way for online criminals to generate passive income.
• Malware variants Flawed-Ammyy and Cryxos join the top lists. The Cryxos Trojan was third on WatchGuard's list of the top five encrypted malware detections and also third on its list of the five most widespread malware detections, primarily targeting Hong Kong. It is delivered as an email attachment disguised as an invoice and asks the user to enter their email address and password, which it then stores. Flawed-Ammyy is a support scam in which the attacker uses the Ammyy Admin support software to gain remote access to the victim's computer.
• Three-year-old Adobe vulnerability appears in major network attacks. An Adobe Acrobat Reader exploit, for a vulnerability patched in August 2017, appeared for the first time on WatchGuard's list of top network attacks in the first quarter. A vulnerability resurfacing several years after being discovered and fixed illustrates the importance of regularly patching and updating systems.
• Mapp Engage, AT&T and Bet365 impersonated in spear phishing campaigns. Three new domains hosting phishing campaigns appeared on WatchGuard's top ten list in the first quarter of 2020. They posed as the digital analytics and marketing product Mapp Engage, the online betting platform Bet365 (this campaign was in Chinese), and an AT&T login page (this campaign was no longer active at the time the report was released).
• COVID-19 impact. The first quarter of 2020 was only the beginning of the massive changes in the cyber threat landscape brought on by the COVID-19 pandemic. Even in these first three months of 2020, there was already a sharp increase in remote workers and in attacks against individuals.
• Malware attacks and network attacks decrease. Overall, there were 6.9% fewer malware attacks and 11.6% fewer network attacks in the first quarter, despite a 9% increase in the number of Fireboxes contributing data. This could be attributed to fewer potential targets operating inside the traditional network perimeter, with global work-from-home policies in full force during the COVID-19 pandemic.
• Britain and Germany heavily targeted by widespread malware threats. WatchGuard's most widespread malware list showed that Germany and Britain were the top targets for almost all of the most prevalent malware in the first quarter.
The findings in WatchGuard Internet Security Reports come from anonymized Firebox Feed data from active WatchGuard devices whose owners have chosen to share data to support the Threat Lab's research efforts. Today, more than 44,000 devices worldwide contribute threat intelligence data to the report. In the first quarter of 2020, they blocked more than 32 million malware variants in total (32,148,519, or about 730 samples per device) and more than 1,660,000 network attacks (about 38 attacks per device).