International. WatchGuard Technologies highlighted in its most recent report that, despite an 8% decrease in overall malware detections in the second quarter, 70% of all malware detected was zero-day malware (variants that evade signature-based antivirus), a 12% increase over the previous quarter.
"Companies are not the only ones that have adjusted their operations due to the global COVID-19 pandemic; cybercriminals have too," said Corey Nachreiner, Chief Technology Officer at WatchGuard. "The increase in well-planned attacks, despite the fact that overall malware detections declined in the second quarter (likely due to the shift to remote work), shows that attackers are resorting to more evasive and effective tactics that traditional, signature-based anti-malware defenses simply cannot catch. All organizations must prioritize behavior-based threat detection, cloud sandboxing, and a suite of layered security services to protect both the core network and remote workforces."
The WatchGuard Internet Security Report provides a detailed look at the latest trends in network attacks and malware, in-depth threat research, and security best practices that organizations can leverage to better protect themselves, their partners, and their customers.
Key findings from the Q2 2020 report include:
• Attackers continue to take advantage of evasive and encrypted threats: Zero-day malware accounted for more than two-thirds of total detections in the second quarter, while malware delivered over encrypted HTTPS connections accounted for 34%. Organizations that cannot inspect encrypted traffic will therefore miss roughly a third of incoming threats. Although the share of malware using encryption fell from 64% in the first quarter to 34%, the absolute volume of HTTPS-encrypted malware increased dramatically. It seems that more administrators are taking the necessary steps to enable HTTPS inspection on Firebox security devices, but there is still more work to be done.
• JavaScript-based attacks are on the rise: The Trojan.Gnaeus scam script made its debut at the top of WatchGuard's top 10 malware list for the second quarter, accounting for nearly one in five malware detections. Gnaeus uses obfuscated code to hijack the victim's browser and forcibly redirect it away from the intended site to domains under the attacker's control. Another pop-up style JavaScript attack, JS.PopUnder, was among the most widespread malware variants last quarter. In this case, an obfuscated script fingerprints the victim's system properties and detects and blocks debugging attempts as an anti-analysis tactic. To combat these threats, organizations should prevent users from loading browser extensions from unknown sources, keep browsers up to date with the latest patches, use reputable ad blockers, and maintain an up-to-date anti-malware engine.
• Attackers are increasingly using encrypted Excel files to hide malware: XML-Trojan.Abracadabra is a new addition to WatchGuard's top 10 malware detections list, showing rapid growth since the technique emerged in April. Abracadabra is delivered as an Excel workbook encrypted with the password "VelvetSweatshop", the built-in default that Excel silently tries when it opens an encrypted file. Because the password is the default, Excel decrypts the file without prompting the user, and a VBA macro inside the spreadsheet then downloads and runs an executable. The file sits on disk and in transit as ciphertext, so a scanner that does not attempt the default password sees only an opaque encrypted container, which is why the technique bypasses many basic antivirus solutions. Organizations should never allow macros from untrusted sources and should leverage a cloud sandbox to verify the true behavior of potentially dangerous files before they can cause an infection.
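A practical check for this technique is to flag Office files that are encrypted at rest and then test whether Excel's default password opens them. The following is an added example, not WatchGuard's code or anything from the report: the byte-level heuristic (encrypted OOXML workbooks are wrapped in an OLE compound file that carries "EncryptionInfo" and "EncryptedPackage" streams, whose names are stored as UTF-16LE), the sample inputs, and the optional use of the third-party msoffcrypto-tool library are all this example's own assumptions.

```python
"""Triage Office attachments for at-rest encryption and the Excel default
password. Added example; heuristic, sample bytes and library use are
assumptions of this example, not WatchGuard's tooling."""
import io
from typing import Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file (OLE2) header
ZIP_MAGIC = b"PK\x03\x04"                        # plain OOXML (.xlsx/.docx) is a zip
DEFAULT_EXCEL_PASSWORD = "VelvetSweatshop"       # Excel tries this silently

# Stream names in an OLE directory are UTF-16LE; an encrypted OOXML workbook
# is an OLE container holding both of these streams.
_ENC_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]


def classify_office_file(data: bytes) -> str:
    """Cheap first pass: what kind of container is this?"""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plaintext"          # zip: scanners can read the XML directly
    if not data.startswith(OLE_MAGIC):
        return "not-office"
    if all(name in data for name in _ENC_STREAMS):
        return "ole-encrypted-package"    # ciphertext blob: signatures see nothing
    return "ole-legacy"                   # .xls/.doc binary format


def try_default_password(data: bytes, password: str = DEFAULT_EXCEL_PASSWORD) -> Optional[bytes]:
    """Return the decrypted package if `password` opens the file, else None.

    Assumption: msoffcrypto-tool (pip install msoffcrypto-tool) and its
    OfficeFile / load_key / decrypt API. If it is missing, or the bytes are not
    a real encrypted file, we report None rather than guessing.
    """
    try:
        import msoffcrypto
    except ImportError:
        return None
    src, dst = io.BytesIO(data), io.BytesIO()
    try:
        office = msoffcrypto.OfficeFile(src)
        office.load_key(password=password)
        office.decrypt(dst)
    except Exception:
        return None
    return dst.getvalue()


def triage(data: bytes) -> dict:
    """Decide what the scanner should do with the attachment."""
    kind = classify_office_file(data)
    verdict = {"kind": kind, "default_password_opens": False, "action": "scan"}
    if kind == "ole-encrypted-package":
        plain = try_default_password(data)
        if plain is not None:
            # Encrypted only with the default password: the user will never be
            # prompted, so treat it exactly like an unencrypted macro document.
            verdict["default_password_opens"] = True
            verdict["action"] = "scan-decrypted-payload"
        else:
            # Real password or undecodable: static scanning is blind; sandbox it.
            verdict["action"] = "sandbox"
    return verdict


def fake_encrypted_ole() -> bytes:
    """Constructed stand-in for an encrypted workbook: correct magic plus the two
    stream names in a fake directory sector. Not a parseable OLE file."""
    return OLE_MAGIC + b"\x00" * 504 + _ENC_STREAMS[0] + b"\x00" * 100 + _ENC_STREAMS[1]


if __name__ == "__main__":
    for label, blob in [("fake-encrypted", fake_encrypted_ole()),
                        ("fake-xlsx", ZIP_MAGIC + b"\x00" * 32),
                        ("fake-exe", b"MZ" + b"\x00" * 32)]:
        print(label, triage(blob))
```

In a mail gateway or EDR pipeline the "sandbox" branch is the important one: a file that Excel will open without a prompt but that your scanner cannot read is exactly the gap Abracadabra exploits, so the decision should be "detonate or block", never "pass because no signature matched".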
• A highly exploitable old DoS attack returns: A six-year-old denial-of-service (DoS) vulnerability affecting WordPress and Drupal appeared on WatchGuard's list of the top 10 network attacks by volume in the second quarter. It is particularly severe because it affects every unpatched Drupal and WordPress installation and lets attackers exhaust CPU and memory on the underlying host. Despite the high volume of these attacks, they were concentrated on a few dozen networks, mainly in Germany. Since a DoS requires sustained traffic against the victim's network, there is a high probability that the attackers selected their targets deliberately.
• Malware domains leverage command and control servers to wreak havoc: Two new entries appeared on WatchGuard's list of top malware domains in the second quarter. The most common was findresults[.], which hosts a C&C server for a variant of the Dadobra Trojan; the Trojan drops an obfuscated file and an associated log so that it runs each time Windows starts, and it can leak sensitive data and download additional malware. A user alerted the WatchGuard team to cioco-froll[.]com, which hosts another C&C server supporting an Asprox botnet variant (often delivered via PDF document); the implant sends a C&C beacon to let the attacker know it has gained persistence and is ready to join the botnet. A DNS firewall can help organizations detect and block these threats regardless of the application protocol used for the connection, because the block happens at name resolution, before any connection is made.
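The DNS-layer block described above is easy to get subtly wrong: a blocklist lookup must match subdomains of a listed name but not unrelated names that merely end in the same string. The example below is added here and is not WatchGuard's code or data; the log format, the client addresses and every blocklist entry other than cioco-froll[.]com are constructed for illustration.

```python
"""Match DNS query logs against a malware-domain blocklist.
Added example; log format and extra list entries are constructed."""
from typing import List, Optional, Set, Tuple


def refang(name: str) -> str:
    """Turn defanged notation such as 'cioco-froll[.]com' into a real name."""
    return name.strip().lower().rstrip(".").replace("[.]", ".").replace("(.)", ".")


def build_blocklist(entries: List[str]) -> Set[str]:
    return {refang(e) for e in entries}


def is_blocked(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the listed entry that covers qname (the name itself or a parent
    domain), or None. Label-wise matching means 'evilcioco-froll.com' does not
    match 'cioco-froll.com', while 'beacon.cioco-froll.com' does."""
    labels = refang(qname).split(".")
    # Stop before the bare TLD so a list entry can never shadow all of '.com'.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(lines: List[str], blocklist: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Constructed log format: '<timestamp> <client-ip> <qtype> <qname>'.
    Returns (timestamp, client, qname, matched_entry) for every hit, whatever
    protocol the client intended to use afterwards (HTTPS, SMTP, raw TCP)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        ts, client, _qtype, qname = parts
        match = is_blocked(qname, blocklist)
        if match:
            hits.append((ts, client, refang(qname), match))
    return hits


# Constructed sample data: one real entry from the report, two made-up ones.
BLOCKLIST = build_blocklist(["cioco-froll[.]com", "bad-example[.]test", "c2.another-example[.]test"])
SAMPLE_LOG = [
    "2020-06-02T14:03:11Z 10.0.5.23 A cioco-froll.com",
    "2020-06-02T14:03:12Z 10.0.5.23 A beacon.cioco-froll.com.",
    "2020-06-02T14:03:15Z 10.0.5.40 AAAA evilcioco-froll.com",
    "2020-06-02T14:04:01Z 10.0.5.41 A www.bad-example.test",
    "2020-06-02T14:04:02Z 10.0.5.42 A another-example.test",
    "2020-06-02T14:04:03Z 10.0.5.42 A com",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, BLOCKLIST):
        print("BLOCK", *hit)
```

Note that `another-example.test` is not blocked even though `c2.another-example.test` is listed: the list entry covers that host and anything beneath it, not its parent, which is the right default when the parent is a legitimate shared domain.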
WatchGuard's quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard devices whose owners have chosen to share data to support the Threat Lab's research efforts. In the second quarter, nearly 42,000 WatchGuard devices contributed data to the report, blocking a total of more than 28.5 million malware variants (684 per device) and more than 1.75 million network threats (42 per device). Firebox devices collectively detected and blocked 410 unique attack signatures in the second quarter, a 15% increase from the first quarter and the most since the fourth quarter of 2018.
The full report includes more insight into the top networking and malware trends affecting midsize businesses today, as well as recommended security strategies and best practices for defending against them. The report also includes a detailed analysis of the recent wave of data breaches triggered by the hacking group ShinyHunters.
Read WatchGuard's full Q2 2020 Internet Security Report for the complete findings.