International. WatchGuard Technologies released its latest Quarterly Internet Security Report, which highlights top malware trends and network security threats for the third quarter of 2021, as analyzed by researchers at the WatchGuard Threat Lab.
The data indicates that while the total volume of perimeter malware detection decreased from the highs reached in the previous quarter, endpoint malware detections already exceeded the total volume seen in 2020 (with data from the fourth quarter of 2021 yet to be reported). In addition, a significant percentage of malware continues to arrive through encrypted connections, continuing the trend of previous quarters.
"While the total volume of network attacks decreased slightly in the third quarter, malware per device increased for the first time since the pandemic began," said Corey Nachreiner, Chief Security Officer at WatchGuard. "Looking at the year so far as a whole, the security environment remains a challenge. It's important for organizations to move beyond the short-term ups and downs and seasonality of specific metrics, and focus on persistent and troubling trends that take into account their security posture."
Among its most notable findings, WatchGuard's Third Quarter 2021 Internet Security Report reveals:
Nearly half of zero-day "Zero-Day" malware is now delivered over encrypted connections: while the total amount of zero-day malware increased by a modest 3% to 67.2% in the third quarter, the percentage of malware that arrived through Transport Layer Security (TLS) jumped from 31.6% to 47%. A smaller percentage of encrypted zero-days is considered advanced, but it remains concerning given that WatchGuard data shows that many organizations are not cracking these connections and therefore have little visibility into the amount of malware reaching their networks.
As users upgrade to the latest versions of Microsoft Windows and Office, attackers focus on the newest vulnerabilities: While unpatched vulnerabilities in older software continue to provide a rich hunting ground for attackers, they also seek to exploit weaknesses in the latest versions of Microsoft.
Attackers disproportionately targeted the Americas: the vast majority of network attacks targeted the Americas in the third quarter (64.5%) compared to Europe (15.5%) and APAC (20%).
Overall network attack detections resumed a more normal trajectory, but still pose significant risks: After consecutive quarters of more than 20% growth, WatchGuard's Intrusion Prevention Service (IPS) detected approximately 4.1 million unique network vulnerabilities in the third quarter. The 21% drop reduced volumes to first-quarter levels, which were still high compared to a year earlier. The change doesn't necessarily mean adversaries are giving in, as they may be shifting their focus toward more targeted attacks.
The top 10 signature attacks on the network account for the vast majority of attacks: of the 4,095,320 accesses detected by IPS in the third quarter, 81% were attributed to the top 10 firms. In fact, there was only one new firm in the top 10 in the third quarter, 'WEB Remote File Inclusion /etc/passwd' (1054837), which targets older, but still widely used, Microsoft Internet Information Services (IIS) web servers. A firm (1059160), a SQL injection, has continued to maintain the position it occupied at the top of the list since the second quarter of 2019.
Endpoint scripting attacks continue at a record pace: By the end of the third quarter, WatchGuard's AD360 threat intelligence and endpoint detection and response (EPDR) had already seen 10% more attack scripts than in all of 2020 (which, in turn, saw a 666% increase over the previous year). As hybrid workforces begin to look like the rule rather than the exception, a strong perimeter is no longer enough to stop threats.
- Even normally secure domains can be compromised: A protocol flaw in Microsoft's Exchange Server autodiscover system allowed attackers to collect domain credentials and compromise several normally trusted domains. Overall, in the third quarter, WatchGuard Fireboxes blocked 5.6 million malicious domains, including several new malware domains that attempt to install cryptomining software, key loggers, and remote access Trojans (RATs), as well as phishing domains that impersonate SharePoint sites to collect Office 365 sign-in credentials. While it decreased by 23% from the previous quarter, the number of blocked domains is still several times higher than the level observed in the fourth quarter of 2020 (1.3 million).
Ransomware, Ransomware, Ransomware: After a sharp drop in 2020, ransomware attacks reached 105% of the 2020 volume at the end of September (as Predicted by WatchGuard at the end of the previous quarter) and are on track to reach 150% once the year ends. The 2021 data is analyzed. Ransomware-as-a-service operations, such as REvil and GandCrap, continue to lower the bar for criminals with little or no coding skills, providing the infrastructure and malware payloads to carry out attacks globally in exchange for a percentage ransom.
The main security incident of the quarter, Kaseya, was another demonstration of the constant threat of attacks on the digital supply chain. Just before the start of the long July 4 holiday weekend in the US, dozens of organizations began reporting ransomware attacks against their terminals. WatchGuard's incident analysis described how attackers working with operation REvil ransomware-as-a-service (RaaS) had exploited three zero-day vulnerabilities (including CVE-2021-30116 and CVE-2021-30118) in Kaseya VSA Remote Monitoring and Management (RMM) to deliver ransomware to some 1,500 organizations and potentially millions of endpoints.
