Global malware surge revealed in WatchGuard's latest Internet Security Report
A recent Internet Security Report revealed a significant surge in evasive malware, amplifying the total volume of malware globally. Global cybersecurity leader WatchGuard Technologies compiled the report, which also outlined crucial trends among top malware and both network and endpoint security threats, exploring data collected and analysed by their Threat Lab researchers.
Key findings showed threat actors increasingly exploiting on-premises email servers and a continuing decline in ransomware detections, potentially due to law enforcement's concerted international efforts to dismantle ransomware extortion groups.
Corey Nachreiner, WatchGuard's Chief Security Officer, stated that their latest research shows threat actors using various techniques to target vulnerabilities, especially in older software and systems. He emphasised, "Organisations must adopt a defence-in-depth approach to protect against such threats. Updating the systems and software on which organisations rely is a vital step toward addressing these vulnerabilities."
Among the report's key findings was a parallel increase in evasive, basic, and encrypted malware in Q4 2023, contributing to an overall rise in malware. The average malware detection per Firebox grew by 80% compared to the previous quarter, evidencing a significant volume of malware threats arriving at the network perimeter. Geographically, the Americas and the Asia-Pacific region experienced the most significant increase in malware instances.
TLS and zero-day malware instances were also noted to rise. Approximately 55% of malware arrived over encrypted connections, a 7% increase from Q3. Meanwhile, zero-day malware detections jumped to 60% of all malware detections, up from 22% the previous quarter. However, zero-day malware detections with TLS fell to 61%, exhibiting a 10% decrease from Q3, shedding light on the unpredictability of malware in the wild.
Two of the top five malware variants led users to the DarkGate network. JS.Agent.USF and Trojan.GenericKD.67408266, both in the top five, redirected users to malicious links. Both of these malware loaders also attempted to load DarkGate malware onto the victim's computer.
A resurgence of script-based threats was seen; scripts were the most prominent endpoint attack vector, with detected threats increasing by 77% from Q3. Browser-based exploits also significantly increased, stepping up by 56%.
Interestingly, four of the top five most widespread network attacks were Exchange server attacks. These attacks have been associated with one of the ProxyLogon, ProxyShell, or ProxyNotShell exploits. A ProxyLogon signature first appeared in the top five in Q4 2022 at position 4, elevating to position 2 in Q4 2023. These attacks underline the necessity of decreasing reliance on on-premises email servers to mitigate security threats.
Cyber-attack commoditisation trended towards victim-as-a-service offerings, with Glupteba and GuLoader being once again among the top ten most prevalent endpoint malware in Q4, reappearing as two of the most prolific variants analysed during the quarter. Notably, Glupteba's multifaceted malware-as-a-service (MaaS) capabilities include downloading additional malware, masquerading as a botnet, stealing sensitive information, and mining cryptocurrency, reportedly with an extraordinary level of stealth.
Final observations revealed a continuing decline in ransomware detections in Q4, presenting a 20% decrease in overall volume for the last three months of 2023. This trend is attributed to law enforcement's ongoing efforts to dismantle ransomware extortion groups.