sb-au logo
Story image

Malware hiding on popular content delivery networks - WatchGuard

30 Sep 2019

Network security and intelligence company WatchGuard Technologies has announced the release of its quarterly Internet Security Report for Q2 2019.

The report reveals and ranks the most common domains attackers use to host malware and launch phishing attacks including several subdomains of legitimate sites and Content Delivery Networks (CDNs) such as, SharePoint and

It also highlights that modules from the popular Kali Linux penetration testing tool made the top ten malware list for the first time, year-over-year malware volume increased by 64%, and more.

“This edition of the Internet Security Report exposes the gritty details of the methods hackers use to sneak malware or phishing emails onto networks by hiding them on legitimate content-hosting domains,” says WatchGuard Technologies chief technology officer Corey Nachreiner.

“Luckily there are several ways to defend against this, including DNS-level filtering to block connections to known malicious websites, advanced anti-malware services, multi-factor authentication to prevent attacks leveraging compromised credentials, and training to help employees recognise phishing emails.

“No one defence will prevent every attack, so the best way for organisations to protect themselves is with a unified security platform that offers multiple layered security services.”

WatchGuard’s Internet Security Report provides real-world data on security threats, as well as analysis of major security incidents and best practices to help organisations of all sizes protect their business and their customers’ data.

Key findings from the Q2 2019 report include:

  • Malware and phishing attacks abusing legitimate domains – WatchGuard’s DNS Watch service intercepts connections intended for known malicious domains at the DNS level and redirects them. By tracking the most common malicious domains blocked by DNSWatch, WatchGuard can identify the top domains hosting malware and phishing attacks. Of note, several of these domains are subdomains of legitimate CDNs like (which belongs to Amazon) and legitimate file-sharing websites like my[.]mixtape[.]moe. While this attack method isn’t new, WatchGuard’s research sheds light on the specific domains used in these attacks.
  • Kali Linux makes its debut on the top ten malware list – For the first time, two modules from the popular hacking operating system Kali Linux appear on WatchGuard’s list of most common malware. Trojan.GenericKD, which covers a family of malware that creates a backdoor to a command-and-control server, and Backdoor.Small.DT, a web shell script used to create backdoors on web servers, were numbers six and seven on the list. This could indicate either growing adoption among malicious actors or more penetration testing by white hat hackers using Kali Linux.
  • Significant year-over-year increase in overall malware volume – Across the board, the total volume of malware hitting WatchGuard Fireboxes is up significantly compared to last year. Two of WatchGuard’s three malware detection services saw increased malware in Q2 2019 than Q2 2018; one blocked 58% more and the other blocked 68% more, for an overall year-over-year increase of 64%.
  • Widespread phishing and Office exploit malware increases – Two pieces of malware (a phishing attack that threatens to release fake compromising information on the victim, and a Microsoft Office exploit) that appeared on the most widespread malware list in Q1 2019 and Q4 2018 have graduated to the top ten list by volume. This illustrates that these campaigns are on the rise and are sending a high volume of attacks at a wide range of targets. Users should update Office regularly and invest in anti-phishing and DNS filtering security solutions.
  • SQL injection dominates network attacks – SQL injection attacks made up 34% of all network attacks detected in Q2 2019 and have increased significantly in volume year-over-year (one specific attack increased over 29,000% from Q2 2018 to Q2 2019). Anyone who maintains a SQL database, or a web server with access to one, should patch systems regularly and invest in a web application firewall.
  • Malware increasingly targets Europe and APAC – In Q2 2019, nearly 37% of malware targeted the EMEA region, with several individual attacks focusing on the UK, Italy, Germany, and Mauritius. APAC came in second, targeted by 36% of overall malware attacks. The Razy and Trojan.Phishing.MH malware variants in particular primarily targeted the APAC region, with 11% of Trojan.Phishing.MH detections found in Japan.

WatchGuard’s Internet Security Report is based on anonymised Firebox Feed data from a subset of active WatchGuard UTM appliances whose owners have opted-in to share data to support the Threat Lab’s research efforts.

Today, 41,229 appliances throughout the world contribute to the Internet Security Report data pool.

In total, those appliances blocked more than 22,619,836 malware variants, at a rate of 549 samples per device.

Additionally, those Firebox appliances prevented 2,265,425 network attacks (60 per device), a significant increase from Q1 2019 that runs counter to past trends in network attack volume.

The complete report includes more detailed statistics on the most impactful malware and network attack trends from Q2 2019, an analysis of the RobbinHood ransomware attack that paralysed the city of Baltimore in May 2019 (and cost approximately $17 million in total damages), and advice and best practices that readers can use to better protect themselves and their organisations.

Story image
BlueVoyant acquires Managed Sentinel, builds out Microsoft MSS offerings
“Combining Managed Sentinel’s Azure Sentinel deployment expertise with BlueVoyant’s MDR capabilities will help customers operationalise and maximise Microsoft security technologies."More
Story image
CrowdStrike targets Zero Trust blind spot with new offering
CrowdStrike has officially launched CrowdStrike Falcon Zero Trust Assessment (ZTA), designed to aid in overall security posture by delivering continuous real-time assessments across all endpoints in an organisation regardless of the location, network or user. More
Link image
How to head off a rise in DDoS attacks
Many businesses invest in costly DDoS mitigation and protection solutions, but few test them. NCC Group tests all environments and is one of only two AWS DDoS Test Partners. Claim 10% off your next DDoS service today.More
Story image
Why IT and HR must work together to help businesses weather the storm
Employers are striving to balance team productivity, security and employee engagement. If remote work is the new norm, it’s impossible to ignore the challenging nature of the situation, writes Gigamon manager for A/NZ George Tsoukas.More
Story image
Security and operations collaboration key to success post COVID-19
“We are in an ultra-hybrid world with multi-everything, and in order to successfully navigate this landscape, ITOps, DevOps, and SecOps teams need to more closely align."More
Story image
SOC as a Service: Fortinet’s answer to today’s network challenges
Jon McGettigan, Fortinet A/NZ Regional Director, explains how SOC as a Service can back up your current SOC team, fast-track deployments and ensure regulatory compliance.More