WatchGuard Technologies has released findings from its most recent Internet Security Report, detailing the top malware trends and network and endpoint security threats analysed by WatchGuard Threat Lab researchers in Q4 2022.
While key findings from the data showed declines in network-detected malware, endpoint ransomware increased 627%, and malware associated with phishing campaigns continued to be a persistent threat.
Despite seeing an overall decline in malware, further analysis from WatchGuard Threat Lab researchers looking at Fireboxes that decrypt HTTPS (TLS/SSL) traffic found a higher incidence of malware, indicating malware activity has shifted to encrypted traffic.
Since just ~20% of Fireboxes that provide data for this report have decryption enabled, this indicates that the vast majority of malware is going undetected, the researchers state. Encrypted malware activity has been a recurring theme in recent Threat Lab reports.
Corey Nachreiner, Chief Security Officer at WatchGuard, comments, “A continuing and concerning trend in our data and research shows that encryption - or, more accurately, the lack of decryption at the network perimeter - is hiding the full picture of malware attack trends.
“It is critical for security professionals to enable HTTPS inspection to ensure these threats are identified and addressed before they can do damage.”
Other key findings from the Q4 Internet Security Report include:
Endpoint ransomware detections rose 627%. This spike highlights the need for ransomware defences such as modern security controls for proactive prevention, as well as good disaster recovery and business continuity (backup) plans, the researchers state.
93% of malware hides behind encryption. Threat Lab research continues to indicate that most malware hides in the SSL/TLS encryption used by secured websites. Q4 continues that trend with a rise from 82% to 93%.
Network-based malware detections dropped approximately 9.2% percent quarter over quarter during Q4. This continues a general decline in malware detections over the last two quarters. But as mentioned, when considering encrypted web traffic, malware is up. The Threat Lab team believes this decline trend may not illustrate the full picture and needs more data that leverages HTTPS inspection to confirm this contention.
Endpoint malware detections increased 22%. While network malware detections fell, endpoint detection rose in Q4. This supports the Threat Lab team’s hypothesis of malware shifting to encrypted channels. At the endpoint, TLS encryption is less of a factor, as a browser decrypts it for Threat Lab’s endpoint software to see. Among the leading attack vectors, most detections were associated with Scripts, which constituted 90% of all detections. In browser malware detections, threat actors targeted Internet Explorer the most with 42% of the detections, followed by Firefox with 38%.
Zero day or evasive malware has dropped to 43% in unencrypted traffic. Though still a significant percentage of overall malware detections, it’s the lowest the Threat Lab team has seen in years. That said, the story changes completely when looking at TLS connections. 70% of malware over encrypted connections evades signatures, WatchGuard finds.
Phishing campaigns have increased. Three of the malware variants seen in the report’s top 10 list (some also showing on the widespread list) assist in various phishing campaigns. The most-detected malware family, JS.A gent.UNS, contains malicious HTML that directs users to legitimate-sounding domains that masquerade as well-known websites. Another variant, Agent.GBPM, creates a SharePoint phishing page titled “PDF Salary_Increase,” which attempts to access account information from users. The last new variant in the top 10, HTML.Agent.WR, opens a fake DHL notification page in French with a login link that leads to a known phishing domain.
ProxyLogin exploits continue to grow. An exploit for this well-known, critical Exchange issue rose from eighth place in Q3 to fourth place last quarter. Old vulnerabilities can be as useful to attackers as new ones if they’re able to achieve a compromise, WatchGuard states. Additionally, many attackers continue to target Microsoft Exchange Servers or management systems. Organisations must be aware and know where to put their efforts into defending these areas.
Network attack volume is flat quarter over quarter. Technically, it increased by 35 hits, which is just a 0.0015% increase. The slight change is remarkable, as the next smallest change was 91,885 from Q1 to Q2 2020.
LockBit remains a prevalent ransomware group and malware variant. The Threat Lab team continues to see LockBit variants often, as this group appears to have the most success breaching companies (through their affiliates) with ransomware. While down from the previous quarter, LockBit again had the most public extortion victims, with 149 tracked by the WatchGuard Threat Lab (compared to 200 in Q3). Also in Q4, the Threat Lab team detected 31 new ransomware and extortion groups.
WatchGuard’s quarterly research reports are based on anonymised Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. The full report includes details on additional malware and network trends from Q4 2022, recommended security strategies, critical defence tips for businesses of all sizes and in any sector, and more.