91.5% of malware arrived via encrypted connections in Q2 2021
WatchGuard’s latest report shows an astonishing 91.5% of malware arriving through encrypted connections during the second quarter of 2021. This is a dramatic increase from the previous quarter and means any organization that doesn’t inspect encrypted HTTPS traffic at the perimeter is missing 9 out of 10 pieces of malware.
Researchers have also seen an alarming increase in fileless malware threats, a dramatic growth in ransomware, and a sharp increase in network attacks.
“While much of the world still operates firmly in a mobile or hybrid workforce model, the traditional network perimeter is not always factored into the cybersecurity defense equation,” said Corey Nachreiner, CSO at WatchGuard.
“While strong perimeter defense is always an important part of a layered security approach, enhanced Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) are becoming increasingly essential.”
Malware uses PowerShell tools to bypass powerful protections
AMSI.Disable.A first appeared on the top-malware list in the first quarter and immediately skyrocketed this quarter, reaching second overall in volume and first place among all encrypted threats. This malware family uses PowerShell tools to exploit various vulnerabilities in Windows, but what makes it particularly interesting is its evasion technique.
AMSI.Disable.A uses code capable of disabling the Antimalware Scanning Interface (AMSI) in PowerShell, allowing it to bypass script security checks with its undetected malware payload.
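The evasion technique described above leaves a footprint in PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel), which records the script text after any string-building has run. The following is an added detection example, not code from the report or from WatchGuard: it scans a few constructed log records and flags scripts that name AMSI and also use .NET reflection against it, fusing concatenated string literals first so that a type name split into pieces does not slip past a plain substring match. The field names, hosts and event ids in the sample are made up, and the tampering sample deliberately omits the internal field it would target.

```python
import re

# Constructed sample of PowerShell script block log records (Event ID 4104 from the
# Microsoft-Windows-PowerShell/Operational channel), reduced to the fields a
# detection reads. These are made-up entries, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01",
     "script": "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU -Descending"},
    # Reflection against the AMSI helper type (the target field name is deliberately omitted).
    {"id": 2, "host": "ws02",
     "script": "$t = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); "
               "$t.GetField('<field omitted>', 'NonPublic,Static').SetValue($null, $true)"},
    # Same idea with the type name split across string literals to dodge a substring match.
    {"id": 3, "host": "ws03",
     "script": "$n = 'Am' + 'si' + 'Utils'; "
               "$f = [Ref].Assembly.GetType('System.Management.Automation.' + $n)"
               ".GetField('<field omitted>', 'NonPublic,Static')"},
    # Benign: an administrator listing registered AMSI providers, no reflection involved.
    {"id": 4, "host": "ws04",
     "script": "Get-ChildItem 'HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers' | Select-Object Name"},
]

# Reflection primitives that legitimate scripts rarely combine with the AMSI type name.
REFLECTION_TOKENS = ("getfield", "setvalue", "nonpublic", "getmethod")

# The seam between two concatenated string literals: a closing quote, optional
# whitespace, '+', optional whitespace, then an opening quote.
_CONCAT_SEAM = re.compile(r"""['"]\s*\+\s*['"]""")


def normalize(script: str) -> str:
    """Lower-case the script and fuse 'Am' + 'si' style concatenations into one literal."""
    return _CONCAT_SEAM.sub("", script).lower()


def is_amsi_tamper(script: str) -> bool:
    """True when a script names AMSI and also uses reflection to reach into it."""
    text = normalize(script)
    return "amsi" in text and any(tok in text for tok in REFLECTION_TOKENS)


def scan(events):
    """Return the ids of script block events that look like AMSI tampering."""
    return [ev["id"] for ev in events if is_amsi_tamper(ev["script"])]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = "ALERT" if is_amsi_tamper(ev["script"]) else "ok   "
        print(f"{verdict} event={ev['id']} host={ev['host']}")
```

Script block logging is off by default and has to be enabled through Group Policy (Turn on PowerShell Script Block Logging) before any 4104 records exist to scan; the check is a heuristic, so a hit is a lead for triage of the host rather than a verdict on its own.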
Fileless threats are skyrocketing, becoming even more evasive
In the first six months of 2021 alone, malware detections from scripting engines like PowerShell have already reached 80% of the total volume of script-initiated attacks seen in all of last year, which was itself a substantial increase over the year before. At its current rate, 2021 fileless malware detections are set to double in volume over one year.
Network attacks are on the rise despite the shift to a predominantly remote workforce
WatchGuard appliances detected a substantial increase in network attacks, which rose 22% from the previous quarter and reached the highest volume since early 2018. The first quarter saw nearly 4.1 million network attacks.
In the following quarter, that number jumped another million – setting an aggressive course that highlights the growing importance of maintaining perimeter security alongside user-centric protections.
Ransomware retaliates with vengeance
While the total number of ransomware detections on devices was on a downward trajectory from 2018 to 2020, this trend came to a halt in the first half of 2021, with the six-month total ending just below the total for all of 2020.
If daily ransomware detections remain unchanged through 2021, this year’s volume will reach an increase of over 150% from 2020.
Big game ransomware eclipses shotgun blast attacks
The attack on the Colonial Pipeline on May 7, 2021 made it clear and terrifying that ransomware as a threat is here to stay. As the major security incident of the quarter, the breach highlights how cybercriminals are not only putting the most vital services – such as hospitals, industrial control, and infrastructure – in their sights, but appear to be stepping up attacks against these high-value targets as well.
Old services continue to be attractive targets
Deviating from the usual one to two new signatures seen in previous quarterly reports, there were four new signatures among WatchGuard’s top 10 network attacks for the second quarter.
Notably, the most recent was a 2020 vulnerability in the popular PHP web scripting language, but the other three are not new at all. These include a 2011 Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in the OpenEMR medical records application, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. Although dated, all still present risks if not patched.
Microsoft Office-based threats persist in popularity
The second quarter saw a new addition to the list of the 10 most common network attacks, and it debuted at the top. The signature, 1133630, is the aforementioned 2017 RCE vulnerability that affects Microsoft browsers.
While this is an old exploit and patched on most systems (hopefully), those that haven’t been patched are in for a rude awakening if an attacker reaches them first. In fact, a very similar high-severity RCE vulnerability identified as CVE-2021-40444 made headlines earlier this month when it was actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers.
Desktop-based threats continue to be popular when it comes to malware, which is why we always spot these proven attacks in the wild. Fortunately, they are still detected by proven IPS defenses.
Phishing domains masquerade as legitimate and widely recognized domains
There has recently been an increase in the use of malware targeting Microsoft Exchange servers and generic email users to download Remote Access Trojans (RATs) to highly sensitive locations. This is most likely due to the second quarter in a row in which workers and distance learners returned either to hybrid office and academic environments or to previously normal on-site business behaviors.
In any case – or location – strong security awareness and monitoring of outbound communications on devices that are not necessarily connected directly to the network is advised.