How did cyberattacks develop in the second quarter of 2021? New report provides answers
- Posted: Thursday, September 30, 2021, 11:43 AM
WatchGuard Technologies has released its latest Quarterly Internet Security Report, detailing the top malware and network security threat trends analyzed by WatchGuard Threat Lab researchers in Q2 2021. The report also includes new insights based on endpoint threat data from the first half of 2021. Top research results revealed an astonishing 91.5% of malware arriving over HTTPS-encrypted connections, alarming outbreaks of fileless malware threats, dramatic growth in ransomware, and a surge in network attacks.
The main findings of the report include:
Massive amounts of malware arrive over encrypted connections
In the second quarter, 91.5% of malware arrived over an encrypted connection, a dramatic increase from the previous quarter. Simply put, any organization that does not inspect encrypted HTTPS traffic at the perimeter is missing 9/10 of all malware.
Malware uses PowerShell tools to bypass powerful protections
AMSI.Disable.A first appeared in WatchGuard’s top malware list in Q1 and immediately soared this quarter, reaching No. 2 overall by volume and No. 1 among all encrypted threats. This malware family uses PowerShell tools to exploit various vulnerabilities in Windows, but what makes it particularly interesting is its evasion technique. WatchGuard discovered that AMSI.Disable.A uses code capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell, allowing it to bypass script security checks so that its malware payload goes undetected.
Fileless threats are skyrocketing, becoming even more evasive
In the first six months of 2021 alone, malware detections from scripting engines like PowerShell have already reached 80% of the total volume of script-initiated attacks seen in all of last year, which itself was a substantial increase over the year before. At its current rate, 2021 fileless malware detections are set to double in volume year over year.
Network attacks are on the rise despite the shift to a predominantly remote workforce
WatchGuard appliances detected a substantial increase in network attacks, which rose 22% from the previous quarter and reached the highest volume since early 2018. The first quarter saw nearly 4.1 million network attacks. In the following quarter, that number jumped by another million – setting an aggressive course that highlights the growing importance of maintaining perimeter security alongside user-centric protections.
Ransomware attacks are back in force
While the total number of on-device ransomware detections was on a downward trajectory from 2018 to 2020, this trend came to a halt in the first half of 2021, with the six-month total coming in just below the full-year total for 2020. If daily ransomware detections remain stable through 2021, this year’s volume will represent an increase of over 150% from 2020.
Big game ransomware eclipses shotgun blast attacks
The attack on Colonial Pipeline on May 7, 2021 made it terrifyingly clear that ransomware as a threat is here to stay. As the major security incident of the quarter, the breach highlights how cybercriminals not only put the most vital services – such as hospitals, industrial control systems and infrastructure – in their sights, but appear to be stepping up attacks against those high-value targets as well. WatchGuard’s incident analysis examines the fallout, what the future of critical infrastructure security looks like, and the steps organizations in any industry can take to defend against these attacks and slow their spread.
Old services continue to be attractive targets
Deviating from the usual one to two new signatures seen in previous quarterly reports, there were four new signatures among WatchGuard’s top 10 network attacks for the second quarter. Notably, the most recent was a 2020 vulnerability in the popular PHP web scripting language, but the other three are not new at all. These include a 2011 Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in the OpenEMR medical records application, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. Although dated, all still present risks if left unpatched.
Microsoft Office-based threats persist in popularity
The second quarter saw a new addition to the list of the 10 most common network attacks, and it debuted at the top. The signature, 1133630, is the aforementioned 2017 RCE vulnerability that affects Microsoft browsers. While this is an old exploit and patched on most systems (hopefully), those that have not yet been patched are in for a rude awakening if an attacker reaches them first. In fact, a very similar high-severity RCE vulnerability, identified as CVE-2021-40444, made headlines earlier this month when it was actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers. Desktop-based threats continue to be popular when it comes to malware, so we keep spotting these proven attacks in the wild. Fortunately, they are still caught by proven IPS defenses.
Phishing domains masquerade as legitimate and widely recognized domains
WatchGuard recently observed an increase in the use of malware targeting Microsoft Exchange servers and generic email users to download Remote Access Trojans (RATs) onto highly sensitive locations. This is most likely due to the second quarter in a row in which workers and distance learners returned either to hybrid office and academic environments or to the previously normal on-site business routines. In any case – or location – strong security awareness and monitoring of outbound communications on devices that are not necessarily connected directly to the network is advised.