In its latest Internet Security Report, WatchGuard Technologies, a global leader in unified cybersecurity, has unveiled key findings that shed light on the evolving landscape of malware trends, network security threats, and endpoint security. Despite a decrease in endpoint malware volumes, the report highlights the growing expansiveness of malware campaigns and other significant trends in the cybersecurity landscape. Here are the key findings from the research:
Malware Concealed in Encryption: A striking 95% of malware now arrives over encrypted connections, often using SSL/TLS encryption employed by secure websites. This underscores the importance of inspecting SSL/TLS traffic at the network perimeter to detect most malware. Additionally, while zero-day malware reached an all-time low at 11% of total malware detections, the share of evasive detections increased to 66%, indicating that attackers are increasingly using encryption to deliver sophisticated malware.
Endpoint Malware Trends: Although there was a slight 8% decrease in endpoint malware detections in Q2 compared to the previous quarter, detections among larger groups of systems (10 to 50 systems and 100 or more systems) increased by 22% and 21%, respectively. This suggests a growth in widespread malware campaigns from Q1 to Q2 of 2023.
Double-Extortion Attacks: Double-extortion attacks by ransomware groups surged by 72% quarter over quarter, with the Threat Lab identifying 13 new extortion groups. This surge occurred even as ransomware detections on endpoints decreased by 21% quarter over quarter and 72% year over year.
Top 10 Endpoint Detections: The report identified six new malware variants in the Top 10 endpoint detections, with the compromised 3CX installer accounting for 48% of the total detection volume in the Q2 list. Additionally, Glupteba, a versatile threat encompassing loader, botnet, information stealer, and cryptominer, made a resurgence in early 2023 after being disrupted in 2021.
Windows Living Off-the-Land Binaries: Threat actors increasingly employ Windows “living off-the-land” binaries to deliver malware. Attacks abusing Windows OS tools like WMI and PSExec grew by 29%, accounting for 17% of the total volume, while malware using scripts like PowerShell dropped by 41%. Scripts remained the most common malware delivery vector, constituting 74% of detections, while browser-based exploits declined by 33%.
Targeting Older Software Vulnerabilities: Cybercriminals continue to target older software vulnerabilities, with three new signatures in the Top 10 network attacks for Q2 based on older vulnerabilities, including one dating back to 2016.
Compromised Domains: Malicious domains included compromised self-managed websites (e.g., WordPress blogs) and link-shortening services. These were exploited to host malware or malware command and control frameworks. For instance, Qakbot threat actors compromised an educational contest website in the Asia Pacific region to serve as command and control infrastructure for their botnet.
The report emphasises the need for constant vigilance and a layered security approach to combat evolving cyber threats. Corey Nachreiner, chief security officer at WatchGuard, stressed that there is no one-size-fits-all strategy for dealing with these multifaceted cyber threats and that organisations must remain alert and employ Unified Security Platform® approach.
The data in this report is derived from anonymised, aggregated threat intelligence from active WatchGuard network and endpoint products. The report aims to provide valuable insights into the ever-changing landscape of cybersecurity threats and trends.
For a more comprehensive view of the research findings, you can access the complete Q2 2023 Internet Security Report here.
