WatchGuard Q3 cybersecurity report finds spike in network attacks and malware delivered over TLS

WatchGuard’s latest Internet Security Report finds that cybercriminals shifted their focus to network attacks and sending malware over encrypted channels during the third quarter. Security researchers noted that over half the malware they saw in Q3 could bypass basic signature-based malware protection, even if security teams scan encrypted traffic. The report also noted that there has been a steady increase in network attacks on the perimeter since Q1 with much of the volume coming from automated tools.

The report is based on data from cybersecurity devices used by WatchGuard clients, a data stream that the company calls the Firebox Feed. This includes data from DNSWatch which has both a network and a client component.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Other highlights from the Q3 2020 report include:

• 50% of malicious files are zero-day malware, down from 64% in Q2 but still high
• 54% of malware came in over encrypted communication channels
• Network attacks and unique exploit detections hit two-year highs
• DNSWatch blocked 2.7 million malicious domain connections
• DNSWatch blocked 262 malware domains, 71 compromised websites and 52 clicked phishes per organization in Q3
• Password stealer FareIt showed up in WatchGuard’s top five most widespread malware detections in Q3

WatchGuard recommends taking these steps to increase cybersecurity defenses:

1. Do a data audit to map out what corporate data is most important and where it lives in the network
2. Protect your users with multi-factor authentication and endpoint protection solutions
3. Don’t relax your perimeter defenses
4. Track evolving threats to keep your defense strategy up to date

Here are more details on how cybersecurity threats evolved during Q3.

Most widespread network attacks in Q3 2020

WatchGuard found a 90% increase in network attacks during the third quarter. The number of unique attack signatures went up also from 410 in the second quarter of 2020 to 438 in Q3. Malware detections have dropped over this same time, as cybercriminals adjust their tactics in response to the remote work trend. The most widespread network attacks that affected the most individual networks around the world in Q3 were:

1. WEB SQL injection attempt -97.2
2. WEB SQL injection attempt -33
3. WEB Cross-site Scripting -36
4. WEB Cross-site scripting -9
5. WEB Null-Byte injection -7

WatchGuard noted that one of the newest network attacks aims at a vulnerability in a popular supervisory control and data acquisition system (SCADA) control system. This attack is number five on the list above, also known as Signature 1133499.  In 2016, the company that built this software patched a vulnerability that could have let a hacker bypass authentication and read files on the server, according to the WatchGuard report. Power plants, oil and gas companies, and aviation firms use these SCADA systems. WatchGuard found that 46% of SCADA networks in the US were targeted by this threat in Q3 2020.

Malware activity and DNS analysis in Q3 2020

The latest WatchGuard report also reviewed overall malware trends and conducted DNS analysis to spot malicious activity. Overall malware was down but there was an increase in malware that arrived over encrypted network connections compared to Q2.

The five most widespread malware detections were:

1. Adware.Popundr.B
2. CVE-2017-11883.Gen
3. RTF-obfsStrm.Gen
4. Adware.Popunder.D
5. Delf.Fareit.Gen.7

The top five encrypted malware detections in Q3 were:

1. GenericKD
2. Adware.Popunder
3. Mail.RKR
4. Trohjan.MultiDrop
5. SpamMalware

Evasive and zero-day malware continue to be a threat as many zero-day malware samples change frequently while others morph on every copy, which makes signature-based anti-malware less effective, as the report notes.

The DNS section of the report analyzed domains that have been blocked the most frequently for hosting malware, hosting phishing campaigns, and  serving as command and control servers for malware. These command and control servers are often domains that have been hijacked or modified by hackers to serve this purpose. There are no new entrants on the top malware domain list but there are two new sites on the compromised site list and six new domains on the phishing list.

Twitter breach illustrates need for employee training

WatchGuard used the Twitter breach in July as an example of the security vulnerabilities that come with social media platforms: “All it takes is one employee falling for a phish to completely undo much of the protections you put in place to secure your systems.” Companies should prioritize regular phishing training to prevent this. WatchGuard also recommends that companies also use visibility tools to spot suspicious behavior such as multiple employees all logging in to a VPN from the same IP address.

Finally, high-profile accounts need additional security. This ranges from IT team members to the CEO. WatchGuard points out that Twitter could have used anomaly detection to prevent breaches like this, given the massive amount of data the company has on user posts and historical user behavior.

The Q3 report reviews the mistakes the hackers made as well as the flaws in Twitter’s response.

Also see