Decrease in malware volume, but surge in encrypted malware
There has been a reduction in overall malware detections from the peaks seen in the first half of 2021, an increase in threats for Chrome and Microsoft Office, the ongoing Emotet botnet resurgence, and much more, according to a new report.
WatchGuard Technologies has announced findings from its most recent Internet Security Report, which details the top malware trends and network security threats analysed by WatchGuard Threat Lab researchers in Q2 2022.
"While overall malware attacks in Q2 fell off from the all-time highs seen in previous quarters, over 81% of detections came via TLS encrypted connections, continuing a worrisome upward trend," says Corey Nachreiner, Chief Security Officer at WatchGuard.
"This could reflect threat actors shifting their tactics to rely on more elusive malware."
The Q2 Internet Security Report found office exploits continue to spread more than any other category of malware.
In fact, the quarter's top incident was the Follina Office exploit (CVE-2022-30190), which was first reported in April and not patched until late May. Delivered via a malicious document, Follina was able to circumvent Windows Protected View and Windows Defender and has been actively exploited by threat actors, including nation states. Three other Office exploits (CVE-2018-0802, RTF-ObfsObjDat.Gen, and CVE-2017-11882) were widely detected in Germany and Greece.
According the report, endpoint detections of malware were down overall, but not equally.
Despite a 20% decrease in total endpoint malware detections, malware exploiting browsers collectively increased by 23%, with Chrome seeing a 50% surge. One potential reason for the increase in Chrome detections is the persistence of various zero day exploits. Scripts continued to account for the lions share of endpoint detections (87%) in Q2.
The top 10 signatures accounted for more than 75% of network attack detections, the report shows. This quarter saw increased targeting of ICS and SCADA systems that control industrial equipment and processes, including new signatures (WEB Directory Traversal -7 and WEB Directory Traversal -8). The two signatures are very similar; the first exploits a vulnerability first uncovered in 2012 in a specific SCADA interface software while the second is most widely detected in Germany.
The report also says a resurgent Emotet looms large. While Emotet volume has declined since last quarter, Emotet remains one of network security's biggest threats. One of the quarters top 10 overall and top 5 encrypted malware detections, XLM.Trojan.abracadabra a Win Code injector that spreads the Emotet botnet was widely seen in Japan.
WatchGuard's quarterly research reports are based on anonymised Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Labs research efforts. In Q2, WatchGuard blocked a total of more than 18.1 million malware variants (234 per device) and more than 4.2 million network threats (55 per device).