SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Endpoints & encrypted connections top malware vectors - WatchGuard report
Thu, 20th Jan 2022
FYI, this story is more than a year old

New research from WatchGuard has found that malware is increasingly targeting endpoints more than perimeter, according to detections reported by customers' Firebox appliances and the WatchGuard Intrusion Prevention Service (IPS).

WatchGuard chief security officer Corey Nachreiner says that network attacks decreased slightly in Q3 2021, however malware per device increased for the first time since the start of the pandemic.

WatchGuard says its IPS detected 4.1 million networks - a substantially high number, even though Q3's figures were lower than in Q1.  WatchGuard suggests that attackers won't forget about network attacks, but they may shift their focus slightly to focus on more targeted attacks.

Of those 4.1 million network attacks, most were already known, however, one new signature made an appearance:  ‘WEB Remote File Inclusion /etc/passwd', which targets Windows, OS, Linux and other systems. It enables remote attackers to access system password files.

WatchGuard also reports that more than half of all malware is now delivered via encrypted connections. Malware using transport layer security (TLS) rose 47%. The company says many organisations are failing to decrypt these connections and have poor visibility into malware arriving through this vector. Zero-day malware accounted for 67.2% of all detections.

The top five encrypted malware connections include XML.JSSLoader (dropper malware), Tearspear (downloader malware), Mail.Stacked (extortion malware), HTML.Phishing (phishing malware), and Razy (a ransomware/botnet)

Endpoints are commonly subject to scripting attacks, which rose 666% over the year prior. WatchGuard says there are several ways criminals can attack endpoints, including application exploits and living-off-the-land scripting attacks.

The report notes, “In Q3 2021, we saw adversaries continue using scripts like PowerShell and JavaScript to start their malware attacks. In fact, in just the first three quarters of the year, the volume of malware at the endpoint that originated from a script in 2021 has already surpassed 2020's total by over 10%.”

Other scripting tools including Cobalt Strike and PowerSploit are also helping criminals with limited skills to conduct more attacks.

“Looking at the year so far as a whole, the security environment continues to be challenging. It's important that organisations go beyond the short-term ups and downs and seasonality of specific metrics, and focus on persistent and concerning trends factoring into their security posture. An important example is the accelerating use of encrypted connections to deliver zero days,” notes Nachreiner.

Findings are from WatchGuard's Q3 2021 Internet Security Report. Findings for the Q4 period are yet to be reported.