
Surge in encrypted malware prompts warning about detection strategies

29 Jun 2020

WatchGuard Technologies’ Q1 2020 Internet Security Report has shown a massive surge in malware delivery over encrypted connections, highlighting what could become the next most common attack vector after phishing emails.

According to the report, 67% of all malware in the quarter was delivered by HTTPS encrypted connections. Furthermore, 72% of the malware is zero-day malware, meaning there is no identifiable signature that can be detected by signature-based security platforms.

“If you are not decrypting and scanning your secure web connections, you are likely missing a large majority of malware,” the report states.

The Flawed-Ammyy and Cryxos malware variants took top spots on WatchGuard’s top five encrypted malware list. Cryxos is delivered as an email attachment disguised as an invoice and will ask the user to enter their email and password, which it then stores.

The report states, “Filling out the form doesn’t lead you to any file or page, but it does send the username and password to a compromised WordPress site where the attacking server stores the input.”

Flawed-Ammyy is a support scam where the attacker uses the Ammyy Admin support software to gain remote access to the victim’s computer.

The report states, “As always, never download files from an untrusted source. Also, know what a Microsoft scam looks like. Microsoft will never call you first and will never give a phone number to call with an error.”

Other top malware variants include Lnkr, malware delivered over encrypted connections that injects ads into websites and hides itself from Chrome.

“Some organisations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” comments WatchGuard’s chief technology officer, Corey Nachreiner.

“As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

Findings are taken from anonymised Firebox Feed data from active WatchGuard appliances whose owners have opted in to share data to support the Threat Lab’s research efforts.

WatchGuard says that today, more than 44,000 appliances worldwide contribute threat intelligence data to the report. In Q1 2020, the appliances collectively blocked more than 32,148,519 malware variants in total (730 samples per device) and more than 1,660,000 network attacks (38 attacks per device).
