SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

WatchGuard report reveals surge in endpoint malware

Fri, 7th Jun 2024

WatchGuard Technologies has unveiled its latest Internet Security Report. This quarterly analysis details the top malware, network, and endpoint security threats observed by WatchGuard Threat Lab researchers during the first quarter of 2024.

The report highlights several significant findings. Notably, overall network detections of malware decreased by nearly half compared to the previous quarter. In contrast, detections of malware targeting endpoints surged by 82%. The analysis also reveals a 23% reduction in ransomware detections compared to the final quarter of 2023, with a 36% drop in zero-day malware detections. One of the critical threats identified is the Pandoraspear malware, which has made its way into the top 10 most widely detected malware. Pandoraspear primarily targets smart TVs running on an open-source Android OS, raising concerns about vulnerabilities in Internet of Things (IoT) devices within enterprise environments.

Corey Nachreiner, Chief Security Officer at WatchGuard, emphasized the importance of robust security measures across all internet-connected devices, irrespective of their function. He stated, "As we have seen in many recent breaches, attackers can gain a foothold in an enterprise network through any connected device and move laterally to do tremendous damage to critical resources and exfiltrate data. It is now imperative for organisations to adopt a unified security approach, which can be governed by managed service providers, that includes broad monitoring of all devices and endpoints."

The report includes additional key findings:

The average volume of malware detections per WatchGuard Firebox dropped significantly by 49% during the first quarter. Meanwhile, the proportion of malware delivered over an encrypted connection climbed by 14 points, reaching 69% in the first quarter.

A new variant of the Mirai malware family targeting TP-Link Archer devices, utilising a newer exploit (CVE-2023-1389) to access compromised systems, emerged as one of the most widespread malware campaigns of the quarter. This Mirai variant affected nearly 9% of all WatchGuard Fireboxes globally.

Chromium-based browsers were responsible for producing over three-quarters (78%) of the total volume of malware originating from web browser or plugin attacks, a significant increase from the previous quarter's 25%.

A vulnerability in the widely used HAProxy Linux-based load balancer application, initially identified in 2023, was among the top network attacks of the quarter. This situation underlines how weaknesses in popular software can lead to widespread security issues.

In alignment with WatchGuard's Unified Security Platform approach and consistent with their previous quarterly research updates, the data analysed in this report is based on anonymised, aggregated threat intelligence from active WatchGuard network and endpoint products. These contributions come from product owners who have opted to share their data in direct support of WatchGuard's research efforts.

For those interested in a comprehensive analysis, the complete Q1 2024 Internet Security Report can be accessed via WatchGuard's official resources.
