Key Research Revelations: An 89% Surge in Endpoint Ransomware Attacks and Decrease in Encrypted Malware Incidents
The recent Internet Security Report from WatchGuard Technologies highlights critical trends and threats in cybersecurity. Researchers from the WatchGuard Threat Lab have emphasized several key findings, including a rise in the abuse of remote access software, cyber adversaries increasingly utilizing password-stealers and info-stealers to pilfer valuable credentials, and a shift among threat actors from scripting to employing alternative living-off-the-land techniques for initiating endpoint attacks. These insights underscore evolving cybersecurity challenges and the need for vigilance against diverse network and endpoint security threats.
“Threat actors continue using different tools and methods in their attack campaigns, making it critical for organizations to keep abreast of the latest tactics to fortify their security strategy. Modern security platforms that include firewalls and endpoint protection software can deliver enhanced protection for networks and devices. But when it comes to attacks that employ social engineering tactics, the end user becomes the last line of defense between malicious actors and their success in infiltrating an organization. It’s important for organizations to provide social engineering education as well as adopt a unified security approach that provides layers of defense, which can be administered effectively by managed service providers.” – Corey Nachreiner, Chief Security Officer at WatchGuard
Key Findings from the Internet Security Report
Increased Utilization of Remote Management Tools by Threat Actors
The report highlights a growing trend among threat actors employing remote management tools and software to bypass anti-malware systems. This method, acknowledged by the FBI and CISA, was exemplified by a tech support scam observed by the Threat Lab. The scam led victims to download an unauthorized version of TeamViewer, providing attackers complete remote access to the victim’s computer.
Surge in Medusa Ransomware Variant
Q3 saw a rise in the Medusa ransomware variant, which drove an 89% increase in endpoint ransomware attacks. Endpoint ransomware detections appeared to decline on their own, but once the Medusa detections (which placed the variant in the Top 10 malware threats) were counted, endpoint ransomware attacks rose 89%.
Shift in Attack Techniques
Threat actors are moving away from script-based attacks in favor of other living-off-the-land techniques. Malicious scripts declined 11% in Q3 yet remained the primary attack vector, while other methods such as Windows living-off-the-land binaries (LOLBins) rose 32%. This shift indicates that threat actors are adapting to the stronger protections now placed around scripting languages.
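The two detection opportunities this report points at, LOLBins launched from user-facing applications and remote-management tools running from unapproved locations (the TeamViewer scam above), can both be checked from process-creation telemetry. The script below is an added example, not code from WatchGuard or the report: the LOLBin list, the parent-process list, the approved install path and the sample events are all constructed assumptions for illustration.

```python
"""Flag process-creation events for two patterns: a living-off-the-land
binary (LOLBin) spawned by a user-facing application, and a remote-access
tool that is not the organisation's sanctioned install.
The lists and sample events below are constructed for this example."""
from dataclasses import dataclass
from typing import List, Tuple

# Native Windows binaries frequently abused as LOLBins (assumed short list).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wmic.exe", "bitsadmin.exe", "msiexec.exe"}
# Parents from which a LOLBin launch is unexpected on a workstation.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                       "powerpnt.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe"}
# Remote-management tool names worth inventorying (assumed list).
RMM_NAMES = {"teamviewer.exe", "anydesk.exe", "atera.exe",
             "screenconnect.exe"}
# The only remote-management binary the organisation sanctions, keyed by
# name, with its expected install path (assumed allow-list). A copy running
# from any other location, or any tool not listed here, is flagged.
APPROVED_RMM = {
    "teamviewer.exe": r"c:\program files\teamviewer\teamviewer.exe",
}


@dataclass
class ProcEvent:
    host: str
    image: str         # full path of the newly created process
    parent_image: str  # full path of its parent process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the findings for one event; an empty list means benign."""
    findings = []
    name = basename(ev.image)
    parent = basename(ev.parent_image)
    if name in LOLBINS and parent in USER_FACING_PARENTS:
        findings.append(f"lolbin:{name}<-{parent}")
    if name in RMM_NAMES:
        approved_path = APPROVED_RMM.get(name)
        if approved_path is None or ev.image.lower() != approved_path:
            findings.append(f"unapproved-rmm:{name}")
    return findings


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (host, finding) pairs."""
    return [(ev.host, f) for ev in events for f in classify(ev)]


# Constructed sample telemetry: one benign Office launch, one LOLBin spawned
# by Word, one sanctioned TeamViewer, one TeamViewer from a Downloads folder,
# one rundll32 from a service (not flagged) and one AnyDesk from AppData.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\explorer.exe"),
    ProcEvent("ws01", r"C:\Windows\System32\certutil.exe",
              r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ProcEvent("ws02", r"C:\Program Files\TeamViewer\TeamViewer.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("ws02", r"C:\Users\alice\Downloads\TeamViewer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent("srv01", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("ws03", r"C:\Users\bob\AppData\Local\AnyDesk\AnyDesk.exe",
              r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"),
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

Running the script prints one line per finding: the certutil launch from Word on ws01, the TeamViewer copy run from a Downloads folder on ws02, and the AnyDesk instance on ws03. The rundll32 launched by services.exe is deliberately not flagged, since the rule keys on an unexpected parent rather than on the binary alone; tightening it to include command-line arguments or signing status is the natural next step once the baseline of normal parents for an environment is known.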
Decrease in Malware via Encrypted Connections
The share of malware arriving over encrypted connections fell to 48% in Q3, a notable drop from previous quarters. Overall malware detections, however, rose 14%.
Email-Based Dropper Family
An email-based dropper family, primarily the Stacked variant, was responsible for four of the Top 5 encrypted malware detections in Q3. Threat actors used spear phishing techniques, sending emails with malicious attachments disguised as legitimate documents to deceive end users into downloading malware.
The Emergence of Commoditized Malware
A new malware family, Lazy.360502, surfaced among the top threats, delivering the adware variant 2345explorer and the Vidar password stealer. This discovery revealed a connection to a Chinese website offering stolen credentials as a service, highlighting the commoditization of malware.
Network Attack Trends
Network attacks witnessed a 16% increase in Q3, with ProxyLogon as the primary vulnerability targeted, constituting 10% of all network detections.
New Signatures in Top 50 Network Attacks
Three new signatures, covering vulnerabilities in PHP, the Microsoft .NET Framework, and Drupal, entered the Top 50 network attacks; each of the underlying vulnerabilities could be exploited with critical impact.
The findings in this quarterly report from the WatchGuard Threat Lab align with WatchGuard’s Unified Security Platform strategy. The data analyzed in this report is sourced from anonymized, aggregated threat intelligence gathered from active WatchGuard networks and endpoint products. These insights are derived from users who have chosen to participate, directly supporting WatchGuard’s ongoing research initiatives.
FAQs
1. What specific trends in cyber threats did the report emphasize?
The report notes a rising trend in threat actors utilizing remote management tools, shifting from script-based attacks to living-off-the-land techniques, and decreasing malware delivered through encrypted connections.
2. What was the significant rise in ransomware attacks mentioned in the report?
The Medusa ransomware variant contributed to an 89% increase in endpoint ransomware attacks, although endpoint ransomware detections seemed to decrease.
3. What were the notable malware families highlighted in the report?
The report identified the Stacked email-based dropper family and the emergence of Lazy.360502, indicating a connection to a Chinese website offering stolen credentials, illustrating the commoditization of malware.