Reports on network attacks, specifically Intrusion Prevention System (IPS) detections, indicate relative stability over the past three quarters, with a slight decrease of just over 3%, according to data from WatchGuard.
In the view of Corey Nachreiner, CSO at WatchGuard, organizations urgently need to devote more attention to their security solutions and maintain proactive strategies around them. Nachreiner emphasized the importance of layered malware defenses in counteracting living-off-the-land attacks, pointing to the effectiveness of unified security platforms managed by dedicated service providers.
Moving to browser-based threats
An evolution in browser-based social engineering is becoming apparent. Despite improved defenses against pop-up abuses in web browsers, cybercriminals have shifted their tactics, leveraging browser notification features to initiate similar interactions. Moreover, the latest quarter’s malicious domains list included a novel destination involved in Search Engine Optimization (SEO) poisoning activities.
Notably, a significant 75% of new threats listed in the Q1 top 10 are linked to threat actors originating from China and Russia. It was reported that three out of the four new threats on the top ten malware list were potentially associated with nation states, although it isn’t definitive that these were state-sponsored actors. The Q1 report by WatchGuard highlighted the debut of the Zuzy malware family in the top 10 list, including a sample that targeted the Chinese population with a compromised browser capable of hijacking the system’s Windows settings.
Persistent attacks targeting Office products and the End-of-Life (EOL) Microsoft ISA firewall were also observed. Document-based threats aimed at Office products were widespread this quarter. Interestingly, exploits targeting the discontinued Microsoft ISA Server received a high hit count despite the product no longer receiving updates, signaling an unexpected focus of the attackers.
An increase in living-off-the-land attacks was evident
The ViperSoftX malware is the latest example illustrating how malware takes advantage of inbuilt system tools to achieve its objectives. The repetitive inclusion of Microsoft Office- and PowerShell-based malware in quarterly reports highlights the need for endpoint protection that can discern between malicious and legitimate usage of popular tools like PowerShell.
Malware droppers had Linux-based systems in their crosshairs
Among the new high-volume malware detections in Q1 was a malware dropper designed for Linux-based systems. This serves as a stark reminder that even though Windows dominates the enterprise space, organizations cannot afford to disregard Linux and macOS. Inclusion of non-Windows machines when implementing Endpoint Detection and Response (EDR) solutions is a necessity for comprehensive coverage.
Zero-day malware dominated detections
In this quarter, zero-day malware made up a remarkably high share of detections: 70% of malware detected on unencrypted web traffic and a staggering 93% of malware detected on encrypted web traffic. Zero-day malware has the potential to infect IoT devices, misconfigured servers, and other devices lacking robust host-based defenses.
In Q1 2023, 852 victims were reported on extortion sites and 51 new ransomware variants were discovered, according to data gathered by the Threat Lab. These ransomware groups continue to publish victims at an alarmingly rapid pace, including notable organizations and Fortune 500 companies.