Cybercriminals leverage malicious Office docs, Mac malware, web app exploits
There’s been a 62% increase in overall malware detections in Q1 2019 compared to the previous quarter. A new WatchGuard report also found that cybercriminals are leveraging a wide array of varied attack techniques, including malicious Microsoft Office documents, Mac malware and web application exploits.
These results illustrate that hackers are doubling down on well-known tactics like credential theft and ransomware by utilizing fake Office documents and other attack vectors that require advanced defenses to combat a wider variety of threat vectors.
More than 17% of WatchGuard Fireboxes blocked malicious Office documents, with two threats in this category making it into WatchGuard’s most widespread malware list, and one in the top 10 malware attacks by volume. Over half of these malicious documents were blocked in EMEA. The advice to users is to avoid interacting with unsolicited Office documents and consider any attachments that seek to enable macros as a threat.
“The key findings from this latest report illustrate the importance of layered security protections in today’s advanced threat landscape,” said Corey Nachreiner, CTO at WatchGuard Technologies. “Whether it be DNS-level filtering to block connections to malicious websites and phishing attempts, intrusion prevention services to ward off web application attacks, or multi-factor authentication to prevent attacks leveraging compromised credentials – it’s clear that modern cyber criminals are leveraging a bevy of diverse attack methods. The best way for organizations to protect themselves is with a unified security platform that offers a comprehensive range of security services.”
Key findings from the Q1 2019 report
macOS malware on the rise – Mac malware first appeared on WatchGuard’s top 10 malware list in Q3 2018, and now two variants have become prevalent enough to make the list in Q1 2019. This increase in Mac-based malware further debunks the myth that Macs are immune to viruses and malware and reinforces the importance of advanced threat protection for all devices and systems.
Web application exploits soar – Despite a decrease in the overall volume of network attacks, web application attacks grew significantly. WatchGuard’s IPS service caught attackers exploiting many cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities – both popular methods for credential theft. Two SQLi attacks made it onto WatchGuard’s top 10 network attacks list, while one web XSS attack accounted for more than 10% of network attacks on the top 10 list overall.
DNS filtering blocks more than 5 million malicious sites – WatchGuard’s DNSWatch service successfully prevented 5,192,883 attempted visits to nefarious destinations, blocking over half a million connections to known malware-hosting domains, 187,101 connections to compromised websites and 61,096 connections to known phishing sites. Compromised websites can be difficult to identify and block, so DNS-level filtering is critical to prevent users from unknowingly falling victim to malware infections, credential theft or botnet command and control systems.
Fileless malware stakes its claim – Fileless threats appeared in both WatchGuard’s top 10 malware and top 10 network attack lists. On the malware side, a PowerShell-based code injection attack showed up in the top 10 list for the first time, while the popular fileless backdoor tool, Meterpreter, made its first appearance in the top 10 list of network attacks too. This trend further demonstrates cyber criminals’ continued focus on utilizing this evasive threat category.
Mimikatz malware skyrockets by 73%, remains the #1 threat – Accounting for 20.6% of all malware found in Q1, this popular open source tool is often used for password theft and represents a major driver behind many network infiltrations. Mimikatz is a mainstay on WatchGuard’s top 10 malware list, which highlights the importance of using lengthy, complex passwords unique to each individual account. Furthermore, with cyber criminals’ persistent focus on credential theft, organizations of all sizes should consider adopting multi-factor authentication solutions in order to prevent bad actors from compromising legitimate user accounts.