The hidden picture of malware attack trends
Despite the decline in network-detected malware in Q4 2022, endpoint ransomware spiked by 627%, while malware associated with phishing campaigns persisted as a threat, according to WatchGuard.
Malware going undetected
Despite seeing an overall decline in malware, further analysis from WatchGuard Threat Lab researchers looking at Fireboxes that decrypt HTTPS (TLS/SSL) traffic found a higher incidence of malware, indicating malware activity has shifted to encrypted traffic.
Since just ~20% of Fireboxes that provide data for this report have decryption enabled, this indicates that the vast majority of malware is going undetected.
“A continuing and concerning trend in our data and research shows that encryption – or, more accurately, the lack of decryption at the network perimeter – is hiding the full picture of malware attack trends,” said Corey Nachreiner, CSO at WatchGuard.
“It is critical for security professionals to enable HTTPS inspection to ensure these threats are identified and addressed before they can do damage,” Nachreiner added.
Endpoint ransomware detections rose 627%
This spike highlights the need for ransomware defenses such as modern security controls for proactive prevention, as well as good disaster recovery and business continuity (backup) plans.
93% of malware hides behind encryption
The research continues to indicate that most malware hides in the SSL/TLS encryption used by secured websites. Q4 continues that trend with a rise from 82% to 93%. Security professionals that don’t inspect this traffic are likely missing most malware and placing a greater onus on endpoint security to catch it.
Network-based malware detections dropped approximately 9.2% percent quarter over quarter during Q4
This continues a general decline in malware detections over the last two quarters. But as mentioned, when considering encrypted web traffic, malware is up. The team believes this declining trend may not illustrate the full picture and needs more data that leverages HTTPS inspection to confirm this contention.
Endpoint malware detections increased 22%
While network malware detections fell, endpoint detection rose in Q4. This supports the team’s hypothesis of malware shifting to encrypted channels. At the endpoint, TLS encryption is less of a factor, as a browser decrypts it for Threat Lab’s endpoint software to see.
Among the leading attack vectors, most detections were associated with Scripts, which constituted 90% of all detections. In browser malware detections, threat actors targeted Internet Explorer the most with 42% of the detections, followed by Firefox with 38%.
Zero day or evasive malware has dropped to 43% in unencrypted traffic
Though still a significant percentage of overall malware detections, it’s the lowest the researchers has seen in years. That said, the story changes completely when looking at TLS connections. 70% of malware over encrypted connections evades signatures.
Phishing campaigns have increased
Three of the malware variants seen in the report’s top 10 list (some also showing on the widespread list) assist in various phishing campaigns. The most-detected malware family, JS.A gent.UNS, contains malicious HTML that directs users to legitimate-sounding domains that masquerade as well-known websites.
Another variant, Agent.GBPM, creates a SharePoint phishing page titled “PDF Salary Increase,” which attempts to access account information from users. The last new variant in the top 10, HTML.Agent.WR, opens a fake DHL notification page in French with a login link that leads to a known phishing domain.
Phishing and business email compromise (BEC) remains one of the top attack vectors, so make sure you have both the right preventative defenses and security awareness training programs to defend against it.
ProxyLogin exploits continue to grow
An exploit for this well-known, critical Exchange issue rose from eighth place in Q3 to fourth place last quarter. It should be long patched, but if not, security professionals must know attackers are targeting it. Old vulnerabilities can be as useful to attackers as new ones if they’re able to achieve a compromise.
Additionally, many attackers continue to target Microsoft Exchange Servers or management systems. Organisations must be aware and know where to put their efforts into defending these areas.
Network attack volume is flat quarter over quarter
Technically, it increased by 35 hits, which is just a 0.0015% increase. The slight change is remarkable, as the next smallest change was 91,885 from Q1 to Q2 2020.
LockBit remains a prevalent ransomware group and malware variant
The team continues to see LockBit variants often, as this group appears to have the most success breaching companies (through their affiliates) with ransomware.
While down from the previous quarter, LockBit again had the most public extortion victims, with 149 tracked by the WatchGuard Threat Lab (compared to 200 in Q3). Also in Q4, the team detected 31 new ransomware and extortion groups.