
New Data Reveals Rise in Threat Actors Exploiting Remote Access Software

Image credit: Elkov/BigStockPhoto.com

The cybersecurity threat landscape is constantly evolving, with hackers employing increasingly sophisticated and unpredictable methods and targeting organizations of all sizes. With an ongoing cybersecurity skills shortage, the need for Managed Service Providers (MSPs), unified security, and automated platforms to bolster cybersecurity and protect organizations from more frequent and more dangerous threats has never been greater.

Each quarter, the WatchGuard Technologies Threat Lab publishes an Internet Security Report that provides insight into the top malware trends and network security threats over the previous three months, using data from firewalls and endpoints around the world. In addition, the Threat Lab's DNSWatch service shows trends in the malicious web links that users are clicking on and the top phishing, malware, and compromised sites we blocked during the quarter. For cybersecurity professionals, understanding these key trends can help in developing effective defensive strategies.

Specifically, the most recent Q3 2023 report shows that:

  • Threat actors increasingly used remote management tools and software to evade anti-malware detection. For instance, in researching the top phishing domains, the Threat Lab observed a tech support scam that would result in a victim downloading a pre-configured, unauthorized version of TeamViewer, which would allow an attacker full remote access to their computer. Both the FBI and CISA have noted this trend.
  • The Medusa ransomware variant surged in Q3, driving endpoint ransomware attacks to increase 89%. On the surface, endpoint ransomware detections appeared to decrease in Q3. Yet the Medusa ransomware variant – which emerged in the Top 10 malware threats for the first time – was detected with a generic signature from the Threat Lab’s automated signature engine. When factoring in the Medusa detections, ransomware attacks rose 89% quarter over quarter.
  • Threat actors pivoted from using script-based attacks and increasingly employed other living-off-the-land techniques. Malicious scripts declined as an attack vector by 11% in Q3 after dropping by 41% in Q2. Still, script-based attacks remain the largest attack vector, accounting for 56% of total attacks, and scripting languages like PowerShell are often used in living-off-the-land attacks. Meanwhile, Windows living-off-the-land binaries increased 32%. These findings indicate that threat actors continue to utilize multiple living-off-the-land techniques, likely in response to more protections around PowerShell and other scripting tools. Living-off-the-land attacks account for the largest number of endpoint attacks.
  • Malware arriving over encrypted connections declined to 48%. This figure marks a considerable reduction from previous quarters. Overall, total malware detections increased by 14%.
  • An email-based dropper family that delivers malicious payloads comprised 4 of the Top 5 encrypted malware detections in Q3. All but one of the variants in the Top 5 contained the Stacked dropper family, which arrives as an attachment in a spear-phishing email. Threat actors send emails with malicious attachments that appear to come from a known sender and claim to include an invoice or important document for review, aiming to trick end users into downloading malware. Two of the Stacked variants – Stacked.1.12 and Stacked.1.7 – also appeared in the Top 10 malware detections.
  • Commoditized malware emerges. Among the top malware threats, a new malware family, Lazy.360502, made the Top 10 list. It delivers the adware variant 2345explorer as well as the Vidar password stealer. This malware threat connected to a Chinese website that provided a credential stealer and appeared to operate like a “password stealer as a service,” where threat actors could pay for stolen credentials. This is an illustration of how commoditized malware is being used.
  • Network attacks saw a 16% increase in Q3. ProxyLogon was the number-one vulnerability targeted in network attacks, comprising 10% of all network detections in total. Like many ongoing threats, this critical, remote code execution vulnerability against Microsoft Exchange servers is one that administrators should have patched long ago.
  • Three new signatures appeared in the Top 50 network attacks. One was a PHP Common Gateway Interface (CGI) Apache vulnerability from 2012 that would result in a buffer overflow. Another was a Microsoft .NET Framework 2.0 vulnerability from 2016 that could result in a denial-of-service attack. The third was a SQL injection vulnerability from 2014 in Drupal, the open-source CMS, which allowed attackers to remotely exploit Drupal without any need for authentication.

Overall, these trends – the increasing instances of remote access software abuse, the rise of cyber adversaries using password-stealers and info-stealers to obtain valuable credentials, and threat actors pivoting from utilizing scripting to employing other living-off-the-land techniques to initiate an endpoint attack – show the complex nature of the threat environment. They also reinforce the need for organizations to have a comprehensive, multi-layered cybersecurity strategy, with network, endpoint, Wi-Fi and identity protection working together to speed up threat detection and response processes. At the same time, the persistence of old threats highlights the importance of ensuring timely patching of critical vulnerabilities. By staying tuned in to today’s threat landscape, MSPs and MSSPs can protect their customers against the most threatening bugs lurking in the corners of the Internet.

Author

Corey Nachreiner is the chief security officer (CSO) of WatchGuard Technologies. Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard’s technology and security vision and direction. He has operated at the frontline of cybersecurity for 25 years, evaluating and making accurate predictions about information security trends. As an authority on network security and an internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec, and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, Forbes, Help Net Security, and more. Find him on www.secplicity.org.
