WatchGuard: Old Equifax Vulnerability, Microsoft Office Targeted Widely in Q3

The report shows an increase in malware attacks targeting the Americas in the third quarter.

Edward Gately, Senior News Editor

December 11, 2019


One of the most common network attacks during the third quarter targeted the same vulnerability exploited in the massive Equifax data breach in September 2017.

That’s according to WatchGuard Technologies’ Internet Security Report for Q3 2019. The report, based on anonymized data from nearly 37,000 active WatchGuard firewall appliances, also found a significant spike in zero day/never-before-seen malware, an increase in malware attacks targeting the Americas, and several malware campaigns using tools from the Kali Linux ethical hacking/penetration testing suite.

Corey Nachreiner, WatchGuard’s CTO, tells us that while it’s not a traditional MSSP-delivered service, multifactor authentication (MFA) is a security control that SMBs and midmarket organizations still struggle to deploy throughout their organizations. Smaller companies may use it for administrators and privileged users, but many don’t deploy it for all employees, he said.



“With more SaaS-based MFA solutions hitting the market, MSSPs are in a great position to help deploy MFA more widely,” he said. “Lost or stolen credentials cause a large percentage of data breaches, so MSSPs could really benefit from providing strong authentication services to their customers. Besides that, the amount of advanced malware getting past legacy antivirus (AV) proves the importance of managed detection and response (MDR). Our findings from this quarter indicate this is only getting worse — legacy AV is completely insufficient. If you haven’t started offering MDR services to your clients, now is a great time.”

Debuting on WatchGuard’s list of top 10 most popular network attacks, Apache Struts 2 Remote Code Execution allows attackers to install Python or make a custom HTTP request to exploit the vulnerability used in the Equifax breach with just a few lines of code and obtain shell access to an exposed system. This threat was accompanied by two additional Apache Struts vulnerabilities on the top 10 network attacks list in Q3, as overall network attacks increased in volume by 8%.

“Successful exploits tend to get reused, but it was unusual to see the exploit resurface after so much time has passed, and indicates that companies may not have been as diligent about patching Apache Struts as they could have been,” Nachreiner said.

Two malware variants affecting Microsoft Office products made WatchGuard’s top 10 list of malware by volume, as well as the top 10 most-widespread malware list last quarter. This indicates that threat actors are doubling down on both the frequency with which they leverage Office-based attacks and the number of victims they’re targeting. Both attacks were primarily delivered via email, which highlights why organizations should increasingly focus on user training and education to help them identify phishing attempts and other attacks leveraging malicious attachments.

After stabilizing at around 38% of all malware detections over the past several quarters, zero-day malware accounted for half of all detections in the third quarter. The overall volume of malware detected increased by 4% compared to the second quarter, with a massive 60% increase over the year-ago quarter. The fact that half of malware attacks from July to September were capable of bypassing traditional signature-based solutions illustrates the need for layered security services that can protect against advanced, ever-evolving threats, according to WatchGuard.

Two new malware variants involving Kali Linux penetration testing tools debuted on WatchGuard’s top 10 list of malware by volume in the quarter. The first was Boxter, a PowerShell trojan used to download and install potentially unwanted programs onto a victim’s device without consent, and the second was Hacktool.JQ, which represents the only other authentication attack tool besides Mimikatz to make the list.

“This could mean that more companies are hiring penetration testers to test their security, which is a good thing,” Nachreiner said. “Or, it could mean more hackers are using these tools for malicious purposes, which is a bad thing.”

In addition, more than 42% of all malware attacks in the third quarter were aimed at North, Central and South America, up from 27% in the second quarter. This represents a significant geographic shift in focus for attackers compared to the previous quarter, according to the report. Although the specific motivations are unclear, this trend indicates attackers are bringing new malware campaigns online that specifically target users in the Americas.

To combat these threats, organizations may need to improve their patching and MFA, Nachreiner said. As for additional things companies should be doing, the first is advanced malware protection, followed by regular penetration tests of their own network, he said.

Security is going to get harder, not easier, in the coming year, said Don MacLennan, Barracuda’s senior vice president of email protection, engineering and product management.

“People have to cover more bases, but there just aren’t enough hours in the day,” he said. “If you’re the CEO, you want your business to evolve, but you aren’t giving your security team any relief to keep up with the increased security that evolution requires. In the coming year, organizations will have to rely more than ever on effective use of technology and automation to close this widening gap and alleviate mounting tensions between security teams and corporate objectives.”



About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
