Zero-Day Malware Attacks Spike in Q2

Despite a decrease in number, evasive zero-day malware attacks circumventing antivirus protections jumped in the second quarter.

That’s according to WatchGuard Technologies’ Internet Security Report for Q2 2020. Seventy percent of all attacks involved zero-day malware. That’s a 12% increase over the previous quarter.

WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard appliances.

Attacks sent over encrypted HTTPS connections accounted for 34% of attacks. Organizations that aren’t able to inspect encrypted traffic will miss one-third of incoming threats.

Even though the percentage of threats using encryption decreased from 64% in the first quarter, the volume of HTTPS-encrypted malware increased dramatically.

It appears more administrators are taking the necessary steps to enable HTTPS inspection on Firebox security appliances. But there’s still more work to be done.

Surprising Increase in Network Attacks

Corey Nachreiner is WatchGuard‘s CTO.

WatchGuard’s Corey Nachreiner

“One of the things we found slightly surprising in our [second quarter] results was that network attacks increased despite the general shift to working from home for many employees,” he said. “As the pandemic accelerated the adoption of remote work, we had expected to see some of our threat volume numbers drop. Note, this isn’t because cybercriminals are attacking less, but more because they are now attacking users at home — which employers’ corporate perimeter security devices may not detect.”

While malware volume fell, network attacks actually rose, Nachreiner said.

“In hindsight, this makes sense, as companies’ network services still remain in the cloud and at the office, even when employees access them from home,” he said. “Our takeaway is that businesses do need to reinforce their endpoint protection to keep workers at home safe. But network security is still necessary to protect the services within their organization’s physical and cloud perimeter.”

This is a great time for MSSPs to focus on technologies and services that can protect these users no matter where they work, Nachreiner said.

Other findings include:

• JavaScript-based attacks are on the rise.
• Attackers increasingly use encrypted Excel files to hide malware.
• A six-year-old denial of service (DoS) vulnerability affecting WordPress and Drupal made a comeback in the second quarter. It affects every unpatched Drupal and WordPress installation. Bad actors can cause CPU and memory exhaustion on underlying hardware.
• Malware domains leverage command and control servers to wreak havoc.

What Organizations Should Do

“There are three primary things we think organizations should be doing better to protect themselves,” Nachreiner said. “First, scanning HTTPS traffic for malware and network threats. In both our second quarter and previous first quarter report, we found a significant portion of malware arrives via encrypted, HTTPS traffic. Previously, we found about two-thirds of malware arrived via HTTPS, and during the second quarter that dropped to about one-third. Despite the drop, one-third is a lot of malware to miss for an organization, especially when the average WatchGuard Firebox sees at least 670 variants of malware a quarter.”

Second, organizations should use advanced or proactive malware detection, he said.

“Every quarter, our zero-day malware statistic shows a big portion of malware evades traditional, signature-based protections,” Nachreiner said. “If you don’t have behavioral or ML-based anti-malware services, you could miss two-thirds of the threats out there.

 And finally, multifactor authentication (MFA) is necessary for every employee, he said.

“Our report consistently shows signs that cybercriminals focus on credential theft and leaks as one of the easiest ways to compromise a network,” Nachreiner said. “MFA is the best way to protect your users’ credential and secure your authentication process. While some SMBs have deployed MFA to privileged users for certain workloads, we find few deploy it throughout their organization for every user — but doing so is one of the best ways to secure your company.”