WatchGuard uncovers top cyber threat trends of Q4 2020
Fireless malware attacks and cryptominers are coming back in force, while ransomware attacks are on the decline.
This is according to WatchGuard Technologies’ new Internet Security Report for Q4 2020.
Among its most notable findings, the report reveals that fileless malware and cryptominer attack rates grew by nearly 900% and 25% respectively, while unique ransomware payloads plummeted by 48% in 2020 compared to 2019.
Additionally, the WatchGuard Threat Lab found that Q4 2020 brought a 41% increase in encrypted malware detections over the previous quarter and network attacks hit their highest levels since 2018.
WatchGuard's report looked more closely at various trends and attack types, including fileless malware, cryptominers, ransomware, encrypted and evasive malware, botnet malware, supply chain attacks, trojan dupes and network attacks.
Fileless malware rates in 2020 increased by 888% over 2019.
According to WatchGuard, these threats can be particularly dangerous due to their ability to evade detection by traditional endpoint protection clients and because they can succeed without victims doing anything beyond clicking a malicious link or unknowingly visiting a compromised website.
Toolkits such as PowerSploit and CobaltStrike allow threat actors to easily inject malicious code into other running processes and remain operational even if the victims defences identify and remove the original script.
Deploying endpoint detection and response solutions alongside preventative anti-malware can help identify these threats.
After virtually all cryptocurrency prices crashed in early 2018, cryptominer infections became far less prevalent and reached a low of 633 unique variant detections in 2019.
According to the researchers, attackers continued adding cryptominer modules to existing botnet infections and extract passive income from victims while abusing their networks for other cyber crime.
As a result, and with prices trending upward again in Q4 2020, the volume of cryptominer malware detections climbed more than 25% over 2019 levels to reach 850 unique variants last year.
For the second year in a row, the number of unique ransomware payloads trended downward in 2020, falling to 2,152 unique payloads from 4,131 in 2019 and the all-time-high of 5,489 in 2018.
These figures represent individual variants of ransomware that may have infected hundreds or thousands of endpoints worldwide.
The majority of these detections resulted from signatures originally implemented in 2017 to detect WannaCry and its related variants, showing that ransomworm tactics are still thriving over three years after WannaCry burst onto the scene.
The steady decline in ransomware volume indicates the attackers continued shift away from the unfocused, widespread campaigns of the past toward highly targeted attacks against healthcare organisations, manufacturing firms and other victims for which downtime is unacceptable, WatchGuard states.
Encrypted, evasive malware
Despite being the fourth consecutive quarter of decreasing malware volumes overall, nearly half (47%) of all attacks WatchGuard detected at the network perimeter in Q4 were encrypted.
Additionally, malware delivered via HTTPS connections increased by 41%, while encrypted zero day malware (variants that circumvent antivirus signatures) grew by 22% over Q3.
Botnet malware targeting IoT devices and routers
In Q4, the Linux.Generic virus (also known as The Moon) made its debut on WatchGuards list of top 10 malware detections.
This malware is part of a network of servers that directly targets IoT devices and consumer-grade network devices like routers to exploit any open vulnerabilities.
WatchGuard's investigation uncovered Linux-specific malware designed for ARM processors and another payload designed for MIPS processors within the attackers infrastructure, indicating a clear focus on evasive attacks against IoT devices.
Supply chain attacks
The sophisticated, allegedly state-sponsored SolarWinds supply chain breach will have wide implications throughout the security industry for years to come, WatchGuard states.
Its effects spread far beyond SolarWinds to almost 100 companies, including some major Fortune 500s, big security companies, and even the U.S. government.
WatchGuard's detailed incident breakdown showcases the importance of defending against supply chain attacks in todays interconnected digital ecosystem.
New trojan dupes
Trojan.Script.1026663 made its way onto WatchGuard's top five most-widespread malware detections list in Q4.
The attack begins with an email asking victims to review an order list attachment. The document triggers a series of payloads and malicious code that ultimately lead the victim machine to load the final attack: the Agent Tesla remote access trojan (RAT) and keylogger.
Total network attack detections grew by 5% in Q4, reaching their highest level in over two years, the report shows.
Additionally, total unique network attack signatures showed steady growth as well with a 4% increase over Q3.
This shows that even as the world continues to operate remotely, the corporate network perimeter is still very much in play as threat actors continue to target on-premises assets.
WatchGuard chief technology officer Corey Nachreiner says, “The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections.
"The attacks are coming on all fronts, as cyber criminals increasingly leverage fileless malware, cryptominers, encrypted attacks and more, and target users both at remote locations as well as corporate assets behind the traditional network perimeter.
"Effective security today means prioritising endpoint detection and response, network defences and foundational precautions such as security awareness training and strict patch management.”