WatchGuard’s quarterly report on malicious activity in cyberspace highlights the dangers of encrypted malware. It also revisits the influence of the pandemic on the threat landscape and the increased activity of Monero cryptominers, not to mention the malware most used during these 3 months, such as Flawed-Ammyy and Cryxos. The report’s statistics are based on anonymized data collected by WatchGuard appliances, which their owners have agreed to share in order to support the research programs of the WatchGuard Threat Lab.
For the first time, WatchGuard experts looked at the volume and percentage of malware delivered over encrypted HTTPS connections. In the 1st quarter of 2020, 67% of malware was transmitted via HTTPS. Without security solutions capable of inspecting encrypted traffic, two-thirds of incoming threats will therefore fall through the cracks. In addition, 72% of encrypted malware is classified as new or zero-day. In other words, there is no antivirus signature associated with it, so it will escape detection by signature-based protection systems. “These results demonstrate the need for any security-conscious organization to inspect HTTPS traffic and adopt advanced behavior-based threat detection and response solutions,” said the report.
The imperative to implement HTTPS inspection
“Some companies are reluctant to implement HTTPS inspection due to the additional workload that it induces, but our threat data clearly shows that the majority of malware is transmitted via encrypted connections and that it is no longer possible to ignore the inspection of this traffic,” says Corey Nachreiner, CTO of WatchGuard.
Here are the main conclusions of the report for the first quarter of 2020:
- The Trojan horse Cryxos occupies the third position in the Top 5 of encrypted malware as well as third place in the ranking of the five most widespread malware. Arriving as an invoice attached to an email, Cryxos invites the user to enter their email address and password, which are then captured. Flawed-Ammyy is a fake tech support scam in which the cybercriminal uses the Ammyy Admin support software to remotely access the victim’s computer.
- Monero cryptominers are increasingly popular. Five of the top ten malware-distributing domains in the first quarter (identified by WatchGuard’s DNS filtering service, DNSWatch) hosted or controlled Monero cryptominers. This sudden spike in the popularity of cryptominers may simply be due to their usefulness: adding a cryptomining module to malware is an easy way for cybercriminals to generate income.
- A three-year-old Adobe vulnerability is among the major network attacks. An exploit targeting Adobe Acrobat Reader, patched in August 2017, appeared for the first time in the first quarter in the list of major network attacks. The fact that this vulnerability resurfaces several years after its discovery and correction highlights the importance of regularly updating systems and applying patches.
- Impact of Covid-19. The first quarter of 2020 marks the start of a drastic change in the cyber threat landscape induced by the coronavirus pandemic: over these 3 months, countless attacks targeted the multitude of individuals forced into telecommuting overnight.
- Reduction in malware infections and network attacks. Overall, malware infections fell 6.9% and network attacks fell 11.6% in the first quarter, despite a 9% increase in the number of Firebox appliances providing data. These figures may result from the smaller number of potential targets located within the traditional network perimeter following the telework policies implemented worldwide during the pandemic.
- Britain and Germany heavily targeted by widespread malware. They were the main targets of the majority of the most widespread malware in the first quarter.