WatchGuard Technologies has released its Internet Security Report for Q4 2020, including new endpoint protection threat insights drawn from its own product and a recent acquisition.
The report reveals that fileless malware and cryptominer attack rates grew by nearly 900% and 25% respectively, while unique ransomware payloads plummeted by 48% in 2020 compared to 2019.
Additionally, the WatchGuard Threat Lab found that Q4 2020 brought a 41% increase in encrypted malware detections over the previous quarter and network attacks hit their highest levels since 2018.
Here are some of the trends Corey Nachreiner, CTO of WatchGuard, says IT departments should watch out for in 2021.
Fileless malware skyrockets
You’ve likely heard of malware before, but with most strains, the goal is to be persistent and live on a victim for a long time to maximize the return on investment for the bad guy.
Fileless malware rates in 2020 increased by 888% over 2019. These threats can be particularly dangerous due to their ability to evade detection by traditional endpoint protection clients and because they can succeed without victims doing anything beyond clicking a malicious link or visiting a compromised website.
“The good part about traditional file-based malware is that a lot of the security mechanisms you rely on, whether you call it anti-virus, endpoint protection, or anti-malware, those protections in the past traditionally have been very geared to looking for those files,” Nachreiner says.
This malware is different: attackers use other techniques to get their code running on your computer without necessarily writing a file to disk that persists.
Toolkits like PowerSploit and Cobalt Strike allow threat actors to easily inject malicious code into other running processes and remain operational even if the victim’s defenses identify and remove the original script. Deploying endpoint detection and response (EDR) solutions alongside preventative anti-malware can help identify these threats.
“Maybe there’s a malicious email that has a Word document, which a lot of people think is a benign file. But Word documents can contain things like active content, scripts, or macros,” he explains.
“If you get a Word document and you allow that content to run, that script can be the entry point for an attacker to actually run something like PowerShell. If you’re a Windows IT person, PowerShell is a very legitimate Windows application used to do lots of administrative tasks. But for me as an attacker, if I can run PowerShell with your privilege, there are a lot of evil things I can do on your computer.”
Fileless malware typically starts with some sort of script, and it works by abusing programs that ship with the operating system (typically Windows, though other operating systems are affected too), such as the administrative tooling built into Windows, to do its damage.
Because old-school antivirus doesn’t detect this, it wriggles its way around security controls.
Nachreiner says IT departments should consider Endpoint Detection and Response (EDR), making sure the EDR suite includes post-execution and fileless detection capabilities.
Ransomware attack volumes shrink
For the second year in a row, the number of unique ransomware payloads trended downward in 2020, falling to 2,152 unique payloads from 4,131 in 2019 and the all-time-high of 5,489 in 2018.
These figures in the report represent individual variants of ransomware that may have infected hundreds or thousands of endpoints worldwide. The majority of these detections resulted from signatures originally implemented in 2017 to detect WannaCry and its related variants, showing that ransomworm tactics are still thriving over three years after WannaCry burst onto the scene.
“Between 2013 and 2016, or ’17, bad guys were using what we call crypto ransomware, the kind that actually encrypts your files, and that’s how they extorted,” Nachreiner says.
It was new, and it was very effective. As a result, the extortionists had a kind of “shotgun approach,” where they would blast ransomware emails to everybody.
“But what happened between 2017 and now is the industry as a whole got better at detecting this kind of shotgun-blast ransomware. So the reason you see the volume in the variants decline, but not the victims necessarily decline, is these bad guys have switched to a very targeted method, where now they are targeting and only sending ransomware to very specific people,” he explains.
Botnet malware targeting IoT devices & routers
The report details how the Linux.Generic virus (a.k.a. “The Moon”) directly targets IoT devices and network devices to exploit vulnerabilities. WatchGuard’s investigation uncovered Linux-specific malware designed for ARM processors and another payload designed for MIPS processors within the attacker’s infrastructure, indicating a clear focus on evasive attacks against IoT devices.
“The reason it’s Linux-based is a lot of these IoT devices run a Linux subsystem,” Nachreiner says.
“The Moon is an IoT threat that specifically targets consumer routers, consumer network-attached storage devices, and even in some cases, other consumer IoT devices. We saw this target a very specific version of the NAS (network-attached storage) operating system that many use.
“One of the interesting things about all these devices is your normal computer is probably an x86 computer, and most of them have an x86 processor. The issue there is a lot of these kinds of embedded low-cost devices are using these ARM and MIPS processors, so the malware you need to create for these IoT devices is pretty specific.”
The main takeaway is to make sure you have a layered security strategy, where it’s not just endpoint protection on your desktops.
New trojan dupes email scanners
Trojan.Script.1026663 made its way onto WatchGuard’s top five most widespread malware detections list in Q4.
The attack begins with an email asking victims to review an order list attachment. The document triggers a series of payloads and malicious code that ultimately lead the victim machine to load the final attack: the Agent Tesla remote access trojan (RAT) and keylogger.
“It’s not until the script downloads that you would actually have something really bad. So you really need to pay attention to these multi-staged approaches to running malware. The reason they have these stages, starting with a document, then a script, to finally downloading the payload, is to try to evade your security. So make sure you have those layers that can catch these different types of attacks, including the EDR.”
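The post-execution detection that the fileless-malware section calls for, and the multi-stage chain (document, then script, then downloaded payload) described here, both come down to watching process lineage rather than scanning files. The following is an added example, not WatchGuard's or Nachreiner's code, that runs simple EDR-style rules over a handful of constructed process-creation events in the shape of Sysmon Event ID 1 records (pid, parent pid, image path, command line). The process names, flag fragments and sample command lines are assumptions chosen for illustration; it flags an Office application spawning a script host, PowerShell launched with hiding or encoding flags, and a new executable whose ancestry runs back through a script host to a document reader.

```python
"""Lineage-based detection over constructed process-creation events.

Added example (not WatchGuard code). Three rules that file scanning alone
would miss: Office app -> script host, PowerShell with evasive flags, and a
fresh executable descended from document -> script host (staged payload).
"""
from dataclasses import dataclass

# Assumed process-name sets; a real deployment would tune these per estate.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
# Command-line fragments commonly seen when a script stages code in memory.
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden",
                       "-windowstyle hidden", "-nop", "-noprofile", "iex",
                       "invoke-expression", "downloadstring", "downloadfile",
                       "frombase64string")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    chain: list     # process names from root ancestor down to this pid


def base(image):
    """Lower-cased file name of an image path (Windows separators)."""
    return image.rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid):
    """Walk parent links until the root is reached; guards against pid reuse loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def analyze(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = base(e.image)
        parent = by_pid.get(e.ppid)
        pimg = base(parent.image) if parent else ""
        chain = lineage(by_pid, e.pid)
        # Rule 1: document reader launched a script interpreter.
        if img in SCRIPT_HOSTS and pimg in OFFICE_APPS:
            findings.append(Finding("office_spawns_script_host", e.pid, chain))
        # Rule 2: PowerShell started with flags typical of hidden/in-memory staging.
        if img in {"powershell.exe", "pwsh.exe"}:
            hits = [f for f in SUSPICIOUS_PS_FLAGS if f in e.cmdline.lower()]
            if hits:
                findings.append(Finding("powershell_evasive_flags:" + ",".join(hits),
                                        e.pid, chain))
        # Rule 3: a new executable whose ancestors include both a document
        # reader and a script host (the staged download the article describes).
        ancestors = chain[:-1]
        if (img not in SCRIPT_HOSTS and img not in OFFICE_APPS
                and any(a in OFFICE_APPS for a in ancestors)
                and any(a in SCRIPT_HOSTS for a in ancestors)):
            findings.append(Finding("staged_payload_from_document", e.pid, chain))
    return findings


# Constructed sample telemetry: one staged chain plus one benign admin use of PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\a\Downloads\order_list.docx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA..."),  # base64 truncated (constructed)
    ProcEvent(400, 300, r"C:\Users\a\AppData\Local\Temp\update.exe", "update.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Service"),  # legitimate admin use, should not alert
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:45} pid={f.pid} chain={' -> '.join(f.chain)}")
```

The benign `Get-Service` launch from Explorer produces no finding, which is the point of rule 2 keying on flags rather than on PowerShell itself, since the quote above stresses that PowerShell is a legitimate administrative tool. Rule 3 is what catches the final stage even when the original document and script were already cleaned up, because the lineage is reconstructed from the event stream rather than from anything left on disk.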