The findings show that hackers are ratcheting up their use of well-known tactics such as credential theft and ransomware by using fake Office documents and other attack vectors, requiring organisations to be able to combat a wider variety of threats.
More than 17% of WatchGuard’s unified threat management devices blocked malicious Office documents, with two threats in this category making it into WatchGuard’s most widespread malware list, and one in the top 10 malware attacks by volume.
More than half of these malicious documents were blocked in Europe, the Middle East and Africa (EMEA), mainly in Eastern European countries. The report advises users to avoid interacting with unsolicited Office documents and to consider any attachments that seek to enable macros as a potential threat.
“The key findings illustrate the importance of layered security protections,” said Corey Nachreiner, chief technology officer at WatchGuard Technologies.
“Whether it be DNS-level [domain name system-level] filtering to block connections to malicious websites and phishing attempts, intrusion prevention services to ward off web application attacks, or multifactor authentication to prevent attacks using compromised credentials – it’s clear that modern cyber criminals are using a bevy of diverse attack methods.
“The best way for organisations to protect themselves is with a unified security platform that offers a comprehensive range of security services,” he said.
Another key finding of the report is that Mac OS malware is on the rise. Mac malware first appeared on WatchGuard’s top 10 malware list in the third quarter of 2018, and now two variants have become prevalent enough to make the list in the first quarter of 2019, the report said. It added that this increase in Mac-based malware further debunks the myth that Macs are immune to viruses and malware, and reinforces the importance of threat protection for all devices and systems.
The report also highlights a sharp rise in web application exploits. Despite a decrease in the overall volume of network attacks, WatchGuard data shows that web application attacks grew significantly.
WatchGuard’s intrusion prevention service caught attackers exploiting many cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities – both popular methods for credential theft. Two SQLi attacks made it onto WatchGuard’s top 10 network attacks list, while one web XSS attack accounted for more than 10% of network attacks on the top 10 list overall.
According to WatchGuard, its DNS filtering service prevented nearly 5.2 million attempted visits to malicious destinations, blocking more than 500,000 connections to known malware-hosting domains, 187,000 connections to compromised websites and 61,000 connections to known phishing sites. DNS-level filtering is critical to prevent users from unknowingly falling victim to malware infections, credential theft or botnet command and control systems, the report said.
Fileless malware appeared in both WatchGuard’s top 10 malware and top 10 network attack lists. On the malware side, a PowerShell-based code injection attack showed up in the top 10 list for the first time, while the popular fileless backdoor tool, Meterpreter, also made its first appearance in the top 10 list of network attacks. This trend further demonstrates cyber criminals’ continued focus on using this evasive threat category, the report said.
Mimikatz-based malware skyrocketed by 73%, the report said, remaining the top malware threat. Accounting for 20.6% of all malware found in the first quarter, this popular open source tool is often used for password theft and represents a major driver behind many network infiltrations.
Mimikatz is a mainstay on WatchGuard’s top 10 malware list, which highlights the importance of using unique passwords for each individual account, the report said. In light of cyber criminals’ persistent focus on credential theft, the report recommends that organisations of all sizes consider adopting multifactor authentication to prevent would-be attackers from compromising legitimate user accounts.
The report is based on anonymised data from more than 42,000 WatchGuard appliances around the world, which the company said have blocked more than 23,884,979 malware variants, at a rate of 564 samples blocked per device.