Recent research reveals that 30% of malware attacks are zero-day exploits that cannot be identified by legacy antivirus (AV) systems because they have not been seen in the wild before.
The finding confirms that cyber criminals’ capability to morph their malware has outpaced the AV industry’s ability to keep up with new signatures.
This means that without advanced threat prevention, companies could be missing up to a third of malware, according to the first quarterly internet security report by network security firm WatchGuard.
Typically, macro-based malware requires more user interaction, since macros are not enabled by default. However, this type of malware has made a comeback since many users consider documents benign, and these documents sometimes evade legacy security scans, the report said.
Web shells or backdoor shells are malicious pieces of code uploaded to web servers that give hackers a page where they can access a web server’s file system to upload and download files, or in some cases even execute commands to gain full control of a server.
The report said the research finding that PHP web shells are the fourth most common type of malware is a good reminder that old does not necessarily mean irrelevant.
Despite their basic nature, hackers have continued to modify and improve on the original PHP shells, and still use them on websites they can gain access to through web application attacks, the report said.
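Because a web shell is just a PHP file that hands request parameters to a command or code-execution function, a defender can triage uploaded files for that pattern. The following scanner is an added example, not code from WatchGuard or its report: it scores files on heuristics (a dangerous sink fed directly from a request variable, stacked decoders such as eval(gzinflate(base64_decode(...))), dynamic function names called with request input) and runs over a few constructed PHP snippets. The indicator lists, weights and threshold are this example's own assumptions, not figures from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Heuristic indicators (assumed for this example, not taken from the report):
# code/command sinks, request-controlled sources and common obfuscation wrappers.
DANGEROUS_CALLS = ("eval", "assert", "system", "exec", "shell_exec",
                   "passthru", "popen", "proc_open")
REQUEST_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "php://input")
OBFUSCATION = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")

# A sink whose argument list contains a request source before the statement ends.
SINK_FROM_REQUEST = re.compile(
    r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(\s*[^;]*?("
    + "|".join(re.escape(s) for s in REQUEST_SOURCES) + ")"
)
# eval() wrapped directly around a decoder, the classic packed-shell layout.
STACKED_DECODER = re.compile(r"\beval\s*\(\s*(" + "|".join(OBFUSCATION) + r")\s*\(")
# A variable used as a function name and called with request input: $f($_GET['x']).
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")
# A long base64-looking string literal, typical of an embedded payload.
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def scan_php(path: str, source: str) -> Finding:
    """Score one PHP file; higher means more web-shell-like."""
    f = Finding(path)
    for m in SINK_FROM_REQUEST.finditer(source):
        f.score += 5
        f.reasons.append(f"{m.group(1)}() fed from {m.group(2)} at offset {m.start()}")
    if STACKED_DECODER.search(source):
        f.score += 4
        f.reasons.append("eval() wrapped around a decoder")
    for fn in OBFUSCATION:
        if re.search(r"\b" + fn + r"\s*\(", source):
            f.score += 2
            f.reasons.append(f"uses {fn}()")
    if DYNAMIC_CALL.search(source):
        f.score += 5
        f.reasons.append("dynamic function call with request input")
    if LONG_BLOB.search(source):
        f.score += 3
        f.reasons.append("long base64-like literal")
    return f


def triage(files: Dict[str, str], threshold: int = 5) -> List[Finding]:
    """Return files at or above the threshold, most suspicious first."""
    hits = [scan_php(p, s) for p, s in files.items()]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed sample files (not real artefacts): one benign page and three
# shapes of web shell that a signature for the original shell would miss.
SAMPLE_FILES = {
    "public/index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
    "uploads/img_2017.php": "<?php if(isset($_POST['c'])){ system($_POST['c']); } ?>",
    "uploads/cache.php": "<?php eval(gzinflate(base64_decode('H4sIAAAA_placeholder'))); ?>",
    "themes/footer.php": "<?php $f = 'sys'.'tem'; $f($_REQUEST['x']); ?>",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES):
        print(f"{finding.path}: score {finding.score}")
        for r in finding.reasons:
            print("   -", r)
```

The scoring is deliberately layered: a single decoder call is weak evidence (legitimate code base64-decodes things), so it only adds weight, while a sink fed straight from a request variable or an eval() around a decoder is enough on its own to cross the threshold. Files that score below it, such as the benign index page, are not reported; files that hide the sink behind string concatenation are still caught by the dynamic-call rule.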
Other findings in the WatchGuard Q4 2016 report include:
- Most network attacks were aimed at web services and browsers, with 73% of the top attacks targeting web browsers in drive-by download attacks.
- The top 10 exploits were all web-based attacks.
- Sophisticated attackers continue to target banks with evasive malware.
- There is a significant number of Linux-based trojans, likely connected with IoT attacks.
- Nation-state hackers use similar hacking tools as criminals, but with more sophisticated obfuscation and evasion techniques.
The findings in the report are based on anonymised Firebox Feed data from WatchGuard’s 24,000 active unified threat management (UTM) appliances worldwide.
According to WatchGuard, the threat analytics from Fireboxes deployed around the world provide first-hand, acute insight into the evolution of cyber attacks and how threat actors are behaving.
“With ransomware attempts and malicious websites dominating the headlines, along with cyber attacks such as the Mirai Botnet, the Swift banking attacks and alleged Russian interference in the US presidential election, it was a busy quarter for cyber criminals,” said Jonathan Whitley, sales director for Northern Europe at WatchGuard.
“The insight trends, research and security tips in our quarterly internet security reports are designed to help companies stay educated and vigilant in such a dynamic threat landscape,” he said.
WatchGuard said the UTM devices used for the report blocked more than 18.7 million malware variants in the fourth quarter, an average of 758 variants per device. They also blocked more than 3 million network attacks, an average of 123 attacks per device.
In response to the rapid spread of the Mirai botnet, the WatchGuard Threat Lab has launched an ongoing research project that analyses devices that make up the internet of things (IoT) for security flaws.
The research in the report evaluated Wi-Fi cameras, fitness accessories and network-enabled novelty devices. This includes a deeper look at vulnerabilities the Threat Lab found in a relatively popular wireless IP camera and steps that can be taken to secure IoT devices.
In the light of the Mirai IoT botnet attacks, WatchGuard recommends that organisations replace default credentials with a strong password, protect IoT devices with a firewall and scan the network for unauthorised IoT devices.
Business owners should first ensure that their organisation is not helping to perpetuate the problem by scanning the network to ensure employees have not connected any unauthorised devices that may be vulnerable to attack and restricting remote access to IoT devices wherever possible, the report said.