Security Research Shows Zero Day Malware Surge and More

By Emil Hozan, Threat Analyst at WatchGuard Technologies

Every quarter, WatchGuard's Threat Lab research team releases an Internet Security Report (ISR) that covers the top cyber threats and statistics, including insights on malware, zero day malware, network attacks and DNS-level attacks. Based on anonymized data from WatchGuard Firebox owners located around the world, this threat intelligence feed captures information from more than 36,000 actively deployed devices. As a result, Threat Lab can provide analysis on the quarter's top security incidents and explore key trends and takeaways for the reader. What did we learn in our most recent Q3'19 report? Let's dive in.
At a high level, WatchGuard identified 29,255,063 malware variants (or 797 per device) across three anti-malware engines, and 2,398,986 network attacks (or 65 per device).
Expanding first on the malware attacks, the data showed that malware detections were up 4% from the previous quarter (Q2'19), but up 60% year-over-year (from Q3'18). Even more alarmingly, zero day malware (new or evasive malware that doesn't match any existing antivirus signatures) accounted for just under 50% of all malware detected, the highest share it has ever been. Furthermore, two of the attacks in the Top 10 were Office exploits (and they were also the most widespread attacks). In the Americas region, malware accounted for 42% of all attacks detected, with EMEA in second place (30%) and APAC in third (28%). It's worth noting that two new attacks debuted on the Top 10 list, both of them penetration testing tools. And finally, while Mimikatz appearances plummeted nearly 50% over the previous quarter, one of the new attacks that emerged was Hacktool.JQ, also known as Windows Credentials Editor (WCE), which includes features for pass-the-hash attacks.
Moving on, network attacks increased by 8% over Q2'19, breaking the normal trend of attacks dropping from Q2 to Q3. Despite the increase in attacks, the number of unique signatures was down slightly. Three new network attacks debuted on the Top 10: Apache Struts 2 Remote Code Execution (leveraged in the Equifax data breach), Apache Struts Dynamic Method Invocation, and Generic JavaScript Remote Code Execution. The first allows attackers to exploit vulnerabilities in Apache web servers that include Struts, a Java web app framework. This attack rates 10 out of 10 for severity. The second attack similarly targets Apache web servers with Struts, but it uses the Struts 1 plugin for Struts 2. The final JavaScript vulnerability is more of an issue with Flash Player: if users go to an attacker-controlled website with Flash content, the attacker can run arbitrary code on that user's computer. Regionally, the Americas received 60% of network attacks, followed by EMEA (23%) and APAC (17%).
Let's now look at DNS-level protection. In Q3'19, our data identified multiple malware campaigns using popular content delivery networks (CDNs), such as CloudFront and CloudFlare (dc44qjwal3p07[.]cloudfront[.]net and d3l4qa0kmel7is[.]cloudfront[.]net). This approach helps malware avoid detection by security services that only look at root domains. Instead, WatchGuard's DNSWatch service uses upstream DNS resolvers to compare requested domains to lists of malicious domains in a Domain Feed, and to domains in filtered categories. If a DNS request matches either, it is blocked. The top three DNSWatch categories in Q3'19 were malware domains (web sites hosting malware outright), compromised domains (web sites that threat actors exploited to host their malicious JavaScript code), and phishing domains (where threat actors direct users to spoofed login screens to harvest credentials for the respective accounts).
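To make the CDN point concrete, here is an added example (not WatchGuard's DNSWatch code) of a minimal DNS filtering policy: it checks the full requested hostname and each of its parent domains against a malicious-domain feed plus a set of blocked categories, then runs the policy over a few query-log lines. The two cloudfront hostnames in the feed are the ones named in the report; every other feed entry, the log lines, and the `root_domain` helper (which naively takes the last two labels instead of consulting the Public Suffix List) are constructed for this example. Switching `full_hostname_matching` off reproduces the root-domain-only behaviour that lets the CDN-hosted malware through.

```python
# Added example, not WatchGuard's DNSWatch code: a minimal DNS filtering policy
# that checks the full requested hostname (and each parent domain) against a
# malicious-domain feed and a set of blocked categories, then runs it over a
# few constructed query-log lines. It shows why a service that only inspects
# the root domain cannot act on malware staged on a shared CDN hostname.
from collections import Counter

# The two cloudfront hostnames are the ones named in the Q3'19 report; every
# other feed entry is constructed for this example.
DOMAIN_FEED = {
    "dc44qjwal3p07.cloudfront.net": "malware",
    "d3l4qa0kmel7is.cloudfront.net": "malware",
    "compromised-blog.example": "compromised",   # constructed
    "login-portal.example": "phishing",          # constructed
}

# The three categories the report lists as the top DNSWatch blocks.
BLOCKED_CATEGORIES = {"malware", "compromised", "phishing"}


def candidate_names(hostname):
    """Return the hostname and each of its parent domains, most specific first.

    'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com']
    """
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]


def root_domain(hostname):
    """Naive registrable domain (last two labels).

    Assumption for this example only: a production resolver would consult the
    Public Suffix List so that suffixes such as 'co.uk' are handled correctly.
    """
    return candidate_names(hostname)[-1]


def decide(hostname, full_hostname_matching=True):
    """Return ('block', matched_name, category) or ('allow', None, None).

    With full_hostname_matching=False the check degrades to the root-domain-only
    behaviour the report describes: only 'cloudfront.net' is looked up, which
    is not in the feed (blocking it would block the whole CDN), so the
    malicious subdomain is allowed.
    """
    names = candidate_names(hostname)
    if not full_hostname_matching:
        names = names[-1:]
    for name in names:
        category = DOMAIN_FEED.get(name)
        if category in BLOCKED_CATEGORIES:
            return ("block", name, category)
    return ("allow", None, None)


# Constructed query-log lines in the form "<timestamp> <client> <qname>".
SAMPLE_LOG = """\
2019-09-02T10:14:01Z 10.0.0.21 dc44qjwal3p07.cloudfront.net
2019-09-02T10:14:03Z 10.0.0.21 d1benignassets.cloudfront.net
2019-09-02T10:15:40Z 10.0.0.35 cdn.compromised-blog.example
2019-09-02T10:16:12Z 10.0.0.35 login-portal.example
2019-09-02T10:16:13Z 10.0.0.40 www.example.org
"""


def triage_log(log_text, full_hostname_matching=True):
    """Count blocked queries per category under the given matching policy."""
    blocked = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname = line.split()
        action, _name, category = decide(qname, full_hostname_matching)
        if action == "block":
            blocked[category] += 1
    return dict(blocked)


if __name__ == "__main__":
    print("full-hostname matching:", triage_log(SAMPLE_LOG))
    print("root-domain-only matching:",
          triage_log(SAMPLE_LOG, full_hostname_matching=False))
```

Run as a script, the full-hostname policy blocks one query in each of the three categories, while the root-domain-only policy still catches the compromised and phishing domains but lets the malware on `dc44qjwal3p07.cloudfront.net` through, because the only name it ever looks up is `cloudfront.net`.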
Finally, let's look at one of the top security incidents in Q3'19. At the cost of individual privacy, the country of Kazakhstan forced its citizens to install an HTTPS certificate that effectively allowed the government to man-in-the-middle encrypted network connections. Official statements claimed it was just a test to ensure protective measures "would not inconvenience Kazakh Internet users." But we're not buying it. Kazakhstan's forced certificate authority (CA) install continued from July 17, 2019 until the end of August, when it was finally blocked by Google, Mozilla and Apple. As a side note, this wasn't the first time that Kazakhstan violated its citizens' privacy. Back in December 2015, the government tried to have Mozilla add a government CA to Firefox's trusted list. Mozilla refused the request. During the same timeframe, Kazakhstan issued a declaration requiring users to install the government-issued certificate by January 1st, 2016 (this was eventually halted after the government was sued by multiple organizations over security concerns).
What are some key lessons from the Q3'19 report? First, as we saw from the network attacks leveraged against Apache web servers, you shouldn't skimp on patching. Make it a priority to stay apprised of the latest updates that vendors push out. To that end, Flash Player is obsolete at this point. If you don't have a specific use case for it, remove it. Second, ensure you're protected by more than just signature-based malware solutions. With so many zero day attacks, it's evident that signature-based solutions simply won't cut it today. Third, use multi-factor authentication (MFA). Yes, Mimikatz appearances dropped in Q3'19, but with another password-stealing tool on our malware Top 10 list, go the extra step and use an MFA solution and stop relying on just a password to protect critical systems and accounts. And finally, Kazakhstan has taught us to never blindly install any CA certificate without understanding why it's required or what it's doing. Stay safe!