Security Research Shows Zero Day Malware Surge and More

By Emil Hozan, Threat Analyst at WatchGuard Technologies

Every quarter, WatchGuard’s Threat Lab research team releases an Internet Security Report (ISR) that covers the top cyber threats and statistics, including insights on malware, zero day malware, network attacks and DNS-level attacks. Based on anonymized data from WatchGuard Firebox owners located around the world, this threat intelligence feed captures information from more than 36,000 actively deployed devices. As a result, Threat Lab can provide analysis on the quarter’s top security incidents and explore key trends and takeaways for the reader. What did we learn in our most recent Q3’19 report? Let’s dive in.

At a high level, WatchGuard identified 29,255,063 malware variants (or 797 per device) across three anti-malware engines, and 2,398,986 network attacks (or 65 per device).

Expanding first on the malware attacks, the data showed that malware detections were up 4% from the previous quarter (Q2’19), but up 60% year-over-year (from Q3’18). Even more alarmingly, zero day malware (new or evasive malware that doesn’t match any existing antivirus signatures) accounted for just under 50% of all malware detected – which was the highest it’s ever been. Furthermore, two of the attacks in the Top 10 were Office exploits (and they were also the most widespread attacks). In the Americas region, malware accounted for 42% of all attacks detected, with EMEA in second place (30%) and APAC in third (28%). It’s worth noting that two new attacks debuted on the Top 10 list ­– both were penetration testing tools. And finally, while Mimikatz appearances plummeted nearly 50% over the previous quarter, one of the new attacks that emerged was Hacktool.JQ, also known as Windows Credentials Editor (WCE), which includes features for pass-the-hash attacks.

Moving on, network attacks increased by 8% over Q2’19, breaking the normal trend of attacks dropping from Q2 to Q3. Despite the increase in attacks, there was a decrease of unique signatures, which were down slightly. Three new network attacks debuted on the Top 10: Apache Struts 2 Remote Code Execution (leveraged in the Equifax data breach), Apache Struts Dynamic Method Invocation, and Generic JavaScript Remote Code Execution. The first allows attacks to exploit vulnerabilities in Apache web servers that include Struts, a Java web app framework. This attack rates 10 out of 10 for severity. The second attack similarly targets Apache web servers with Struts, but it uses Struts 1 plugin for Struts 2. The final JavaScript vulnerability is more of an issue with Flash Player – if users go to an attacker-controlled website with Flash content, the attacker can run arbitrary code on that user’s computer. Regionally, the Americas received 60% of network attacks, followed by EMEA (23%) and APAC (17%).

Let’s now look at DNS-level protection. In Q3’19, our data identified multiple malware campaigns using popular content delivery networks (CDNs), such as CloudFront and CloudFlare (dc44qjwal3p07[.]cloudfront[.]net and d3l4qa0kmel7is[.]cloudfront[.] net). This approach helps malware avoid detection by security services that only look at root domains. Instead, WatchGuard’s DNSWatch service uses upstream DNS resolvers to compare requested domains to lists of malicious domains in a Domain Feed, and to domains in filtered categories. If a DNS request matched either, it is blocked. The top three DNSWatch categories in Q3’19 were malware domains (web sites hosting malware outright), compromised domains (web sites that threat actors exploited to host their malicious JavaScript code), and the phishing domains (where threat actors direct users to spoofed login screens to harvest credentials for respective accounts).

Finally, let’s look at one of the top security incidents in Q3’19. At the cost of individual privacy, the country of Kazakhstan forced its citizens to install an HTTPS certificate that effectively allowed the government to man-in-the-middle encrypted network connections. Official statements claimed it was just a test to ensure protective measures “would not inconvenience Kazakh Internet users.” But we’re not buying it. Kazakhstan’s forced certificate authority (CA) install continued from July 17, 2019 until the end of August when it was finally blocked by Google, Mozilla and Apple. As a side note, this wasn’t the first time that Kazakhstan violated its citizen’s privacy. Back in December 2015, the government tried to have Mozilla add a government CA to Firefox’s trusted list. Mozilla refused the request. During the same timeframe, Kazakhstan issued a declaration requiring users to install the government-issued certificate by January 1^st, 2016 (this was eventually halted after being sued by multiple organization over security concerns).

What are some key lessons from the Q3’19 report? First, as we saw from the network attacks leveraged against Apache web servers, you shouldn’t skimp on patching. Make it a priority to stay apprised on the latest updates that vendors push out. To that end, Flash Player is obsolete at this point. If you don’t have a specific use case for it, remove it. Second, ensure you’re protected by more than just signature-based malware solutions. With so many zero day attacks, it’s evident that signature-based solutions simply won’t cut it today. Third, use multi-factor authentication (MFA). Yes, Mimikatz appearances dropped in Q3’19, but with another password-stealing tool on our malware Top 10 list, go the extra step and use an MFA solution and stop relying on just a password to protect critical systems and accounts. And finally, Kazakhstan has taught us to never blindly install any CA certificate without understanding why it’s required or what it’s doing. Stay safe!