
Encrypted Malware Threat Rises, WatchGuard Research Says


Two-thirds of all malware delivered in the first quarter of 2020 arrived over encrypted connections, a new report said, meaning that security setups unable to inspect such traffic will miss most incoming threats.

The figure comes from network security provider WatchGuard’s Internet Security Report, Q1 2020, drawn from anonymized data supplied by roughly 44,000 of the vendor’s security appliances installed worldwide. In Q1 2020, those devices blocked some 32 million malware variants and about 1.7 million network attacks, WatchGuard said. Based on the same data, 72 percent of the malware delivered over encrypted connections in the period was classified as zero-day malware, which the report defines as malware that evades signature-based antivirus detection.

The findings show that HTTPS inspection and advanced behavior-based threat detection and response solutions are requirements for every security-conscious organization, said Corey Nachreiner, chief technology officer at WatchGuard.

“Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” he said. “As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

Here are seven key findings from WatchGuard’s Q1 2020 report:

  • Monero cryptominers surge. Five of the top ten domains distributing malware in Q1 either hosted or controlled Monero cryptominers. Adding a cryptomining module to malware is an easy way for online criminals to generate passive income.
  • Flawed-Ammyy and Cryxos malware variants. The Cryxos trojan is delivered as an email attachment disguised as an invoice; it asks the user to enter their email address and password, which it then captures and stores. Flawed-Ammyy is used in support scams in which the attacker abuses the Ammyy Admin remote support software to gain remote access to the victim’s computer.
  • Three-year-old Adobe vulnerability. An exploit for an Adobe Acrobat Reader vulnerability patched in August 2017 resurfaced, illustrating the importance of regular patching and system updates.
  • New spear phishing campaigns. New domains hosting phishing campaigns appeared, impersonating the digital marketing and analytics product Mapp Engage, the online betting platform Bet365 and a since-deactivated AT&T login page.
  • COVID-19 Impact. A massive rise in remote workers and attacks targeting individuals occurred in Q1 2020.
  • Malware hits, network attacks decline. Overall, there were about seven percent fewer malware hits and 12 percent fewer network attacks in Q1, despite a nine percent increase in the number of appliances contributing data.
  • Great Britain and Germany. Both countries were top targets for almost all of the most prevalent malware in Q1.

The complete report includes key defensive best practices that organizations can use to protect themselves from these threats, along with an analysis of how the COVID-19 pandemic and the associated shift to teleworking have affected the cybersecurity landscape.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.