Malware Research: Q2 2020 Volume Drops, Zero Day Bounces Rise

Malware volume dipped in the second quarter of 2020 for the second time in a row, likely due to employees working from home during the coronavirus (COVID-19) pandemic rather than inside their company’s network, a new report said.

In a normal year, WatchGuard said in its Q2 2020 Internet Security Report, the number of malware incidents would rise year-over-year. Of note, the security provider believes that cyber attacks detected by endpoint anti-malware solutions have not dropped in volume. Meanwhile, WatchGuard’s data showed an increase in advanced evasive threats.

Despite the eight percent decrease in overall malware detections in Q2, nearly 70 percent of all attacks involved zero day malware, a 12 percent increase over the previous quarter and an indication that more malware variants skirted signature-based detection and required more advanced detection engines to prevent.

“The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2, shows that attackers are turning to more evasive tactics that traditional signature-based, anti-malware defenses simply can’t catch,” said Corey Nachreiner, WatchGuard chief technology officer.

Here are some additional highlights from the study's Q2 measurements:

  • Organizations that aren’t able to inspect encrypted traffic will miss 33% of incoming threats.
  • 34% of malware attacks are using encrypted HTTPS communication channels.
  • 67% of all threats were zero day malware.
  • Gnaeus, a mal-advertising threat new to WatchGuard’s list of top malware, amounted to 20% of malware in the quarter. Gnaeus redirects users away from their intended web destinations to domains under the attacker’s control.
  • AirCrack, a greyware Wi-Fi hacking tool created by penetration-testers, is being used by criminal hackers in wireless attacks.
  • Web application attacks are the most common network exploit. Sites like,, and are being leveraged in malware and phishing attacks.
  • An ominous DDoS vulnerability dating to 2014 that can corrupt unpatched WordPress and Drupal installations, causing CPU and memory exhaustion, appeared on WatchGuard’s list of top 10 network attacks by volume in Q2.

To guard against these types of intrusions, organizations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable ad blockers and maintain an updated anti-malware engine, WatchGuard said.

“Every organization should be prioritizing behavior-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces,” Nachreiner said.

Some 42,000 WatchGuard appliances provided data for the report, the company said. Those units blocked about 28.5 million malware variants and roughly 1.75 million network threats, officials said. WatchGuard said its Firebox appliances collectively detected and blocked 410 unique attack signatures in Q2, a 15 percent increase over Q1 and the most since Q4 2018.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.