Study highlights the danger of encrypted malware, a surge in Monero cryptominers, Flawed-Ammyy and Cryxos malware, and more
67% of all malware in Q1 was delivered via HTTPS, so organizations without security solutions capable of inspecting encrypted traffic will miss two-thirds of incoming threats, according to WatchGuard Technologies’ Internet Security Report for Q1, 2020. Additionally, 72% of encrypted malware was classified as zero day (meaning no antivirus signature exists for it, and it will evade signature-based protections). These findings show that HTTPS inspection and advanced behavior-based threat detection and response solutions are now requirements for every security-conscious organization.
“Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” said Corey Nachreiner, chief technology officer at WatchGuard. “As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”
The report prepares midmarket businesses, the service providers that support them, and the end users that work for them with data on the trends, research and best practices they need to defend against modern security threats. Here are the key findings from the Q1, 2020 report:
- Monero cryptominers surge in popularity: Five of the top ten domains distributing malware in Q1 (identified by WatchGuard’s DNS filtering service DNSWatch) either hosted or controlled Monero cryptominers. This sudden jump in cryptominer popularity could simply be due to its utility; adding a cryptomining module to malware is an easy way for online criminals to generate passive income.
- Flawed-Ammyy and Cryxos malware variants join top lists: The Cryxos trojan was third on WatchGuard’s top-five encrypted malware list and also third on its top-five most widespread malware detections list, primarily targeting Hong Kong. It is delivered as an email attachment disguised as an invoice and will ask the user to enter their email and password, which it then stores. Flawed-Ammyy is a support scam where the attacker uses the Ammyy Admin support software to gain remote access to the victim’s computer.
- Three-year-old Adobe vulnerability appears in top network attacks: An Adobe Acrobat Reader exploit that was patched in Aug. 2017 appeared in WatchGuard’s top network attacks list for the first time in Q1. This vulnerability resurfacing several years after being discovered and resolved illustrates the importance of regularly patching and updating systems.
- Mapp Engage, AT&T and Bet365 targeted with spear phishing campaigns: Three new domains hosting phishing campaigns appeared on WatchGuard top-ten list in Q1, 2020. They impersonated digital marketing and analytics product Mapp Engage, online betting platform Bet365 (this campaign was in Chinese) and an AT&T login page (this campaign is no longer active at the time of the report’s publication).
- Malware hits and network attacks decline: Overall there were 6.9% fewer malware hits and 11.6% fewer network attacks in Q1, despite a 9% increase in the number of Fireboxes contributing data. This could be attributed to fewer potential targets operating within the traditional network perimeter with worldwide work-from-home policies in full force during the COVID-19 pandemic.
- Great Britain and Germany heavily targeted by widespread malware threats: WatchGuard’s most widespread malware list showed Germany and Great Britain were top targets for almost all of the most prevalent malware in Q1.