WatchGuard Threat Lab Report Indicates Increase in Threat Actor Exploits of Remote Access Software

Unified cybersecurity firm WatchGuard Technologies announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats as analyzed by WatchGuard Threat Lab researchers.

Key findings from the data include increasing instances of remote access software abuse, password- and info-stealers used to steal valuable credentials, and other “living-off-the-land” techniques used to initiate an endpoint attack.

“Threat actors continue using different tools and methods in their attack campaigns, making it critical for organizations to keep abreast of the latest tactics to fortify their security strategy,” said Corey Nachreiner, WatchGuard’s CSO. “Modern security platforms that include firewalls and endpoint protection software can deliver enhanced protection for networks and devices. But when it comes to attacks that employ social engineering tactics, the end user becomes the last line of defense between malicious actors and their success in infiltrating an organization. It’s important for organizations to provide social engineering education as well as adopt a unified security approach that provides layers of defense, which can be administered effectively by managed service providers.”

The latest Internet Security Report featuring data from Q3 2023 also showed:

  • Threat actors increasingly use remote management tools and software to evade anti-malware detection, which both the FBI and CISA have acknowledged.
  • Medusa ransomware variant surges in Q3, driving endpoint ransomware attacks to increase 89 percent, quarter over quarter.
  • Threat actors pivot from using script-based attacks and increasingly employ other living-off-the-land techniques. Malicious scripts declined as an attack vector by 11 percent in Q3 after dropping by 41 percent in Q2. Still, script-based attacks remain the largest attack vector, accounting for 56 percent of total attacks, and scripting languages like PowerShell are often used in living-off-the-land attacks. Meanwhile, Windows living-off-the-land binaries increased 32 percent.
  • Malware arriving over encrypted connections declined to 48 percent, meaning just under half of all malware detected came via encrypted traffic. This figure is notable because it is down considerably from previous quarters. Overall, total malware detections increased by 14 percent.
  • An email-based dropper family that delivers malicious payloads comprised four of the Top 5 encrypted malware detections in Q3. All but one of the variants in the Top 5 contained the dropper family named Stacked, which arrives as an attachment in a spear-phishing email.
  • Commoditized malware emerged, including a new malware family, Lazy.360502, that made the Top 10 list. It delivers the adware variant 2345explorer as well as the Vidar password stealer. This malware threat connected to a Chinese website that provided a credential stealer and appeared to operate like a “password stealer as a service,” where threat actors could pay for stolen credentials, illustrating how commoditized malware is being used.
  • Network attacks saw a 16 percent increase in Q3. ProxyLogon was the number-one vulnerability targeted in network attacks, comprising 10 percent of all network detections in total.
  • Three new signatures appeared in the Top 50 network attacks. These included a PHP Common Gateway Interface Apache vulnerability from 2012 that would result in a buffer overflow. Another was a Microsoft .NET Framework 2.0 vulnerability from 2016 that could result in a denial-of-service attack. There was also a SQL injection vulnerability in Drupal, the open-source CMS, from 2014. This vulnerability allowed attackers to remotely exploit Drupal without any need for authentication.

Analyzed data was based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.

The complete Q3 2023 Internet Security Report is available here.