Intelligent CIO North America Issue 42 | Page 26

TRENDING

to utilize multiple living-off-the-land techniques, likely in response to more protections around PowerShell and other scripting. Living-off-the-land attacks account for the largest share of endpoint attacks.
• Malware arriving over encrypted connections declined to 48%. Just under half of all malware detected came via encrypted traffic. This figure is notable because it is down considerably from previous quarters. Overall, total malware detections increased by 14%.
• An email-based Dropper family that delivers malicious payloads comprised four of the Top 5 encrypted malware detections in Q3. All but one of the variants in the Top 5 contained the Dropper family named Stacked, which arrives as an attachment in an email spear-phishing attempt. Threat actors send emails with malicious attachments that appear to come from a known sender and claim to include an invoice or important document for review, aiming to trick end users into downloading malware. Two of the Stacked variants – Stacked.1.12 and Stacked.1.7 – also appeared in the Top 10 malware detections.
• Commoditized malware emerges. Among the top malware threats, a new malware family, Lazy.360502, made the Top 10 list. It delivers the adware variant 2345explorer as well as the Vidar password stealer. This malware threat connected to a Chinese website that provided a credential stealer and appeared to operate like a ‘password stealer as a service’ where threat actors could pay for stolen credentials, illustrating how commoditized malware is being used.
• Network attacks saw a 16% increase in Q3. ProxyLogon was the number-one vulnerability targeted in network attacks, comprising 10% of all network detections in total.
• Three new signatures appeared in the Top 50 network attacks. These included a PHP Common Gateway Interface Apache vulnerability from 2012 that would result in a buffer overflow. Another was a Microsoft .NET Framework 2.0 vulnerability from 2016 that could result in a denial-of-service attack. There was also a SQL injection vulnerability in Drupal, the open-source CMS, from 2014. This vulnerability allowed attackers to remotely exploit Drupal without any need for authentication.
Consistent with WatchGuard’s Unified Security Platform approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.
26 INTELLIGENTCIO NORTH AMERICA www.intelligentcio.com