A WatchGuard report reveals how COVID-19 has impacted the security threat landscape, with evidence that attackers continue to target corporate networks despite the shift to remote work, and a rise in pandemic-related malicious domains and phishing campaigns.
“While there’s no such thing as ‘the new normal’ when it comes to security, businesses can be sure that increasing protection for both the endpoint and the network will be a priority in 2021 and beyond. It will also be important to establish a layered approach to information security, with services that can mitigate evasive and encrypted attacks, sophisticated phishing campaigns and more.”
Network attacks and unique detections both hit two-year highs
Network attacks swelled to more than 3.3 million in Q3, representing a 90% increase over the previous quarter and the highest level in two years. Unique network attack signatures also continued on an upward trajectory, reaching a two-year high in Q3 as well.
These findings highlight the fact that businesses must prioritize maintaining and strengthening protections for network-based assets and services, even as workforces become increasingly remote.
COVID-19 threat landscape
In Q3, a COVID-19 adware campaign running on websites used for legitimate pandemic support purposes made the list of the top 10 compromised websites.
A phishing attack that leverages Microsoft SharePoint to host a pseudo-login page impersonating the United Nations was uncovered, and the email hook contained messaging around small business relief from the UN due to the pandemic.
These findings further emphasize that attackers will continue to leverage the fear, uncertainty, and doubt surrounding the global health crisis to entice and fool their victims.
Businesses click on hundreds of phishing attacks and bad links
In Q3, a combined 2,764,736 malicious domain connections were blocked, which translates to 499 blocked connections per organization in total. Breaking it down further, each organization would have reached 262 malware domains, 71 compromised websites, and 52 phishing campaigns.
Combined with the aforementioned rise in convincing COVID-19 scams, these findings illustrate the importance of deploying DNS filtering services and user security awareness training.
Attackers probe for vulnerable SCADA systems in the U.S.
The one new addition to the most-widespread network attacks list in Q3 exploits a previously-patched authentication bypass vulnerability in a popular SCADA control system.
While this class of vulnerability isn’t as serious as a remote code execution flaw, it could still allow an attacker to take control of the SCADA software running on the server. Attackers targeted nearly 50% of U.S. networks with this threat in Q3, highlighting that industrial control systems could be a major focus area for bad actors in the coming year.
LokiBot look-a-like debuts as a top widespread malware variant
Farelt, a password stealer that resembles LokiBot, made its way into the top five most-widespread malware detections list in Q3. Though it is unclear if the Farelt botnet uses the same command and control structure as LokiBot, there’s a high probability the same group, SilverTerrier, created both malware variants.
This botnet takes many steps to bypass antivirus controls and fool users into installing the malware. While researching the threat, strong evidence was found that indicates the malware has likely targeted many more victims than the data suggests.
Emotet, a prolific banking trojan and known password stealer, made its debut on the top ten malware list for the first time in Q3 and narrowly missed the top ten list of domains distributing malware (by only a few connections).
Despite coming in at #11 for the latter list, this appearance is particularly notable, as research teams have seen current Emotet infections dropping additional payloads like Trickbot and even the Ryuk ransomware with no signs of slowing down.