Massive increase in endpoint attacks, rising rate of encrypted malware and new exploits targeting IoT
Fileless malware and cryptominer attack rates grew by nearly 900% and 25% respectively, while unique ransomware payloads plummeted by 48% in 2020 compared to 2019, according to WatchGuard.
Q4 2020 also brought a 41% increase in encrypted malware detections over the previous quarter and network attacks hit their highest levels since 2018.
“The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections,” said Corey Nachreiner, CTO at WatchGuard.
“The attacks are coming on all fronts, as cybercriminals increasingly leverage fileless malware, cryptominers, encrypted attacks and more, and target users both at remote locations as well as corporate assets behind the traditional network perimeter. Effective security today means prioritising endpoint detection and response, network defences and foundational precautions such as security awareness training and strict patch management.”
Fileless malware attacks skyrocket
Fileless malware rates in 2020 increased by 888% over 2019. These threats can be particularly dangerous due to their ability to evade detection by traditional endpoint protection clients and because they can succeed without victims doing anything beyond clicking a malicious link or unknowingly visiting a compromised website.
Deploying endpoint detection and response solutions alongside preventative anti-malware can help identify these threats.
Cryptominers on the rise following 2019 lull
After virtually all cryptocurrency prices crashed in early 2018, cryptominer infections became far less prevalent and reached a low of 633 unique variant detections in 2019. That said, attackers continued adding cryptominer modules to existing botnet infections and extract passive income from victims while abusing their networks for other cybercrime.
As a result and with prices trending upward again in Q4 2020, the volume of cryptominer malware detections climbed more than 25% over 2019 levels to reach 850 unique variants last year.
Ransomware attack volumes continue to shrink
For the second year in a row, the number of unique ransomware payloads trended downward in 2020, falling to 2,152 unique payloads from 4,131 in 2019 and the all-time-high of 5,489 in 2018. These figures represent individual variants of ransomware that may have infected hundreds or thousands of endpoints worldwide.
The majority of these detections resulted from signatures originally implemented in 2017 to detect WannaCry and its related variants, showing that ransomworm tactics are still thriving over three years after WannaCry burst onto the scene.
The steady decline in ransomware volume indicates the attackers’ continued shift away from the unfocused, widespread campaigns of the past toward highly-targeted attacks against healthcare organisations, manufacturing firms and other victims for which downtime is unacceptable.
Encrypted, evasive malware attacks see double-digit growth
Despite being the fourth consecutive quarter of decreasing malware volumes overall, 47% of all attacks detected at the network perimeter in Q4 were encrypted.
Additionally, malware delivered via HTTPS connections increased by 41%, while encrypted zero day malware (variants that circumvent antivirus signatures) grew by 22% over Q3.
Botnet malware targeting IoT devices and routers becomes a top strain
In Q4, the Linux.Generic virus (also known as “The Moon”) made its debut on the list of top 10 malware detections. This malware is part of a network of servers that directly target IoT devices and consumer-grade network devices like routers to exploit any open vulnerabilities.
An investigation uncovered Linux-specific malware designed for ARM processors and another payload designed for MIPS processors within the attacker’s infrastructure, indicating a clear focus on evasive attacks against IoT devices.
SolarWinds breach illustrates the perils of supply chain attacks
The sophisticated, allegedly state-sponsored SolarWinds supply chain breach will have wide implications throughout the security industry for years to come. Its effects spread far beyond SolarWinds to almost 100 companies, including some major Fortune 500s, big security companies, and even the US government.
A detailed incident breakdown showcases the importance of defending against supply chain attacks in today’s interconnected digital ecosystem.
New trojan dupes email scanners with multi-payload approach
Trojan.Script.1026663 made its way onto the top five most widespread malware detections list in Q4. The attack begins with an email asking victims to review an order list attachment.
The document triggers a series of payloads and malicious code that ultimately lead the victim machine to load the final attack: the Agent Tesla remote access trojan (RAT) and keylogger.
Network attack volume approaches 2018 peak
Total network attack detections grew by 5% in Q4, reaching their highest level in over two years. Additionally, total unique network attack signatures showed steady growth as well with a 4% increase over Q3. This shows that even as the world continues to operate remotely, the corporate network perimeter is still very much in play as threat actors continue to target on-premises assets.
In Q4, more than 20.6 million malware variants (456 per device) and nearly 3.5 million network threats (77 detections per appliance) were blocked. Collectively 455 unique attack signatures were blocked in Q4 – a 4% increase over Q3 and the most since Q4 2018.
Additionally, the report’s new endpoint threat intelligence provides deeper insight into specific malware attacks and trends throughout the year 2020 based on over 2.5 million unique payload alerts gathered from 1.7 million endpoints across 92 countries.