74% of threats detected in Q1 2021 were zero day malware – or those for which a signature-based antivirus solution did not detect at the time of the malware release – capable of circumventing conventional antivirus solutions, according to WatchGuard.
The report also covers new threat intelligence on rising network attack rates, how attackers are trying to disguise and repurpose old exploits, the quarter’s top malware attacks, and more.
“Q1 2021 saw the highest level of zero day malware detections we’ve ever recorded. Evasive malware rates have actually eclipsed those of traditional threats, which is yet another sign that organizations need to evolve their defenses to stay ahead of increasingly sophisticated threat actors,” said Corey Nachreiner, CSO at WatchGuard.
“Traditional anti-malware solutions alone are simply insufficient for today’s threat environment. Every organization needs a layered, proactive security strategy that involves machine learning and behavioral analysis to detect and block new and advanced threats.”
Fileless malware variant explodes in popularity
XML.JSLoader is a malicious payload that appeared for the first time in both top malware by volume and most widespread malware detections lists. It was also the variant detected most often via HTTPS inspection in Q1.
The sample identified uses an XML external entity (XXE) attack to open a shell to run commands to bypass the local PowerShell execution policy and runs in a non-interactive way, hidden from the actual user or victim. This is another example of the rising prevalence of fileless malware and the need for advanced endpoint detection and response capabilities.
Simple file name trick helps hackers pass off ransomware loader as legitimate PDF attachments
Ransomware loader Zmutzy surfaced as a top-two encrypted malware variant by volume in Q1. Associated with Nibiru ransomware specifically, victims encounter this threat as a zipped file attachment to an email or a download from a malicious website. Running the zip file downloads an executable, which to the victim appears to be a legitimate PDF.
Attackers used a comma instead of a period in the file name and a manually adjusted icon to pass the malicious zip file off as a PDF. This type of attack highlights the importance of phishing education and training, as well as implementing back-up solutions in the event that a variant like this unleashes a ransomware infection.
Threat actors continue to attack IoT devices
While it didn’t make top 10 malware list for Q1, the Linux.Ngioweb.B variant has been used by adversaries recently to target IoT devices. The first version of this sample targeted Linux servers running WordPress, arriving initially as an extended format language (EFL) file. Another version of this malware turns the IoT devices into a botnet with rotating command and control servers.
Network attacks surge more than 20%
More than 4 million network attacks were detected, a 21% increase compared to the previous quarter and the highest volume since early 2018. Corporate servers and assets on site are still high-value targets for attackers despite the shift to remote and hybrid work, so organizations must maintain perimeter security alongside user-focused protections.
An old directory traversal attack technique makes a comeback
A new threat signature was detected in Q1 that involves a directory traversal attack via cabinet (CAB) files, a Microsoft-designed archival format intended for lossless data compression and embedded digital certificates.
A new addition to the top 10 network attacks list, this exploit either tricks users into opening a malicious CAB file using conventional techniques, or by spoofing a network-connected printer to fool users into installing a printer driver via a compromised CAB file.
HAFNIUM zero days provide lessons on threat tactics and response best practices
Last quarter, Microsoft reported that adversaries used the four HAFNIUM vulnerabilities in various Exchange Server versions to gain full, unauthenticated system remote code execution and arbitrary file-write access to any unpatched server exposed to the Internet, as most email servers are.
Attackers co-opt legitimate domains in cryptomining campaigns
In Q1, several compromised and outright malicious domains associated with cryptomining threats were blocked. Cryptominer malware has become increasingly popular due to recent price spikes in the cryptocurrency market and the ease with which threat actors can siphon resources from unsuspecting victims.