By Emil Hozan, Threat Analyst at WatchGuard Technologies
Every quarter, WatchGuard’s Threat Lab research team releases an Internet Security Report (ISR) that covers the top cyber threats and statistics, including insights on malware, zero day malware, network attacks and DNS-level attacks. Based on anonymized data from WatchGuard Firebox owners located around the world, this threat intelligence feed captures information from more than 36,000 actively deployed devices. As a result, Threat Lab can provide analysis on the quarter’s top security incidents and explore key trends and takeaways for the reader. What did we learn in our most recent Q3’19 report? Let’s dive in.
At a high level, WatchGuard identified 29,255,063 malware variants (or 797 per device) across three anti-malware engines, and 2,398,986 network attacks (or 65 per device).
Expanding first on the malware attacks, the data showed that malware detections were up 4% from the previous quarter (Q2’19), but up 60% year-over-year (from Q3’18). Even more alarmingly, zero day malware (new or evasive malware that doesn’t match any existing antivirus signatures) accounted for just under 50% of all malware detected – which was the highest it’s ever been. Furthermore, two of the attacks in the Top 10 were Office exploits (and they were also the most widespread attacks). In the Americas region, malware accounted for 42% of all attacks detected, with EMEA in second place (30%) and APAC in third (28%). It’s worth noting that two new attacks debuted on the Top 10 list – both were penetration testing tools. And finally, while Mimikatz appearances plummeted nearly 50% over the previous quarter, one of the new attacks that emerged was Hacktool.JQ, also known as Windows Credentials Editor (WCE), which includes features for pass-the-hash attacks.
Finally, let’s look at one of the top security incidents in Q3’19. At the cost of individual privacy, the country of Kazakhstan forced its citizens to install an HTTPS certificate that effectively allowed the government to man-in-the-middle encrypted network connections. Official statements claimed it was just a test to ensure protective measures “would not inconvenience Kazakh Internet users.” But we’re not buying it. Kazakhstan’s forced certificate authority (CA) install continued from July 17, 2019 until the end of August, when it was finally blocked by Google, Mozilla and Apple. As a side note, this wasn’t the first time that Kazakhstan violated its citizens’ privacy. Back in December 2015, the government tried to have Mozilla add a government CA to Firefox’s trusted list. Mozilla refused the request. During the same timeframe, Kazakhstan issued a declaration requiring users to install the government-issued certificate by January 1st, 2016 (this was eventually halted after the government was sued by multiple organizations over security concerns).
What are some key lessons from the Q3’19 report? First, as we saw from the network attacks leveraged against Apache web servers, you shouldn’t skimp on patching. Make it a priority to stay apprised of the latest updates that vendors push out. To that end, Flash Player is obsolete at this point. If you don’t have a specific use case for it, remove it. Second, ensure you’re protected by more than just signature-based malware solutions. With so many zero day attacks, it’s evident that signature-based solutions simply won’t cut it today. Third, use multi-factor authentication (MFA). Yes, Mimikatz appearances dropped in Q3’19, but with another password-stealing tool on our malware Top 10 list, go the extra step: use an MFA solution and stop relying on just a password to protect critical systems and accounts. And finally, Kazakhstan has taught us to never blindly install any CA certificate without understanding why it’s required or what it’s doing. Stay safe!
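The Kazakhstan incident above works because a root CA added to a device's trust store lets whoever holds that CA's key sign certificates for any site, which is exactly what a man-in-the-middle needs. A practical way to act on the last lesson is to keep a baseline of the SHA-256 fingerprints of the trust anchors you expect and periodically diff the installed bundle against it. The following Python is an added example written for this post, not WatchGuard's code or a tool from the report. It uses only the standard library; the "certificates" it runs on are constructed placeholder byte strings (labelled as such in the code), not real X.509 roots, and the on-disk bundle path in `audit_system_bundle` is an assumption taken from the Debian/Ubuntu default.

```python
import base64
import hashlib
import re
import ssl

# Matches the base64 body of each certificate in a PEM bundle.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_bundle_to_ders(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_CERT_RE.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate as a lowercase hex string."""
    return hashlib.sha256(der).hexdigest()


def make_bundle(ders):
    """Serialise DER blobs back into a PEM bundle (used to build the sample input)."""
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in ders)


def audit_trust_store(pem_text, baseline):
    """Diff the anchors in pem_text against a baseline set of SHA-256 fingerprints.

    'unexpected' lists anchors that are installed but absent from the baseline
    (the signature of a quietly added root); 'missing' lists baseline anchors
    that have disappeared, which can also indicate tampering.
    """
    present = [fingerprint(der) for der in pem_bundle_to_ders(pem_text)]
    present_set = set(present)
    unexpected = [fp for fp in present if fp not in baseline]
    missing = sorted(fp for fp in baseline if fp not in present_set)
    return {"unexpected": unexpected, "missing": missing}


def audit_system_bundle(baseline, path="/etc/ssl/certs/ca-certificates.crt"):
    """Audit a real on-disk bundle. The default path is an assumption
    (Debian/Ubuntu layout); adjust it for your platform."""
    with open(path, "r", encoding="ascii") as handle:
        return audit_trust_store(handle.read(), baseline)


# Constructed placeholders standing in for DER-encoded roots so the example runs
# offline. They are opaque bytes, NOT valid X.509 certificates.
KNOWN_ROOT_A = b"constructed-root-A"
KNOWN_ROOT_B = b"constructed-root-B"
INJECTED_ROOT = b"constructed-injected-root"

# Baseline captured from a known-good system: only the two expected anchors.
BASELINE = {fingerprint(KNOWN_ROOT_A), fingerprint(KNOWN_ROOT_B)}

# The bundle as it looks after an extra anchor has been slipped in.
SAMPLE_BUNDLE = make_bundle([KNOWN_ROOT_A, INJECTED_ROOT, KNOWN_ROOT_B])


if __name__ == "__main__":
    result = audit_trust_store(SAMPLE_BUNDLE, BASELINE)
    for fp in result["unexpected"]:
        print("unexpected trust anchor:", fp)
    for fp in result["missing"]:
        print("baseline anchor missing:", fp)
```

In practice the baseline is the fingerprint set recorded when a machine is built, and the audit runs from a scheduled job or an endpoint agent; a non-empty `unexpected` list is the alert, and the fingerprint can be checked against the vendor's published root list before anyone decides it is benign.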