WatchGuard Blog

ISR Q3 2021: 6 steps to reduce threat risk

The latest Internet Security Report, produced by the WatchGuard Threat Lab team, compiles analysis detailing malware evolution and trends based on data collected from 35,180 Firebox devices worldwide. Its key findings are as follows:  

  • By the end of September, ransomware attacks had already reached 105% of the full volume for 2020 and were heading towards 150%. In addition, ransomware-as-a-service (RaaS) attacks such as REvil and GandCrab continued to make things easier for less skilled cyber threat actors.  

  • Kaseya was the big cybersecurity incident during this quarter and again highlighted the risks to organizations from supply chain cyberattacks.  

  • Zero-day (unknown) malware accounted for 67.2% of malware detected by devices. In addition, nearly half of malware (47%) arrived over encrypted (TLS) connections. Although most of this is not advanced malware, it is a cause for concern.

  • Vulnerabilities in both older and newer versions of Microsoft Windows and Office continue to be a major entry vector for hackers to exploit. 

  • Of the 4,095,320 incidents detected, the vast majority (81%) matched one of the top 10 malware signatures. In fact, there was only one new signature since the previous report, and the top position (an SQL injection) has remained the same since Q2 2019.

  • Script attacks continue at a record pace, with 10% more in this quarter than in the whole of 2020. It should be noted that even cyber threat actors with limited knowledge can easily employ scripting tools such as PowerSploit, PowerWare and Cobalt Strike, which can evade endpoint detection solutions if those solutions are not very advanced.

  • Firebox devices blocked 5.6 million malicious domains, including several that attempted to install cryptocurrency software on systems. The focus is usually put on malware that uses ad hoc-created malicious domains as a vector, but even legitimate domains can be compromised: this happened because of a protocol flaw in Microsoft Exchange Server that allowed cyber attackers to collect credentials from many domains that were assumed secure. 

The volume and severity of incidents the report outlines for Q3 2021 do not seem to have decreased in recent months. For these reasons, organizations should adopt several measures in order to be better prepared for upcoming threats:

  • Zero-trust approach: Kaseya demonstrates that any software, no matter how legitimate and trustworthy it may seem, can be an entry vector for cyber threat actors. Therefore, it is imperative that all cybersecurity tools and measures start from a zero-trust premise, so that binaries are analyzed before being executed on the organization's systems.

  • Advanced Endpoint Protection, Detection and Response (EPDR) tools: basic endpoint detection tools can miss scripting and more sophisticated living-off-the-land attacks that may use fileless malware. In these cases, it is advisable to deploy next-generation endpoint protection, detection and response solutions.

  • Up-to-date software and systems: maintaining adequate update and patch management processes for all the organization's software is essential to minimize the number of vulnerabilities that can be exploited by attackers. 

  • Protecting access to Microsoft Exchange Servers and Microsoft Office software: both are among the main entry vectors for attacks on corporate networks. In the case of Exchange, it is advisable to have a DNS filtering tool to detect and block potentially dangerous connections. With regard to Office, it is important not to allow the execution of macros unless they have been checked with their sender through a channel that is independent from e-mail.

  • Segment the network: cyber threat actors use tools to move laterally within the organization. Hence, it is not only important to have firewall tools to filter external access, but also to segment the network. As a result, even if there is a vulnerability in a server, the cyber attacker's tool will not be able to move freely within the systems.

  • Regulate and audit access and administration permissions: when certain permissions are granted to vendors (e.g. to perform local network deployments in the organization), there is a risk that malicious actors could escalate and obtain higher privileges for the server and all systems in the organization. To avoid this, it is important to grant as few privileges as possible to allow operations to run.
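The Office macro recommendation above can be enforced as a policy rather than left to each user's judgement. The following PowerShell is an added example, not code from the WatchGuard report: it audits the current macro settings for Word, Excel and PowerPoint and then applies the hardened ones. It assumes Office 2016/2019/365 (registry version "16.0") and writes the per-user policy keys directly; in a domain the same values are normally pushed through Group Policy Administrative Templates instead.

```powershell
# Added example: audit and harden Office macro settings via the per-user policy keys.
# Assumptions: Office registry version 16.0; run as the user whose Office profile is audited.
$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-MacroPolicy {
    # Reports the macro settings per application. A missing VBAWarnings value means the
    # application falls back to its default ("disable with notification"), which still
    # lets a user click "Enable Content" on a document that arrived by e-mail.
    foreach ($app in $OfficeApps) {
        $key  = Join-Path $PolicyRoot "$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = if ($null -eq $vba) { 'not set (weak)' } else { $vba }
            BlockInternetMacros = if ($motw -eq 1) { 'enabled' } else { 'not set (weak)' }
        }
    }
}

function Set-MacroPolicy {
    # VBAWarnings: 1 = enable all (weakest), 2 = disable with notification (default),
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    # Signed-only (3) keeps approved, code-signed internal macros working; combined with
    # blockcontentexecutionfrominternet = 1, any macro in a file carrying the
    # Mark of the Web (downloaded or received by e-mail) is blocked outright.
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

Get-MacroPolicy | Format-Table -AutoSize   # settings before hardening
Set-MacroPolicy -VBAWarnings 3
Get-MacroPolicy | Format-Table -AutoSize   # settings after hardening
```

Running the audit function first, before applying anything, gives a quick inventory of which endpoints are still on the weak default; the "checked with the sender through an independent channel" step in the text then becomes the approval gate for signing a macro, not for clicking "Enable Content".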
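The last recommendation, auditing the permissions granted to vendors, starts with knowing who actually holds local administrator rights on each system. The PowerShell below is an added example, not part of the report: it lists the members of the local Administrators group and flags anyone not on an approved list. The approved list is a constructed placeholder; the real one should come from the organization's change records.

```powershell
# Added example: flag local administrator group members that are not on the approved list.
# The entries below are constructed placeholders, not real account names.
$ApprovedAdmins = @(
    'CORP\Domain Admins',
    'CORP\Workstation-Admins'
)

function Find-UnapprovedAdmin {
    param([string[]]$Approved = $ApprovedAdmins)
    # Get-LocalGroupMember returns domain and local principals alike; comparing on the
    # full DOMAIN\Name string avoids matching a local account that shares a name with
    # an approved domain group.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

$unexpected = Find-UnapprovedAdmin
if ($unexpected) {
    Write-Warning 'Local admin rights granted outside the approved list:'
    $unexpected | Format-Table -AutoSize
    # After review, remove a standing grant that a finished vendor deployment no longer needs:
    #   Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\vendor-deploy'
} else {
    Write-Host 'No unapproved local administrators.'
}
```

Entries with PrincipalSource set to Local deserve particular attention, since a local account created for a one-off vendor deployment is exactly the kind of standing privilege that outlives its purpose and that the text warns can be escalated from.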