Organizations relying on traditional signature-based tools to detect security threats would likely have missed roughly three-quarters of malware samples that hit their networks and systems last quarter, a new analysis shows.

WatchGuard Technologies recently analyzed threat data collected from customer networks during the first quarter of 2021 and found 74% of threats detected were zero-day malware for which no anti-virus signatures were available at time of malware release. As a result, the malware was capable of bypassing signature-based threat detection tools and breaching enterprise systems.

The level of zero-day malware detections in the first quarter was the highest WatchGuard has ever observed in a single quarter and completely eclipsed the volume of traditional threats, the security vendor said in a report this week.

"The main takeaway is enterprises — and organizations of all sizes really — need to get serious about proactive malware detection," says Corey Nachreiner, chief security officer at WatchGuard. Attackers have consistently gotten better at repackaging old malware in ways that its binary profile doesn't match previous fingerprints and patterns used to detect it. In the past, such "packing and crypting" required smart criminals. These days, tools are readily available in underground markets that make it easy for attackers to keep digitally altering the same malware so it can bypass signature-based systems, he says.

A few years ago, such zero-day malware represented about 30% of all detected malware samples. More recently, that number has hovered around the 50% range and occasionally hit 60%. Seeing that number reach 74% in the first quarter was a bit surprising, Nachreiner says. "Pattern-based malware detection is no longer sufficient with the volumes of new malware that we see today," he says. "Traditional antivirus products alone will miss many threats."

Exacerbating the issue is the continued use of fileless or living-off-the-land (LotL) techniques that are explicitly designed to evade traditional detection tools, which focus on inspecting files and registry entries.

One particularly egregious example of such a fileless threat in the first quarter was XML.JSLoader. "Ultimately it was JavaScript hidden in an XML file that spawned PowerShell, one of the most common LotL techniques out there," Nachreiner says. The malware was one of five new malware families that cracked WatchGuard's list of the top 10 malware by volume in the first quarter. The others were Ursu, Trojan.IFrame, Zmutzy, and Zum.Androm.  

"It's hard to say exactly why this threat hit such high volume and spread," he notes; however, it likely had to do with the fact that XML.JSLoader was fileless and attackers found success infecting systems with it.

Network Attack Volumes Rise

In other developments, network attack volumes reached a three-year high in the first quarter of this year. WatchGuard's analysis showed more than 4.2 million hits on its intrusion prevention systems at customer suites. On average, the company's Firebox appliances blocked 113 attacks per appliance — a 47% increase over the previous quarter. The overall increase in network attack volumes came amid a decline in network malware volumes.

"We believe this pattern speaks to the changes in remote work that followed the pandemic," Nachreiner notes.

Before the second quarter of 2020, network attacks and malware detection were both rising quarter after quarter at the network gateway. Since the pandemic began, attackers have focused more on remote employee endpoints. The trend has driven a decline in network malware detections. However, network attacks, such as those exploiting software vulnerabilities on enterprise servers and network services, have continued to grow. In fact, companies may have even exposed more network services to enable better remote access to corporate resources.

"In other words, some of these trends speak more to where we now catch certain threats due to remote work," Nachreiner says. "Malware detection today leans more on the endpoint since home employees don't have sophisticated network security, but you still need your network perimeter to protect your cloud and office servers."

Interestingly, and counter to a trend that at least a couple of other vendors have reported, WatchGuard says it observed a decline in malware using encrypted communications during the first quarter of 2021. According to the vendor, malware sent over encrypted communication declined to under 44% last quarter, marking a 10% drop from the third quarter of 2020 and 3% drop from the fourth quarter of 2020. WatchGuard says it observed the same pattern with zero-day malware as well. Other companies, such as Sophos, have reported just the opposite — a sharp increase in malware using encrypted communication between the last quarter and previous few quarters.

Nachreiner says one likely reason is that many WatchGuard customers have simply not enabled HTTPS inspection on their Firebox appliance because it involves some degree of work. Otherwise, WatchGuard too has generally observed a consistent increase in malware using TLS in recent years. "We expect more and more malware to leverage encryption as more and more of the legitimate web goes HTTPS only," he says.

The threat landscape in the first quarter of 2021 highlights the need for organizations to deploy protections that go beyond signature and pattern-based tools. Organizations increasingly need controls for both blocking threats before they execute and for detecting and responding to them after execution.

"In general, endpoint protection (EPP) solutions focus on preventing malware pre-execution, while endpoint detection and response (EDR) solutions focus on detecting malware that might have made it on your system and is running," Nachreiner says.