Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:50 PM
Connect Directly

74% of Q1 Malware Was Undetectable Via Signature-Based Tools

Attackers have improved on tweaking old malware to continue sneaking it past traditional threat detection controls, researchers report.

Organizations relying on traditional signature-based tools to detect security threats would likely have missed roughly three-quarters of malware samples that hit their networks and systems last quarter, a new analysis shows.

WatchGuard Technologies recently analyzed threat data collected from customer networks during the first quarter of 2021 and found 74% of threats detected were zero-day malware for which no anti-virus signatures were available at time of malware release. As a result, the malware was capable of bypassing signature-based threat detection tools and breaching enterprise systems.

Related Content:

Top 5 Attack Techniques May Be Easier to Detect Than You Think

Special Report: Building the SOC of the Future

New From The Edge: rMTD: A Deception Method That Throws Attackers Off Their Game

The level of zero-day malware detections in the first quarter was the highest WatchGuard has ever observed in a single quarter and completely eclipsed the volume of traditional threats, the security vendor said in a report this week.

"The main takeaway is enterprises — and organizations of all sizes really — need to get serious about proactive malware detection," says Corey Nachreiner, chief security officer at WatchGuard. Attackers have consistently gotten better at repackaging old malware in ways that its binary profile doesn't match previous fingerprints and patterns used to detect it. In the past, such "packing and crypting" required smart criminals. These days, tools are readily available in underground markets that make it easy for attackers to keep digitally altering the same malware so it can bypass signature-based systems, he says.

A few years ago, such zero-day malware represented about 30% of all detected malware samples. More recently, that number has hovered around the 50% range and occasionally hit 60%. Seeing that number reach 74% in the first quarter was a bit surprising, Nachreiner says. "Pattern-based malware detection is no longer sufficient with the volumes of new malware that we see today," he says. "Traditional antivirus products alone will miss many threats."

Exacerbating the issue is the continued use of fileless or living-off-the-land (LotL) techniques that are explicitly designed to evade traditional detection tools, which focus on inspecting files and registry entries.

One particularly egregious example of such a fileless threat in the first quarter was XML.JSLoader. "Ultimately it was JavaScript hidden in an XML file that spawned PowerShell, one of the most common LotL techniques out there," Nachreiner says. The malware was one of five new malware families that cracked WatchGuard's list of the top 10 malware by volume in the first quarter. The others were Ursu, Trojan.IFrame, Zmutzy, and Zum.Androm.  

"It's hard to say exactly why this threat hit such high volume and spread," he notes; however, it likely had to do with the fact that XML.JSLoader was fileless and attackers found success infecting systems with it.

Network Attack Volumes Rise

In other developments, network attack volumes reached a three-year high in the first quarter of this year. WatchGuard's analysis showed more than 4.2 million hits on its intrusion prevention systems at customer suites. On average, the company's Firebox appliances blocked 113 attacks per appliance — a 47% increase over the previous quarter. The overall increase in network attack volumes came amid a decline in network malware volumes.

"We believe this pattern speaks to the changes in remote work that followed the pandemic," Nachreiner notes.

Before the second quarter of 2020, network attacks and malware detection were both rising quarter after quarter at the network gateway. Since the pandemic began, attackers have focused more on remote employee endpoints. The trend has driven a decline in network malware detections. However, network attacks, such as those exploiting software vulnerabilities on enterprise servers and network services, have continued to grow. In fact, companies may have even exposed more network services to enable better remote access to corporate resources.

"In other words, some of these trends speak more to where we now catch certain threats due to remote work," Nachreiner says. "Malware detection today leans more on the endpoint since home employees don't have sophisticated network security, but you still need your network perimeter to protect your cloud and office servers."

Interestingly, and counter to a trend that at least a couple of other vendors have reported, WatchGuard says it observed a decline in malware using encrypted communications during the first quarter of 2021. According to the vendor, malware sent over encrypted communication declined to under 44% last quarter, marking a 10% drop from the third quarter of 2020 and 3% drop from the fourth quarter of 2020. WatchGuard says it observed the same pattern with zero-day malware as well. Other companies, such as Sophos, have reported just the opposite — a sharp increase in malware using encrypted communication between the last quarter and previous few quarters.

Nachreiner says one likely reason is that many WatchGuard customers have simply not enabled HTTPS inspection on their Firebox appliance because it involves some degree of work. Otherwise, WatchGuard too has generally observed a consistent increase in malware using TLS in recent years. "We expect more and more malware to leverage encryption as more and more of the legitimate web goes HTTPS only," he says.

The threat landscape in the first quarter of 2021 highlights the need for organizations to deploy protections that go beyond signature and pattern-based tools. Organizations increasingly need controls for both blocking threats before they execute and for detecting and responding to them after execution.

"In general, endpoint protection (EPP) solutions focus on preventing malware pre-execution, while endpoint detection and response (EDR) solutions focus on detecting malware that might have made it on your system and is running," Nachreiner says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-25
There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.
PUBLISHED: 2021-09-24
Shopkit v2.7 contains a reflective cross-site scripting (XSS) vulnerability in the /account/register component, which allows attackers to hijack user credentials via a crafted payload in the E-Mail text field.
PUBLISHED: 2021-09-24
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in ver...
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This iss...