Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
05:50 PM
Connect Directly

74% of Q1 Malware Was Undetectable Via Signature-Based Tools

Attackers have improved on tweaking old malware to continue sneaking it past traditional threat detection controls, researchers report.

Organizations relying on traditional signature-based tools to detect security threats would likely have missed roughly three-quarters of malware samples that hit their networks and systems last quarter, a new analysis shows.

WatchGuard Technologies recently analyzed threat data collected from customer networks during the first quarter of 2021 and found 74% of threats detected were zero-day malware for which no anti-virus signatures were available at time of malware release. As a result, the malware was capable of bypassing signature-based threat detection tools and breaching enterprise systems.

Related Content:

Top 5 Attack Techniques May Be Easier to Detect Than You Think

Special Report: Building the SOC of the Future

New From The Edge: rMTD: A Deception Method That Throws Attackers Off Their Game

The level of zero-day malware detections in the first quarter was the highest WatchGuard has ever observed in a single quarter and completely eclipsed the volume of traditional threats, the security vendor said in a report this week.

"The main takeaway is enterprises — and organizations of all sizes really — need to get serious about proactive malware detection," says Corey Nachreiner, chief security officer at WatchGuard. Attackers have consistently gotten better at repackaging old malware in ways that its binary profile doesn't match previous fingerprints and patterns used to detect it. In the past, such "packing and crypting" required smart criminals. These days, tools are readily available in underground markets that make it easy for attackers to keep digitally altering the same malware so it can bypass signature-based systems, he says.

A few years ago, such zero-day malware represented about 30% of all detected malware samples. More recently, that number has hovered around the 50% range and occasionally hit 60%. Seeing that number reach 74% in the first quarter was a bit surprising, Nachreiner says. "Pattern-based malware detection is no longer sufficient with the volumes of new malware that we see today," he says. "Traditional antivirus products alone will miss many threats."

Exacerbating the issue is the continued use of fileless or living-off-the-land (LotL) techniques that are explicitly designed to evade traditional detection tools, which focus on inspecting files and registry entries.

One particularly egregious example of such a fileless threat in the first quarter was XML.JSLoader. "Ultimately it was JavaScript hidden in an XML file that spawned PowerShell, one of the most common LotL techniques out there," Nachreiner says. The malware was one of five new malware families that cracked WatchGuard's list of the top 10 malware by volume in the first quarter. The others were Ursu, Trojan.IFrame, Zmutzy, and Zum.Androm.  

"It's hard to say exactly why this threat hit such high volume and spread," he notes; however, it likely had to do with the fact that XML.JSLoader was fileless and attackers found success infecting systems with it.

Network Attack Volumes Rise

In other developments, network attack volumes reached a three-year high in the first quarter of this year. WatchGuard's analysis showed more than 4.2 million hits on its intrusion prevention systems at customer suites. On average, the company's Firebox appliances blocked 113 attacks per appliance — a 47% increase over the previous quarter. The overall increase in network attack volumes came amid a decline in network malware volumes.

"We believe this pattern speaks to the changes in remote work that followed the pandemic," Nachreiner notes.

Before the second quarter of 2020, network attacks and malware detection were both rising quarter after quarter at the network gateway. Since the pandemic began, attackers have focused more on remote employee endpoints. The trend has driven a decline in network malware detections. However, network attacks, such as those exploiting software vulnerabilities on enterprise servers and network services, have continued to grow. In fact, companies may have even exposed more network services to enable better remote access to corporate resources.

"In other words, some of these trends speak more to where we now catch certain threats due to remote work," Nachreiner says. "Malware detection today leans more on the endpoint since home employees don't have sophisticated network security, but you still need your network perimeter to protect your cloud and office servers."

Interestingly, and counter to a trend that at least a couple of other vendors have reported, WatchGuard says it observed a decline in malware using encrypted communications during the first quarter of 2021. According to the vendor, malware sent over encrypted communication declined to under 44% last quarter, marking a 10% drop from the third quarter of 2020 and 3% drop from the fourth quarter of 2020. WatchGuard says it observed the same pattern with zero-day malware as well. Other companies, such as Sophos, have reported just the opposite — a sharp increase in malware using encrypted communication between the last quarter and previous few quarters.

Nachreiner says one likely reason is that many WatchGuard customers have simply not enabled HTTPS inspection on their Firebox appliance because it involves some degree of work. Otherwise, WatchGuard too has generally observed a consistent increase in malware using TLS in recent years. "We expect more and more malware to leverage encryption as more and more of the legitimate web goes HTTPS only," he says.

The threat landscape in the first quarter of 2021 highlights the need for organizations to deploy protections that go beyond signature and pattern-based tools. Organizations increasingly need controls for both blocking threats before they execute and for detecting and responding to them after execution.

"In general, endpoint protection (EPP) solutions focus on preventing malware pre-execution, while endpoint detection and response (EDR) solutions focus on detecting malware that might have made it on your system and is running," Nachreiner says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file