According to WatchGuard, 74% of threats detected in the first quarter of 2021 were zero-day malware – or malware that a signature-based antivirus solution failed to detect at the time the malware was released – capable of bypassing conventional antivirus solutions.
The report also covers new threat intelligence on rising network attack rates, how attackers are trying to cover up and reuse old exploits, the top malware attacks of the quarter, and more.
“The first quarter of 2021 saw the highest level of zero-day malware detections we have ever recorded. Evasive malware rates have actually eclipsed those of traditional threats, which is another sign that companies need to evolve their defenses to stay ahead of increasingly sophisticated players,” said Corey Nachreiner, CSO at WatchGuard.
“Traditional anti-malware solutions alone are simply insufficient for today’s threat environment. Every organization needs a proactive, layered security strategy that involves machine learning and behavioral analysis to detect and block new and advanced threats.”
Fileless malware variant explodes in popularity
XML.JSLoader is a malicious payload that appeared for the first time on the report's top malware lists, both by volume and by how widely it spread. It was also the variant detected most often via HTTPS inspection in Q1.
The sample identified uses an XML External Entity (XXE) attack to open a shell that runs commands while bypassing the local PowerShell execution policy, and it runs non-interactively, hidden from the actual user or victim. This is another example of the growing prevalence of fileless malware and the need for advanced endpoint detection and response capabilities.
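The description above combines two observable behaviours: an XML document that declares an external entity, and a PowerShell launch that bypasses the execution policy and runs hidden and unattended. The Python below, an added example rather than anything from WatchGuard or the report, checks for both. The XML prolog and the command line it runs against are constructed samples, not artifacts of XML.JSLoader; the command they carry is a harmless directory listing.

```python
"""Detection-only checks for the XXE-plus-hidden-PowerShell pattern.
Nothing here parses the XML with entity expansion or runs a command."""
import re

# A DOCTYPE that pulls an external DTD, or an <!ENTITY ...> bound to a
# SYSTEM/PUBLIC identifier, lets a parser with external entities enabled
# read local files or fetch URLs on the attacker's behalf.
DOCTYPE_EXTERNAL = re.compile(r"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
ENTITY_EXTERNAL = re.compile(r"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
PARAMETER_ENTITY = re.compile(r"<!ENTITY\s+%\s+\S+", re.I)


def xxe_indicators(xml_text):
    """Return the names of XXE constructs found in the document prolog."""
    found = []
    if DOCTYPE_EXTERNAL.search(xml_text):
        found.append("external_dtd")
    if ENTITY_EXTERNAL.search(xml_text):
        found.append("external_entity")
    if PARAMETER_ENTITY.search(xml_text):
        found.append("parameter_entity")
    return found


# powershell.exe accepts any unambiguous prefix of a switch name, so -ep,
# -ex and -ExecutionPolicy are the same switch; the patterns allow that.
PS_EXE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
PS_INDICATORS = {
    "execution_policy_bypass": re.compile(r"-e(?:p|x\w*)\s+(?:bypass|unrestricted)\b", re.I),
    "non_interactive": re.compile(r"-noni\w*\b", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden\b", re.I),
    "no_profile": re.compile(r"-nop\w*\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc\w*)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}


def powershell_indicators(cmdline):
    """Return which unattended/evasive switches a PowerShell command line combines."""
    if not PS_EXE.search(cmdline):
        return []
    return [name for name, rx in PS_INDICATORS.items() if rx.search(cmdline)]


# Constructed samples (not taken from the report or the malware).
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY probe SYSTEM "file:///C:/Windows/win.ini">
]>
<data>&probe;</data>"""
SAMPLE_CMDLINE = ('powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden '
                  '-ExecutionPolicy Bypass -Command "Get-ChildItem C:\\Users"')

if __name__ == "__main__":
    print("XML :", xxe_indicators(SAMPLE_XML))
    print("PS  :", powershell_indicators(SAMPLE_CMDLINE))
```

A single switch such as `-NoProfile` is routine in scheduled scripts; the signal is the combination of execution-policy bypass, a hidden window and a non-interactive session, which is why the function returns the full list rather than a yes/no.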
Simple file name trick helps hackers pass off ransomware loader as legitimate PDF attachments
The Zmutzy ransomware loader emerged as one of the top two encrypted malware variants by volume in the first quarter. Associated specifically with Nibiru ransomware, it reaches victims as a zipped email attachment or as a download from a malicious website. Opening the zip file downloads an executable that appears to the victim to be a legitimate PDF.
The attackers used a comma instead of a period in the file name, together with a manually adjusted icon, to make the malicious executable look like a PDF. This type of attack emphasizes the importance of phishing education and training, as well as implementing backup solutions in case a variant like this triggers a ransomware infection.
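The comma trick works because Windows Explorer hides known extensions, so a file named `Invoice,pdf.exe` is shown as `Invoice,pdf` with whatever icon the binary carries. The Python below is an added example, not code from WatchGuard or the report, that flags attachment names built this way and also compares a file's leading bytes against what its extension promises. All sample names and byte strings are constructed.

```python
"""Flag attachments whose name or content disguises an executable as a
document.  Detection-only; the samples at the bottom are made up."""
import re

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi", "dll", "lnk"}
# Leading bytes expected for extensions we can sniff.
MAGIC = {"pdf": b"%PDF-", "exe": b"MZ", "dll": b"MZ", "scr": b"MZ",
         "zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
         "png": b"\x89PNG", "jpg": b"\xff\xd8\xff"}
# A document extension glued to the stem by a comma, space, dash,
# underscore or a second dot, i.e. the part the user actually sees.
DISGUISE = re.compile(r"[,\s_\-.](?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)$", re.I)
RTLO = "\u202e"   # right-to-left override: reverses how the tail of a name is drawn


def split_name(filename):
    """Split on the last dot, the way the shell decides the real extension."""
    stem, dot, ext = filename.rpartition(".")
    return (stem, ext.lower()) if dot else (filename, "")


def attachment_flags(filename, data=b""):
    """Return the reasons this attachment looks like a disguised executable."""
    stem, ext = split_name(filename)
    flags = []
    if ext in EXECUTABLE_EXTS:
        flags.append("executable_extension")
    if DISGUISE.search(stem):
        flags.append("disguised_as_document")
    if RTLO in filename:
        flags.append("rtlo_override")
    expected = MAGIC.get(ext)
    if expected and data and not data.startswith(expected):
        flags.append("magic_mismatch")      # content does not match the claimed type
    return flags


if __name__ == "__main__":
    samples = [                                        # constructed, not real attachments
        ("Invoice_2021,pdf.exe", b"MZ\x90\x00"),       # the comma trick
        ("report.pdf", b"MZ\x90\x00"),                 # PE bytes behind a .pdf name
        ("statement.pdf", b"%PDF-1.7\n"),              # genuine PDF
        ("invoice" + RTLO + "fdp.exe", b"MZ\x90\x00"), # displays as invoiceexe.pdf
    ]
    for name, head in samples:
        print(repr(name), "->", attachment_flags(name, head))
```

A mail gateway should apply both checks: the name check catches the lure even when the payload is delivered later, and the magic check catches an executable that was simply renamed to `.pdf`.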
Threat actors continue to attack IoT devices
While not making the top 10 malware list for Q1, the Linux.Ngioweb.B variant has recently been used by adversaries to target IoT devices. The first version of this sample targeted Linux servers running WordPress, initially arriving as an Executable and Linkable Format (ELF) file. Another version of this malware turns IoT devices into a botnet with rotating command and control servers.
Network attacks increase by more than 20%
Over 4 million network attacks were detected, an increase of 21% from the previous quarter and the highest volume since early 2018. Enterprise servers and on-premises assets remain high-value targets for attackers despite the shift to remote and hybrid work, so organizations must maintain perimeter security alongside user-centric protections.
An old directory traversal attack technique returns
A new threat signature was detected in the first quarter involving a directory traversal attack in Microsoft Cabinet (CAB) files, an archive format designed by Microsoft for lossless data compression that can also carry embedded digital certificates.
A new addition to the top 10 network attacks list, this exploit tricks users into opening a malicious CAB file by conventional techniques, or spoofs a network-connected printer to trick users into installing a printer driver via a compromised CAB file.
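Directory traversal in an archive comes down to entry names such as `..\..\Windows\...` or `C:\...` that a naive extractor writes outside its target directory. The Python below is an added example (not WatchGuard's signature or code) that reads the file directory of a CAB by walking its CFHEADER and CFFILE structures, as laid out in Microsoft's cabinet format, and flags escaping names. The sample cabinet is built in the same block and carries directory entries only, no compressed data; its entry names, including `evil.sys` and `dropper.dll`, are hypothetical.

```python
"""Read the directory of a Microsoft Cabinet (CAB) file and flag entry
names that would escape the extraction directory."""
import re
import struct

CFHEADER = "<4sIIIIIBBHHHHH"   # 36-byte fixed header; reserve/prev/next fields may follow
CFFOLDER = "<IHH"              # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"             # cbFile, uoffFolderStart, iFolder, date, time, attribs
ATTR_NAME_IS_UTF = 0x80        # szName is UTF-8 rather than the ANSI code page


def cab_entry_names(data):
    """Return the szName of every CFFILE entry, in directory order."""
    if data[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    fields = struct.unpack_from(CFHEADER, data, 0)
    coff_files, c_files = fields[4], fields[9]       # absolute offset of first CFFILE, count
    # coffFiles is absolute, so optional fields between the header and the
    # first CFFILE (reserve area, previous/next cabinet names) need no parsing.
    names, pos = [], coff_files
    for _ in range(c_files):
        *_, attribs = struct.unpack_from(CFFILE, data, pos)
        pos += struct.calcsize(CFFILE)
        end = data.index(b"\0", pos)                  # szName is NUL-terminated
        encoding = "utf-8" if attribs & ATTR_NAME_IS_UTF else "cp1252"
        names.append(data[pos:end].decode(encoding, errors="replace"))
        pos = end + 1
    return names


def escapes_extract_dir(name):
    """True if extracting this name under a target directory could land outside it."""
    if name.startswith(("\\", "/")) or re.match(r"^[A-Za-z]:", name):
        return True                                   # absolute or drive-qualified path
    return any(part == ".." for part in re.split(r"[\\/]+", name))


def unsafe_entries(data):
    return [n for n in cab_entry_names(data) if escapes_extract_dir(n)]


def build_sample_cab(names):
    """Constructed test cabinet: one folder, no CFDATA blocks, the given names."""
    entries = b"".join(struct.pack(CFFILE, 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\0"
                       for n in names)               # attribs 0x20 = _A_ARCH, plain ANSI name
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    cb_cabinet = coff_files + len(entries)
    header = struct.pack(CFHEADER, b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(names), 0, 0, 0)   # version 1.3, one folder, no flags
    folder = struct.pack(CFFOLDER, cb_cabinet, 0, 0)     # data would begin at EOF; none present
    return header + folder + entries


# Hypothetical entry names; the last two would be written outside the target by a naive extractor.
SAMPLE_NAMES = ["readme.txt", "sub\\ok.txt",
                "..\\..\\Windows\\System32\\drivers\\evil.sys",
                "C:\\Windows\\Temp\\dropper.dll"]

if __name__ == "__main__":
    cab = build_sample_cab(SAMPLE_NAMES)
    print("entries:", cab_entry_names(cab))
    print("unsafe :", unsafe_entries(cab))
```

The check rejects any `..` component rather than normalising the path, which is the conservative choice for an inspection point: a legitimate installer has no reason to ship `a\..\b` style names.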
HAFNIUM zero days provides lessons on threat tactics and response best practices
Microsoft last quarter reported that adversaries were using the four Exchange Server vulnerabilities exploited by the HAFNIUM group to gain full, unauthenticated remote code execution as SYSTEM and arbitrary file write access on any unpatched server exposed to the Internet, as most mail servers are.
Attackers Co-Opt Legitimate Domains In Cryptomining Campaigns
In the first quarter, several compromised and outright malicious domains associated with cryptomining threats were blocked. Cryptominer malware has become increasingly popular due to recent price spikes in the cryptocurrency market and the ease with which malicious actors can siphon computing resources from unsuspecting victims.