WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

WatchGuard Technologies, Inc

New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties

SEATTLE, Dec. 15, 2022 (GLOBE NEWSWIRE) -- WatchGuard® Technologies, a global leader in unified cybersecurity, today released its latest quarterly Internet Security Report, detailing the top malware trends, and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q3 2022. Key findings from the data reveal the quarter’s top malware threat was detected exclusively over encrypted connections, ICS attacks are maintaining popularity, LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat engine is delivering a malicious payload, and much more.

“We can’t emphasize enough how important it is for HTTPS inspection to be enabled, even if it requires some tuning and exceptions to do properly. The majority of malware arrives over encrypted HTTPS, and not inspecting it means you’re missing those threats,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “Rightfully so, the big prizes for attackers like an Exchange server or a SCADA management system deserve extraordinary attention as well this quarter. When a patch is available, it’s important to update immediately, as attackers will eventually benefit from any organization that has yet to implement the latest patch.”

Other key findings from the Q3 Internet Security Report include:

  • The vast majority of malware arriving over encrypted connections – Although Agent.IIQ placed third in the overall top 10 malware list this quarter, it landed in the #1 spot on the encrypted malware list for Q3. Comparing its detection counts on the two lists shows that every Agent.IIQ detection came over an encrypted connection. In Q3, when a Firebox was inspecting encrypted traffic, 82% of the malware it detected arrived over those encrypted connections, leaving only 18% detected in cleartext. If your Firebox is not inspecting encrypted traffic, that ratio very likely still holds for your network, and you are missing a large share of malware. At a minimum, endpoint protection gives you a chance to catch it further down the cyber kill chain.

  • ICS and SCADA systems remain trending attack targets – New to the top 10 network attacks list this quarter is a SQL injection-type attack affecting several vendors. One of them is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric's U.motion Builder software, versions 1.2.1 and prior. This is a stark reminder that attackers are not quietly waiting for an opportunity; they are actively seeking to compromise these systems wherever possible.

  • Exchange Server vulnerabilities continue to pose risk – The most recent CVE among the Threat Lab's new signatures this quarter, CVE-2021-26855, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability affecting on-premises servers (the pre-authentication server-side request forgery that anchors the ProxyLogon exploit chain). It carries a CVSS score of 9.8 and is known to have been exploited in the wild. The date and severity of CVE-2021-26855 should also ring a bell: it is one of the vulnerabilities exploited by the group HAFNIUM. While most Exchange servers affected by it have likely been patched by now, most does not mean all, so the risk remains.

  • Threat actors targeting seekers of free software – Fugrafa downloads malware that injects malicious code. This quarter, the Threat Lab examined a sample found in a cheat engine for the popular game Minecraft. The file, shared primarily on Discord, claims to be the Minecraft cheat engine Vape V4 Beta, but that is not all it contains. Agent.FZUW shares some similarities with Variant.Fugrafa, but instead of arriving through a cheat engine, the file itself poses as cracked software. The Threat Lab found that this particular sample has connections to Raccoon Stealer, an information-stealing malware family used, among other things, to hijack account information for cryptocurrency exchange services.

  • LemonDuck malware evolving beyond cryptominer delivery – Even with a dip in the total number of blocked or tracked malware domains in the third quarter of 2022, attacks on unsuspecting users remain high. With three new additions to the top malware domains list, two of them former LemonDuck malware domains and the third classified as Emotet-related, Q3 saw more malware and attempted-malware sites on newer domains than usual. This trend will keep shifting as the cryptocurrency landscape remains in turmoil and attackers look for other ways to trick users. Keeping DNS protection enabled is one way to monitor for, and block, the connections that would otherwise let malware or other serious issues into your organization.

  • JavaScript obfuscation in exploit kits – Signature 1132518, a generic signature for detecting JavaScript obfuscation attacks against browsers, was the only new addition to the most-widespread network attack signatures list this quarter. JavaScript is a common vector for attacking users, and threat actors use JavaScript-based exploit kits constantly, in malvertising, watering hole and phishing attacks, to name a few. As browsers' defensive fortifications have improved, so has attackers' ability to obfuscate malicious JavaScript code.

  • Anatomy of commoditized adversary-in-the-middle attacks – While multi-factor authentication (MFA) is undeniably the single best technology you can deploy to protect against the bulk of authentication attacks, on its own it is not a silver bullet against every attack vector. Cyber adversaries have made this clear with the rapid rise and commoditization of adversary-in-the-middle (AitM) attacks, and the Threat Lab's deep dive on EvilProxy, the top security incident of Q3, shows how malicious actors are pivoting to more sophisticated AitM techniques. Much like the Ransomware-as-a-Service offerings popularized in recent years, the September 2022 release of an AitM toolkit called EvilProxy has significantly lowered the barrier to entry for what was previously a sophisticated attack technique. From a defensive standpoint, successfully combating this kind of AitM attack requires a mix of technical tools and user awareness: in practice, phishing-resistant factors that are bound to the site's origin (FIDO2/WebAuthn) alongside conventional one-time codes, and users who check the address bar before they type anything.

  • A malware family with Gothic Panda ties – The Threat Lab's Q2 2022 report described how Gothic Panda, a state-sponsored threat actor connected to China's Ministry of State Security, was known to use one of that quarter's top malware detections. Interestingly, the top encrypted malware list for Q3 includes a malware family called Taidoor, which was not only created by Gothic Panda but has only ever been observed in use by Chinese government cyber actors. While this malware typically focuses on targets in Japan and Taiwan, the Generic.Taidoor sample analyzed this quarter was found primarily targeting organizations in France, suggesting that some Fireboxes in that region may have detected and blocked parts of a state-sponsored cyberattack.

  • New ransomware and extortion groups in the wild – Also this quarter, the Threat Lab is excited to announce a new, concerted effort to track active ransomware extortion groups and to build out its threat intelligence capabilities so that future reports can carry more ransomware-related information. LockBit tops the list for Q3 with over 200 public extortions on its dark web leak site, nearly four times as many as Basta, the second most prolific ransomware group WatchGuard observed this quarter.
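As an added illustration of the JavaScript obfuscation item above (example code written for this page, not WatchGuard Threat Lab code and not the logic behind signature 1132518), the script below scores JavaScript against a handful of obfuscation indicators, namely runtime code evaluation, decoder calls, hex character escapes and machine-generated hex-style identifiers, and runs them over two constructed samples, one ordinary page script and one loader in the style of common JavaScript obfuscators. The indicator list, weights and threshold are assumptions to be tuned against your own traffic.

```python
"""Heuristic scoring of JavaScript for obfuscation (added example; not WatchGuard
Threat Lab code and not signature 1132518). Indicators, weights and the cut-off
are assumptions: a small, explainable stand-in for a generic inspection check."""
import math
import re
from collections import Counter

# Traits common to obfuscated loaders: runtime evaluation, string decoding
# helpers, dense character escapes and machine-generated identifier names.
DYNAMIC_EVAL = re.compile(r"\b(?:eval|Function|setTimeout|setInterval)\s*\(")
DECODERS = re.compile(r"\b(?:unescape|atob|String\.fromCharCode|decodeURIComponent)\b")
CHAR_ESCAPES = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
HEX_IDENTIFIERS = re.compile(r"\b_0x[0-9a-fA-F]{4,}\b")
OBFUSCATION_THRESHOLD = 4  # assumed cut-off; tune it against your own corpus


def shannon_entropy(text: str) -> float:
    """Bits per character; long encoded blobs push this up."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def score_javascript(src: str) -> dict:
    """Count indicators, add up a weighted score and return a verdict."""
    indicators = {
        "dynamic_eval": len(DYNAMIC_EVAL.findall(src)),
        "decoders": len(DECODERS.findall(src)),
        "char_escapes": len(CHAR_ESCAPES.findall(src)),
        "hex_identifiers": len(set(HEX_IDENTIFIERS.findall(src))),
    }
    entropy = shannon_entropy(src)
    score = (
        (2 if indicators["dynamic_eval"] else 0)
        + (2 if indicators["decoders"] else 0)
        + (2 if indicators["char_escapes"] >= 5 else 0)
        + (2 if indicators["hex_identifiers"] >= 3 else 0)
        + (1 if entropy >= 5.0 else 0)
    )
    return {
        "score": score,
        "entropy": round(entropy, 2),
        "indicators": indicators,
        "obfuscated": score >= OBFUSCATION_THRESHOLD,
    }


# Constructed samples: an ordinary page script and a loader in the style of
# common JavaScript obfuscators (rotated string array, hex escapes, eval).
BENIGN_JS = (
    "function greet(name) {\n"
    "  const banner = document.getElementById('banner');\n"
    "  banner.textContent = 'Hello, ' + name + '!';\n"
    "  return banner.textContent.length;\n"
    "}\n"
    "greet('reader');\n"
)
OBFUSCATED_JS = (
    "var _0x4f2a=['\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e','\\x68\\x72\\x65\\x66'];"
    "(function(_0x1b3c,_0x2d4e){var _0x5a6b=function(_0x7c8d){while(--_0x7c8d){"
    "_0x1b3c['push'](_0x1b3c['shift']());}};_0x5a6b(++_0x2d4e);}(_0x4f2a,0x1a3));"
    "eval(String.fromCharCode(100,111,99,117,109,101,110,116)"
    "+'.'+window[_0x4f2a[0]][_0x4f2a[1]]);"
)


def scan(samples: dict) -> dict:
    """Score each named sample; returns {name: verdict dict}."""
    return {name: score_javascript(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, result in scan({"benign": BENIGN_JS, "obfuscated": OBFUSCATED_JS}).items():
        print(f"{name:10s} score={result['score']} obfuscated={result['obfuscated']} "
              f"entropy={result['entropy']} {result['indicators']}")
```

The benign sample trips none of the indicators; the obfuscated one hits all four (eval, String.fromCharCode, a dozen \x escapes and five _0x names) and is flagged regardless of its entropy. Any single indicator is weak on its own, which is why the score is additive and the threshold needs tuning: minified frameworks also use short names and escapes, and a scanner that only keys on eval is trivially bypassed with Function or indirect calls.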
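To make the adversary-in-the-middle item above concrete, the following simulation (an added example, not WatchGuard's analysis and not EvilProxy code) plays a password-plus-TOTP login and a WebAuthn-style origin-bound login through a reverse proxy sitting on a look-alike origin. The origins, the user, the secrets and the keys are constructed for the example, and an HMAC stands in for the authenticator's public-key signature. Relaying the one-time code hands the proxy a valid session cookie; the origin-bound assertion fails whether the proxy forwards the victim's real origin or claims the legitimate one.

```python
"""Simulated adversary-in-the-middle (AitM) phishing proxy (added example;
not WatchGuard's analysis, not EvilProxy). Origins, user, secrets and keys are
constructed; HMAC stands in for the authenticator's public-key signature."""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.test"       # assumed legitimate IdP origin
PHISH_ORIGIN = "https://login-example.evil.test"  # assumed attacker proxy origin


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_client_data(authn_key: bytes, challenge: str, origin: str) -> str:
    """Stand-in for a WebAuthn assertion: the browser-supplied origin is inside
    the signed client data, so a relay cannot swap it afterwards."""
    client_data = f'{{"challenge":"{challenge}","origin":"{origin}"}}'.encode()
    return hmac.new(authn_key, client_data, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy IdP: password+TOTP login and an origin-bound (WebAuthn-style) login."""

    def __init__(self, origin: str, users: dict):
        self.origin, self.users, self.sessions = origin, users, {}

    def _issue_session(self, username: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def login_totp(self, username, password, otp, now):
        user = self.users.get(username)
        ok = user and user["password"] == password \
            and hmac.compare_digest(otp, totp(user["totp_secret"], now))
        return self._issue_session(username) if ok else None

    def login_origin_bound(self, username, challenge, client_origin, signature):
        user = self.users.get(username)
        if not user or client_origin != self.origin:      # signed for another site
            return None
        expected = sign_client_data(user["authn_key"], challenge, client_origin)
        ok = hmac.compare_digest(signature, expected)     # False: origin claim forged
        return self._issue_session(username) if ok else None


class AitMProxy:
    """Reverse proxy at PHISH_ORIGIN: relays logins to the real IdP, keeps cookies."""

    def __init__(self, idp: IdentityProvider):
        self.idp, self.harvested = idp, []

    def relay_totp_login(self, username, password, otp, now):
        cookie = self.idp.login_totp(username, password, otp, now)
        if cookie:
            self.harvested.append(cookie)
        return cookie

    def relay_origin_bound_login(self, username, challenge, signature):
        # Honest forwarding fails the origin check; claiming REAL_ORIGIN fails the
        # signature check: the victim signed over PHISH_ORIGIN, and the proxy never
        # holds the authenticator key.
        for claimed in (PHISH_ORIGIN, REAL_ORIGIN):
            cookie = self.idp.login_origin_bound(username, challenge, claimed, signature)
            if cookie:
                self.harvested.append(cookie)
                return cookie
        return None


def run_scenario(now: int = 1_700_000_000) -> dict:
    """Run both ceremonies through the proxy and report what it captured."""
    totp_secret, authn_key = b"constructed-totp-seed", b"constructed-authn-key"
    idp = IdentityProvider(REAL_ORIGIN, {"alice": {
        "password": "correct horse", "totp_secret": totp_secret, "authn_key": authn_key}})
    proxy = AitMProxy(idp)
    # 1. Victim types password and the current app code into the phishing page.
    cookie = proxy.relay_totp_login("alice", "correct horse", totp(totp_secret, now), now)
    # 2. Victim's browser, on PHISH_ORIGIN, signs the challenge for that origin.
    c1 = secrets.token_hex(16)
    relayed = proxy.relay_origin_bound_login(
        "alice", c1, sign_client_data(authn_key, c1, PHISH_ORIGIN))
    # 3. The same ceremony from the real origin succeeds.
    c2 = secrets.token_hex(16)
    legit = idp.login_origin_bound(
        "alice", c2, REAL_ORIGIN, sign_client_data(authn_key, c2, REAL_ORIGIN))
    return {
        "totp_session_hijacked": idp.sessions.get(cookie) == "alice",
        "webauthn_session_hijacked": relayed is not None,
        "legit_webauthn_login": idp.sessions.get(legit) == "alice",
        "cookies_harvested": len(proxy.harvested),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Run it directly to print the outcome. The design point is the one the defensive advice in the item above rests on: anything the user types, a password or a six-digit code, can be relayed in real time, and the session cookie the proxy receives is as good as the victim's own. A factor whose proof is bound to the origin the browser actually loaded cannot be replayed from another origin, and the proxy cannot forge a different origin without the authenticator's key. Session cookies themselves should additionally be short-lived and bound to the client where the platform allows it, since the harvested cookie is what the attacker actually uses.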

WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q3 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.

For a detailed view of WatchGuard’s research, read the complete Q3 2022 Internet Security Report here.

About WatchGuard Technologies, Inc.
WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are property of their respective owners.

CONTACT: Chris Warfield WatchGuard Technologies, Inc. +1.206.876.8380 chris.warfield@watchguard.com Robyn Posey Voxus PR watchguard@voxuspr.com

