Network attacks hit two-year high during the pandemic

The report reveals how COVID-19 has impacted the cyber security threat landscape, with evidence that attackers continue to target corporate networks despite the shift to remote working.

The report also shows a steady rise in pandemic-related malicious domains and phishing campaigns. A COVID-19 adware campaign running on websites used for legitimate pandemic support purposes made WatchGuard’s list of the top ten compromised websites in Q3. WatchGuard also uncovered a phishing attack that leverages Microsoft SharePoint to host a pseudo-login page impersonating the United Nations (UN). The email hook contained messaging around small business relief from the UN due to COVID-19.

These findings highlight the fact that businesses must prioritise maintaining and strengthening protection for network-based assets and services, even as workforces become increasingly remote.

“As the impact of COVID-19 continues to unfold, our threat intelligence provides key insight into how attackers are adjusting their tactics,” said Corey Nachreiner, Chief Technology Officer at WatchGuard. “While there’s no such thing as ‘the new normal’ when it comes to security, businesses can be sure that increasing protection for both the endpoint and the network will be a priority in 2021 and beyond. It will also be important to establish a layered approach to information security, with services that can mitigate evasive and encrypted attacks, sophisticated phishing campaigns and more.”

Other findings in the WatchGuard Internet Security Report include:

Businesses click on hundreds of phishing attacks and bad links: In Q3, WatchGuard’s DNSWatch service blocked a combined 2,764,736 malicious domain connections, which translates to 499 blocked connections per organisation in total. Breaking it down further, each organisation would have reached 262 malware domains, 71 compromised websites, and 52 phishing campaigns.

Attackers probe for vulnerable SCADA systems: The one new addition to WatchGuard’s most-widespread network attacks list in Q3 exploits a previously patched authentication bypass vulnerability in a popular supervisory control and data acquisition (SCADA) control system. While this class of vulnerability isn’t as serious as a remote code execution flaw, it could still allow an attacker to take control of the SCADA software running on the server.

LokiBot look-a-like debuts as a top widespread malware variant: Farelt, a password stealer that resembles LokiBot, made its way into WatchGuard’s top five most-widespread malware detections list in Q3. Though it is unclear if the Farelt botnet uses the same command and control structure as LokiBot, there’s a high probability the same group, SilverTerrier, created both malware variants. This botnet takes many steps to bypass antivirus controls and fool users into installing the malware. While researching the threat, WatchGuard found strong evidence indicating the malware has likely targeted many more victims than the data suggests.

Emotet persists: Emotet, a prolific banking trojan and known password stealer, made its debut on WatchGuard’s top ten malware list for the first time and narrowly missed the top ten list of domains distributing malware. Despite coming in at #11 for the latter list, this appearance is particularly notable, as the WatchGuard Threat Lab and other research teams have seen current Emotet infections dropping additional payloads like Trickbot and even the Ryuk ransomware with no signs of slowing down.

WatchGuard’s quarterly research reports are based on anonymised Firebox Feed data from active WatchGuard appliances whose owners have opted in to share data to support the Threat Lab’s research efforts. In Q3, nearly 48,000 WatchGuard appliances contributed data to the report (the most ever), blocking a total of more than 21.5 million malware variants (450 per device) and more than 3.3 million network threats (or roughly 70 detections per appliance).

Firebox appliances continued their upward trend of unique signature detections as well, collectively identifying and blocking 438 unique attack signatures – a 6.8% increase over Q2 and the most since Q4 2018.

The complete report includes in-depth research and key defensive best practices that businesses of all sizes can use to protect themselves against modern security threats. The report also features a detailed analysis of the historic Twitter hack that compromised 130 high-profile accounts to promote a Bitcoin scam in July 2020.