9 out of 10 Malware Delivered via HTTPS Encrypted Connections

The latest Internet Security Report from WatchGuard Technologies has confirmed the majority of malware infections occur via HTTPS encrypted connections, which demonstrates the importance of implementing a web filtering solution capable of HTTPS inspection. If HTTPS inspection is not enabled, businesses will have no visibility into HTTPS encrypted traffic and 9 out of 10 malware downloads will not be identified and blocked. The Q2, 2021 report says 91.5% of malware arrived over an encrypted connection.

“With much of the world still firmly operating in a mobile or hybrid workforce model, the traditional network perimeter doesn’t always factor into the cybersecurity defense equation,” said Corey Nachreiner, chief security officer at WatchGuard. “While a strong perimeter defense is still an important part of a layered security approach, strong endpoint protection (EPP) and endpoint detection and response (EDR) is increasingly essential.”

The report shows a slight decline in malware attacks in Q2, 2021, falling 3.8% from the previous quarter. WatchGuard blocked more than 16.6 million malware variants and 5.2 million network threats in Q2, an average of 438 and 137 per device respectively. WatchGuard said that in Q2 threat actors took advantage of companies with hybrid working models, targeting remote workers as well as office infrastructure.

The biggest malware threat in Q2 was AMSI.Disable.A, which ranked second by overall volume and first among encrypted threats. WatchGuard says the malware uses PowerShell tools to exploit a number of vulnerabilities in Windows and is able to disable the Antimalware Scan Interface (AMSI) in PowerShell, which allows it to bypass script security checks and ensures its malware payload is not detected.
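Because AMSI is the hook that lets antimalware engines see de-obfuscated PowerShell at run time, defenders commonly watch PowerShell Script Block Logging (Event ID 4104) for scripts that reference AMSI internals. The following is an added example, not code from the report or from WatchGuard: it scans constructed 4104 log lines for the indicator strings that public detection rules key on, after collapsing simple string-splitting so that a name assembled from fragments still matches. The log line format and the sample entries are constructed for the example.

```python
"""Flag PowerShell script block log entries that reference AMSI internals.

Constructed example: the line format "<EventID>|<ScriptBlockId>|<ScriptBlockText>"
is an assumption made for this example, not a real event-log export format.
"""
import re
from dataclasses import dataclass

# Indicator strings that AMSI-tampering scripts must name in some form.
# Public detection rules (for example Sigma) key on the same strings.
AMSI_INDICATORS = {
    "amsiutils": "reference to System.Management.Automation.AmsiUtils",
    "amsiinitfailed": "reference to the AmsiUtils amsiInitFailed field",
    "amsiscanbuffer": "reference to the AmsiScanBuffer export",
    "amsi.dll": "direct reference to amsi.dll",
}


@dataclass
class Finding:
    line_no: int      # 1-based index into the scanned log
    indicator: str    # which indicator matched
    reason: str       # human-readable description for the alert


def normalize(script: str) -> str:
    """Remove quotes, backticks, plus signs and whitespace, then lower-case.

    This collapses cheap evasions such as 'Am'+'si'+'Utils' or backtick
    escapes so the indicator strings line up again for substring matching.
    """
    return re.sub(r"['\"`+\s]", "", script).lower()


def scan_script_blocks(log_lines):
    """Return a list of Finding objects, one per indicator hit per 4104 entry."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split("|", 2)  # script text may itself contain '|'
        if len(parts) != 3 or parts[0].strip() != "4104":
            continue  # only script block log events are of interest here
        text = normalize(parts[2])
        for indicator, reason in AMSI_INDICATORS.items():
            if indicator in text:
                findings.append(Finding(n, indicator, reason))
    return findings


# Constructed sample log: one benign script block, one event of the wrong
# type, and two blocks that reference AMSI internals (fragments only).
SAMPLE_LOG = [
    "4104|a1|Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "4103|a2|[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')",
    "4104|b7|$n = 'Am' + 'si' + 'Utils'; Write-Output $n",
    "4104|c2|Write-Host 'AmsiScanBuffer from amsi.dll'",
]

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.indicator} ({f.reason})")
```

Line 2 is skipped even though it names AmsiUtils, because it is not a 4104 event; in practice a pipeline-execution (4103) feed would get the same treatment in a second pass. Line 3 is caught only because of the normalization step, which is the point of doing it before matching rather than after.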

There has been a massive increase in fileless malware attacks in the first half of 2021. Attacks are at 80% of the level in all of 2020 in just the first 6 months of the year. Attacks look set to double year-over-year if they continue at the same high rate.

Cyber threat actors have been targeting Microsoft Exchange servers in Q2 with the goal of installing remote access Trojans (RATs) in highly sensitive locations. WatchGuard attributes the increase in attacks to workers returning to hybrid offices and the return of individuals to academic institutions. Microsoft Office was also a key target for malware in Q2.

2018 was a particularly bad year for ransomware attacks, and between 2018 and 2020 attacks decreased, but there was a notable uptick in the first half of 2021. Almost as many attacks occurred in the first 6 months of 2021 as in all of 2020. WatchGuard predicts the volume of ransomware attacks in 2021 will most likely be at least 150% higher than in 2020 by year end.

Many businesses are still operating with a remote or hybrid workforce, but WatchGuard said that network attacks have increased. 5.1 million network attacks were detected in Q2, 2021, an increase of 22% from the previous quarter. Four new signatures made the top ten for network attacks in Q2, one of which was a 2020 vulnerability in PHP, with the others much older: one from 2011, one from 2013, and an RCE vulnerability in Microsoft Edge from 2017.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news