A cybersecurity services firm’s user base also heavy malware use of PowerShell scripts last quarter.

Some malware and cyber threat landscape trends from the user base of a cybersecurity services provider have been released for Q2 2021.

The data is based on anonymized data from active users of WatchGuard Technologies services who have opted to share data for research purposes.

Here are the most notable findings:

  • In Q2, 91.5% of malware arrived over an encrypted connection, an increase over that of the previous quarter.
  • The top malware in the user base for Q2 was AMSI.Disable.A which showed snagged the #1 spot for overall encrypted threats and hit #2 overall by volume. This malware family uses PowerShell tools to exploit various vulnerabilities in Windows. AMSI.Disable.A wields code capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell, allowing it to bypass script security checks with its malware payload undetected. 
  • By Q2, malware detections originating from scripting engines like PowerShell have reached 80% of last year’s total script-initiated attack volume, which itself represented a substantial increase over the year prior. At its current rate, 2021 fileless malware detections in the WatchGuard user base are on track to double in volume year on year. 
  • WatchGuard appliances detected a 22% increase in network attacks compared to Q1 in the user base, and reached the highest volume since early 2018. Q1 saw nearly 4.1m network attacks. In Q2 that number jumped by another million, indicating a growing need to maintain perimeter security alongside user-focused protections.
  • Total ransomware detections on the endpoint were on a downward trajectory from 2018 through 2020, that trend broke in Q1 2021. The six-month total finished just shy of the full-year total for 2020. If daily ransomware detections remain flat through the rest of 2021, this year’s volume will reach an increase of over 150% compared to 2020.
  • The Colonial Pipeline attack on May 7, 2021 was the quarter’s top security incident in the user base, and highlights how cybercriminals are not only putting the most vital services in their cross hairs, but appear to be ramping up attacks against high-value targets as well.
  • Compared to the usual one or two new signatures per quarter, Q2 saw four new signatures in the top 10 network attacks. The most recent was a 2020 vulnerability in popular web scripting language PHP; the other three include a 2011 Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in medical records application OpenEMR, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. While dated, all still pose risks if left unpatched. Q2 saw one new addition to the user base’s 10 most-widespread network attacks list, making its debut at the very top. The signature, 1133630, is the 2017 RCE vulnerability mentioned here that affects Microsoft browsers. Users that have yet to patch are vulnerable. In fact, a very similar high-severity RCE security flaw, tracked as CVE-2021-40444, made headlines recently when it was actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers. Microsoft Office-based threats continue to be common, but are still being detected by intrusion prevention system defenses.
  • Recently, there was an increase in the use of malware targeting Microsoft Exchange servers and generic email users to download remote access trojans (RATs) in highly sensitive locations. This was most likely due to Q2 being the second consecutive quarter that remote workers and learners returned to either hybrid work arrangements or resuming some on-site work in offices. In any case, strong security awareness and monitoring of connected devices is advised.

Said Corey Nachreiner, Chief Security Officer, WatchGuard: “With much of the world still firmly operating in a mobile or hybrid workforce model, the traditional network perimeter doesn’t always factor into the cybersecurity defense equation. While a strong perimeter defense is still an important part of a layered security approach, strong endpoint protection and endpoint detection and response are increasingly essential.”