Ransomware attacks on end devices increase by 89 percent
The Internet Security Report from WatchGuard Technologies for the third quarter of 2023 is online. In it, WatchGuard Threat Lab researchers once again identify the most important malware trends and threats to network and endpoint security. One key finding is the almost doubling of the number of ransomware attacks on endpoints compared to the previous quarter.

The decline in malware transmitted via encrypted connections is also striking. In addition, the data shows that the misuse of remote access software is enjoying renewed popularity and cyber attackers are increasingly relying on password and info stealers to obtain valuable login data. Last but not least, the current report emphasizes that endpoint attacks are less often based on the misuse of scripts, with other living-off-the-land techniques being used instead.
The key findings of the latest Internet Security Report, based on data from the third quarter of 2023, include:
Remote management tools and software are gaining favor with hackers - As confirmed by both the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), cybercriminals are increasingly using remote access software to evade detection by anti-malware scans. For example, when investigating the most important phishing domains, the Threat Lab identified a technical-support scam designed to get the victim to download a preconfigured, unauthorized version of TeamViewer, giving the attacker full remote access to the computer.
Spread of the Medusa ransomware variant leads to an 89 percent increase in endpoint-focused ransomware attacks - At first glance, it looked like ransomware would decline in the months of July to September 2023. This picture changed with the Medusa ransomware variant, which appeared in the top 10 malware threats for the first time and was identified by the Threat Lab using a generic signature. As a result, the number of ransomware attacks increased by 89 percent compared to the previous quarter.
Threat actors are moving away from scripted attacks and increasingly using other living-off-the-land techniques - Malicious scripts as an attack vector recorded a decline of 11 percent in the third quarter, after a decline of 41 percent in the second quarter. Nevertheless, script-based attacks still account for the lion's share of all recorded incidents at 56 percent, and scripting languages such as PowerShell remain a frequent vehicle for "living off the land" attacks. At the same time, the number of misused Windows binaries increased significantly, by 32 percent. These results suggest to the Threat Lab researchers that threat actors continue to use a wide variety of living-off-the-land techniques, probably not least as a reaction to the increased protective measures against PowerShell and other scripting languages.
Malware that reaches its target via encrypted connections is halved - Only just under half of the malware identified in the third quarter was transmitted via encrypted connections. This figure is remarkable because it has fallen significantly compared to the previous quarters. Overall, the number of malware programs detected rose by 14 percent.
Email-based dropper family dominates top 5 encrypted malware variants - Four of the five malware variants in the aforementioned top 5 can be assigned to a dropper family called Stacked. In spear phishing, threat actors send emails with malicious attachments that appear to come from a known sender and purport to contain an invoice or an important document for review, in order to trick end users into downloading malware.
Stealer malware is on the rise - In terms of top malware threats, a new malware family has made the top list: Lazy.360502, which delivers the 2345explorer adware variant as well as the Vidar Password Stealer and is linked to a Chinese website that apparently supports a "Password Stealer as a Service" offering. This allows cybercriminals to easily purchase stolen credentials.
Network attacks record an increase of 16 percent - ProxyLogon was the most frequently targeted vulnerability in network attacks. A total of 10 percent of all network-specific detections can be traced back to it.
Three new signatures make it into the top 50 network attacks - These include a PHP Common Gateway Interface vulnerability in Apache from 2012, which can be used to trigger a buffer overflow. There is also a Microsoft .NET Framework 2.0 vulnerability from 2016, which serves as a springboard for denial-of-service attacks. The trio is completed by an SQL injection vulnerability in the open source CMS Drupal from 2014, which allows attackers to access Drupal from outside without any authentication barriers.
Source: www.watchguard.com