30% of malware attacks are zero day exploits – report finds

Research published today in WatchGuard’s first Quarterly Internet Security Report has explored the latest computer and network security threats affecting SMEs and distributed enterprises.

The results from Q4 2016, confirm that cyber criminals’ capability to automatically repack or morph their malware has outpaced the AV industry’s ability to keep up with new signatures. This means that without advanced threat prevention, companies could be missing up to a third of malware.

The report also shows that old threats are reappearing and macro-based malware is still prevalent. Spear-phishing attempts still rely on malicious macros hidden in files including Microsoft’s new document format, while attackers also still use malicious web shells to hijack web servers. It appears that PHP shells are alive and well, as nation-state attackers have been evolving this old attack technique with new obfuscation methods.

>See also: Is it time to supplement your sandbox strategy?

Other results of the survey showed that JavaScript is a popular malware delivery and obfuscation mechanism with a rise in malicious JavaScript, both in email and over the web.

Most network attacks, also, were aimed at web services and browsers, with 73% of the top attacks targeting web browsers in drive-by download attacks, while all of the top ten exploits were web-based attacks.

The top network attack was Wscript.shell Remote Code Execution that targets Internet Explorer (IE). But strangely, this attack almost entirely affected Germany alone. Breaking it down country by country, it targeted Germany 99% of the time.

“We’re incredibly excited to introduce WatchGuard’s Internet Security Report,” said Corey Nachreiner, chief technology officer at WatchGuard Technologies. “Our Threat Lab has been monitoring the most prevalent security industry threats and trends for years and now with the addition of the Firebox Feed—anonymised threat analytics from Fireboxes deployed around the world—we have firsthand, acute insight into the evolution of cyberattacks and how threat actors are behaving. Each quarter, our report will marry new Firebox Feed data with original research and analysis of major information security events to reveal key threat trends and provide defence best practices.”

“With ransomware attempts and malicious websites dominating the headlines along with cyber attacks such as the Mirai Botnet, the SWIFT banking attacks and alleged Russian interference in the US presidential election, it was a busy quarter for cybercriminals,” said Jonathan Whitley, sales director for Northern Europe at WatchGuard. “The insight trends, research and security tips in our Quarterly Internet Security Reports are designed to help companies stay educated and vigilant in such a dynamic threat landscape.”

>See also: Get ready for the cyber war in 2017: know your enemy

The 24,000 active WatchGuard UTM appliances worldwide used to build the report blocked more than 18.7 million malware variants in Q4, which averages to 758 variants per participating device. They also blocked more than 3 million network attacks, which averages 123 attacks per participating device. The report includes a detailed breakdown of the quarter’s top malware and attack trends, the top security incidents and web and email attack trends.

In response to the rapid spread of the Mirai botnet, the Threat Lab has also launched an ongoing research project that analyses IoT devices for security flaws. The research highlighted in this report evaluated Wi-Fi cameras, fitness accessories and network-enabled novelty devices. This includes a deeper look at vulnerabilities the Threat Lab found in a relatively popular wireless IP camera and steps consumers should take to secure IoT devices they purchase.

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...