Automation to shape cybersecurity activities in 2021

Automation will play a major role in shaping cybersecurity attack and defence activities in 2021, WatchGuard predicts.


Spear phishing has traditionally been a high-investment, high-return targeted attack. In 2021, automation tools will replace manual techniques: by harvesting victim-specific data from social media sites and company web pages, they will help cybercriminals launch spear phishing campaigns at record volumes.

Automated spear phishing attacks to prey on fears

And as society continues to grapple with the impact of COVID-19, it is likely that these automated spear phishing attacks will prey on fears around the pandemic, politics and the economy.

Conversely, the research team believes that automation will also help cloud-hosting providers such as Amazon, Microsoft and Google to crack down on cybercriminal groups abusing their reputation and services to launch malicious attacks.

Threat actors commonly host website HTML files designed to mimic a legitimate website like Microsoft 365 or Google Drive to steal credentials submitted by unsuspecting victims. But in 2021, these companies will deploy automated tools and file validation technologies that will spot spoofed authentication portals.

In its annual look ahead to the next 12 months, WatchGuard expects the tumultuous events of 2020 to shape the threat landscape next year and for years to come. Other predictions include:

Attackers swarm VPNs and RDPs as the remote workforce grows

As more companies adopt VPNs and Remote Desktop Protocol (RDP) solutions to provide secure connections to employees working from home, attacks against them will double in 2021. If an attacker can compromise VPN, RDP or remote connection servers, they have an unobstructed path into the corporate network.

Security gaps in legacy endpoints targeted

Endpoints have become a high priority target for attackers during the global pandemic and many personal computers are still running legacy software that is difficult to patch or update.

With Microsoft just ending its extended support program for Windows 7, organizations are warned to expect at least one major new Windows 7 vulnerability to make headlines in 2021.

Services without MFA will suffer a breach

Authentication is the cornerstone of strong security; but with billions of usernames and passwords available on the dark web and the prevalence of automated authentication attacks, no Internet-exposed service is safe from cyber intrusion if it isn’t using multi-factor authentication (MFA). In fact, any service without MFA enabled is highly likely to be compromised in 2021.

“As we have learnt in 2020, it is very difficult to predict what is going to happen in the future,” says Corey Nachreiner, CTO at WatchGuard.

“But our Threat Lab team along with other researchers around the world have an increasing level of analytics and insight to make well-informed guesses. Cybercriminals always look for the weak links, so the growing ranks of home workers are an obvious target and when it comes to new technologies such as automation and AI, what can work for good, can also be exploited for malicious activity. It’s just a case of trying to stay one step ahead.”

The anatomy of an endpoint attack

Cyberattacks are becoming increasingly sophisticated as tools and services on the dark web – and even the surface web – enable low-skill threat actors to create highly evasive threats. Unfortunately, most of today’s modern malware evades traditional signature-based anti-malware services, arriving to endpoints with ease. As a result, organizations lacking a layered security approach often find themselves in a precarious situation. Furthermore, threat actors have also become extremely successful at phishing users out of their credentials or simply brute forcing credentials thanks to the widespread reuse of passwords.

A lot has changed across the cybersecurity threat landscape in the last decade, but one thing has remained the same: the endpoint is under siege. What has changed is how attackers compromise endpoints. Threat actors have learned to be more patient after gaining an initial foothold within a system (and essentially scope out their victim).

Take the massive Norsk Hydro ransomware attack as an example: the initial infection occurred three months before the attacker executed the ransomware and locked down much of the manufacturer’s computer systems. That was more than enough time for Norsk Hydro to detect the breach before the damage could be done, but the reality is that most organizations simply don’t have a sophisticated layered security strategy in place.

In fact, the most recent IBM Cost of a Data Breach Report found it took organizations an average of 280 days to identify and contain a breach. That’s more than 9 months that an attacker could be sitting on your network planning their coup de grâce.

So, what exactly are attackers doing with that time? How do they make their way onto the endpoint undetected?

It usually starts with a phish. No matter what report you choose to reference, most point out that around 90% of cyberattacks start with a phish. There are several different outcomes associated with a successful phish, ranging from compromised credentials to a remote access trojan running on the computer. For credential phishes, threat actors have most recently been leveraging customizable subdomains of well-known cloud services to host legitimate-looking authentication forms.

[Screenshot: the credential phishing form described below]

The above screenshot is from a recent phish WatchGuard Threat Lab encountered. The link within the email was customized to the individual recipient, allowing the attacker to populate the victim’s email address into the fake form to increase credibility. The phish was even hosted on a Microsoft-owned domain, albeit on a subdomain (servicemanager00) under the attacker’s control, so you can see how an untrained user might fall for something like this.

In the case of malware phishes, attackers (or at least the successful ones) have largely stopped attaching malware executables to emails. Most people these days recognize that launching an executable email attachment is a bad idea, and most email services and clients have technical protections in place to stop the few that still click. Instead, attackers leverage dropper files, usually in the form of a macro-laced Office document or a JavaScript file.

The document method works best when recipients have not updated their Microsoft Office installations or haven’t been trained to avoid macro-enabled documents. The JavaScript method is a more recently popular method that leverages Windows’ built-in scripting engine to initiate the attack. In either case, the dropper file’s only job is to identify the operating system and then call home and grab a secondary payload.

That secondary payload is usually a remote-access trojan or botnet of some form that includes a suite of tools like keyloggers, shell script-injectors, and the ability to download additional modules. The infection isn’t usually limited to the single endpoint for long after this. Attackers can use their foothold to identify other targets on the victim’s network and rope them in as well.

It’s even easier if the attackers manage to get hold of a valid set of credentials and the organization hasn’t deployed multi-factor authentication. It allows the threat actor to essentially walk right in through the digital front door. They can then use the victim’s own services – like built-in Windows scripting engines and software deployment services – in a living-off-the-land attack to carry out malicious actions. We commonly see threat actors leverage PowerShell to deploy fileless malware in preparation to encrypt and/or exfiltrate critical data.

The WatchGuard Threat Lab recently identified an ongoing infection while onboarding a new customer. By the time we arrived, the threat actor had already been on the victim’s network for some time thanks to compromising at least one local account and one domain account with administrative permissions. Our team was not able to identify how exactly the threat actor obtained the credentials, or how long they had been present on the network, but as soon as our threat hunting services were turned on, indicators immediately lit up identifying the breach.

In this attack, the threat actors used a combination of Visual Basic Scripts and two popular PowerShell toolkits – PowerSploit and Cobalt Strike – to map out the victim’s network and launch malware. One behavior we saw, Cobalt Strike’s shellcode decoder, enabled the threat actors to download malicious commands, load them into memory, and execute them directly from there, without the code ever touching the victim’s hard drive. These fileless malware attacks can range from difficult to impossible to detect with traditional endpoint anti-malware engines that rely on scanning files to identify threats.


Elsewhere on the network our team saw the threat actors using PsExec, a built-in Windows tool, to launch a remote access trojan with SYSTEM-level privileges thanks to the compromised domain admin credentials. The team also identified the threat actors’ attempts to exfiltrate sensitive data to a Dropbox account using a command-line cloud storage management tool.

Fortunately, our team was able to identify and clean up the malware quickly. However, had the victim not changed the stolen credentials, the attacker could likely have re-initiated their attack at will. Had the victim deployed an advanced Endpoint Detection and Response (EDR) engine as part of their layered security strategy, they could have stopped or slowed the damage done with those stolen credentials.
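The two behaviours described in this incident (fileless PowerShell that pulls commands straight into memory, and PsExec launching a payload with SYSTEM privileges) both leave process and service-installation telemetry that an EDR or log pipeline can match on. The following Python detector is an added example, not WatchGuard’s or Threat Lab’s code; it runs over constructed, simplified event records in the form `event_id | image | command line` (an assumed flattening of Sysmon-style process-creation events and Windows System log event 7045 for new services), decodes any `-EncodedCommand` payload so that base64 does not hide a download cradle, and flags the patterns worth a human look.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample records (not from the page): "event_id | image | command line",
# in the flattened shape an EDR or Sysmon export might take. The base64 blob is the
# UTF-16LE encoding of "IEX (New-Object", the start of a typical download cradle.
SAMPLE_EVENTS = [
    "1 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "1 | C:\\Windows\\System32\\wscript.exe | wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs",
    "7045 | services.exe | Service Name: PSEXESVC, Image Path: %SystemRoot%\\PSEXESVC.exe, Account: LocalSystem",
    "1 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -Command Get-ChildItem C:\\Reports",
    "1 | C:\\Windows\\System32\\notepad.exe | notepad.exe C:\\Users\\alice\\notes.txt",
]

# Cmdlets and .NET calls that fetch or evaluate code in memory (fileless execution).
CRADLE_PATTERNS = re.compile(
    r"DownloadString|DownloadData|Invoke-Expression|\bIEX\b|FromBase64String|Reflection\.Assembly",
    re.IGNORECASE,
)
# Launch flags that hide the console, skip the profile, or pass an encoded script.
HIDDEN_FLAGS = re.compile(
    r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?)\b", re.IGNORECASE
)
# Script hosts running content from user-writable locations (dropper behaviour).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass
class Finding:
    event: str
    rule: str
    detail: str = ""


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or ''."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return ""
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_event(line: str) -> list[Finding]:
    event_id, image, cmdline = (p.strip() for p in line.split("|", 2))
    image_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings: list[Finding] = []
    if image_name == "powershell.exe":
        decoded = decode_encoded_command(cmdline)
        if HIDDEN_FLAGS.search(cmdline):
            findings.append(Finding(line, "powershell-hidden-or-encoded", decoded))
        # Check both the visible command line and the decoded payload.
        if CRADLE_PATTERNS.search(cmdline) or CRADLE_PATTERNS.search(decoded):
            findings.append(Finding(line, "powershell-download-cradle", decoded))
    if image_name in ("wscript.exe", "cscript.exe") and USER_WRITABLE.search(cmdline):
        findings.append(Finding(line, "script-host-from-user-writable-path"))
    # Event 7045 = a new service was installed; PSEXESVC is the PsExec service name.
    if event_id == "7045" and "PSEXESVC" in cmdline.upper():
        findings.append(Finding(line, "psexec-service-installed"))
    return findings


def analyze_events(lines) -> list[Finding]:
    findings: list[Finding] = []
    for line in lines:
        findings.extend(analyze_event(line))
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event.split('|', 2)[2].strip()}")
        if f.detail:
            print(f"    decoded: {f.detail}")
```

Two of the five constructed records are benign (an interactive `Get-ChildItem` and Notepad) and produce no findings; the encoded PowerShell record produces two, because the flags and the decoded cradle are separate signals that an analyst would want scored independently. A PsExec service installation is not malicious on its own, so in practice that rule is correlated with the account used and with whether PsExec is expected on the host.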

Attackers are targeting businesses indiscriminately, even small organizations. Relying on a single layer of protection simply no longer works to keep a business secure. No matter the size of an organization, it’s important to adopt a layered security approach that can detect and stop modern endpoint attacks. This means protections from the perimeter down to the endpoint, including user training in the middle. And don’t forget about the role of multifactor authentication (MFA) – it could be the difference between stopping an attack and becoming another breach statistic.

Layered security becomes critical as malware attacks rise

Despite an 8% decrease in overall malware detections in Q2 2020, 70% of all attacks involved zero day malware – variants that circumvent antivirus signatures – which represents a 12% increase over the previous quarter, WatchGuard found.


Malware detections during Q2 2020

Attackers are continuing to leverage evasive and encrypted threats. Zero day malware made up more than two-thirds of the total detections in Q2, while attacks sent over encrypted HTTPS connections accounted for 34%. This means that organizations that are not able to inspect encrypted traffic will miss a massive one-third of incoming threats.

Even though the percentage of threats using encryption decreased from 64% in Q1, the volume of HTTPS-encrypted malware increased dramatically. It appears that more administrators are taking the necessary steps to enable HTTPS inspection, but there’s still more work to be done.

“Businesses aren’t the only ones that have adjusted operations due to the global COVID-19 pandemic – cyber criminals have too,” said Corey Nachreiner, CTO of WatchGuard.

“The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2 2020, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defences simply can’t catch.

“Every organization should be prioritising behaviour-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”

JavaScript-based attacks are on the rise

The scam script Trojan.Gnaeus made its debut at the top of WatchGuard’s top 10 malware list for Q2, making up nearly one in five malware detections. Gnaeus malware allows threat actors to hijack control of the victim’s browser with obfuscated code, and forcefully redirect away from their intended web destinations to domains under the attacker’s control.

Another popup-style JavaScript attack, J.S. PopUnder, was one of the most widespread malware variants last quarter. In this case, an obfuscated script scans a victim’s system properties and blocks debugging attempts as an anti-detection tactic.

To combat these threats, organizations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable adblockers and maintain an updated anti-malware engine.

Attackers increasingly use encrypted Excel files to hide malware

XML-Trojan.Abracadabra is a new addition to the top 10 malware detections list, showing a rapid growth in popularity since the technique emerged in April.

Abracadabra is a malware variant delivered as an encrypted Excel file with the password “VelvetSweatshop”, the default password for Excel documents. Once opened, Excel automatically decrypts the file and a macro VBA script inside the spreadsheet downloads and runs an executable.

The use of a default password allows this malware to bypass many basic antivirus solutions since the file is encrypted and then decrypted by Excel. Organizations should never allow macros from an untrusted source, and leverage cloud-based sandboxing to safely verify the true intent of potentially dangerous files before they can cause an infection.
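Because Excel silently decrypts a file protected with its default password, a scanner that only sees the encrypted container cannot inspect the macro inside. The practical defensive check is therefore to recognise an encrypted Office container before it reaches a user and route it to sandboxing instead of relying on signature AV. The Python triage function below is an added example (not WatchGuard’s code). It relies on two documented facts about the format: Office encrypted documents are stored in a Compound File Binary (CFB/OLE2) container, and the encrypted OOXML form carries streams named `EncryptionInfo` and `EncryptedPackage`, with directory entry names stored as UTF-16LE. The sample inputs are constructed stand-ins, not real spreadsheets: they carry the right signature bytes and stream names but are not valid workbooks. Legacy BIFF (`.xls`) RC4 encryption is signalled differently (a FILEPASS record in the Workbook stream) and is not covered here.

```python
from dataclasses import dataclass

# Signature of a Compound File Binary (OLE2) container.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Plain OOXML (.xlsx/.docx) is a zip archive; scanners can look inside it.
ZIP_MAGIC = b"PK\x03\x04"
# Stream names that exist only in the OOXML encryption container (MS-OFFCRYPTO).
# CFB directory entries store names as UTF-16LE, so encode them that way.
ENCRYPTED_STREAM_NAMES = [n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage")]


@dataclass
class Verdict:
    container: str   # "cfb", "zip" or "other"
    encrypted: bool  # True if the encrypted-OOXML streams are present
    action: str      # "sandbox" (detonate before delivery) or "scan" (normal AV path)


def classify_office_file(data: bytes) -> Verdict:
    """Heuristic triage of an attachment: encrypted Office containers go to sandbox."""
    if data.startswith(CFB_MAGIC):
        # Searching the raw bytes is a deliberate shortcut: a full CFB directory
        # walk would be more precise, but the UTF-16LE names are contiguous in the
        # directory sector, so this catches the real thing without a parser.
        encrypted = any(name in data for name in ENCRYPTED_STREAM_NAMES)
        return Verdict("cfb", encrypted, "sandbox" if encrypted else "scan")
    if data.startswith(ZIP_MAGIC):
        return Verdict("zip", False, "scan")
    return Verdict("other", False, "scan")


def build_fake_cfb(stream_names) -> bytes:
    """Constructed test fixture: CFB magic, a zeroed header, then UTF-16LE stream
    names padded to the 64-byte name field a directory entry uses. Not a valid
    workbook; just enough structure for the heuristic above."""
    body = bytearray(CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC)))
    for name in stream_names:
        entry = name.encode("utf-16-le") + b"\x00\x00"
        body += entry.ljust(128, b"\x00")  # directory entries are 128 bytes each
    return bytes(body)


# Constructed samples (labelled as such): an "encrypted" workbook and a plain one.
SAMPLE_ENCRYPTED_XLSX = build_fake_cfb(["EncryptionInfo", "EncryptedPackage", "\x06DataSpaces"])
SAMPLE_PLAIN_XLSX = ZIP_MAGIC + b"[Content_Types].xml" + b"\x00" * 64
SAMPLE_LEGACY_XLS = build_fake_cfb(["Workbook", "\x05SummaryInformation"])


if __name__ == "__main__":
    for label, blob in [("encrypted xlsx", SAMPLE_ENCRYPTED_XLSX),
                        ("plain xlsx", SAMPLE_PLAIN_XLSX),
                        ("legacy xls", SAMPLE_LEGACY_XLS)]:
        print(f"{label:15} -> {classify_office_file(blob)}")
```

Routing on the container rather than on the password is the point: the check fires whether the attacker used “VelvetSweatshop” or any other password, and the sandbox, which opens the file the way Excel would, is what actually observes the macro’s behaviour.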

An old, highly exploitable DoS attack makes a comeback

A six-year-old DoS vulnerability affecting WordPress and Drupal made an appearance on a list of top 10 network attacks by volume in Q2. This vulnerability is particularly severe because it affects every unpatched Drupal and WordPress installation and creates DoS scenarios in which bad actors can cause CPU and memory exhaustion on underlying hardware.

Despite the high volume of these attacks, they were hyper-focused on a few dozen networks primarily in Germany. Since DoS scenarios require sustained traffic to victim networks, this means there’s a strong likelihood that attackers were selecting their targets intentionally.

Malware domains leverage command and control servers to wreak havoc

Two new destinations made the top malware domains list in Q2. The most common was findresults[.]site, which serves as the C&C server for a Dadobra trojan variant. That variant creates an obfuscated file and an associated registry entry so that the attack runs whenever the Windows system starts up, at which point it can exfiltrate sensitive data and download additional malware.

One user alerted the WatchGuard team to Cioco-froll[.]com, which uses another C&C server to support an Asprox botnet variant, often delivered via PDF document, and provides a C&C beacon to let the attacker know it has gained persistence and is ready to participate in the botnet.

DNS firewalling can help organizations detect and block these kinds of threats independent of the application protocol for the connection.
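DNS firewalling works because nearly every C&C beacon, whatever the application protocol on top, first has to resolve its server’s name. The Python model below is an added example (not WatchGuard’s product logic) of the core of such a control: it takes blocklist indicators in the defanged form threat intelligence usually ships them in (the two domains named in the report plus one constructed entry), normalises them, and answers each query by checking the name and every parent domain, so a subdomain of a blocked C&C domain is blocked too. The query log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Blocklist as threat intel ships it: defanged, mixed case, sometimes with a scheme.
# The first two are the domains named in the report; the third is constructed.
BLOCKLIST_RAW = ["findresults[.]site", "hxxp://Cioco-froll[.]com", "example-c2[.]invalid"]

# Constructed DNS query log: "timestamp client qtype qname".
SAMPLE_QUERY_LOG = [
    "2020-07-01T10:00:01Z 10.0.0.5 A www.example.com",
    "2020-07-01T10:00:02Z 10.0.0.5 A findresults.site",
    "2020-07-01T10:00:03Z 10.0.0.9 TXT beacon.cioco-froll.com.",
    "2020-07-01T10:00:04Z 10.0.0.9 A notfindresults.site",
]


def refang(indicator: str) -> str:
    """Normalise a (possibly defanged) name: drop scheme, [.] -> ., lowercase, no trailing dot."""
    name = indicator.strip().lower()
    name = re.sub(r"^[a-z]+://", "", name)          # hxxp://, http://, ...
    name = name.split("/", 1)[0]                     # keep the host part only
    for bracket in ("[.]", "(.)", "{.}"):
        name = name.replace(bracket, ".")
    return name.rstrip(".")


@dataclass
class Decision:
    client: str
    qname: str
    action: str           # "resolve" or "nxdomain"
    matched: str = ""     # blocklist entry that caused the block, if any


class DnsFirewall:
    def __init__(self, indicators):
        self.blocked = {refang(i) for i in indicators}

    def match(self, qname: str) -> str:
        """Return the blocklist entry covering qname (exact or parent domain), else ''."""
        labels = refang(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return ""

    def is_blocked(self, qname: str) -> bool:
        return bool(self.match(qname))

    def decide(self, log_line: str) -> Decision:
        _ts, client, _qtype, qname = log_line.split()
        hit = self.match(qname)
        # A blocked name is answered with NXDOMAIN so the beacon simply fails,
        # regardless of whether it would have spoken HTTP, TLS or a custom protocol.
        return Decision(client, qname, "nxdomain" if hit else "resolve", hit)

    def triage(self, log_lines) -> list[Decision]:
        return [self.decide(line) for line in log_lines]


if __name__ == "__main__":
    fw = DnsFirewall(BLOCKLIST_RAW)
    for d in fw.triage(SAMPLE_QUERY_LOG):
        note = f" (matched {d.matched})" if d.matched else ""
        print(f"{d.client:10} {d.qname:28} -> {d.action}{note}")
```

The parent-domain walk is what makes the blocklist robust: a beacon using a random subdomain of the C&C domain still hits the entry for the registered domain, while a look-alike such as `notfindresults.site` is not matched because it shares no label boundary with the entry. The blocked clients (here the constructed `10.0.0.5` and `10.0.0.9`) are the hosts an incident responder would examine first.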

Facing gender bias in facial recognition technology

In the 1960s, Woodrow W. Bledsoe created a secret program that manually identified points on a person’s face and compared the distances between these coordinates with other images.


Facial recognition technology has come a long way since then. The field has evolved quickly and software can now automatically process staggering amounts of facial data in real time, dramatically improving the results (and reliability) of matching across a variety of use cases.

Despite all of the advancements we’ve seen, many organizations still rely on the same algorithm used by Bledsoe’s database – known as “k-nearest neighbors” or k-NN. Since each face has multiple coordinates, a comparison of these distances over millions of facial images requires significant data processing. The k-NN algorithm simplifies this process and makes matching these points easier by considerably reducing the data set. But that’s only part of the equation. Facial recognition also involves finding the location of a feature on a face before evaluating it. This requires a different algorithm such as HOG (we’ll get to it later).

The problem

The algorithms used for facial recognition today rely heavily on machine learning (ML) models, which require significant training. Unfortunately, the training process can result in biases in these technologies. If the training doesn’t contain a representative sample of the population, ML will fail to correctly identify the missed population.

While this may not be a significant problem when matching faces for social media platforms, it can be far more damaging when the facial recognition software from Amazon, Google, Clearview AI and others is used by government agencies and law enforcement.

Previous studies on this topic found that facial recognition software suffers from racial biases, but overall, the research on bias has been thin. The consequences of such biases can be dire for both people and companies. Further complicating matters is the fact that even small changes to one’s face, hair or makeup can impact a model’s ability to accurately match faces. If not accounted for, this can create distinct challenges when trying to leverage facial recognition technology to identify women, who generally tend to use beauty and self-care products more than men.

Understanding sexism in facial recognition software

Just how bad are gender-based misidentifications? Our team at WatchGuard conducted some additional facial recognition research, looking solely at gender biases to find out. The results were eye-opening. The solutions we evaluated were misidentifying women 18% more often than men.

You can imagine the terrible consequences this type of bias could generate. For example, a smartphone relying on face recognition could block access, a police officer using facial recognition software could mistakenly identify an innocent bystander as a criminal, or a government agency might call in the wrong person for questioning based on a false match. The list goes on. The reality is that the culprit behind these issues is bias within model training that creates biases in the results.

Let’s explore how we uncovered these results.

Our team performed two separate tests – the first using Amazon Rekognition and the second using Dlib. Unfortunately, with Amazon Rekognition we were unable to unpack just how its ML modeling and algorithm work due to transparency issues (although we assume it’s similar to Dlib). Dlib is a different story, and uses local resources to identify faces provided to it. It comes pretrained to identify the location of a face, with two face location finders: HOG, a slower CPU-based algorithm, and CNN, a faster algorithm that makes use of the specialized processors found in graphics cards.

Both services provide match results with additional information. Besides the match found, a similarity score is given that shows how closely the candidate face matches the known face. If the face on file doesn’t exist, a similarity threshold set too low may incorrectly match a face. However, a face can have a low similarity score and still be a genuine match when the image doesn’t show the face clearly.

For the data set, we used a database of faces called Labeled Faces in the Wild, and we only investigated faces that matched another face in the database. This allowed us to test matching faces and similarity scores at the same time.

Amazon Rekognition correctly identified all pictures we provided. However, when we looked more closely at the data provided, our team saw a wider distribution of the similarities in female faces than in males. We saw more female faces with higher similarities than men and more female faces with lower similarities than men (this actually matches a recent study performed around the same time).

What does this mean? Essentially it means a female face not found in the database is more likely to provide a false match. Also, because of the lower similarity in female faces, our team was confident that we’d see more errors in identifying female faces over male if given enough images with faces.

Amazon Rekognition gave accurate results but lacked consistency and precision between male and female faces. Male faces on average were 99.06% similar, but female faces on average were 98.43% similar. This might not seem like a big variance, but the gap widened when we looked at the outliers – a standard deviation of 1.64 for males versus 2.83 for females. More female faces fall farther from the average than male faces, meaning a female false match is far more likely than the 0.6% difference suggests based on our data.

Dlib didn’t perform as well. On average, Dlib misidentified female faces more than male, leading to an average rate of 5% more misidentified females. When comparing faces using the slower HOG, the difference grew to 18%. Of interest, our team found that on average, female faces have higher similarity scores than male when using Dlib, but like Amazon Rekognition, also have a larger spectrum of similarity scores, leading to the low results we found in accuracy.
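The Rekognition figures above (mean similarity 99.06 vs 98.43, standard deviation 1.64 vs 2.83) make it possible to show why the spread matters more than the 0.6-point gap in the means. The Python derivation below is an added example, not part of the original research: it assumes that genuine-match similarity scores in each group are normally distributed with the reported mean and standard deviation (an assumption the page does not make explicitly), and then asks, for a given acceptance threshold, what share of genuine matches in each group would be rejected, and how far the threshold would have to be lowered for women to reach the same acceptance rate as men.

```python
from statistics import NormalDist

# Per-group similarity statistics reported for Amazon Rekognition (percent).
# Modelling them as normal distributions is this example's assumption.
GROUPS = {
    "male": NormalDist(mu=99.06, sigma=1.64),
    "female": NormalDist(mu=98.43, sigma=2.83),
}


def false_non_match_rate(group: str, threshold: float) -> float:
    """Share of genuine (same-person) comparisons whose similarity score falls
    below the acceptance threshold, i.e. the person is wrongly rejected."""
    return GROUPS[group].cdf(threshold)


def fnmr_ratio(threshold: float) -> float:
    """How many times more often a genuine female match is rejected than a male one."""
    return false_non_match_rate("female", threshold) / false_non_match_rate("male", threshold)


def threshold_for_target_fnmr(group: str, target: float) -> float:
    """Acceptance threshold at which this group's rejection rate equals `target`.
    Lowering the threshold to equalise rejection across groups is exactly what
    widens the door for impostor faces, which is the false-match risk the text describes."""
    return GROUPS[group].inv_cdf(target)


def summary_table(thresholds=(99.0, 98.0, 97.0, 95.0)) -> list[tuple[float, float, float, float]]:
    """(threshold, male FNMR, female FNMR, female/male ratio) for each threshold."""
    return [
        (t, false_non_match_rate("male", t), false_non_match_rate("female", t), fnmr_ratio(t))
        for t in thresholds
    ]


if __name__ == "__main__":
    print("threshold  male-rejected  female-rejected  ratio")
    for t, m, f, r in summary_table():
        print(f"{t:9.2f}  {m:13.1%}  {f:15.1%}  {r:5.1f}x")
    for target in (0.05, 0.01):
        tm = threshold_for_target_fnmr("male", target)
        tf = threshold_for_target_fnmr("female", target)
        print(f"for {target:.0%} rejection: male threshold {tm:.2f}, female threshold {tf:.2f}")
```

At a threshold of 97 the model rejects roughly 10% of genuine male matches but about 31% of genuine female matches; at 95 the ratio grows to well over ten times. Holding women to the same 1% rejection rate as men means accepting scores several points lower for them, which is where the extra false matches come from. The mean gap alone (0.63 points) would never reveal this.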

Tackling facial recognition bias

Unfortunately, facial recognition software providers struggle to be transparent when it comes to the efficacy of their solutions. For example, our team didn’t find any place in Amazon’s documentation in which users could review the processing results before the software made a positive or negative match.

Unfortunately, this assumption of accuracy (and lack of context from providers) will likely lead to more and more instances of unwarranted arrests, like this one. It’s highly unlikely that facial recognition models will reach 100% accuracy anytime soon, but industry participants must focus on improving their effectiveness nonetheless. Knowing that these programs contain biases today, law enforcement and other organizations should use them as one of many tools – not as a definitive resource.

But there is hope. If the industry can honestly acknowledge and address the biases in facial recognition software, we can work together to improve model training and outcomes, which can help reduce misidentifications not only based on gender, but race and other variables, too.

Most malware in Q1 2020 was delivered via encrypted HTTPS connections

67% of all malware in Q1 2020 was delivered via encrypted HTTPS connections and 72% of encrypted malware was classified as zero day, so would have evaded signature-based antivirus protection, according to WatchGuard.


These findings show that without HTTPS inspection of encrypted traffic and advanced behavior-based threat detection and response, organizations are missing up to two-thirds of incoming threats. The report also highlights that the UK was a top target for cyber criminals in Q1, earning a spot in the top three countries for the five most widespread network attacks.

“Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” said Corey Nachreiner, CTO at WatchGuard.

“As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

Monero cryptominers surge in popularity

Five of the top ten domains distributing malware in Q1 either hosted or controlled Monero cryptominers. This sudden jump in cryptominer popularity could simply be due to its utility; adding a cryptomining module to malware is an easy way for online criminals to generate passive income.

Flawed-Ammyy and Cryxos malware variants join top lists

The Cryxos trojan was third on a top-five encrypted malware list and also third on its top-five most widespread malware detections list, primarily targeting Hong Kong. It is delivered as an email attachment disguised as an invoice and will ask the user to enter their email and password, which it then stores.

Flawed-Ammyy is a support scam where the attacker uses the Ammyy Admin support software to gain remote access to the victim’s computer.

Three-year-old Adobe vulnerability appears in top network attacks

An Adobe Acrobat Reader exploit that was patched in August 2017 appeared in a top network attacks list for the first time in Q1. This vulnerability resurfacing several years after being discovered and resolved illustrates the importance of regularly patching and updating systems.

Mapp Engage, AT&T and Bet365 targeted with spear phishing campaigns

Three new domains hosting phishing campaigns appeared on a top-ten list in Q1 2020. They impersonated digital marketing and analytics product Mapp Engage, online betting platform Bet365 (this campaign was in Chinese) and an AT&T login page (this campaign is no longer active at the time of the report’s publication).

COVID-19 impact

Q1 2020 was only the start of the massive changes to the cyber threat landscape brought on by the COVID-19 pandemic. Even in these first three months of 2020, we still saw a massive rise in remote workers and attacks targeting individuals.

Malware hits and network attacks decline. Overall, there were 6.9% fewer malware hits and 11.6% fewer network attacks in Q1, despite a 9% increase in the number of Fireboxes contributing data. This could be attributed to fewer potential targets operating within the traditional network perimeter with worldwide work-from-home policies in full force during the pandemic.

New infosec products of the week: June 12, 2020

Qualys Remote Endpoint Protection gets malware detection, free for 60 days

Powered by the Qualys Platform and Cloud Agent, malware detection in Remote Endpoint Protection uses file reputation and threat classification to detect known malicious files on endpoints, servers, and cloud workloads. As a result, customers can respond more quickly to malware ultimately increasing their overall security posture.


Nets Passport Reader: Bridging the gap between physical ID documents and digital identification

Demand for digital identification is growing rapidly and will likely only increase, given the current worldwide focus on social distancing. The Nets Passport Reader offers a simple, easy-to-use and secure way to authenticate a person remotely, even without an electronic ID.


DFLabs IncMan SOAR’s novel capabilities help successfully transition the OT-IT convergence

By creating a common platform where IT and OT work together, IncMan SOAR acts as a connective tissue between these two departments which allows them to collect information about the nature of the cyber attack quickly, assign the right person to make appropriate decisions, generate accurate KPIs, and pursue common objectives in an all-in-one platform.


Aruba ESP: Predicting and resolving problems at the network edge before they happen

Built on AIOps, Zero Trust network security, and a Unified Infrastructure for campus, data center, branch and remote worker locations, Aruba ESP delivers an automated, all-in-one platform that continuously analyzes data across domains, ensures SLAs, identifies anomalies and self-optimizes, while seeing and securing unknown devices on the network.


WatchGuard Firebox T Series firewalls: Heightened HTTPS throughput, security services, SD-WAN

WatchGuard announced the release of new Firebox T Series tabletop firewall appliances. WatchGuard’s new T20, T40 and T80 Fireboxes equip small, home and midsize office environments with the advanced performance required to support business-critical internet speeds and a broad range of enterprise-grade security services delivered in a compact form factor.


“As internet speeds continue to increase and threat actors leverage sophisticated tactics to compromise networks and users, businesses can’t afford to compromise on security or performance,” said Brendan Patterson, vice president of product management at WatchGuard.

“Small and midsize organizations without adequate security resources require the best of both worlds. With leading throughput levels, layered security services, zero-touch SD-WAN capabilities and many other benefits, our new line of tabletop security appliances provides just that.”

WatchGuard’s new tabletop security appliances are built to provide the advanced throughput and improved HTTPS traffic processing today’s organizations need to keep up with the ever-increasing velocity of business, along with a comprehensive set of security services.

The new T Series firewalls allow small and midmarket organizations and the managed service providers (MSPs) that support them to deploy gateway antivirus, content and URL filtering, antispam, intrusion prevention, application control, cloud sandboxing, endpoint protections and more – all in a simple, cost-effective and easy-to-manage package.

The Firebox T20

Designed specifically for organizations and managed service providers that need to extend protection to home and small office locations, the Firebox T20 can operate as either a stand-alone solution or be centrally managed from corporate headquarters.

Coupled with the Total Security Suite, the T20 blocks outsiders from entering networks, monitors traffic to stop malicious email attachments, phishing attempts, ransomware and other attacks. The appliance is also available in a T20-W Wi-Fi-enabled model, which features 802.11ac wireless capabilities.

The Firebox T40

An economical security powerhouse in a small form factor, the T40 brings critical enterprise-level security to distributed environments such as small offices, branch locations and small retail shops.

Enabled with the full Total Security Suite from WatchGuard, this appliance provides every feature present in more advanced firewalls, including key security protections like ransomware defense, AI-powered threat prevention and more.

Also available in a Wi-Fi-enabled version, the T40-W offers 802.11ac wireless capabilities that deliver superior download and upload speeds.

The Firebox T80

Perfect for a wide array of midsize office environments, the Firebox T80 delivers exceptionally high throughput with full UTM protection when compared to alternative tabletop firewalls.

The T80 includes an expansion module option for custom port configurations that provides integrated fiber connectivity right from the appliance. This SFP+ module offers an additional 1Gb or 10Gb fiber port and allows midsize organizations and their MSPs to adapt as connectivity needs evolve over time.

Additionally, it is one of the only tabletop appliances available on the market today that features two Power-over-Ethernet (PoE+) ports.

When installed with RapidDeploy, WatchGuard’s cloud-based configuration solution, and managed via the WatchGuard Cloud platform, these new T Series appliances make it simple to bring enterprise-grade security to small, home and midsize office environments. Additional features include:

  • SD-WAN with zero-touch deployment – T Series Fireboxes offer integrated SD-WAN capabilities, making network resiliency and optimization easy. With built-in, zero-touch SD-WAN functionality, these appliances enable organizations to reduce the need for expensive MPLS or 4G/LTE connections, avoid sending traffic from remote sites back through a central data center and support hybrid WAN architectures.
  • PoE+ – The Firebox T40 and T80 feature integrated PoE+, with one port and two ports, respectively. This enables organizations to power peripheral devices such as security cameras, VoIP phones and wireless access points. This removes the cost and inconvenience of running separate power cables to each individual device.
  • IntelligentAV – Now available on the T40 and T80, IntelligentAV leverages a machine-learning engine to better defend against continuously evolving zero day malware. While signature-based AV solutions are only able to detect known threats, IntelligentAV makes it possible to predict threats months before they are released, providing powerful predictive protection previously unavailable to small and midsize businesses.
  • Automation – WatchGuard’s new tabletop appliances are built with automation at their core to enable IT departments, security teams and MSPs to do more with less. Users can deploy T Series appliances from the cloud, update threat signatures, detect and eliminate malware and more – all through automation-enabled processes.

“WatchGuard Firebox T Series firewalls offer a versatile security appliance that’s well-suited to deployments in homes, and small to medium-size office environments,” said Dean Calvert, CEO of Calvert Technologies. “They offer a remarkable range of security features, intuitive management, and throughput your users need to keep up with the pace of business.”

Why building backdoors into encryption won’t make us safer

For much of the last decade, technology companies have been in an uphill battle to save encryption, a battle that has seen an increasing number of skirmishes that tech companies often lose. Throughout this ongoing clash, governments across the world have been pushing to backdoor encryption in the name of combating child abuse and terrorism.

The battle has come to a head several times in recent years, including when the FBI demanded Apple assist in unlocking the encrypted work phone of one of the San Bernardino shooters in Dec. 2015, as well as after a shooting in Pensacola, Florida in Dec. 2019. I don’t think you’d find a single person that is against helping law enforcement put actual criminals behind bars, but the collateral damage of these “anti-encryption” measures is simply too devastating to justify.

End-to-end encryption

Tech companies focused heavily on privacy and security in the 2010s and many rolled out products with improved encryption. Messaging platforms WhatsApp and Signal both added end-to-end encryption to their users’ communications in 2014. That same year, Apple enabled encryption by default in iPhones with the release of iOS 8.

While encryption can come in many forms, it always comes with the same goal: protecting data confidentiality. End-to-end encryption achieves that goal by setting up an encrypted channel where only the client applications themselves have access to the decryption keys. In the case of WhatsApp, this means that even though users’ messages might traverse or be stored on WhatsApp’s servers, the company doesn’t have access to the encryption keys that would allow it to decrypt and read those messages. The messages stay private to all but the sender and the receiver.

In the case of encryption-at-rest (like on the iPhone), the user’s password or PIN acts as the encryption key. When the phone boots up, the user has to enter their password or PIN to unlock the phone’s data. Any new data the phone receives or creates – like images or chat messages – is encrypted using that key. If the phone powers off or is put in a “lockdown mode,” the decrypted data is flushed from the phone’s memory and the user must enter their password again to unlock it.

The FBI and other law enforcement agencies around the world are asking Apple and other manufacturers to create a “golden key” (so to speak) with the ability to decrypt all messages on all devices. Australia even managed to pass legislation in 2018 that allows them to force companies to create backdoors in their encryption. While it is technically possible to accomplish that goal, the security and privacy ramifications would be massive.

The problem with driving to backdoor encryption

There’s simply no such thing as a “good guys only” backdoor. Eventually, a cyber-criminal will get their hands on the “golden key” or exploit the intentional chink in the armor to break their way in. The NSA losing its stockpile of Windows zero-day vulnerabilities in 2016 should be clear proof that we shouldn’t be so quick to trust government agencies to act responsibly with security.

Organizations rely on encryption to protect their intellectual property. Journalists rely on encryption to protect themselves and their sources from oppressive governments. You can probably imagine the amount of resources a hostile nation state would pour into finding such a backdoor if it existed.

What if we took a step back and examined the encryption debate using a physical safe as an analogy? People use safes to store important documents and items that they want to keep out of the hands of criminals. At the same time, people can also use them to store evidence of crimes. Should safe manufacturers be required to intentionally add a weak point to every safe or create a master key? Or should law enforcement be required to go through legal channels to compel owners to give up their keys?

The former is exactly what governments are asking Apple, WhatsApp and others to do. Law enforcement, at least in the US, already has the power to obtain massive amounts of data through the court system. In the case of the Pensacola shooter, for example, Apple handed over iCloud backups, account information and transactional data for multiple accounts. The FBI eventually gained access to the phone in question without Apple’s help, calling into question why they need a backdoor at all.

Pushback against anti-encryption regulations has become strong enough that many governments are becoming much more covert about their attempts. Take the EARN IT Act, for example. It was introduced in the US Senate earlier this year and, while it doesn’t explicitly outlaw encryption, it sets up a government agency under the US Department of Justice that can define a checklist of “best practices” organizations must follow to keep the protection from civil and criminal liability for their users’ content that Section 230 of the Communications Decency Act provides. That list of best practices could easily include weakened encryption requirements, and will likely be based heavily on the desires of the current Attorney General.

Even if most governments managed to pass anti-encryption laws, criminals would simply move to different apps instead of the ones that maintain compliance. Giving up the security and privacy of the masses is simply too big of a price to pay for something that is very unlikely to prevent crime and incredibly likely to result in abuse.

Evasive malware increasing, evading signature-based antivirus solutions

Evasive malware has grown to record high levels, with over two-thirds of malware detected by WatchGuard in Q4 2019 evading signature-based antivirus solutions.

This is a dramatic increase from the year-long average of 35% for 2019 and points to the fact that obfuscated or evasive malware is becoming the rule, not the exception. Companies of all sizes need to deploy advanced anti-malware solutions that can detect and block these attacks.

In addition, widespread phishing campaigns exploiting a Microsoft Excel vulnerability from 2017 have been detected. This ‘dropper’ exploit was number seven on WatchGuard’s top ten malware list and heavily targeted the UK, Germany and New Zealand. It downloads several other types of malware onto victims’ systems, including a keylogger named Agent Tesla that was used in phishing attacks in February 2020 that preyed on early fears of the coronavirus outbreak.

Businesses of all sizes need to invest in multiple layers of security

“Our findings from Q4 2019 show that threat actors are always evolving their attack methods,” said Corey Nachreiner, CTO at WatchGuard.

“With over two-thirds of malware in the wild obfuscated to sneak past signature-based defenses, and innovations like Mac adware on the rise, businesses of all sizes need to invest in multiple layers of security. Advanced AI or behavioural-based anti-malware technology and robust phishing protection like DNS filtering will be especially crucial.”

Other key findings from the Q4 2019 report include:

  • Mac adware jumps in popularity in Q4 – One of the top compromised websites detected in Q4 2019 hosts a macOS adware called Bundlore that masquerades as an Adobe Flash update. This lines up with a Malwarebytes report from February 2020 that showed a rise in Mac malware, particularly adware.
  • SQL injection attacks became the top network attack in 2019 – SQL injection attacks rose an enormous 8000% in total between 2018 and 2019, becoming the most common network attack of the year by a significant margin.
  • Hackers increasingly using automated malware distribution – Many attacks hit 70 to 80 percent of all Fireboxes in a single country, suggesting attackers are automating their attacks more frequently.

What the government infosec landscape will look like this year

The information security landscape seems to evolve at a faster clip each year. The deluge of ever-changing threats, attack techniques and new breaches making headlines can be challenging to track and assess. That’s why each year the WatchGuard Threat Lab takes a step back to assess the world of cyber security and develop a series of predictions for what emerging trends will have the biggest impact.

Following the worldwide controversy over hacking that influenced the 2016 presidential election and the many widely publicized privacy and security incidents that have taken place since, we believe the government information security sphere is the stage upon which we’ll see two major security developments play out in 2020.

The first is that bad actors will target voter registration systems with the intent to generate voting havoc and trigger voter fraud alerts. The second is that we’ll see multiple states enact privacy regulations inspired by GDPR and the CCPA. Let’s take a look at how these two issues will unfold in 2020 and what you need to know to be prepared.

Impending voter registration systems hacks

Security researchers have proven many times over that voting machines are hackable, but most of them don’t expect threat actors to expend the vast amount of time and resources needed to successfully hack the 2020 presidential election voting results directly. Instead, these online adversaries will use subtler tactics in the coming months to tamper with the voting process at the state and local level.

The culprits behind previous election-related attacks are state-sponsored actors that are happy to execute highly effective, politically motivated misinformation campaigns across social media platforms, but appear to draw the line at actually altering the voting results themselves. In 2020, they’ll seek to build on the success they achieved in 2016. We believe they will target US voter registration systems to make it more difficult for legitimate voters to cast their ballot and attempt to cause widespread mistrust in the validity of vote counts. Indirectly influencing the election by creating confusion, fear, uncertainty and doubt will be their MO.

What can we do about it? For state and local government departments managing voter registration systems it will be important to perform security audits and find and fix potential vulnerabilities before the bad guys have a chance to exploit them.

While there’s not a tremendous amount the average voter can do to ward off election hacking attempts by state-sponsored cyber criminals, there are some basic things you should keep in mind to make sure your voice is heard on election day. First, double-check the status of your voter registration at least a week before the election. Monitor the news for any updates about voter registration database hacks leading up to the election and be sure to contact your local state voter authority if you’re concerned. Lastly, bring a printed confirmation of your completed voter registration and multiple forms of ID on election day (just in case).

An upsurge in state-level privacy legislation

The European Union made a global splash when it implemented the GDPR. Designed to provide better privacy for its citizens’ data (regardless of the location of the organizations with access to it), the historic law was initially met with cynicism and uncertainty (and even panic in some cases) due to its stringent criteria and heavy penalties for noncompliance.

That said, since its inception, the level of privacy the law provides for individuals has been well-received. People welcome the comfort of knowing that organizations are finally being incentivized to protect their privacy and held accountable for mishandling their data. It goes a long way to inspire confidence in the public when organizations like Google and Marriott are fined millions of euros for GDPR violations.

Massive organizations like Facebook continue to neglect their obligation to safeguard user data, and America’s appetite for privacy seems to be growing with each passing data breach and scandal involving the sale of user data. That’s why in 2020 you should expect 10 or more states to enact privacy laws similar to GDPR.

In fact, California has already passed its own CCPA and will begin rolling out fines for violations by mid-year. Given that most states passed mandatory data breach disclosure laws in the mid-2000s and lawmakers still haven’t been able to pass a federal version to date, it’s unlikely that the movement to enact a federal privacy law will gain enough steam to pass in the near term. That said, the rising public outcry for data privacy makes it highly likely that individual states will take it upon themselves to follow in California’s footsteps and pass privacy acts of their own.

This momentum will grow in 2020, so it will be critical for businesses across the country to carefully study the CCPA requirements and prepare to make adjustments. Other states will use the CCPA as a reference point for developing similar regulations of their own. If you’re concerned with your own personal data privacy, contact your local representatives to push for state-level legislation and federal action as well.

The road ahead

The changing conditions within the government information security landscape impact every American business and individual in one way or another. We simply can’t afford to be ignorant or apathetic when it comes to matters of public privacy and security.

Whether it be state-sponsored attempts to interfere with the next election, emerging security and privacy regulations, or some other development, we should all strive to become more informed about and engaged in these issues.

As malware and network attacks increase in 2019, zero day malware accounts for 50% of detections

Amid significant increases in both malware and network attacks, multiple Apache Struts vulnerabilities – including one used in the devastating Equifax data breach – appeared for the first time on WatchGuard’s list of most popular network attacks in Q3 2019.

Massive fallout from the Equifax breach

The report also highlights a major rise in zero day malware detections and increasing use of Microsoft Office exploits and legitimate penetration testing tools.

The Apache Struts 2 remote code execution vulnerability lets attackers exploit an exposed system with just a few lines of code, using Python or a custom HTTP request, and obtain shell access. This threat was accompanied by two additional Apache Struts vulnerabilities on the top ten network attacks list in Q3 2019, as overall network attacks increased in volume by 8%.

The massive fallout from the Equifax breach put the severity of this vulnerability on full display and should serve as a reminder of how important it is for web admins to patch known flaws as soon as possible.

“Our latest threat intelligence showcases the variability and sophistication of cybercriminals’ growing playbook. Not only are they leveraging notorious attacks, but they’re launching evasive malware campaigns and hijacking products, tools and domains we use every day,” said Corey Nachreiner, CTO, WatchGuard Technologies.

“As threat actors continue to modify their tactics, organizations of every size must protect themselves, their customers and their partners with a set of layered security services that cover everything from the core network to endpoints, to the users themselves.”

Attackers continue to favor Microsoft Office exploits

Two malware variants affecting Microsoft Office products made WatchGuard’s top ten list of malware by volume, as well as the top ten most-widespread malware list last quarter. This indicates that threat actors are doubling down on both the frequency with which they leverage Office-based attacks, as well as the number of victims they’re targeting.

Both attacks were primarily delivered via email, which highlights why organizations should increasingly focus on user training and education to help them identify phishing attempts and other attacks leveraging malicious attachments.

Zero day malware instances spike to 50%, as overall malware detections rise

After stabilizing at around 38% of all malware detections over the past several quarters, zero day malware accounted for half of all detections in Q3. The overall volume of malware detected increased by 4% compared to Q2 2019, with a massive 60% increase over Q3 2018.

The fact that half of malware attacks in Q3 were capable of bypassing traditional signature-based solutions illustrates the need for layered security services that can protect against advanced, ever-evolving threats.

Cybercriminals may be leveraging legitimate pentesting tools for attacks

Two new malware variants involving Kali Linux penetration testing tools debuted on WatchGuard’s top ten list of malware by volume in Q3. The first was Boxter, a PowerShell trojan used to download and install potentially unwanted programs onto a victim’s device without consent.

The second was Hacktool.JQ, which represents the only other authentication attack tool besides Mimikatz (which dropped in prevalence by 48% compared to Q2, and 16% compared to Q3 2018) to make the list.

It’s unclear whether the rise in these detections comes from legitimate pentesting activities or malicious attackers leveraging readily available open source tools. Organizations must continue to leverage anti-malware services to prevent data theft.

Malware attacks targeting the Americas increase drastically

More than 42% of all malware attacks in Q3 2019 were aimed at North, Central and South America; up from just 27% in Q2. This represents a significant geographic shift in focus for attackers compared to last quarter, as EMEA and APAC (which were tied for the top regional malware target in Q2) accounted for 30% and 28% of all malware attacks in Q3, respectively.

Although the specific motivations are unclear, this trend indicates attackers are bringing new malware campaigns online that specifically target users in the Americas region.

How DNS filtering works and why businesses need it

The Domain Name System (DNS) is a cornerstone of the internet. DNS servers map the domain names that humans can read to the unique Internet Protocol (IP) addresses that computers use to connect. Without DNS, we’d all be typing in long, seemingly random combinations of characters and numbers in order to get anywhere online! However, this dependency opens up the possibility for misuse. From domain hijacking and cache poisoning to Denial of Service attacks, DNS is no stranger to being attacked or, even scarier, being an attack vector!

It’s not difficult to see why attackers would use DNS as an attack vector. Every application that uses the internet depends on DNS, not just web browsers, even though the majority of internet traffic is web content: email, peer-to-peer sharing, RDP, SSH and so on all resolve names. Fortunately, this crucial component of the internet can be used defensively as well. DNS filtering can prevent users from downloading malware without also blocking legitimate files by accident. Let’s explore how this process works and why it’s a useful tool for IT and security teams.

Methods for filtering malware

Malware is one of the major plagues of modern computing and many security providers spend ample time trying to prevent users from accessing malicious files on the internet. One of the easiest ways to keep users from downloading malware is to simply block access to servers hosting malicious files. There are companies whose entire purpose is to sell services that identify malicious actors. This is typically referred to as “Threat Intelligence.” Once you know which servers and sites are bad, the next step is to prevent users from connecting to them. There are multiple ways to do this, and they each have advantages and drawbacks.

It would be easy to simply block malicious sites based on IP address, but this usually isn’t practical. Unfortunately, modern server configurations allow a single IP address to host many different services. Also, many different domain names can map to the same IP address, which generally makes blocking bad sites by IP address too broad. In practice, this means IT ends up blocking legitimate websites and services along with the malicious ones, which frustrates users and makes it harder for them to accomplish their work.

On the other hand, filtering based on full URLs achieves greater fidelity against individual files served by web servers. This approach avoids the problem of blocking too many legitimate sites, but requires a lot of extra work from IT. Since URLs are application protocol-specific, this level of protection ends up requiring a unique filtering implementation per application protocol (HTTP vs FTP). Many businesses don’t have the resources to implement this successfully.

Not too broad, not too granular

DNS sits smack dab in the middle of the two methods described above. Filtering by DNS is more precise than IP address filtering, but not as work-intensive as URL filtering. For example, if malicious files are served up by only one domain name out of four that map to an individual IP address, blocking by domain name will not interrupt the other three domains (whereas blocking by IP address would interrupt all four domains). The level of precision that DNS filtering offers keeps organizations safe from malware without making IT departments seem “heavy-handed” and frustrating employees by unnecessarily blocking important sites and services.

DNS is also application protocol agnostic, so blocking by domain name will block connections to malicious links no matter which application initiates the connection. There are very few applications today that don’t connect to the Internet, and they all resolve human-readable names into IP addresses. For example, regardless of whether you read your email using a thick client like Outlook or use a web UI like Gmail, clicking on a malicious link will result in the same resolution of the same name. The same goes for documents.

Clicking on a malicious link in Acrobat Reader or Microsoft Word results in the same resolution of the same name regardless of document type or application. That means DNS-level filtering will block malicious links in all of these scenarios without needing to be customized to the specific application or protocol in use. With workers accessing corporate data from multiple devices, checking email on their phones and using applications that IT might not even know about, the flexibility provided by DNS filtering is extremely useful.

DNS filtering considerations

In security, it’s important to remember that no single solution is foolproof, and DNS filtering is no exception. Servers using custom application protocols on odd ports to perform malicious activity like botnet attacks usually require IP address blocking. Malicious activity on non-Web protocols like SMTP requires full domain name blocking.

Lastly, malicious content hosted on a file sharing or content delivery network requires full URL blocking because most of the content on the CDN is legitimate. No one level of network blocking is foolproof either. As every seasoned security professional knows, the best security is layered security. Therefore, the best network blocking solutions will allow filtering at all three network levels: IP, Domain and URL.
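As an added illustration (not WatchGuard’s code or any product’s logic), the following Python models the three filtering levels described above over a constructed hosting map and request list: one shared IP hosting four domains of which only one is malicious, the same malicious file fetched over HTTPS and FTP, a CDN with a single malicious path, and a botnet client talking to a raw IP on a custom port. Every hostname, address and blocklist entry is constructed for the example.

```python
"""Compare IP, domain and URL blocking on constructed data (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed hosting map: four domains share one IP, as on shared hosting;
# a CDN on a second IP serves mostly legitimate files plus one malicious one.
HOSTING = {
    "news.example": "203.0.113.10",
    "shop.example": "203.0.113.10",
    "blog.example": "203.0.113.10",
    "malware.example": "203.0.113.10",
    "cdn.example": "203.0.113.20",
}

# Constructed requests: (url, is_malicious). The same malicious file is
# fetched over HTTPS and FTP (URL lists are protocol-specific), and a botnet
# client connects to a raw IP on a custom port, so no name is ever resolved.
REQUESTS = [
    ("https://news.example/", False),
    ("https://shop.example/cart", False),
    ("https://blog.example/post/1", False),
    ("https://cdn.example/js/app.js", False),
    ("https://malware.example/payload.zip", True),
    ("ftp://malware.example/payload.zip", True),
    ("https://cdn.example/files/invoice.exe", True),
    ("tcp://198.51.100.5:4444/", True),
]

# Constructed threat intelligence, one list per filtering level.
IP_LIST = {"203.0.113.10", "198.51.100.5"}
DOMAIN_LIST = {"malware.example"}
URL_LIST = {
    "https://malware.example/payload.zip",
    "https://cdn.example/files/invoice.exe",
}


def destination_ip(host):
    """Resolve a name via the constructed map; IP literals need no lookup."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return HOSTING.get(host.lower().rstrip("."))


def domain_blocked(host, domains):
    """A DNS filter matches the queried name and every parent zone of it.
    A raw IP literal produces no DNS query, so it never matches here."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def blocked(url, level, ips=IP_LIST, domains=DOMAIN_LIST, urls=URL_LIST):
    """True if the request is blocked at 'ip', 'domain', 'url' or 'layered'
    (layered = blocked by any of the three lists)."""
    host = urlsplit(url).hostname or ""
    checks = {
        "ip": lambda: destination_ip(host) in ips,
        "domain": lambda: domain_blocked(host, domains),
        "url": lambda: url in urls,
    }
    if level == "layered":
        return any(check() for check in checks.values())
    return checks[level]()


def outcome(level, requests=REQUESTS, **lists):
    """Count legitimate requests wrongly blocked and malicious ones missed."""
    over = sum(1 for u, bad in requests if not bad and blocked(u, level, **lists))
    missed = sum(1 for u, bad in requests if bad and not blocked(u, level, **lists))
    return {"over_blocked": over, "missed": missed}


if __name__ == "__main__":
    for level in ("ip", "domain", "url", "layered"):
        print(f"{level:8} {outcome(level)}")
    # Keep the shared-hosting IP out of the IP list and reserve that list for
    # servers with no usable name (the raw-IP controller): no over-blocking.
    print("layered (curated IP list)", outcome("layered", ips={"198.51.100.5"}))
```

The run shows the trade-off in numbers: IP blocking catches the shared-host malware but takes three legitimate sites with it, domain blocking over-blocks nothing but misses the CDN file and the raw-IP connection, URL blocking misses the FTP copy of the same file, and only the layered policy with a curated IP list blocks every malicious request with no collateral damage.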

One of the other advantages of DNS filtering is that many solutions available on the market integrate seamlessly into your current infrastructure. Instead of pointing your internal DNS server to your ISP’s upstream DNS server, you point it to DNS servers from these solutions that provide protection.

Putting it all together

DNS is incredibly important to everything we do on the internet in our daily lives. The old method of blocking by IP address is inadequate, as many individual servers can serve up many different, mostly legitimate services. And even though we do just about everything in our web browser, blocking by URLs can be too narrow. The gap left over can be filled by blocking by domain names.

Remember, because of our heavy reliance on the internet, DNS-based filtering is essential for businesses today since it removes an avenue of attack that you couldn’t close down otherwise.