WatchGuard Threat Lab Reports 91.5% of Malware Arrived Through Encrypted Connections in Q2 2021


New research also shows a dramatic increase in fileless malware, per-device malware detections, and growing network and ransomware attacks.

SEATTLE, September 30, 2021 (GLOBE NEWSWIRE) – WatchGuard® Technologies, a global leader in network security and intelligence, advanced endpoint protection, multi-factor authentication (MFA) and secure Wi-Fi, today released its latest quarterly Internet Security Report, detailing the top malware trends and network security threats analyzed by WatchGuard Threat Lab researchers during the second quarter of 2021. The report also includes new insights based on endpoint threat information detected during the first half of 2021. Key research findings revealed an astonishing 91.5% rate of malware arriving over HTTPS encrypted connections, alarming surges in fileless malware threats, dramatic growth in ransomware, sharp increases in network attacks and much more.

“While much of the world still operates firmly in a mobile or hybrid workforce model, the traditional network perimeter is not always factored into the cybersecurity defense equation,” said Corey Nachreiner, director of security at WatchGuard. “While strong perimeter defense is always an important part of a layered security approach, enhanced Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) are becoming increasingly essential.”

Among its most notable findings, WatchGuard’s Q2 2021 Internet Security Report reveals:

  • Massive amounts of malware arrive over encrypted connections – In the second quarter, 91.5% of malware arrived over an encrypted connection, a dramatic increase from the previous quarter. Simply put, any organization that doesn’t inspect encrypted HTTPS traffic at the perimeter is missing nine out of ten malware samples.

  • Malware uses PowerShell tools to bypass powerful protections – AMSI.Disable.A first appeared in WatchGuard’s top malware rankings in the first quarter and immediately skyrocketed this quarter, reaching second overall in volume and first place among all encrypted threats. This malware family uses PowerShell tools to exploit various vulnerabilities in Windows, but what makes it particularly interesting is its evasion technique. WatchGuard discovered that AMSI.Disable.A uses code capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell, allowing its malware payload to bypass script security checks undetected.

  • Fileless threats are skyrocketing, becoming even more evasive – In the first six months of 2021 alone, malware detections from script engines like PowerShell have already reached 80% of last year’s total volume of script-initiated attacks, which was itself a substantial increase over the previous year. At its current rate, 2021 fileless malware detections are set to double in volume year over year.

  • Network attacks are on the rise despite the shift to a predominantly remote workforce – WatchGuard appliances detected a substantial increase in network attacks, which rose 22% from the previous quarter and reached the highest volume since early 2018. The first quarter saw nearly 4.1 million network attacks. In the quarter that followed, that number jumped by another million, setting an aggressive course that highlights the growing importance of maintaining perimeter security alongside user-centric protections.

  • Ransomware returns with a vengeance – While the total number of endpoint ransomware detections was on a downward trajectory from 2018 to 2020, this trend came to a halt in the first half of 2021, with the six-month total falling just below the full-year total for 2020. If daily ransomware detections remain stable through 2021, this year’s volume will reach an increase of over 150% from 2020.

  • Big game ransomware eclipses shotgun blast attacks – The attack on the Colonial Pipeline on May 7, 2021 made it clear, and terrifying, that ransomware as a threat is here to stay. As the top security incident of the quarter, the breach underscores how cybercriminals not only put the most vital services – such as hospitals, industrial control, and infrastructure – in their sights, but also appear to be stepping up attacks against these high-value targets. WatchGuard’s incident analysis examines the fallout, what the future of critical infrastructure security looks like, and the steps organizations in any industry can take to defend against these attacks and slow their spread.

  • Old services continue to be attractive targets – Deviating from the usual one to two new signatures seen in previous quarterly reports, there were four new signatures among WatchGuard’s top 10 network attacks for the second quarter. Notably, the most recent was a 2020 vulnerability in the popular PHP web scripting language, but the other three are not new at all. These include a 2011 Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in the OpenEMR medical records application, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. Although dated, all still present risks if left unpatched.

  • Microsoft Desktop-based threats persist in popularity – The second quarter saw a new addition to the list of the 10 most common network attacks, and it debuted at the top. The signature, 1133630, is the aforementioned 2017 RCE vulnerability that affects Microsoft browsers. While this is an old exploit and patched on most systems (hopefully), those that have not yet been patched are in for a rude awakening if an attacker gains access before they do. In fact, a very similar high-severity RCE vulnerability, identified as CVE-2021-40444, made headlines earlier this month when it was actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers. Desktop-based threats continue to be popular when it comes to malware, which is why we keep spotting these proven attacks in the wild. Fortunately, they are still caught by proven IPS defenses.

  • Phishing domains masquerade as legitimate and widely recognized domains – WatchGuard recently observed an increase in the use of malware targeting Microsoft Exchange servers and generic email users to download Remote Access Trojans (RATs) to highly sensitive locations. This is most likely due to the second quarter in a row in which workers and distance learners returned either to hybrid office and academic environments or to previously normal on-site business behaviors. In either case, or location, strong security awareness and monitoring of outbound communications from devices that are not necessarily connected directly to the network is advised.

WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted in to share data to directly support Threat Lab research efforts. In the second quarter, WatchGuard blocked a total of over 16.6 million malware variants (438 per device) and nearly 5.2 million network threats (137 per device). The full report includes details on additional malware and network trends from Q2 2021, even more in-depth analysis of endpoint threats detected in H1 2021, recommended security strategies, critical defense tips for businesses of all sizes and in all industries, and more.

For a detailed view of WatchGuard’s research, read the full Q2 2021 Internet Security Report here:

About WatchGuard Technologies, Inc.

WatchGuard® Technologies, Inc. is a global leader in network security, endpoint security, secure Wi-Fi, multi-factor authentication, and network intelligence. The company’s award-winning products and services are trusted by more than 18,000 resellers and security service providers around the world to protect more than 250,000 customers. WatchGuard’s mission is to make enterprise-grade security accessible to businesses of all types and sizes through simplicity, making WatchGuard an ideal solution for midsize and distributed enterprises. The company is headquartered in Seattle, Washington, and has offices in North America, Europe, Asia-Pacific and Latin America. To learn more, visit

For more information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also visit our InfoSec blog, Secplicity, for real-time information on the latest threats and how to deal with them. Subscribe to The 443 – Security Simplified podcast, or find it wherever you get your favorite podcasts.

WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are the property of their respective owners.

CONTACT: Chris Warfield, WatchGuard Technologies, Inc., [email protected]; Justin Hall, Voxus PR, [email protected]
