Q1 2024 Internet Security Report

Episode 294 –

This week on the podcast we cover the WatchGuard Threat Lab's Internet Security Report from Q1. In this episode, we discuss the latest trends in malware detections at the network and the endpoint, network attack trends, and malicious domains that targeted WatchGuard customers around the world.

View Transcript

Marc Laliberte  0:00  

Hey everyone, welcome back to the 443 security simplified. I'm your host Marc Laliberte and joining me today is


Corey Nachreiner  0:07  

Corey click all the things Nachreiner.


Marc Laliberte  0:12  

Why the hell do you have a room?


Corey Nachreiner  0:14  

All the things


Marc Laliberte  0:16  

stay that is a man that is pure dedication to the meme. I'm actually both embarrassed and impressed. On today's episode, we will discuss our quarterly Internet Security Report from the WatchGuard threat lab for q1 of this year, which just came out, the report itself just came out actually, before. And so I guess without any further ado, or given Corey any chance for additional meaning, let's go ahead and sweep our way in.


Corey Nachreiner  0:57  

I technically had the broom in the wrong hand. He has it in the other fiscal, but that's okay. There is it looked like a broom to me. I don't know what is it?


Marc Laliberte  1:14  

So let's start this week with our main topic. And I guess our only topic. It is now the end of a quarter, which means it is time for another Internet Security Report review. So


Corey Nachreiner  1:27  

the quarter,


Marc Laliberte  1:30  

January, March, April.


Corey Nachreiner  1:31  

We're right in the middle of a quarter. It ended but we finally finished. I guess it is June. We're near the end. You're right.


Marc Laliberte  1:39  

I consider the last month of a quarter to be the end of the quarter. But that's a good maybe folks in more business positions have different definitions of NF quarter.


Corey Nachreiner  1:49  

So what is this thing we release every quarter? Yeah, of course, you won't actually go through that. Oh, I guess so. Well, if you see the screen, we release our internet security report every quarter. And the WatchGuard Internet Security Report is something we pull from our product telemetry. Basically, whether you're using our endpoint products or network products, either the firebox feed for our network security appliances, both software and and physical, and a lot of data from any of our endpoint services. If you opt in to certain things, they send us telemetry about the types of threats they're detecting online, and we round all that up and give you some information in this quarterly report. That's about


Marc Laliberte  2:35  

it. Right? Short, sweet, and to the point, I like it.


Corey Nachreiner  2:39  

We're sorry.


Marc Laliberte  2:42  

Exactly. That took way less time than I thought it would. So on this episode, we're gonna go through a few just the key findings, which are really trends of attacks, and both malware and network attacks targeting our customers around the world. And by nature of being at this report, it means it was detected. And I guess if you haven't configured blocked at the either the perimeter at the endpoint, but it gives us a good idea of exactly what the threat actors are doing targeting small and midsize companies all around the world. And to start with, we'll go over the firebox feed section, which like Corey mentioned, is a collection of threat intelligence we get from firebox appliances that have opted into sharing it with us around the world. And I guess let's start straight with the malware though. And there was actually a pretty interesting downward trend when it came to malware detections on the whole this quarter. So we actually saw an almost 50% decrease down to 1224 detections per firebox, which is still a lot, but it's down considerably from what we saw even just last quarter. But one important note on there is another stat we track as the percentage of malware that arrives over a encrypted connection, meaning typically HTTPS. And we found that around 69% of the malware that we saw last quarter came in over one of those encrypted channels. So Corey, you want to maybe chat about why the raw numbers may not actually reflect


Corey Nachreiner  4:15  

what would be out there? Well, first to add a little bit of about it. I'm jumping sections a little by doing this, but I feel like malware was a reverse of last quarter like q4, the last quarter we did in q4, just so you know, we also track malware from an endpoint perspective, which we'll get to a little later. So as Marc said, malware was down almost by half whereas in q4, network based malware was up in q4. However, endpoint based malware detection was down and in q1, this report endpoint based malware is up. So it almost is like the mirror the up and down of endpoint versus network from q4 to now has changed. And it is also interesting to see that when network detections go down endpoint detections for us go up, this is not always the case, because there's a lot of people that work in offices. But if you are in office, and you have both network and endpoint protection, you know, you might guess that if your network detections go up, you would expect your endpoint to go down, which was q4, and vice versa. And q1, if suddenly, you're not seeing as much as on the network, it may make sense that the endpoint catches stuff. But to your point, it was very interesting that we saw malware go down. And yet, when we search for malware that's going over TLS, you know, the the gateway anti virus, or AAPT, block connections over TLS. It was 69% was was zero day malware. And we saw a lot more now we're going over that TLS connection. As you guys know, TLS is the web encryption. And one of the reasons that might be is we've said this in many reports that we believe TLS encryption is where it is where it's happening, like 95, easily 95% of internet traffic is encrypted web traffic. There's no doubt. And yet, only 20% of our fireboxes are inspecting this traffic. And one of the trends we've repeated in the report over and over is, hey, here's our full trends. But you really should pay it more attention to what's happening in TLS. Because that probably better represents the reality of the internet. And if you're not scanning TLS traffic, you're you're missing things. So one hypothesis Marc might be that yeah, we see overall malware going down. But overall, you know, 80% of that is from fire boxes that aren't seeing encrypted connections. So really, maybe malware is not down as much, because when we are looking at encrypted connections, we still see a lot of action. We'll get into zero day malware later too. So maybe it's just the fact that more firebox users should actually pay attention to that encrypted traffic.


Marc Laliberte  7:06  

How about a I've got a stupid take for this one. So quarter four, you said we saw more like comparatively more endpoint versus less network our see more network versus less endpoint.


Corey Nachreiner  7:19  

Oh, use it flipped. Now we're seeing less network and more endpoint less than ever in last last quarters that more network and less than point.


Marc Laliberte  7:29  

Okay, that my stupid take gets even dumber because that would imply more people in the office at the end of the year last year, and less Yeah, in the office at the beginning of this year, which it would


Corey Nachreiner  7:39  

definitely make more sense the other way, because we are seeing more people return to the office. But you know, maybe it's malware sophistication, right? Maybe malware was better at detecting network evasion. And the reason we saw the endpoint blow up was because people were at the office. And if the network didn't catch it, the endpoint did. I don't know. It's the one irritating issue you listeners might find with all of these trends, we can see the trends, clearly we can see the most attacks. But when we see region explode, or if we suddenly see malware explosions, we don't always have the data to understand what is happening in either the threat actor community or in the world that causes the ups and downs, we see the trend, but we can always identify the reason why.


Marc Laliberte  8:25  

So one of the numbers that you also mentioned just a bit ago is our zero day malware number which is malware that gets passed signature based anti malware solutions, not necessarily exploiting a zero day vulnerability, like that type of attack. But specifically ones that don't have a signature or use evasion techniques to get past it. This quarter we saw we Every quarter we look at it both for unencrypted and encrypted connections. And this quarter was actually pretty interesting, where zero day malware overall was around 36%, which is pretty dang low, like very low considering what we typically see. But when you look at it over encrypted connections, it shoots up to 64%. Of course,


Corey Nachreiner  9:06  

I was just saying I mean I in the intro of this report, I talked about mere reflections of q4 versus q1. But look at the zero day. It's literally a mirror reflection 3664 versus it's the encrypted version flips the exact same numbers.


Marc Laliberte  9:25  

Yeah, pretty interesting. But even at 36%, that's still more than 1/3 of all threats that would evade signature based detection.


Corey Nachreiner  9:34  

And honestly, I would say I don't even give a crap about unencrypted. I mean, I'm being less political than I am in the report. But honestly, for the 80% of people that aren't scanning encrypted traffic you should be because I will say that the 64 Yes, 36% is still bad. But 95% or more of internet traffic is encrypted. So really that 64% Which by the way is the average like What's interesting about the 36 is on average, we've seen 50% or more of malware be zero day, almost every year for the past three or four years. So it just dropped a lot for an encrypted, but I would still argue I don't even care about unencrypted anymore, that's got to represent like four or 5% of what people are doing online. encrypted traffic is what you need to worry about, because it's the majority of what you're doing in the browser. So the 64% is more of the reality. And obviously, like we say, every quarter, if if more than half of malware evade signature based protection, you better be doing something beyond signature based protection.


Marc Laliberte  10:42  

As well said you should probably take the gloves off in the report and get a snarky as well and future ones.


Corey Nachreiner  10:47  

I mean, I don't even know why we pay attention to the unencrypted trends anymore if you pay attention to Google Analytics on on web traffic. Yeah, but the only reason by the way, why do we do that is because 80% of people aren't giving us unencrypted information. So if you don't hear me, what I'm saying is your firebox is missing a lot of threats and letting them to your network that you could block that you've you've paid for everything you need to to check encrypted traffic and any services you have could be scanning that traffic. But if you haven't configured it, you're, you're missing like 96% of the protection that can give you on the web.


Marc Laliberte  11:27  

Yep. So


Corey Nachreiner  11:29  

that was so so boxy Marc went out of focus for a second,


Marc Laliberte  11:32  

that's exactly event, you totally ticked off my camera with that one. There was an interesting trend geographically this quarter as well, too, when it came to malware. So we wait all of our geographic distributions based off of the number of devices we actually have deployed around the world. What I mean is, we have more devices in like Europe and the Americas than we do in the Asia Pacific region, for example. So when we don't just talk about the raw volume of threats for detecting, we waited based off the actual number of devices everywhere. And with those weighted averages, the Asia Pacific region accounted for 63% or so of all of the malware detections we had in the quarter, which is a pretty sizable portion and a bit of an outlier when compared to previous quarters as well, too.


Corey Nachreiner  12:18  

And there was a long time that we didn't have the weighting, which was you know, as we started this report, we had to understand, you know, where statistics can go wrong. So we would just give the raw numbers. And for the longest time, a pack would have like 10%, and Americas, and Europe would be equal, equally shared around, I don't know 45%. When we waited to fireboxes, it did change, a pack went up. But I still recall, Americas and EMEA usually being where all the action was. So seeing this distinct change where a you know, a two thirds of the malware is that a pack is quite distinct and different


Marc Laliberte  13:02  

app, and we actually found there was a like single campaign that primarily affected networks based in China, which is pretty interesting. But that's actually not the only Chinese based threat that we saw in the quarter. And we'll get into that a bit more. When we get into some of the specific threats to do note that we do like statistical outlier detection and here and so at least based off the model we use, we do account for drastic outliers. And in this case, even with that model in place, there's still a pretty sizable amount of threads. We saw that one area, if


Corey Nachreiner  13:38  

there are any numbers of people that have followed our reports for a long time, you might have saw a I don't know what was it three or four reports ago Marc? When he says we did statistic outliers, what we do is we basically take the bell curve of sometimes a single IP or firebox are a single signature just blows up so much that it becomes such a huge outlier that it falls outside the bell curve. So we we basically take 95% of what's, what would be the bell curve. That didn't drop our numbers, though. So you know, three or four reports back if you saw things like IPS suddenly go down and malware go down. It's not because the numbers being reported from fireboxes are different. It's just there's such there's big outliers, which we think could either be false positives, configuration issues, something going on at a single site. So we decided to remove all that data.


Marc Laliberte  14:31  

Now, speaking of specific threats, though, there were I guess two and a half or three that really stood out to me. One of them the signature was Trojan dot Genki dot two, which we actually analyzed and found out it was the pixie rat Trojan. This one was kind of basic and how it was delivered, but a very common delivery method where it starts with a Office document. It's got that big yellow ribbon at the top that tells the user they need to enable content. Oh look, I


Corey Nachreiner  14:58  

want to click that button. Let me click it It's what you do every time you get off his document, click all the buttons Marc enable all the things,


Marc Laliberte  15:05  

man that we're on and we respond to a security incident on your laptop every week. But so the hook is in the Word document itself, they try and trick the user into clicking that button. Sometimes they pretend it's like an encrypted document and you have to hit enable content to do it. Sometimes it's pretty basic. In this case, I don't remember exactly what the hook was. But for this particular one, when you do hit enable content, it launches PowerShell and a encoded command in there and ultimately downloads. The pixie rat Trojan and in some cases, goes and grabs the cobalt strike beacon as well to pretty interesting threat there from multistage starting with just a tainted Office document. They're really interesting. Following


Corey Nachreiner  15:52  

along on YouTube, like the our actual report has all kinds of details about how the code was obfuscated, how it's, you know, decoded, and what it decodes to if you're really interested in some of the technical details that are harder to report on audio podcast.


Marc Laliberte  16:10  

So the one really interesting malware threat, though, was this combination of golden spy and golden helper. So golden spy is a Chinese tax program that actually had was found to have like, been tainted with spyware coming with it, as it gets installed on China based systems. Now there was a big report from another set of researchers can't remember exactly the the name that went into it earlier in the year. But we saw a lot of these threats pop up in our threat intelligence from firebox appliances to the interesting thing was so golden spy, it seems to be like a legitimate or somewhat nation state adjacent tax software from the Chinese government that has spyware in it. This golden helper tool was actually designed to go in and specifically remove that spyware, potentially from the same threat actor to try and clean up their tracks. Basically, it goes in and stops and deletes files that have similar names to like audio drivers and audio services and windows that they were using to try and hide their tracks. And it was signed by cryptographically signed by the China's state owned organization, I see no. So a lot of signs point to something sketchy potentially going on in that region that has at least some government backing and then going in to try and clean up their tracks afterwards. Two bad ones stood out to me is very interesting.


Corey Nachreiner  17:34  

And I believe the company was Trustwave that first talked about Golden spy.


Marc Laliberte  17:42  

And then the last one was a Moriah botnet variant popped up at number three and our most widespread malware threats. This one primarily targeting TP Link Archer devices. This one stood out to me because Mariah was what 2018 If I remember right 2016 has been quite a while now. But we've seen people take the original source code and just bolt on more and more. Not necessarily even sophisticated, just effective ways of accessing devices and infecting them and adding them to a botnet


Corey Nachreiner  18:15  

this variant the Midori me Are they even though it's based on the Moriah botnet they call it me or re botnet to but yeah, I like you say even though Mariah is old, I think whenever they find a vulnerability in a new, like consumer routing device, whether it be a wireless access point, or router or whatever, why not? Why not use the old code to to exploit the new vulnerable thing? So yeah, it does seem crazy. To me. Moray was so simple even back in its day. And yet, there's almost literally no protections on these little consumer gateway devices at all. So if you you misconfigure one and expose something to the internet, it's just so easy. So yeah, very weird. And I don't need more names like me or re to remember Mariah is enough. It's gonna


Marc Laliberte  19:06  

turn into like a Berenstain Bears kind of thing. 10 years. Yeah. Which was


Corey Nachreiner  19:10  

it? Was it Midori or who was at MRI, barons, etc. Berenstain.


Marc Laliberte  19:18  

So moving on the next section in the report is our network attacks, and they were actually up about 16% quarter over quarter to just shy of 100 network attacks per device in the quarter. If you're familiar with our reports, or our reviews of the reports, you'll know, you'll remember that the network attack section doesn't tend to change a whole lot quarter after quarter, that top 10 is pretty solidified as the top 10 Just most commonly exploited vulnerabilities for any given point in time. Like I think the proxy log on vulnerabilities and all the other exchange ones have basically been in there for quite some time now since they first popped out.


Corey Nachreiner  19:58  

I wouldn't say that It is one of the newbies though like the top 10 has remained stagnant forever, what usually will like suddenly make it change is if there's a huge easy to exploit flaw in common software which Microsoft Exchange. So proxy, that's a relatively new addition, I say relatively because there's a lot of crap in the top 10. That's like 10 years old. So that's only a year and a half old, right? Something like that. But it is essentially been in the top 10. since it came out a year, a couple years ago, let's say, Yep.


Marc Laliberte  20:33  

But there was actually a new edition and a pretty new addition, this quarter two coming in at number five overall, it was CVE 2023 25725, which I'm sure everyone listening knows exactly which one that is. If you're not familiar with that, one, it's a vulnerability in the proxy slash load balancing library called H A proxy. So this flaw came out last year, like relatively early in the year. If you're not familiar with H A proxy, it's a library you can use on like a Linux based system that you would put in front of one or more web servers to act as a load balancer that will look at incoming web requests. And then based off like the request path, or headers or whatever, figure out which one to route it to. And this vulnerability was effectively just a, I'll call it like a header manipulation issue, where attackers found that if you use like certain characters, or certain ways you could bypass or you could have the the proxy, evaluate the headers in one way, and thus route traffic. That's different than what the web server would ultimately receive. So it could basically allow you to circumvent maybe access controls that this proxy would have, or any other routing rules that are in there. So like Corey just said, sometimes when it impacts a whole bunch of software, it'll pop up in there. And this is absolutely one that is probably pretty prolific, at least in terms of H A proxy use across the internet. And so I can understand why it's come up and do the number five overall detections. And just like a half a year or so since it came out. Yep. A couple other new detections in there, we had a signature that's just designed to catch generic command injection vulnerabilities that wouldn't showed up for the first time in the report, I think number seven or so. But there's another interesting one Shellshock, so CVE 2014 6271. That is a 10 year old vulnerability in that case, and I think this was the most widespread is where this one popped up. But we saw a whole bunch of attempts to exploit shellshock pop in. And the reason I wanted to talk about this is so we maintain a honeypot network or a honey net for the WatchGuard threat lab, where it's designed to look like firebox appliances, so we can get like an early warning of what threat actors are doing targeting our customers. But by nature of being a bunch of web services exposed to the internet, we get all types of different exploit attempts against these devices. And starting towards the end of last year, and moving into quarter one of this year, we actually saw a pretty big wave of exploit attempts for Shell Shock, specifically targeting a vulnerability that existed in Sonic walls VPN appliance, but showing up in this honey net from at least one threat actor. So that was interesting, seeing like actual evidence of attempts to exploit a now 10 year old vulnerability Bolson are Honeynet that we maintained separately from this threat lab report normally, and from the telemetry we're actually getting from customer devices out there. And


Corey Nachreiner  23:51  

we see a lot of interesting things on our Honeynet. Yep. threat actor exists. Keep refreshing guys, there is no Honeynet. Exactly. We don't notice.


Marc Laliberte  24:04  

We definitely don't notice and if you want to see the IOCs from those a brute force attempts, it's on the threat labs and or the threat lab GitHub account. We've got an IOC repository that is maintained, updated, checks for updates every hour, but updates a constant list of known threat actor IP addresses that are trying to brute force firebox appliances. Anyways, tangent done. Last couple of things we saw for the quarter, mostly in the top by volume for a bunch more Apache struts vulnerabilities. I guess there's one number five in the the new signatures in that or not five number 48. And that new top 50 signatures, basically threat actors going after common web application frameworks where if there's a vulnerability that can get them command injection, they can potentially leverage that to exploiting any application that uses that framework. So moving on A last part of the firebox feed is our DNS firewalling section, where we look at mainly three buckets of domain name malicious domain names that are detected by a DNS watch or DNS firewalling service. We look at malware, which are websites that either distribute or facilitate command and control for malware infections, compromised websites, which are previously legitimate websites that are compromised to do something malicious and phishing websites which are you can probably guess, for the


Corey Nachreiner  25:30  

good sea bass for dinner. Exactly.


Marc Laliberte  25:33  

It's actually Bass Pro shop.com is typically in there. From the malware threats, I


Corey Nachreiner  25:39  

hope our listeners get sarcasm otherwise, like writing this down, avoid the top Bass Pro Shop, we


Marc Laliberte  25:47  

can have a writing down, it should go without saying do not visit any of these domains unless you're in the sandboxed environment because they are malicious by nature of being in this report. So there were a couple in here that were associated with the dark gate malware family, there was one leveraging AWS infrastructure, it was literally just a AWS EC two instance, they spun up in their own environment to act as command and control. But then another one right above that akamai.la, which at first glance, you might suspect is a legitimate Akamai CDN domain. But it is not. It's actually exactly malicious one they spun up to try and hide some of their tracks after as they go after potential victims. There were also a couple of domains in here associated with the Pandora spear malware, which was really interesting. So I had somehow missed this new story when it came out earlier in the year. But Pandora spear is a malware variant that specifically targets smart TVs. And so that goes after vulnerabilities and people that have exposed these TVs to the internet now why you would forward internet traffic to your Smart TV. That doesn't make a whole lot of sense to me. But if you did have your like LG or when I


Corey Nachreiner  27:04  

shouldn't be doing that. Exactly.


Marc Laliberte  27:06  

If you had it exposed to the internet, someone could potentially exploit a vulnerability on it and use that to install this malware payload on the TV. And compromise you I'm sorry, I this is funny as hell watching Corey accept a bunch of security warnings straight out. I'm literally


Corey Nachreiner  27:26  

trying to get the link so that I can show the show the research from Andorra sphere. But yeah, fun stuff.


Marc Laliberte  27:36  

The original research came out of China. But anyways, seeing specific threats targeting IoT is always interesting and going after smart TVs like didn't have a prediction around hacking smart TVs, probably three or four years ago now.


Corey Nachreiner  27:55  

Yeah, suddenly a little wasn't there. There was a another quote unquote Smart TV botnet that blew up in the news as being huge. But then other researchers said it was fake news, essentially. But I'm not I'm I'm honestly not surprised. And I don't know why they don't do it more. Because these TVs have a lot of plug and play networking features. They all come with. Like they're all crappy unhardened versions of Android I feel like are coming from some AIPAC vendor that's quick to Marcet. And smart TV makes excellent malicious bastion host on a network because who's going to think that that Smart TV is a Linux system and mapping your internal network and lateral moving all over the place? If I were a bad guy, I would target smart TVs at homes.


Marc Laliberte  28:45  

And if you want to know just how prolific this campaign was, the researchers claimed that at its peak, there were 170,000 active bots during this campaign, all mine at the same time. That's absolutely insane. The number of exposed smart TVs that were out there oopsie Yeah, oopsie indeed. And it's having it should go without saying that being able to compromise a smart device like that is like the golden goose for a threat actor because there's no way that you are going to catch their activity unless you're using something like a DNS firewall here because it's not like you've got EPD on your TV.


Corey Nachreiner  29:26  

And how many so Newser users have network, you know, types of security controls that is doing anomaly detection on their TV, you know, exactly, it's that's why it makes the ultimate malicious bastion host. People will not suspect it, at least in home environments.


Marc Laliberte  29:44  

At least in the home and hopefully everyone's monitoring their office environments for their smart TVs and


Corey Nachreiner  29:50  

when you need something like WatchGuard NVR network detection and response, which will definitely tell you if your TV's doing some weird things on the network. Make that happen. Honey Korea.


Marc Laliberte  30:04  

Last bit from the DNS watch section, we went through and reviewed a specific fishing example that we saw that was pretty interesting. The hook seems pretty dumb. But it seemed to at least catch a few people out where basically, they claimed that you could be receiving, like 10% of your car's value annually. And oh, by the way, you can get all of your Mr years as one lump sum payment, just click this link. If you click the link to download the instructions for it, you get a.js file, so a JavaScript file that if you then run locally on your machine, goes and downloads a another obfuscated JavaScript file, ultimately downloads a PowerShell file, which then goes and grabs other remote access Trojans, or a cobalt strike beacon to retain support and in some cases, even dropped legitimate copies of the net support remote access tool that was pre configured with the attackers account. Basically give them straight remote access into your machine using a quote unquote, legitimate tool. Some of the obfuscation in there was interesting. They basically had a, like a 65 kilobyte text file with really only five or six lines of actual code in it, the rest of it just being comments, to try and get past potentially, like scan size limits, or just researchers that don't want to scroll too far, I guess.


Corey Nachreiner  31:25  

But yeah, either. Or, if that section, whoever did it has pretty good detail about what's going on? I wonder who wrote that? Haha,


Marc Laliberte  31:34  

I think it was good detail. Thank you. So definitely check out the section if you want to see the entire analysis of that threat. It's in my humble opinion, pretty interesting. It is. So moving on then to the last section for the report where we go over endpoint threats, which typically differ pretty drastically from what we see at the perimeter at the network. I think you've mentioned before Corey, at the network perimeter, we tend to see like the droppers and the stagers. And because we're blocking them there, we don't typically see the end payload unless we go pull it down ourselves in the sandbox and review it. Whereas at the endpoint, we more commonly or at least more often than at the perimeter, get to see those final payloads and the actual threats that are ending up on the device. Yep. So a couple of standouts from the endpoint section. So first off the number of unique attacks, we blocked per 100,000 machines went up 75%, quarter over quarter, to around 173,000.


Corey Nachreiner  32:36  

And there's a 50% network lost endpoint got going?


Marc Laliberte  32:41  

Yep. That basically means around 1.75 detections per device, unique detections per device in the quarter. Interestingly, so we also track the number of like brand new detections, meaning like literally brand new MD, fives, new hashes, that was only around 88 per 100,000 for the quarter. So the bulk of the threats we saw are ones that have existed for at least a quarter.


Corey Nachreiner  33:07  

This is a funny turnaround for us, because you you're probably used to us in sightings, zero day malware in the network section and saying how signature AV is good for catching noise. But for encrypted traffic, what was it 60 64% Evade signature protection. So you better have something that can catch unique malware like behavioral analysis or machine learning which the endpoint has versions of too. But in this case, signatures were where it's at. I mean, the fact that there were so few unique threats, but a huge bump in malware means that our GA aren't it's not JV on endpoint, by the way, but the signature based portion of our endpoint was very active in catching most of that big bumper threats. If we're just guessing I mean, who knows why that is, it may be some new threat actors just spamming out variants that existed going straight to GitHub, and using async rat without trying to pack it. Which by the way, if you're a malware person, if you're not a researcher, you would in trying to do malware that stupid async rat is easily detectable unless you add something like packing your crypting are always within your ways. Pack your rats. That's right. compress those little figures. But yeah, we're waiting for me to say the word because you know, I would. Our producers finger was on the beep button. Yeah, but yeah, I just find it strange that we typically see a lot of new threats and endpoint too. So it's interesting that signatures actually really did a lot of the work this quarter. It seems like yep.


Marc Laliberte  34:48  

So in other trends from the endpoint ransomware attacks were down 25% quarter over quarter, and that was continuing a downward trend from previous quarters to So good news we've solved ransomware not a problem.


Corey Nachreiner  35:02  

Don't worry about it ever again, it's never going to be a problem.


Marc Laliberte  35:08  

One of the other things we track is the attack vector. So like for a endpoints read what was kind of the initial way it gained a foothold on the endpoint, like exploiting a specific application or using different methods. quarter over quarter, we historically saw scripts as the number one method, and it still is the number one, but it started to shrink a little bit. Like previously, it was around like 90% of all the endpoint threats we saw originated with a script, that's actually down to 48% of detections with Windows binaries, moving up to around 36%. And so they're still using a lot of living off the land techniques, just less scripting engines, and now potentially more windows utilities, like W PS exec, or why exactly come built into our machines.


Corey Nachreiner  35:58  

The one thing I found funny is this trend of Windows starting to show up which could still be living off the land attacks or other has been going on for the last two quarters before this. But the one thing I didn't notice as much as we one of our attack vectors is other, which is a catch all for all kinds of things that has been growing to, and I don't know, but that could be almost anything. So I need more detail the sandy thing about it, but I do think it's funny that other they're they're finding new ways. I mean, all of you are used to if you're you know files are typically unless it's living off the land the way to get malware. So you know that Acrobat and Office files can be dangerous, you know that browsers have vulnerabilities that bad guys target, you know that scripts are what bad guys use to start living off the land techniques. And sometimes the exploits living off the land binaries that exist in Windows, which can account for some of the windows growth. But what are the other techniques if it's growing, maybe they're finding new ways than the normal ways to get in. So maybe we should spend a report going into other it by the way, other does include things like if your are a pirate that goes to pirate bay, in download those auto kms tools that are supposed to give you like a crack from Microsoft products, they might have bad stuff, remote services, VNC and stuff like that. And other third party applications are the types of things that are in other.


Marc Laliberte  37:33  

Yep. One of the other categories we track are web browsers. And as a percentage overall, they only make up a pretty small percentage and things like six or 7% of total detections, or total threats. But within browsers, we also track specific web browsers. And historically, we've seen things like Internet Explorer or Firefox be the kind of the bigger ones in here despite Chrome's and Chromium is larger Marcet share. But this quarter finally kicks that trend. And now Chrome or chromium based browsers, which includes edge edge, and whatever else uses chrome brave, were around 78% of the threats that started with a web browser, which I think is starting to actually reflect their Marcet share reality. That exactly map


Corey Nachreiner  38:23  

honestly, once once Microsoft went edge, this should be chrome every time the fact that was Firefox in q4 was kind of a unusual thing. I didn't dig into that. But I wonder that the only time I would expect it not to be Chrome is if another browser had something like a a big zero day that had come out the quarter before or something like that.


Marc Laliberte  38:46  

Yep. Or at least the popular plugin for that specific browser could be gobbled up into this too. I'll say this quarter was probably just me as the lone Firefox user left in the world, clicking a bunch of malware links over and over and over


Corey Nachreiner  39:00  

doing your research. Exactly.


Marc Laliberte  39:03  

So I guess let's end Corey with going through our conclusions that we had for the overall report. And do you want to take the first one?


Corey Nachreiner  39:12  

Yeah, just a big one takeaway you saw on this is there were a couple IoT Internet of Things based attacks the Pandora sphere, Smart TV thing we just got talking to him talking about that Marc wrote about in our DNS watch section, but also the fact that Moriah Moray, I already forgot the other way that they you saved them arrived variants Newari Midori, thank you. That you know, there's still Mariah code out there going after the latest weird consumer device. By the way I happen to have it wasn't one of the affected but I do have I'm bad OpSec I'm telling every attacker that I have a TP Link Archer type wireless access point. So one of the types that might be targeted that attack so The point is, like, we just talked about it IoT hardware, things that are really Linux computers, but don't look like them. They're perfect for threat actors. Because one, as IoT device, you can't install security software on it. So you're already limited in how you can protect it, you can only protect it from network means. And a lot of these consumer devices are in places, whether their homes or really small offices, or Starbucks guest networks, that, that they don't have the sophisticated network security to really analyze what's going on there. So how do you go about protecting hardware to you have to protect hardware too? So the answer is definitely patch your hardware, like how luckily, a lot of things like consumer smart TVs and consoles have a concept of auto patching, they'll force you to it. But I could tell you that before they had auto patching is a default, how many smart TV users would ever go in and go and update their their Smart TV or their Apple OS, it just doesn't happen. Doing that alone can fix a lot of vulnerabilities that might have been the reason that someone wrote me or re for a TP links or whatever it is, then we talked about other network security controls you can do, we highly recommend you segment IoT stuff, if you have, if you're at least on a network where you have like or even at home, maybe you should have two, two networks. You know, you do online banking, have any computers that have private data on a separate network, and then have all your toys, your consoles, your TVs and your other crap on another thing, even a basic NetGear router, or even the one your ISP gives you at home can have a concept of two private networks. So take advantage of that segment your IoT from the trusted devices at the office. By the way, that translates obviously to you know, you don't want a smart TV sitting on the same network as your domain controller. And that's another way to protect it. And finally, the paying the bills part Marc said is we are in a soon to release, I feel like it might even be in by the end of this month. Network detection and response a WatchGuard service that can monitor unusual traffic happening at your network. It's literally designed that if you have you know, besides the firebox already blocking stuff coming in and out of your network, this can integrate with any switches you have, and actually pay attention to all the traffic happening on your network. And if your Smart TV or TP Link wireless access point your conferencing system in a meeting room, if it starts to do things that are weird NDR network detection and response will notice it. So consider those types of things to protect those IoT devices.


Marc Laliberte  42:48  

Quick personal aside, I have to admit that with my old TV, I was the worst about keeping updates installed on it, it was a Samsung one. And it was one where to install the update, when you hit the update button, you would be unable to use the TV for the next day. And so I kept putting off because the only time I turned on the TV is when you know my wife and I wanted to watch a show or something. No, I didn't want to delay for 15 minutes. So hats off to TV manufacturers or maybe just LG specifically, where the new one you didn't queue or update it, it will install it and then it will wait until you turn off the TV or the next time you restart it to actually do like the the disruption part of the update. So it's fantastic. And that has made it way easier. Just Yep. update every time.


Corey Nachreiner  43:32  

I think the consumer people realize especially maybe if governments are going to start making them a liable for vulnerabilities that they can't rely on the user. So they have to just make the over the air in this case, not literally over the air. But you know what I mean, the automatic corporate for stuff to happen, but do it in a frictionless environment. Because I agree with you like when you turn on a TV, it's to watch something immediately because you're finally off work. And if your first pop up is hey, there's an update. Do you want to do it? It's like, Ah, no.


Marc Laliberte  44:04  

Exactly. So the second takeaway we had was not a new one. This is one I feel like we've repeated at least once a year in the report. But really, make sure you're training your users on on spotting unsolicited Office documents and treating them suspiciously like at the end of the day. Office documents are not a inherently safe attachment. And in fact, especially if you're getting them unsolicited from external folks. It's a pretty unsafe attachment. And while Microsoft has done a good job of adding protections to help protect our users from shooting themselves in the foot, there are still ways to circumvent some of those protections. And there's a


Corey Nachreiner  44:42  

reason we repeated this tip Marc and it's kind of we didn't they read the report, but we do this mostly so you can read all the other stuff we haven't covered in the report. But there was a new section in the endpoint section of the report which actually you know, just like we talked about malware, it's the attack vectors and grow browser's the most common browser. That wasn't new information. But the new information is we added the most common malicious Office document and excel one by far. So while PowerPoint Word documents, even all the weird template documents and other Office documents can be, you know, if there's vulnerabilities booby trapped, it appears according to our endpoint data that Excel is the most commonly booby trapped document or, you know, malicious, potentially malicious document. So while it's repeated advice, the little extra thing is to train your users that Office documents can be bad, but be especially careful of Excel documents, which I think is easy to like. The issue with training your users to be aware of Office documents, is just by their name alone, Office documents are like the most common thing you're doing in workplace, your office has to use these documents. But I would say other than, like, I would say 90% of normal employees probably use word a lot, maybe a small percentage use that have 2% use PowerPoint, Excel at least is limited to like accounting roles, that none I mean, not completely, but it's the lesser used document for an average employee. So if you're not an accountant, and you're not a I don't know, an engineer or project manager, just leave Excel documents that you have no clue what they are alone, don't even go near them. And if you are one of those people, I think we we joked about it as being sarcastic about clicking all the things but the advice is, don't be a Corey. Don't click all the things when you open an office document and enable macros, enable content, enable any pop up that it says do not do that. Do not do that. Even if it comes from someone you know, until you validate that hey, did you really send me this document and be did you make the macro that's in this document? Can Is it safe for me to use it?


Marc Laliberte  46:59  

Don't be a Corey? What's that's pretty sage advice of


Corey Nachreiner  47:02  

saying, I don't know why I helped you roast me by continuing your theme of me clicking everything.


Marc Laliberte  47:10  

Which is not a truth, by the way. Anyways, you want to take the last defensive tip, or


Corey Nachreiner  47:18  

tonight and tonight kind of take yours to go ahead. botnet botnets you know, besides Midori being and Panda Sphere Being IoT attacks, they are also botnets. They're they're the type of attack that infect multiple devices and go back to command and control. And then of course, a dark gate you mentioned what section as was said in Word dark eight popped up as well. All of these are botnets I think you guys know what that is. But botnets still exist. Obviously, you should make sure you're not part of a botnet, the commons, you know all the ways to get you don't want to get the malware in the first place. But I think we've talked about how not to get malware used the endpoint protection use network protection. For botnets. It's mostly about having services that monitor for network activity, malicious network activity, one, c two channels, there's a lot of services and products out there, including our botnet protection that we'll have a list of known see to IPs. In some cases with things like web blocker and DNS watch, see two domains. And if you do somehow get infected with a botnet, remember that turn those services on, we can at least prevent you from getting back to the main master controller, and maybe present vent vent the bad stuff from happening if he can't control the botnet egress filtering is something we also heavily recommend. Everyone uses firewalls, whether they're next generation or not to prevent people from coming in. But a lot of people leave the doors wide open out, do not leave the doors wide open out. I mean, why do you need to allow every port and every type of network traffic necessary like in the world only allow what's necessary things like DNS web browsing email, obviously, maybe the remote services, there are things each department will need to go out and do through the internet. And you should allow all that stuff. But rather than the easy button of allowing everything forcefully allow each protocol and by doing that you're not allowing the majority of ports and the sometimes not always, but sometimes botnets may not use the the normal HTTPS port and might use something else and you can inadvertently block botnets by just the fact that you don't have everything out policy. And finally again, just keeping the lights on for our podcast and Dr could help here too. Because again, the C two traffic and you know if you have malware in your network, that's not the end of the story. It's not too late. You still can detect it before it does more damage and actually exfiltrate stuff goes back to the C two. And the art could help detect some of the internal, you know, the going out C to traffic that might happen from a botnet if things like DNS watch and everything else doesn't catch it. So check out our new network detection and response service. This ad brought for you by WatchGuard. The proud sponsors of the horror four three security podcast.


Marc Laliberte  50:21  

I think if you're gonna do that, you got to say the actual name, which is what thread sync plus NDR There you go. Yeah, get it right. Are our sponsors are going to pull their funding? Dammit.


Corey Nachreiner  50:33  

Oh, does that need to be the right?


Marc Laliberte  50:35  

I don't think so. Is that now? I'm gonna say no. But I also have no idea what I'm talking about. So either way, interesting trends from this quarter in the report. And we're always looking to try and find new trends or new slices of the data as well. So if you have any feedback, please do shoot us a message or what is it WatchGuard underscore technologies on Instagram. I would love to see someone talking about Internet Security report data on Instagram that feels like a interesting forum for something that nerdy but anyways, hopefully you found it interesting. And I guess next week, we will be back with the latest news and hot takes on whatever's hacking in the hacking verse. Hey, everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, please reach out to us on Instagram. We're at WatchGuard underscore technologies. And if you find a better social media platform than that, please also let us know on Instagram. Thanks again for listening though, and you will hear from us next week.


Corey Nachreiner  51:52  

But if it's x you're fired, no more feedback from you.