Fileless Malware, Endpoint Attacks on the Rise

Cybercriminals are increasingly leveraging fileless malware, cryptominers and encrypted attacks, targeting users both at remote locations as well as corporate assets behind the traditional network perimeter.

These were among the findings of WatchGuard Technologies’ Internet Security Report for Q4 2020, which found fileless malware and cryptominer attack rates grew by nearly 900% and 25%, respectively, while unique ransomware payloads plummeted by 48% in 2020 compared to 2019.

The report also found botnet malware targeting IoT devices and routers became a top strain, among them the Linux.Generic virus (also known as “The Moon”), malware which is part of a network of servers that directly targets IoT devices and consumer-grade network devices, like routers, to exploit any open vulnerabilities.

Total network attack detections grew by 5% in Q4, reaching their highest level in more than two years, while total unique network attack signatures showed steady growth as well, with a 4% increase compared with the third quarter of 2020.

“We believe the increase in endpoint attacks between 2019 and 2020 is largely due to the widespread rise of remote work in response to the global pandemic,” Corey Nachreiner, WatchGuard CTO, explained. “As more employees work from home, beyond the traditional corporate protections provided within the network perimeter, endpoints become a more enticing and lucrative target for attackers.”

He said organizations should deploy a strong endpoint protection (EPP) suite to protect home-based machines and/or adopt a managed detection and response (MDR) service from their managed service provider (MSP) of choice to monitor off-network endpoints at scale.

“Remote work is here to stay, and that means endpoint security should be a top priority for businesses of all types and sizes,” Nachreiner said.

Additional best practices include keeping browsers updated, guarding against common malicious script delivery methods, and keeping alert on ransomware, despite the steep drop in the ransomware payload volume last year.

“Attackers are simply taking a more targeted, strategic approach, which means fewer attacks that are dramatically more damaging,” he explained. “Keep in mind that any organization with valuable data is still at risk, and that a strong, layered anti-malware defense paired with regular data backups is the key to keeping the lights on after an attempted attack.”

Nachreiner noted cybercriminals are leaning into fileless malware because these threats are exceptional at avoiding detection by traditional defenses, which tend to focus mostly on scanning files.

“You can’t scan a file that doesn’t exist,” he said, but noted deploying endpoint detection and response (EDR) solutions alongside preventative anti-malware solutions can help identify and mitigate these threats.

Nachreiner said the increase in cryptominer attack detections in 2020 is likely the result of the recent resurgence in cryptocurrency prices late last year after the lows of 2018 and 2019, and the ease with which attackers can generate passive income by adding cryptominer modules to existing botnet infections.

When it comes to defending against encrypted malware and network attacks, he said encrypted malware is designed to evade traditional network-based anti-malware engines, warning these attacks are essentially invisible in the absence of security services with HTTPS inspection capabilities.

“The best way to mitigate encrypted threats on the network is to deploy HTTPS inspections and behavior-based threat detection and response solutions capable of identifying advanced persistent threats delivered through encrypted connections,” Nachreiner said.

He pointed out the good news – endpoint protections can scan encrypted and clear text threats equally.

“Since endpoint protection resides on the host receiving any network traffic, it naturally sees the unencrypted result,” he said. “If you can’t decrypt network traffic, endpoint security solutions can help out.”

By adopting a layered defense posture with these types of advanced security services for both the network perimeter and the endpoints themselves, organizations will be more likely to catch these threats.

Nachreiner noted the SolarWinds breach continues the major, ongoing trend of supply chains exposing us to threats that are much harder to stop.

“We’ve seen this in the past, with the Ccleaner infection a few years ago, as well. It has even happened recently with the PHP Group’s code repository,” he said. “In short, threat actors realize how digitally connected the world is today, and will try to booby trap the tools and technologies we use, as a way to break in.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 292 posts and counting.See all posts by nathan-eddy