Endpoints

Chris Swagler | January 30th, 2022


Data from a 2021 Q3 cybersecurity report indicates that even though total perimeter malware detection volume in endpoints has decreased from the highs reached in the previous quarter, endpoint malware detections surpassed the total volume observed in 2020. Additionally, a huge percentage of malware continues to arrive over encrypted connections, extending the trends from previous quarters.

Endpoints Targeted By Malware and Ransomware

Even though the total volume of network attacks on endpoints slightly decreased in Q3, malware per device increased for the first time since the pandemic started. As security environments continue to present challenges, companies should focus on the persistent and concerning trends that weigh most heavily on their security posture. The accelerated use of encrypted connections to deliver zero-day malware is an important example: almost half of zero-day malware is delivered over encrypted connections. Total zero-day malware increased by 3% in Q3, and the percentage of malware arriving over Transport Layer Security (TLS) rose significantly to 47%. A lower percentage of encrypted zero-days is considered advanced; however, the trend is still concerning, because the data indicates that many companies are not decrypting these connections and therefore have poor visibility into much of the malware reaching their networks.

As more users upgrade Microsoft Windows and Office on their systems, threat operators increasingly focus on newer vulnerabilities. At the same time, unpatched vulnerabilities in older software remain a hunting ground for threat operators looking to exploit weaknesses in the latest versions of Microsoft’s widely used products. Exploits for CVE-2018-0802, a vulnerability in the Equation Editor in Microsoft Office, ranked number 6 on the top 10 gateway antivirus malware by volume list after appearing as the most widespread malware in the previous quarter. Additionally, two Windows code injectors (Win32/Heim.D and Win32/Heri) appeared as numbers 1 and 6 on the most-detected list.

Overall network attack detections have returned to their normal trajectory; however, they continue to pose significant risks. Roughly 4.1 million unique network exploits were detected, which dropped to 21. The shift does not mean adversaries are easing up; they may instead be shifting their focus to more targeted attacks. Of nearly 5 million hits detected, 81% were attributed to the top 10 signatures. Only one signature from the top 10, “WEB Remote File Inclusion/etc/passwd” (1054837), targets older Microsoft Internet Information Services (IIS) web servers. Another signature (1059160), an SQL injection signature, maintained the top position on the list.

Scripting attacks on endpoints continue at a record pace, with 10% more attack scripts than before. With hybrid workforces looking like the rule rather than the exception, a strong perimeter alone is not enough to prevent threats. Although cybercriminals have several ways to attack endpoints, including application exploits and script-based living-off-the-land attacks, even operators with limited skills can fully execute a malware payload and evade basic endpoint detection with scripting tools such as PowerSploit, PowerWare, and Cobalt Strike.

Even trusted domains can be compromised. A protocol flaw in Microsoft’s Exchange Server Autodiscover system allows operators to collect domain credentials and compromise several otherwise trustworthy domains. A total of 5.6 million malicious domains were blocked, including several new malware domains attempting to install crypto-mining software, keyloggers, and remote access trojans (RATs), as well as phishing domains disguised as SharePoint sites to harvest Office 365 login credentials. The number of blocked domains is several times higher than normal, indicating that companies need to focus on updating their servers, databases, websites, and systems with the latest patches to close vulnerabilities that threat operators could otherwise exploit.

Ransomware attacks reached 105% of 2020 levels and are on pace to reach 150% once the full 2021 data is analyzed. Ransomware-as-a-service (RaaS) operations, including REvil and GandCrab, lower the bar for cybercriminals with little or no coding skills by providing the infrastructure and malware payloads to launch global attacks in exchange for a percentage of the ransom. The Kaseya incident is a good example of the ongoing threat of digital supply chain attacks: dozens of United States companies reported ransomware attacks against their endpoints as a result.

Threat operators working with the REvil RaaS operation exploited three zero-day vulnerabilities, including CVE-2021-30116 and CVE-2021-30118, in Kaseya VSA Remote Monitoring and Management (RMM) software to deploy ransomware to 1,500 companies and millions of endpoints. Even though the FBI compromised REvil’s servers and obtained a decryption key, the attack is a reminder that companies need to proactively take steps, including adopting zero trust, applying the principle of least privilege to vendor access, and ensuring systems are patched and updated, to reduce the impact of supply chain attacks.

With malware and ransomware groups becoming more brazen in targeting companies’ endpoints, it is critical for companies to stay alert to the current threat landscape and keep their security infrastructure updated to prevent potential breaches. At SpearTip, the certified engineers in our 24/7 Security Operations Centers work in a continuous investigative cycle monitoring the company’s network and are ready to respond to breaches at a moment’s notice. The best way for companies to protect their devices and networks is to be proactive. SpearTip’s ShadowSpear, our endpoint detection and response platform, is a proactive tool for preventing ransomware groups and malware from breaching companies’ endpoints.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
