New WatchGuard Threat Lab Report Finds Threat Actors Attempting to Turn Blockchains Into Hosts of Malicious Content
New WatchGuard Threat Lab Report Finds Threat Actors Attempting to Turn Blockchains Into Hosts of Malicious Content
WatchGuard Technologies has released the findings of its latest Internet Security Report, a quarterly analysis detailing the top malware, network and endpoint security threats observed by WatchGuard Threat Lab researchers during the second quarter of 2024.
Among the report's key findings was that seven of the top 10 malware threats by volume were new this quarter, indicating that threat actors are pivoting toward these techniques. The new top threats included Lumma Stealer, an advanced malware that's designed to steal sensitive data from compromised systems; a Mirai Botnet variant, which infects smart devices and enables threat actors to turn them into remotely controlled bots; and LokiBot malware, which targets Windows and Android devices and aims to steal credential information.
The Threat Lab also observed new instances of threat actors employing "EtherHiding," a method of embedding malicious PowerShell scripts in blockchains such as Binance Smart Contracts. In these instances, a fake error message linking to the malicious script appears on compromised websites, prompting victims to "update your browser." Malicious code in blockchains poses a long-term threat, as blockchains are not meant to be changed and, theoretically, a blockchain could become an immutable host of malicious content.
"The latest findings in the Q2 2024 Internet Security Report reflect how threat actors tend to fall into patterns of behavior, with certain attack techniques becoming trendy and dominant in waves," said Corey Nachreiner, chief security officer, WatchGuard Technologies. "Our latest findings also illustrate the importance of routinely updating and patching software and systems to address security gaps and ensure threat actors cannot exploit older vulnerabilities. Adopting a defense-in-depth approach, which can be executed effectively by a dedicated managed service provider, is a vital step toward combating these security challenges successfully."
Additional key findings from WatchGuard's Q2 2024 Internet Security Report include:
- Malware detections were down 24% overall. This drop was caused by a 35% decrease in signature-based detections. However, threat actors were simply shifting focus to more evasive malware. In Q2 2024, the Threat Lab's advanced behavioral engine that identifies ransomware, zero-day threats and evolving malware threats, found a 168% increase in evasive malware detections quarter-over-quarter.
- Network attacks increased 33% from Q1 2024. Across regions, the Asia Pacific accounted for 56% of all network attack detections, more than doubling since the previous quarter.
- An NGINX vulnerability, originally detected in 2019, was the top network attack by volume in Q2 2024, though it had not appeared in the Threat Lab's Top 50 network attacks in previous quarters. The vulnerability accounted for 29% of total network attack detection volume, or approximately 724,000 detections across the US, EMEA and APAC.
- The Fuzzbunch hacking toolkit emerged as the second-highest endpoint malware threat detected by volume. The toolkit, which serves as an open-source framework that can be used to attack Windows operating systems, was stolen during The Shadow Brokers' attack of the Equation Group, an NSA contractor, in 2016.
- Seventy-four percent of all browser-initiated endpoint malware attacks targeted Chromium-based browsers, which include Google Chrome, Microsoft Edge and Brave.
- A signature that detects malicious web content, trojan.html.hidden.1.gen, came in as the fourth most-widespread malware variant. The most common threat category caught by this signature involved phishing campaigns that gather credentials from a user's browser and deliver this information to an attacker-controlled server. Curiously, the Threat Lab observed a sample of this signature targeting students and faculty at Valdosta State University in Georgia.
Consistent with WatchGuard's Unified Security Platform approach and the WatchGuard Threat Lab's previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard's research efforts.
For a more in-depth view of WatchGuard's research, download the complete Q2 2024 Internet Security Report here: https://www.watchguard.com/wgrd-resource-center/security-report-q2-2024