New Research Highlights Importance of HTTPS Inspection to Detect Encrypted Malware

Two-thirds of malware in Q1 2020 was delivered via HTTPS traffic, Monero cryptominers are on the rise and more

By Marc Laliberte, Senior Security Analyst at WatchGuard Technologies

Today’s threat landscape is evolving rapidly. Attackers are constantly adjusting their tactics and finding new ways to infiltrate organizations to steal valuable data. As such, businesses must remain up to date on the industry’s latest threat intelligence in order to know their enemy and shore up defenses. That’s why each quarter, WatchGuard’s Threat Lab research team produces a report on the latest trends in malware and network attacks based on anonymized data from WatchGuard security appliances deployed around the world.

Our latest Internet Security Report included many key findings and best practices that midmarket organizations and the managed service providers that support them can use to ensure that their defenses are up to the task of fending off today’s most prevalent security attacks. Let’s dive in:

  1. Two-Thirds of Malware is Encrypted, Invisible Without HTTPS Inspection. An incredible 67% of malware is delivered via HTTPS traffic. This means that organizations without security tools that can decrypt and examine HTTPS traffic will miss a full two-thirds of security threats! We also found that 72% of the malware delivered via encrypted HTTPS was new or “zero day,” meaning no antivirus signature exists for it and it will not be blocked by legacy signature-based antimalware methods. Not only are two out of every three pieces of malware in the wild delivered through an encrypted channel, but that malware is also more difficult for traditional antivirus to detect!

This data clearly shows that HTTPS inspection and advanced behavior-based threat detection and response solutions are now requirements for every security-conscious organization. Many IT and security teams are unenthusiastic about setting up HTTPS inspection because it requires extra work with certificates on individual endpoints – it’s not just a feature within security tools that can be switched on and off. HTTPS inspection can also slow down the throughput of some network security tools, so some organizations aren’t able to maintain high network speeds while inspecting encrypted traffic. While I’m sympathetic to these concerns (especially for midmarket businesses with limited IT and security expertise), letting this traffic though a firewall without inspecting it is no longer a safe option and there are network security platforms that offer HTTPS inspection while maintaining good network speeds. Given the magnitude of the threat, the only reliable approach to defense is implementing a set of layered security services that include advanced threat detection methods and HTTPS inspection.

  1. COVID-19 Impacts Security in a BIG way. Q1 2020 was only the start of the massive changes to the cyber threat landscape brought on by the COVID-19 pandemic. Even in just these first three months of 2020, we saw a dramatic rise in remote workers and attacks targeting those individuals. Phishing attempts increased, and the greater number of employees operating outside the traditional network perimeter led to more attacks aimed at remote desktop technologies. We strongly recommend that all organizations follow phishing best practices and make sure to secure remote access technologies by requiring employees to use a mobile VPN and not exposing services to the internet that shouldn’t be. Additionally, companies should deploy secure MFA as an additional protection layer against password-based attacks.
  1. Cryptominers are on the rise. Five of the top ten domains (identified by our DNS filtering service) distributing malware either hosted or controlled Monero cryptominers. This sudden jump in cryptominer popularity could simply be due to its utility; adding a cryptomining module to malware is an easy way for online criminals to generate passive income.
  2. Flawed-Ammyy and Cryxos malware grow in popularity. The Cryxos trojan was third on WatchGuard’s top-five encrypted malware list and also third on its top-five most widespread malware detections list, primarily targeting Hong Kong. It is delivered as an email attachment disguised as an invoice and will ask the user to enter their email and password, which it then stores. Flawed-Ammyy is a support scam where the attacker uses the Ammyy Admin support software to gain remote access to the victim’s computer.
  3. Ancient Adobe vulnerability surfaces as top network attack. An Adobe Acrobat Reader exploit that was patched in Aug. 2017 has appeared in WatchGuard’s top network attacks list for the first time. This vulnerability reappearing several years after being discovered and resolved illustrates the critical importance of regularly patching and updating systems.
  4. Attackers use reputable domains to launch spear phishing attacks. Three new domains hosting phishing campaigns appeared as top attacks. These domains convincingly impersonated digital marketing and analytics product Mapp Engage, online betting platform Bet365 and an AT&T login page (this campaign is no longer active at the time of the report’s publication).

In conclusion, our latest analysis on malware and network attack trends show a clear need for organizations to decrypt and inspect secure web traffic and to deploy modern anti-malware technologies that use behavior-based or machine learning techniques to detect malware that signature-based solutions will miss. As the wide variety of threats and techniques present in our other findings indicate, organizations should implement a layered security approach with multiple, overlapping security services including strong endpoint protection, mobile VPN, multi-factor authentication and more to better protect employees working from home during the current crisis and beyond.

About the Author

Marc Laliberte AuthorMarc Laliberte is a Sr. Security Analyst at WatchGuard Technologies. Marc joined the WatchGuard team in 2012. Specializing in networking security technologies, Marc’s responsibilities include researching and reporting on modern information security trends. With speaking appearances and regular contributions to online IT publications, Marc is a thought leader providing security guidance to all levels of IT personnel.

Marc can be reached on Twitter at @XORRO_ and at our company website https://www.watchguard.com.