Guest Column | December 19, 2022

New WatchGuard Report Reveals Top Malware Trends And Network Security Threats

By Corey Nachreiner, WatchGuard Technologies


Cybersecurity threats continue to grow yearly, with the threat landscape constantly evolving and hackers’ methods becoming increasingly sophisticated and unpredictable. This complexity, coupled with a large cybersecurity skills gap, is leading many organizations to outsource their security. MSPs and MSSPs must keep up to date on the current state of threats to keep their clients safe. Each quarter WatchGuard Technologies publishes an Internet Security Report which provides insight into the top malware trends and network security threats over the previous three months.

The most striking statistic from the Q2 2022 Internet Security Report revealed that 81% of malware detections came via TLS-encrypted (specifically, HTTPS) connections. Despite an overall decrease in malware volume, the significant surge in encrypted malware continued a worrisome upward trend seen in previous quarters. In other words, attackers are reducing the volume of malware they’re attempting to deliver in favor of more elusive malware. As a result, organizations relying only on signature-based antivirus and not inspecting encrypted traffic at the network perimeter are simply not detecting the majority of malware hitting their networks.

Other important findings to keep in mind include:

  • Network-based malware detections dropped 15.7% quarter over quarter during Q2. This includes drops in both basic malware detected by our Gateway AntiVirus (GAV) service (~11.7 million detections) and evasive or zero-day malware detected by advanced anti-malware services like APT Blocker (6.4 million detections).
  • Emotet’s resurgence continues. We continue to see high detections for the Emotet trojan or botnet, despite the FBI and global authorities’ takedown of one variant’s command and control (C2) infrastructure early last year. That said, we still see Emotet volume declining since Q1 2022.
  • Over 81% of malware hides behind encryption. We’ve previously warned about malware that’s hidden by the SSL/TLS encryption used by secured websites. That became even more apparent in Q2 when the overwhelming majority of malware arrived over TLS. Organizations that don’t enable HTTPS decryption (and, unfortunately, our data shows many still don’t) will have a much harder time blocking modern threats.
  • Yet again, over half of malware (53.1%) evades signature detection, though this has decreased about four points since Q1. Q2 is now the third quarter in a row we saw a decrease in zero-day malware (malware without a signature). While it’s great to see a reduction in this type of evasive malware, this number rises to over 80% when looking at malware that arrives over encrypted connections. In general, you can presume that any threat actor trying to deliver malware over encryption probably also does the work to evade signature detection.
  • Office exploits continue to spread more than any other category of malware. In fact, the quarter’s top incident was the Follina Office exploit (CVE-2022-30190), which was first reported in April and not patched until late May. Delivered via a malicious document, Follina was able to circumvent Windows Protected View and Windows Defender and has been actively exploited by threat actors, including nation states. Three other Office exploits (CVE-2018-0802, RTF-ObfsObjDat.Gen, and CVE-2017-11882) were widely detected in Germany and Greece.
  • Network attack volume dropped almost 10% (9.9%) quarter-over-quarter, continuing its downward trend after Q4’s four-year high. It also was down over 22% compared to Q2 2021.
  • In Q2 2022, scripts accounted for 87% of all malware detections. That is a meager one-point decrease from Q1 but still illustrates that most malware is delivered via malicious scripts, typically written in PowerShell or JavaScript. You should employ endpoint detection and response (EDR) solutions to protect against these living-off-the-land (LotL) attacks.

While overall malware attacks in Q2 fell off from the all-time highs seen in previous quarters, the jump in TLS-encrypted connection-based detections could potentially mean that threat actors are shifting their tactics to rely on more evasive malware. So, if there’s one key takeaway for MSPs, MSSPs, and their customers, it’s that traditional anti-malware solutions alone are just not enough when defending against today’s threats, and they should leverage TLS deep packet inspection (DPI) in network security products.

Organizations need a comprehensive, multi-layered cybersecurity strategy, with different types of security (such as network, endpoint, Wi-Fi, and identity protection) working together to speed up threat detection and response processes. By staying tuned in to today’s threat landscape, MSPs and MSSPs can protect their customers against the scariest bugs lurking in the corners of the internet.

About The Author

Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard's technology vision and direction. Previously, he was the director of strategy and research at WatchGuard. Nachreiner has operated at the frontline of cyber security for 16 years and has been evaluating and making accurate predictions about information security trends for nearly a decade. As an authority on network security and internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec, and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, eWeek, Help Net Security, Information Week, and Infosecurity, and delivers WatchGuard's "Daily Security Byte" video on Facebook.