
WatchGuard Report Finds 94% Increase in Network Malware

WatchGuard reports a 94% spike in network-based malware in Q4 2024, revealing a rise in evasive threats and stressing the need for layered defenses.

Apr 16, 2025

Unified cybersecurity leader WatchGuard recently unveiled its latest Internet Security Report, which discovered a 94 percent increase in network-based malware detections, signaling an increase in threats.

This quarterly report details the top malware, network, and endpoint security threats observed by WatchGuard Threat Lab researchers during Q4 of 2024.

Research finds increases across malware types and proactive detection success

The report also found an increase across all malware detections, with a six percent rise in Gateway AntiVirus (GAV) detections and a 74 percent increase in Advanced Persistent Threat (APT) Blocker detections. Proactive machine learning detections from IntelligentAV (IAV) also rose significantly, with the increase reaching 315 percent. This indicates that more proactive anti-malware services are catching sophisticated, evasive malware originating from encrypted channels.

“The findings from our Q4 2024 Internet Security Report reveal a cybersecurity landscape where attackers are both continuously relying on old habits and low-hanging fruit vulnerabilities and flaws that are easy to exploit while also leveraging evasive malware techniques to evade traditional defenses,” said Corey Nachreiner, chief security officer, WatchGuard Technologies. “The data illustrates the importance of staying vigilant with the basics: proactively keep systems updated, monitor for abnormal activity, and use layered defenses to catch the inevitable exploit attempts across networks and endpoints. By doing so, businesses can greatly mitigate the threats demonstrated this quarter and be prepared for what adversaries and the evolving threat landscape may bring.”

Additional key findings

Among further findings in the WatchGuard Q4 Internet Security Report are:

  • Zero-Day malware reportedly rebounded to 53 percent in Q4, up from a low 20 percent in Q3. WatchGuard says this reinforces the report’s earlier observation that malware increasingly comes in encrypted connections, with those encrypted channels delivering more sophisticated and evasive threats.
  • Total unique malware threats decreased by 91 percent for the quarter. WatchGuard states that it is likely due to a reduction in one-off targeted attacks and an increase in generic malware. “However, fewer threats do not mean that the threats that attempt to slip through defenses will be simple attacks if not addressed quickly and diligently,” the report says.
  • Network attacks declined 27 percent from Q3, but findings revealed that many tried-and-true exploits persist as top attacks in Q4. 
  • The list of top phishing domains remains unchanged from Q3, highlighting the ongoing use of persistent and high-impact phishing infrastructure. SharePoint-themed phishing domains indicate that attackers continue to exploit business email compromise (BEC) tactics to target organizations that rely on Office 365 services.
  • Living-off-the-land (LotL) attacks, which abuse legitimate system tools like PowerShell, Windows Management Instrumentation (WMI), or Office macros instead of using external malware to load malware, are trending. PowerShell injection and scripts have been leveraged in 61 percent of endpoint attack techniques, accounting for nearly 83 percent of all endpoint attack vectors.
  • More than half of the top 10 network detections are generic signatures, which catch common web app flaws. This shows that attackers are still using “bread and butter”-style attacks en masse.

“Consistent with WatchGuard’s Unified Security Platform approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts,” the organization said.

Threat detection is a core part of WatchGuard’s work as a security solutions provider. Learn more about WatchGuard’s recent acquisition of ActZero to strengthen managed detection and response (MDR) services.

Jordan Smith

Jordan Smith is a news writer who has seven years of experience as a journalist, copywriter, podcaster, and copyeditor. He has worked with both written and audio media formats, contributing to IT publications such as MeriTalk, HCLTech, and Channel Insider, and participating in podcasts and panel moderation for IT events.
