By Emil Hozan, Security Analyst, WatchGuard Technologies

As the security landscape continues to grow and shift, WatchGuard’s Threat Lab research team continues to offer insights into the latest malware and network attacks with its quarterly Internet Security Report (ISR). This edition of the report covers the top cyber-threats affecting midmarket businesses in the second quarter of 2019 and is based on anonymized network telemetry data from tens of thousands of WatchGuard appliances deployed around the world. It includes both bulk data from Q2 2019 – for example, showing there was a slight decrease in malware variants (to approximately 22.6 million total) and a more than doubling of network attacks (to approximately 2.2 million total) – and a variety of other critical security insights and trends for the midmarket.

From new types of malware to a spike in SQL injection attacks, to malware campaigns hiding malicious content on legitimate Content Delivery Networks like CloudFront and SharePoint, let’s dig into some of the key insights and trends from the latest report.

Quarterly Malware Decreases, Year Over Year Increases, and New Malware Variants Emerge

Overall, malware detections decreased by 5% in Q2 from Q1 but were still up 64% over the previous year. In addition, zero-day malware attacks – unique malware attacks where a signature does not already exist – accounted for 38% of all malware detections, which was within a few percentage points of the previous two quarters. There was also an increasing overlap between the most-widespread malware detections affecting individual networks and the most prolific malware by volume, with three threats found in both lists. Finally, multiple popular backdoor shell scripts (including both the Backdoor.Small.DT and Trojan.GenericKD tools from the Kali Linux penetration testing/ethical hacking suite) appeared for the first time in the list of top malware attacks, possibly showing that hackers are leveraging Kali Linux more often.

Network Attacks Explode

Network attacks more than doubled from Q1 to Q2 2019. This was the largest percent increase we’ve seen since 2017. Two attacks debuted on the top 10 list: EXPLOIT Nodejs js-yaml load() and WEB Directory Traversal -4. The former accounted for 2.9% of all network attacks by volume and exploits a vulnerability in the YAML markup language package JS-YAML for Node.js. Specifically, it exploits how the library parses a custom data type, which results in remote code execution. The latter network attack, WEB Directory Traversal -4, allows web users to escape a web server’s root directory and potentially gain access to any file on the computer system. The most common target is the “/etc/passwd” file, which is the file storing user login credentials. Granted the passwords are normally hashed, but attackers can still attempt to crack the hashes and obtain legitimate user login credentials. A final startling discovery was the 1,288.39% increase in WEB SQL injection attempt -33 attacks from Q1. A yearly comparison to Q2 2018 shows that the same attack at an enormous 29,149.23% increase!

DNS-Level Attacks Leverage Legitimate Content Delivery Networks

The Threat Lab’s research found multiple malware campaigns using popular content delivery networks (CDNs) like CloudFront and Cloudflare to prevent detection by anti-malware services that only look at the root domain of a questionable URL. These fell into three categories: malware domains, which are web sites outright hosting malware; compromised domains, which are web sites that threat actors exploited to host their own malicious JavaScript code; and phishing domains, where threat actors direct users to spoofed login screens to harvest their credentials. Our research found malware domains at dc44qjwal3p07[.]cloudfront[.]net and d3i1asoswufp5k[.]cloudfront[.]net. Phishing domains were identified at ec2-18-224-214-207[.]us-east-2[.] compute[.]amazonaws[.]com and usd383org-my[.]sharepoint[.]com.

Security Incidents Making Headlines in Q2 2019

On May 7, 2019, the Baltimore Department of Public Works suffered a major ransomware attack. Adding to the agony, five days into the city’s downtime the alleged threat actor started openly mocking the city on Twitter! Researchers identified the malware as RobbinHood and the perpetrator set the ransom at around $75,000. In the end, the City of Baltimore needed to rebuild many critical systems, which had a major impact on worker productivity. Total estimated damages reached $17 million. This is a prime example of the importance of deploying and testing backup solutions!

The Threat Lab team also analyzed an MSP attack that targeted a specific piece of IT management software. In this attack, the perpetrator leveraged weak, stolen or leaked credentials to gain administrative access to the MSP’s copy of this management tool. From there, the attackers targeted exposed remote management services. Once in, they exploited the MSPs’ own tools to infect their customer base. Based on this and other MSP attacks from Q2 and Q1 2019, it is clear attackers are specifically targeting MSPs to reach their customer bases. This attack could have been prevented with better password security (since the attacker leveraged a legitimate admin password), user training or use of multi-factor authentication.

What Are Some Key Lessons From Q2’19?

In summary, no target is too small. It’s no longer a matter of “if,” but “when” a target will get hacked. Remember, many attacks can be thwarted simply by deploying authentication and MFA solutions (specifically, MSPs should be hardening their management tools with MFA). Furthermore, due to the increased sophistication of ransomware attacks, backup solutions should be mandatory. And don’t simply create backups – test and verify them. As an extra precaution, use URL and domain filtering services to help defang malicious links. Above all, implement effective user training to help employees recognize and respond to phishing and ransomware attacks. The stakes are higher than ever before, and user training should be at the forefront of any organization’s standard operating procedure.

About the Author

Emil Hozan is a Security Analyst at WatchGuard Technologies, focused on network security. Emil’s responsibilities include quantifying threat data for WatchGuard’s quarterly Internet Security Report, contributing to WatchGuard’s security blog Secplicity, analyzing trends in network and malware attacks, sandboxing and testing new products and exploits, and reverse engineering malware samples

Emil can be reached online at and at our company website