Legacy Tools Missed Nearly 74% Malware Strikes in Q1 This Year: WatchGuard


It’s a no-brainer that legacy security tools are ill-equipped to prevent zero-day threats. Threat actors know this and have been continuously evolving attack vectors to compromise organizations, especially in the current perilous times beset by the COVID-19 pandemic. As a result, WatchGuard, the enterprise-grade security solutions provider to companies globally discovered a rise in zero-day threats — the highest ever for a given quarter — in Q1 2021.

If an organization relies on traditional security tools to catch threats to its networks, servers, or internal systems over the first quarter of this calendar year, chances are that it missed approximately three out of four malware samples. Cybersecurity company WatchGuard found through their Internet Security Report Q1 2021Opens a new window , that an astounding 74% of malware the company detected from Q1 2021 were zero-day threats.

A zero-day threat refers to malware that remained undetected by signature-based antivirus solutions at the time of the malware release. Such threats, which were commonplace throughout the COVID-19 pandemic, peaking in Q1 2021, are able to bypass in-place protections.

The chief security officer at WatchGuard Corey NachreinerOpens a new window , saidOpens a new window , “Last quarter saw the highest level of zero-day malware detections we’ve ever recorded. Evasive malware rates have actually eclipsed those of traditional threats, which is yet another sign that organizations need to evolve their defenses to stay ahead of increasingly sophisticated threat actors.”

Threat actors nowadays are creating advanced malware that traditional detection methods can’t immediately detect. So, unless organizations have deployed a proactive preventative approach for malware intrusions, they should expect a lot of threats from existing malware families, as well as the five new ones,  to evade legacy defenses.

See Also: Survived the Pandemic? Don’t Risk Your Business to a Cyberattack Now

Malware Trends

WatchGuard provided a breakdown of the zero-day vs known threats over all connections as well as sent over an HTTPS connection.

Opens a new window

Data Source: WatchGuard

WatchGuard’s analysis also includes threats propagating over unencrypted as well as encrypted channels since an increasing number of attackers are using encrypted connections to carry out attacks.

XML.JSLoader is a malicious payload detected most often over HTTPS connections in Q1 2021. It is a fileless malware that uses an XML external entity (XXE) attack to open a shell to run commands to bypass the local PowerShell execution policy and runs in a non-interactive way, hidden from the actual user or victim.Going by the count of the five malware, it is clear that XML.JSLoader and Zmutzy posed the biggest threats.

On the other hand, Zmutzy is a ransomware loader used to initiate the infection chain by payload distribution. Loaders deploy and execute a backdoor from the command and control (C2) server and install it on the victim’s machine. It is usually used to deliver the Nibiru ransomwareOpens a new window within a seemingly legitimate zipped file attachment in an email or as a download from a malicious website.

GenericKDZ, GenericKD, and Razy are all trojans capable of blocking the system’s security application and launching man-in-the-browser attacks.

Attacks Against Networks

Besides ransomware loaders, and trojans that target individual machines, attacks against entire networks were also prevalent. WatchGuard noted a 21% rise year-on-year in network attacks with over 4.2 million attack instances. This is the first time the total network attack volume has crossed the four million mark since Q1 2018.

The 21% increase in network attacks was recorded, despite a 17.43% decrease in Fireboxes reporting in this quarter. Fireboxes are threat management appliances that also provide telemetry data for WatchGuard. They are deployed to manage all traffic between the external network and the trusted network. Additionally, detections per Firebox rose by 46.75%, to 113 per appliance, up from 77 in Q4 2020.

WatchGuard attributed the reason for this growth to the shift in the working environments of employees due to the pandemic. Since the outbreak, a majority of professionals have shifted to working remotely and while in-office work may become the norm again, it is important to look out for any gaps left behind. For instance, WatchGuard noted how hackers of Colonial Pipeline gained entry into the network via old VPN credentials that had not been revoked, leading to the ransomware attack.


WatchGuard’s analysis sheds light on the ProxyLogon vulnerabilities that led to the Microsoft Exchange Server hack earlier this year. All four vulnerabilities were zero-day and were patched by the start of March itself. However, the Seattle-based company noted an increase in attacks against organizations with Exchange servers through the ProxyLogon flaws, mainly to steal email content and download LSASS (Active Directory) data from memory.

IoT Attack Trends

Internet of things or IoT devices have significantly increased the attack surface, thanks to the rapid growth of the number of devices. TechJury estimated that the number of IoT devices will touch 64 billionOpens a new window by 2024. The issue here is that updates to IoT devices are often left out. This includes the hardware, the software, and even the firmware.

While none of the top 10 malware discovered by WatchGuard were used to target IoT devices, the company did find Linux.Ngioweb.B. “The first version of this sample targeted Linux servers running WordPress, arriving initially as an extended format language (EFL) file. Another version of this malware turns the IoT devices into a botnet with rotating command and control servers,” WatchGuard explained.

See Also: Lessons From the Pandemic: Cyber Risk Management Gains Critical Importance

Malicious Domains

DNSWatch blocked over five million domains in Q1 2021. WatchGuard categorized them as compromised, malicious, and phishing ones.

Compromised Domains

These domains were legitimate which suffered a breach of some kind, which may now host malicious content planted by the attackers.

These domains necessarily host malware distribution sites, the command, and control (C2), or any other infrastructure required for malware management.

Malware Domains

Phishing Domains

Designed to trick people into revealing credentials, personal and/or financial information. May appear legitimate.

Wrapping Up

With no signs of a normalized security outlook for the near future, it is essential that organizations stay ahead of the malicious curve by pulling the plug on legacy security solutions. Nachreiner estimates that the recovery from the pandemic-induced disruptions will take a few quarters.

“Even then, don’t expect the world to go completely back to normal either. We expect to see a new normal develop. Hybrid work, with employees spending part time in the office and part time remote, seems like a new standard among tech companies,” Nachreiner said. “This new work habit will greatly change how attacks evolve and where you see those attacks.”

The solution? Think as a cybercriminal would!

Note: Internet Security Report Q1 2021 was made using the anonymized data collected from globally deployed Fireboxes, whose administrators opted-in to provide WatchGuard the threat intelligence metrics and device feedback.

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!