Security Threats Rise in Q4 2024: WatchGuard Internet Security Report Reveals Evolving Landscape

The fourth quarter of 2024 saw a significant increase in security threats, with 94% of network-based malware detections rising quarter-over-quarter, according to the WatchGuard Internet Security Report. This rise in threats highlights the ever-evolving nature of the cybersecurity landscape, where attackers are becoming increasingly sophisticated and evasive.

Malware Detections on the Rise

The report’s key findings include a 6% increase in Gateway AntiVirus (GAV) detections and a 74% increase in Advanced Persistent Threat (APT) Blocker detections. These figures demonstrate the growing importance of proactive machine learning detection offered by IntelligentAV (IAV), which has seen a 315% increase in detections.

  • Zero-Day malware has rebounded to 53% in Q4, up significantly from its all-time low of 20% in Q3.
  • Crypto miner detections have increased by 141% quarter-over-quarter, with malicious coin miners being used to acquire cryptocurrency on some blockchains.
  • Total unique malware threats are significantly down for the quarter, at a historic 91% decrease, but this does not mean that threats will be simple if not addressed quickly and diligently.

Attackers Leaning Towards Obfuscation and Encryption

The significant upticks in evasive hits suggest that attackers are leaning harder into obfuscation and encryption, challenging traditional defenses. This is evident in the growing use of zero-day malware, which can be difficult to detect and mitigate.

| Threat Actor Behavior | Percentage of Threat Actor Avenues of Attack |
|---|---|
| PowerShell injection and scripts | 61% |
| Windows Management Instrumentation (WMI) | 27% |
| Office macros | 12% |

Phishing Domains Remain Persistent

The top phishing domains list remained unchanged from the previous quarter, highlighting the continued use of persistent and high-impact phishing infrastructure. The SharePoint-themed phishing domains, which often mimic legitimate login portals to harvest credentials, suggest that attackers still exploit business email compromise (BEC) tactics to target organizations relying on Office 365 services.

Living off-the-land Attacks Trending

Living off-the-land (LotL) attacks, which abuse legitimate system tools like PowerShell, Windows Management Instrumentation (WMI), or Office macros instead of relying on external malware, are trending. This can be seen in 61% of endpoint attack techniques leveraging PowerShell injection and scripts, accounting for nearly 83% of all endpoint attack vectors.

Generic Signatures Catch Common Web App Flaws

Over half of the top 10 network detections are generic signatures, which catch common web app flaws. This trend underscores that attackers are going after “bread and butter” style attacks en masse.

Unified Security Platform Approach

WatchGuard’s Unified Security Platform approach is uniquely designed for managed service providers to deliver world-class security that increases business scale and velocity while improving operational efficiency. The data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.

Key Takeaways

  • Attackers are becoming increasingly sophisticated and evasive, using zero-day malware and obfuscation techniques to evade traditional defenses.
  • Living off-the-land attacks are trending, with PowerShell injection and scripts being used to launch attacks.
  • Phishing domains remain persistent, with SharePoint-themed phishing domains being used to exploit business email compromise tactics.
  • Generic signatures are catching common web app flaws, underscoring the importance of staying vigilant with security basics.

About WatchGuard Technologies

WatchGuard Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform approach is uniquely designed for managed service providers to deliver world-class security that increases business scale and velocity while improving operational efficiency. To learn more, visit WatchGuard.com.

Additional Resources

For a more in-depth view of WatchGuard’s research, download the complete Q4 2024 Internet Security Report here. Follow WatchGuard on Twitter (@WatchGuard), Facebook, or LinkedIn Company page for additional information, promotions, and updates. Visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them. Subscribe to The 443 – Security Simplified podcast wherever you find your favorite podcasts.
