
Report: 2023 Brings Increased Browser-Based Social Engineering, Nation-State Malware

WatchGuard Technologies unveiled its latest Internet Security Report, presenting the significant malware trends and security threats observed by WatchGuard Threat Lab researchers in the first quarter of 2023. The report sheds light on the increasing utilization of browser-based social engineering tactics by phishers, the emergence of new malware linked to nation states, the prevalence of zero-day malware, the rise of living-off-the-land attacks, and more. This edition of the report also incorporates a dedicated section focusing on the quarterly ransomware tracking and analysis conducted by the Threat Lab team.

Corey Nachreiner, WatchGuard's Chief Security Officer, emphasized the need for organizations to remain actively vigilant and attentive to their existing security solutions and strategies in the face of ever-evolving and sophisticated threats. The report highlights the importance of employing layered malware defenses, particularly against living-off-the-land attacks. Such defenses can be effectively implemented through a unified security platform managed by dedicated service providers.

Some key findings from the Q1 2023 Internet Security Report include:

  1. New browser-based social engineering trends: With web browsers implementing stronger protections against pop-up abuse, attackers have shifted their focus to exploiting browser notification features to coerce similar interactions. Additionally, the report identifies a new domain engaging in SEO-poisoning activity.

  2. Threat actors from China and Russia behind 75% of new threats: Three out of four new threats listed in the top ten malware for the quarter exhibit strong connections to nation states, although it is not confirmed whether these actors are state-sponsored. For instance, the report highlights the Zusy malware family, which targets China's population with adware, compromising browsers and Windows settings.

  3. Persistence of attacks against Office products and EOL Microsoft ISA Firewall: Document-based threats aimed at Office products remain widespread, while the report also notes a significant number of exploits targeting Microsoft's discontinued firewall, the Internet Security and Acceleration (ISA) Server.

  4. Rise of living-off-the-land attacks: The analysis reveals the ViperSoftX malware, which leverages built-in tools within operating systems to accomplish its objectives. The report underscores the need for robust endpoint protection that can distinguish between legitimate and malicious usage of popular tools like PowerShell.

  5. Malware droppers targeting Linux-based systems: A notable detection in Q1 was a malware dropper designed to target Linux-based systems, emphasizing the importance of including non-Windows machines when implementing Endpoint Detection and Response (EDR) solutions.

  6. Majority of detections from zero-day malware: Zero-day malware accounted for 70% of detections over unencrypted web traffic during the quarter and 93% of detections over encrypted web traffic. This highlights the need for host-based defenses like WatchGuard EPDR to safeguard IoT devices and other vulnerable systems.

The report also provides fresh insights derived from ransomware tracking data. In Q1 2023, the Threat Lab identified 852 victims published on extortion sites and discovered 51 new ransomware variants. Notably, these victims encompassed prominent organizations and Fortune 500 companies. WatchGuard will continue to publish ransomware tracking trends and analysis in its quarterly Threat Lab research reports.

With these findings, organizations are encouraged to proactively enhance their security measures and adopt comprehensive strategies to safeguard against the evolving threat landscape.
