Researchers Find Attackers Are Successfully Evading Detection By Blending in with Normal Network Traffic Via HTTP and HTTP
Netskope new research confirming that attackers are finding new ways to evade detection and blend in with normal network traffic using HTTP and HTTPS to deliver malware. In its latest Cloud & Threat Report: Global Cloud and Web Malware Trends, Netskope identified that on average, five out of every 1,000 enterprise users attempted to download malware in Q1 2023, and new malware families and variants represented 72% of those malware downloads.
Social Engineering and Search Engine Data Voids on the Rise
In the research, Netskope uncovered that nearly 10% of all malware downloads in Q1 were referred from search engines. These downloads mostly resulted from weaponized data voids, or combinations of search terms that have very few results, which means that any content matching those terms is likely to appear very high in the search results. This represents just one of many social engineering techniques that attackers are accelerating.
Social engineering as a whole continues to dominate as a leading malware infiltration technique with attackers abusing not only search engines, but email, collaboration apps, and chat apps to trick their victims. As the top two malware types, Trojans accounted for 60% of malware downloads in Q1 and phishing downloads accounted for 13%.
Evaluation of Primary Communication Channels for Attackers
For the first time in its quarterly cloud and threat reporting, Netskope analyzed attacker communication channels. Researchers found that attackers, in order to consistently evade detection, have used HTTP and HTTPS over ports 80 and 443 as their primary communication channel. In fact, of the new malware executables analyzed by Netskope that communicated with external hosts, 85% did so over port 80 (HTTP) and 67% did so over port 443 (HTTPS). This approach enables attackers to easily go unnoticed and blend in with the abundance of HTTP and HTTPS traffic already on the network.
Additionally, to evade DNS-based security controls, some malware samples sidestep DNS lookups, instead reaching out directly to remote hosts using their IP addresses. In Q1 2023, most malware samples that initiated external communications did so using a combination of IP addresses and hostnames, with 61% communicating directly with at least one IP address and 91% communicating with at least one host via a DNS lookup.
“Job number one for attackers is finding new ways to cover their tracks as enterprises put more resources into threat detection, but these findings indicate just how easy it still is for attackers to do so in plain sight,” said Ray Canzanese, Threat Research Director, Netskope Threat Labs. “As attackers gravitate towards cloud services that are widely used in the enterprise and leverage popular channels to communicate, cross-functional risk mitigation is more necessary than ever.”
Extended Look into Global Cloud and Web Malware Trends
Other notable findings uncovered by Netskope’s research team include:
- 55% of HTTP/HTTPS malware downloads came from cloud apps, up from 35% for the same period one year earlier. The primary driver of the increase is an increase in malware downloads from the most popular enterprise cloud applications, with Microsoft OneDrive tracked as the most popular enterprise app by a wide margin.
- The number of applications with malware downloads also continued to increase, reaching a high of 261 distinct apps in Q1 2023.
- Only a small fraction of total web malware downloads were delivered over web categories traditionally considered risky. Instead, downloads are spread out among a wide variety of sites, with content servers (CDNs) responsible for the largest slice, at 7.7%.