The company's research, issued under the name Internet Security Report, looked at what was detected by installations of its software. It found that about 36% of the malware detected consisted of these Linux threats.
Many of these devices, which often use old versions of Linux, have a default username and password which users often do not bother to change. Logging in with these credentials — which are easy to find on the Web — gives root access to the device in question.
Corey Nachreiner, WatchGuard's chief technology officer, told iTWire that many of the Linux IoT infections started simply with someone scanning the Internet for devices listening on telnet or SSH ports.
"In this scenario, that wget request would generate a Web request to download a file, and that's often how our gateway anti-virus would encounter those samples above and block them via HTTP."
Nachreiner said there were remote Linux vulnerabilities that attackers could use to gain control of a Linux system, and then leverage that control to download malware.
"There are other simple attacks (brute-forcing weak SSH credentials) that could allow an attacker to gain local access to a Linux machine, and then try to download his malware. Then there are many Web and email phishing or social engineering techniques that could try to get a user to unknowingly download malware.
"With our GAV statistics, we can't say which of these the attacker is doing, but we can say that these Linux threats attempted to get to a device over the Web, and were blocked."
WatchGuard said its report was based on anonymised Firebox Feed data from more than 26,500 active WatchGuard UTM appliances worldwide, representing a small portion of its overall install base.
Other findings in the report were that legacy anti-virus programs were missing new malware at a higher rate. AV solutions had missed 38% of the total threats which WatchGuard's products detected in Q1, compared to 30% in Q4 2016, the company claimed.
The report also said that the cyber security battleground was shifting toward Web servers, with drive-by downloads and browser-based attacks dominating in the first quarter of 2017.
It found that attackers were still exploiting the Android StageFright flaw which first gained notoriety in 2015.
Attackers were found to be taking a break from hacking during the holidays, with the overall threat volume decreasing 52% in Q1 2017 compared to Q4 2016.