HP released its latest global HP Wolf Security Threat Insights Report, where the company’s researchers conduct analysis of the world’s top cybersecurity attacks. In this issue, the key finding is that criminals are exploiting vulnerabilities before the responsible companies can fix them.
According to the HP report, criminals are increasingly relying on zero-day vulnerabilities, critical flaws that went undetected during software and systems development, as their main form of attack, taking advantage of the fact that fixes for these flaws can, in many cases, take time to be made available by the responsible vendors.
The team responsible for the report cites as an example CVE-2021-40444, a Microsoft Office flaw in which a malicious file deploys malware through an Office document. Users don’t have to open the file or approve any action: simply previewing it in File Explorer is enough to compromise the device and let attackers install backdoors that give them unrestricted access to the systems, access that is then sold to ransomware groups.
According to the HP report, researchers found evidence of this vulnerability being used up to a week before Microsoft released the fix, including automation scripts for the flaw being made available in GitHub repositories.
For Alex Holland, senior malware analyst on the HP Wolf Security team, the use of these vulnerabilities is due to the “window of vulnerability” they present:
The average time for a company to fully apply, test and deploy duly checked patches is 97 days, giving cybercriminals an opportunity to exploit this ‘window of vulnerability’. Previously only highly skilled hackers could exploit this vulnerability, but automated scripts lowered the skill level needed, making this type of attack accessible to less educated and less prepared criminals. This substantially increases the risk to companies as zero-day exploits are sold and made available to the mass market in underground forums and elsewhere.
In addition to using these zero-day flaws, the HP report also detected the following new criminal behaviors:
- Increased use of legitimate cloud and internet providers by cybercriminals to host malware: a recent GuLoader campaign hosted the Remcos Remote Access Trojan (RAT) on large platforms such as OneDrive in order to bypass intrusion detection systems and pass allow-list checks. HP Wolf Security also discovered multiple malware families hosted on social and gaming platforms such as Discord;
- Attack campaign posing as Uganda’s National Social Security Fund: criminals used typosquatting, a fake address resembling the official domain, to lure targets to a website that downloads a malicious Word document. The document uses macros to run a PowerShell script that blocks security logging and bypasses the Windows Antimalware Scan Interface (AMSI);
- HTA files spread malware in a single click: the Trickbot trojan is now delivered via an HTA file (HTML Application), which deploys the malware as soon as the attachment or file containing it is opened. Since HTA is an unusual file type, it is less likely to be flagged by detection tools.
Lots of data
Besides identifying the threats above, the HP report also collected data on the main cyberattacks of 2021. The study made the following findings:
- 12% of malware isolated from email had passed through at least one gateway scanner, a security solution that analyzes every file entering a server;
- 89% of detected malware was delivered via email, while internet downloads accounted for 11% and other vectors such as removable storage devices for less than 1%;
- Attachments used to deliver malware were mainly miscellaneous files (38%), Word documents (23%), spreadsheets (17%) and executable files (16%);
- The five most common phishing lures related to business transactions, using words such as order, payment, new, quotation and request;
- The report also reveals that 12% of the malware captured was previously unknown.