Cyber attacks today are becoming more rampant. In the past, when vulnerabilities were discovered, organizations might have had some time to patch them. However, this is now changing as attackers are using new zero-day exploits even before enterprises can patch.
In Southeast Asia, cyber attacks are continuing to increase, with zero-day exploits targeting more businesses in the region. Earlier this year, telecom carrier Singtel was impacted by a software security hole in a third-party file transfer appliance targeted by attackers. Singtel is one of multiple organizations affected by the bug, which also include an Australian medical research institution. The point of entry for the attack was software company Accellion, maker of a legacy large file transfer product called File Transfer Appliance (FTA).
Accellion noted that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after they came under attack from cyber-adversaries.
This zero-day vulnerability is just one of many that have been causing havoc for organizations not just in Southeast Asia, but globally as well.
According to the HP Wolf Security Threat Insights Report, cybercriminals are mobilizing quickly to weaponize new zero-day vulnerabilities. For example, exploits of the zero-day CVE-2021-40444, a remote code execution vulnerability that enables exploitation of the MSHTML browser engine using Microsoft Office documents, were first captured by HP on September 8, a week before the patch was issued on September 14.
The HP threat research team saw scripts designed to automate the creation of this exploit being shared just three days after the initial threat bulletin. Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction.
Using a malicious archive file, the threat deploys malware via an Office document. Users don’t have to open the file or enable any macros; viewing it in File Explorer’s preview pane is enough to initiate the attack, which a user often will not know has happened. Once the device is compromised, attackers can install backdoors on systems, which could be sold on to ransomware groups.
The report also showed that 12% of email malware isolated had bypassed at least one gateway scanner. Of the malware detected, 89% was delivered via email, while web downloads were responsible for 11%, and other vectors like removable storage devices for less than 1%.
As expected, the most common attachments used to deliver malware were archive files, Word documents, spreadsheets, and executable files, and the top five most common phishing lures were related to business transactions such as “order”, “payment”, “new”, “quotation” and “request”. The report also found 12% of malware captured was previously unknown.
Increasing global cyber attacks today
For Alex Holland, Senior Malware Analyst on the HP Wolf Security threat research team at HP Inc., this is concerning because the average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, allowing cybercriminals to exploit this window of vulnerability.
“While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums,” said Holland.
It wasn’t just Microsoft that faced threats. Other notable threats HP Wolf Security isolated include:
- Rise in cybercriminals using legitimate cloud and web providers to host malware: A recent GuLoader campaign was hosting the Remcos Remote Access Trojan (RAT) on major platforms like OneDrive to evade intrusion detection systems and pass whitelisting tests. HP Wolf Security also discovered multiple malware families being hosted on gaming social media platforms like Discord.
- Targeted campaign found posing as the Ugandan National Social Security Fund: Attackers used “typosquatting” – using a spoofed web address similar to an official domain name – to lure targets to a site that downloads a malicious Word document. The document uses macros to run a PowerShell script that blocks security logging and evades the Windows Antimalware Scan Interface feature.
- Switching to HTA files spreads malware in a single click: The Trickbot Trojan is now being delivered via HTA (HTML application) files, which deploy the malware as soon as the attachment or archive file containing it is opened. As an uncommon file type, malicious HTA files are less likely to be spotted by detection tools.
“Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor,” added Holland.
More concerning is that platforms like OneDrive are allowing hackers to conduct ‘flash in the pan’ attacks. Holland explained that while malware hosted on such platforms is generally taken down quickly, this does not deter attackers because they can often achieve their objective of delivering malware in the few hours the links are live.
With cyber attacks today increasing, Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc., feels that businesses can’t keep relying on detection alone. He believes the threat landscape is too dynamic and, as highlighted in the analysis of threats captured, attackers are increasingly adept at evading detection.
“Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads. This will eliminate the attack surface for whole classes of threats while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services,” said Dr. Pratt.