Cybercriminals are using more zero-day vulnerabilities, research says
2021-10-26
HP released its latest global HP Wolf Security Threat Insights Report, in which the company's researchers analyze the top cyberattacks worldwide. The key finding of this issue is that criminals are exploiting vulnerabilities before the responsible vendors can fix them.
According to the HP report, criminals are increasingly relying on zero-day vulnerabilities, critical flaws that went undetected during software and systems development, as their main attack vector, taking advantage of the fact that fixes for these flaws can take a long time to be made available by the responsible vendors.
The team behind the report cites as an example the flaw CVE-2021-2021 in Microsoft Office, which is triggered by a malicious file that deploys malware through an Office document. Users do not have to open the file or approve any action: merely previewing it in File Explorer is enough to compromise the device. This allows attackers to install backdoors giving them unrestricted access to the systems, access which is then sold on to ransomware groups.
According to the HP report, researchers found evidence that this vulnerability was being exploited up to a week before Microsoft released the fix, including scripts that automate the exploit being shared in GitHub repositories.
For Alex Holland, senior malware analyst on the HP Wolf Security team, these vulnerabilities are exploited because of the "window of vulnerability" they create:
"The average time for a company to apply, test and fully deploy duly checked patches is 89 days, giving cybercriminals an opportunity to exploit this 'window of vulnerability'. Previously only highly skilled hackers could exploit this vulnerability, but automated scripts have lowered the skill level needed, making this type of attack accessible to less educated and less prepared criminals. This substantially increases the risk to companies, as zero-day exploits are sold and made available to the mass market in underground forums and elsewhere."
In addition to the use of these zero-day vulnerabilities, the HP report also identified the following new criminal behaviors:
Increased use of legitimate cloud and internet providers by cybercriminals to host malware: a recent GuLoader campaign hosted the Remcos Remote Access Trojan (RAT) on large platforms such as OneDrive in order to evade intrusion detection systems and pass allowlist checks. HP Wolf Security also discovered multiple malware families hosted on social gaming platforms such as Discord;
JavaScript malware evading detection tools: a campaign spreading multiple JavaScript RATs via malicious email attachments. JavaScript downloaders have a lower detection rate than Office or binary downloaders. RATs are increasingly common, with attackers looking to steal corporate account credentials or cryptocurrency wallets;
Attack campaign posing as Uganda's National Social Security Fund: criminals used typosquatting (a fake address resembling the official domain) to lure targets to a website that downloads a malicious Word document. This document uses macros to run a PowerShell script that disables security logging and bypasses the Windows Antimalware Scan Interface (AMSI);
With HTA files, malware spreads in a single click: the Trickbot Trojan is now delivered via an HTA file (an HTML application) that deploys the malware as soon as the attachment or file containing it is opened. Since HTA is an unusual file type, it is less likely to be flagged by detection tools.
Other data
In addition to identifying the threats above, the HP report also collected data on the main cyberattacks from 1024. The study made the following findings:
- 11% of the email malware isolated had passed through at least one gateway scanner, a security solution that analyzes all files entering a server;
