Dubai: Cybercriminals are now savvy enough to ‘weaponize’ zero-day vulnerabilities, according to the PC-maker HP.
A ‘zero-day’ vulnerability is a software glitch discovered by cyberattackers before a vendor has become aware of it. Because the vendors are unaware, no patch exists for zero-day vulnerabilities – and which means targetted attacks are far more likely to succeed.
HP said in a report that exploits of the zero-day ‘CVE-2021-40444’ – a remote code execution vulnerability that enables exploitation of the MSHTML browser engine using Microsoft Office documents – were first captured by HP on September 8 - a full week before the patch was issued on September 14. By September 10, the HP threat research team saw scripts designed to automate the creation of this exploit being shared on GitHub. Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction.
It uses a malicious archive file that deploys malware via an Office document. Users don’t have to open the file or enable any macros; viewing it in File Explorer’s preview pane is enough to initiate the attack, which a user often will not know has happened. Once the device is compromised, attackers can install backdoors to systems, which could be sold on to ransomware groups.
Other notable threats isolated by the HP Wolf Security threat insight team include:
- Rise in cybercriminals using legitimate Cloud and web providers to host malware: A recent GuLoader campaign was hosting the Remcos Remote Access Trojan (RAT) on major platforms like OneDrive to evade intrusion detection systems and pass ‘white-listing’ tests. HP Wolf Security also discovered multiple malware families being hosted on gaming social media platforms like Discord.
- JavaScript malware slipping past detection tools: A campaign spreading various JavaScript RATs spread via malicious email attachments. JavaScript downloaders have a lower detection rate than Office downloaders or binaries. RATs are increasingly common as attackers aim to steal credentials for business accounts or crypto wallets.
- Targeted campaign found posing as the Ugandan National Social Security fund: Attackers used ‘typosquatting’ – using a spoofed web address similar to an official domain name – to lure targets to a site that downloads a malicious Word document. This uses macros to run a PowerShell script that blocks security logging and evades the Windows Antimalware Scan Interface feature.
- Switching to HTA files spreads malware in a single click: The Trickbot Trojan is now being delivered via HTA (HTML application) files, which deploy the malware as soon as the attachment or archive file containing it is opened. As an uncommon file type, malicious HTA files are less likely to be spotted by detection tools.
• 89 per cent of malware detected was delivered via email, while web downloads were responsible for 11 per cent, and other vectors like removable storage devices for less than 1 per cent.
• The most common attachments used to deliver malware were archive files (38 per cent – up from 17.26 per cent last quarter), Word documents (23 per cent), spreadsheets (17 per cent), and executable files (16 per cent).
• The Top 5 most common phishing lures were related to business transactions such as ‘order’, ‘payment’, ‘new’, ‘quotation’ and ‘request’.
• The report found 12 per cent of malware captured was previously unknown.
“The threat landscape is too dynamic and, as we can see from the analysis of threats captured in our VMs, attackers are increasingly adept at evading detection,” said Ian Pratt, Global Head of Security for Personal Systems, HP Inc. “Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads - this will eliminate the attack surface for whole classes of threats, while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services.”
