Business /

Watch out: Businesses have only days to patch up cyber threats, warns HP

‘Zero day’ software vulnerabilities are more frequent – and vendors may not have answers

Last updated: October 17, 2021 | 11:55

Gulf News Report

3 MIN READ

Those few days when a software vulnerability remains unknown to vendors are proving costly.

Pixabay

Also In This Package

UAE hits 95% vaccination, know the countries now open

UAE hits 95.78% vaccination rate: Know the countries now open, or about to lift COVID-19 travel bans

Gitex 2021 offers a deep dive into tech at its best

In Pictures: Gitex 2021 in Dubai promises some serious technology and a whole lot of fun

Sharjah developer builds luxury homes - and a forest

In Pictures: Sharjah developer Arada is connecting with nature - building a 'forest' is the way to do it

Abu Dhabi showcases fashion, food in 'Collectors' Week'

In Pictures: Abu Dhabi is adding a 'Collectors' Week' to its already packed winter season

For Dubai CommerCity, speed of delivery is what matters

In Pictures: Dubai’s CommerCity is all geared for ecommerce – and speedy delivery

These UAE workplaces are just right for women

In Pictures: Check out the best workplaces in the UAE for women

Dubai: Cybercriminals are now savvy enough to ‘weaponize’ zero-day vulnerabilities, according to the PC-maker HP.

A ‘zero-day’ vulnerability is a software glitch discovered by cyberattackers before a vendor has become aware of it. Because the vendors are unaware, no patch exists for zero-day vulnerabilities – and which means targetted attacks are far more likely to succeed.

HP said in a report that exploits of the zero-day ‘CVE-2021-40444’ – a remote code execution vulnerability that enables exploitation of the MSHTML browser engine using Microsoft Office documents – were first captured by HP on September 8 - a full week before the patch was issued on September 14. By September 10, the HP threat research team saw scripts designed to automate the creation of this exploit being shared on GitHub. Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction.

It uses a malicious archive file that deploys malware via an Office document. Users don’t have to open the file or enable any macros; viewing it in File Explorer’s preview pane is enough to initiate the attack, which a user often will not know has happened. Once the device is compromised, attackers can install backdoors to systems, which could be sold on to ransomware groups.

Other notable threats isolated by the HP Wolf Security threat insight team include:

Rise in cybercriminals using legitimate Cloud and web providers to host malware: A recent GuLoader campaign was hosting the Remcos Remote Access Trojan (RAT) on major platforms like OneDrive to evade intrusion detection systems and pass ‘white-listing’ tests. HP Wolf Security also discovered multiple malware families being hosted on gaming social media platforms like Discord.

JavaScript malware slipping past detection tools: A campaign spreading various JavaScript RATs spread via malicious email attachments. JavaScript downloaders have a lower detection rate than Office downloaders or binaries. RATs are increasingly common as attackers aim to steal credentials for business accounts or crypto wallets.

Targeted campaign found posing as the Ugandan National Social Security fund: Attackers used ‘typosquatting’ – using a spoofed web address similar to an official domain name – to lure targets to a site that downloads a malicious Word document. This uses macros to run a PowerShell script that blocks security logging and evades the Windows Antimalware Scan Interface feature.

Switching to HTA files spreads malware in a single click: The Trickbot Trojan is now being delivered via HTA (HTML application) files, which deploy the malware as soon as the attachment or archive file containing it is opened. As an uncommon file type, malicious HTA files are less likely to be spotted by detection tools.

Key findings from HP

• 12 per cent of email malware isolated had bypassed at least one gateway scanner. • 89 per cent of malware detected was delivered via email, while web downloads were responsible for 11 per cent, and other vectors like removable storage devices for less than 1 per cent. • The most common attachments used to deliver malware were archive files (38 per cent – up from 17.26 per cent last quarter), Word documents (23 per cent), spreadsheets (17 per cent), and executable files (16 per cent). • The Top 5 most common phishing lures were related to business transactions such as ‘order’, ‘payment’, ‘new’, ‘quotation’ and ‘request’. • The report found 12 per cent of malware captured was previously unknown.

“The threat landscape is too dynamic and, as we can see from the analysis of threats captured in our VMs, attackers are increasingly adept at evading detection,” said Ian Pratt, Global Head of Security for Personal Systems, HP Inc. “Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads - this will eliminate the attack surface for whole classes of threats, while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services.”

Get the latest news and updates straight to your inbox

Up Next