BY KENNETH EZE
HP Wolf Security threat research team sees cybercriminals using legitimate cloud providers to host malware, and switching up file and script types to evade detection tools.
This is contained in HP Inc’s latest global ‘HP Wolf Security Threat Insights Report,’ which offered analysis of real-world cybersecurity attacks, issued on Friday.
The report stated that “By isolating threats that have evaded detection tools and made it to user endpoints, HP Wolf Security has a unique insight into the latest techniques being used by cybercriminals.”
The technology firm stated, “The HP Wolf Security threat research team found evidence that cybercriminals are mobilizing quickly to weaponize new zero-day vulnerabilities.”
It added that “Exploits of the zero-day CVE-2021-40444 – a remote code execution vulnerability that enables exploitation of the MSHTML browser engine using Microsoft Office documents – were first captured by HP on September 8, a week before the patch was issued on September 14.
“By September 10 – just three days after the initial threat bulletin – the HP threat research team saw scripts designed to automate the creation of this exploit being shared on GitHub. Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction.
It uses a malicious archive file, which deploys malware via an Office document. Users don’t have to open the file or enable any macros, viewing it in File Explorer’s preview pane is enough to initiate the attack, which a user often will not know has happened. Once the device is compromised, attackers can install backdoors to systems, which could be sold on to ransomware groups.”
It identified other notable threats isolated by the HP Wolf Security threat insight team include a rise in cybercriminals using legitimate Cloud and web providers to host malware, JavaScript malware slipping past detection tools, and targeted campaign found posing as the Ugandan National Social Security fund. The team also that switching to HTA files spreads malware in a single click.
Senior Malware Analyst, HP Wolf Security threat research team, HP Inc, Alex Holland, said, “The average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, giving cybercriminals an opportunity to exploit this ‘window of vulnerability’.
“While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less¬ knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums.
“Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor.
“We are also seeing major platforms like OneDrive allowing hackers to conduct ‘flash in the pan’ attacks. While malware hosted on such platforms are generally taken down quickly, this does not deter attackers because they can often achieve their objective of delivering malware in the few hours the links are live.”
According to Holland, “Some threat actors are changing the script or file type they are using every few months. Malicious JavaScript and HTA files are nothing new, but they are still landing in employee inboxes, putting the enterprise at risk. One campaign deployed Vengeance Justice Worm, which can spread to other systems and USB drives.”
