HP Inc. has released its latest global HP Wolf Security Threat Insights Report, providing analysis of real-world cybersecurity attacks. By isolating threats that have evaded detection tools and made it to user endpoints, HP Wolf Security has a unique insight into the latest techniques being used by cybercriminals.

The HP Wolf Security threat research team found evidence that cybercriminals are mobilizing quickly to weaponize new zero-day vulnerabilities. Exploits of the zero-day CVE-2021-404441 – a remote code execution vulnerability that enables exploitation of the MSHTML browser engine using Microsoft Office documents – were first captured by HP on September 8, a week before the patch was issued on September 14.

By September 10 the HP threat research team saw scripts designed to automate the creation of this exploit being shared on GitHub. Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction. It uses a malicious archive file, which deploys malware via an Office document. Users don’t have to open the file or enable any macros, viewing it in File Explorer’s preview pane is enough to initiate the attack, which a user often will not know has happened. Once the device is compromised, attackers can install backdoors to systems, which could be sold on to ransomware group.

Other notable threats isolated by the HP Wolf Security threat insight team include

  • Rise in cybercriminals using legitimate Cloud and web providers to host malware: A recent GuLoader campaign was hosting the Remcos Remote Access Trojan (RAT) on major platforms like OneDrive to evade intrusion detection systems and pass whitelisting tests. HP Wolf Security also discovered multiple malware families being hosted on gaming social media platforms like Discord.
  • JavaScript malware slipping past detection tools: A campaign spreading various JavaScript RATs spread via malicious email attachments. JavaScript downloaders have a lower detection rate than Office downloaders or binaries. RATs are increasingly common as attackers aim to steal credentials for business accounts or crypto wallets.
  • Targeted campaign found posing as the Ugandan National Social Security fund: Attackers used “typosquatting” – using a spoofed web address similar to an official domain name – to lure targets to a site that downloads a malicious Word document. This uses macros to run a PowerShell script that blocks security logging and evades the Windows Antimalware Scan Interface feature.
  • Switching to HTA files spreads malware in a single click: The Trickbot Trojan is now being delivered via HTA (HTML application) files, which deploy the malware as soon as the attachment or archive file containing it is opened. As an uncommon file type, malicious HTA files are less likely to be spotted by detection tools.

The findings are based on data from the millions of endpoints running HP Wolf Security. HP Wolf Security tracks malware by opening risky tasks in isolated, micro Virtual Machines (micro VMs) to understand and capture the full infection chain, helping to mitigate threats that have slipped past other security tools. By better understanding the behaviour of malware in the wild, HP Wolf Security researchers and engineers can bolster endpoint security protection and overall system resilience.

Key findings in the report include:

  • 12% of email malware isolated had bypassed at least one gateway scanner 
  • 89% of malware detected was delivered via email, while web downloads were responsible for 11%, and other vectors like removable storage devices for less than 1%
  • The most common attachments used to deliver malware were archive files (38% – up from 17.26% last quarter), Word documents (23%), spreadsheets (17%), and executable files (16%)
  • The top five most common phishing lures were related to business transactions such as “order”, “payment”, “new”, “quotation” and “request”
  • The report found 12% of malware captured was previously unknown

“We can’t keep relying on detection alone. The threat landscape is too dynamic and, as we can see from the analysis of threats captured in our VMs, attackers are increasingly adept at evading detection,” comments Dr. Ian Pratt, global head of security for personal systems, HP Inc. “Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads. This will eliminate the attack surface for whole classes of threats, while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services.”

Download the full report at the HP website. 

About the data

This data was gathered within HP Wolf Security customer virtual-machines from July – September 2021.

Source: HP