Zero-day vulnerabilities are no longer exclusively for elite hackers. There are now automated scripts available on GitHub so even novice hackers can explore these previously unknown security flaws.
That was one of the insights in the HP Wolf Security Threat Insights Report released today.
The report noted that the average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, creating a large window for newly discovered vulnerabilities to be exploited.
Anatomy of a Zero-day Exploit
The HP Wolf report noted that exploits of a Windows zero-day vulnerability (CVE-2021-40444) were automated and shared on GitHub just three days after the first exploit last month.
The vulnerability allowed for remote code execution through the MSHTML browser engine (Internet Explorer is based on this engine) using Microsoft Office documents. If the user didn’t open a document in read-only mode (the safe mode), macros were enabled, releasing malware.
While the read-only mode was a way to mitigate the attack, the exploit could also compromise a device through the File Explorer’s preview pane, taking the threat to the next level.
These attacks are generally used to install backdoors on infected devices and sell access to ransomware groups and other threat actors. Along with the ransomware as a service (RaaS) trend, the barrier to entry is becoming very low for hackers, and that’s bad news for those charged with defending corporate networks.
Legitimate Cloud Providers Used as Hosts
Microsoft OneDrive is a file hosting service and synchronization service. Microsoft includes the service by default in most of its products, making it easier for files hosted on the platform to pass whitelisting and intrusion detection tests.
Researchers found the Remcos Remote Access Trojan (RAT) used in a recent GuLoader campaign on OneDrive. They also discovered various malware families being hosted on the Discord social media platform.
The RAT is particularly insidious as it doesn’t appear in the list of active programs and processes. It does not slow down the computer or delete files. The goal is to remain undetected to exfiltrate data, which is helpful for advanced threat actors, for example.
Normally, the best security advice, in this case, would be to avoid downloading files from untrustworthy sources, but OneDrive and Discord are legitimate platforms. Cloud platforms take down those accounts quickly, but the hackers don’t care. They only need a few hours to conduct their operations.
Email Attachments the Primary Vector
In its report, the Wolf team revealed that 89% of malware detected was delivered via email. As soon as the victims open the email attachments, it deploys the malware. Attackers use that entry to steal credentials for business accounts or crypto wallets.
Other noteworthy stats include:
- The most common attachments used to deliver malware are archive files (38% – up from 17.26% last quarter), Word documents (23%), spreadsheets (17%), and executable files (16%)
- The most common phishing lures are “order”, “payment”, “new”, “quotation” and “request”
- 12% of email malware isolated had bypassed at least one gateway scanner, a common email defense tool
The objective is not to use cutting-edge technologies but to fool detection tools and land in employee inboxes to maximize the chances to compromise the system and potentially spread to other systems.
Also read: How DMARC Can Protect Against Ransomware
Detection Alone Not Sufficient
According to Ian Pratt, HP’s Global Head of Security for Personal Systems, the threat landscape is too dynamic to rely on detection alone.
“Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads,” Pratt said. “This will eliminate the attack surface for whole classes of threats while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services.”
Zero trust is the opposite of implicit trust. Instead of assuming that everything is safe in the network, it assumes breaches and explicitly verifies potential vectors and endpoints. It ensures the least privileged access to minimize hackers’ opportunities.
A false impression of safety can contribute to attacks. Having detection and monitoring tools is reassuring, but they’re hardly bulletproof.
The speed of threat actors and the willingness to hide undetected are troubling long-term trends. Threat actors want to outpace the response of automated tools and forensic teams. They make further efforts to cover their tracks and destroy evidence, making their attacks even harder to detect and trace.