According to the HP Wolf Security Threat Insights Report, released on Thursday, cybercriminals used several notable tactics during the first third of this year.
The report, based on analysis of millions of endpoints running the company’s software, found digital desperadoes exploiting a website vulnerability to cat-phish users and steer them to malicious online locations. Users are first sent to a legitimate website and only then redirected, which makes the switch difficult to detect.
Erich Kron, of the security awareness program at KnowBe4, a Clearwater, Fla.-based provider of security awareness training, told TechNewsWorld that “the power of them comes back to deception, the favorite tool of cybercriminals.” An open redirect lets bad actors use a legitimate website to send users on to a malicious one, he explained. It is done by creating a link whose redirect target sits in a portion at the end of the URL that people seldom check.
He explained that while the browser will display the website to which the victim has been redirected, victims are less likely to verify it after clicking a link they believe to be legitimate.
It is standard practice to tell people to hover the mouse over links to make sure they look legitimate, but they should also learn to check the URL before entering sensitive data such as credit card numbers, passwords, or PII.
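The open-redirect lure described above can be checked mechanically: compare the host shown in the link with the host its redirect parameter actually points to. This is an added example, not code from the report or from KnowBe4; the list of redirect parameter names is a constructed heuristic.

```python
"""Flag links whose redirect parameter points off the host that appears in the
link itself (the open-redirect lure). Added example with a constructed
parameter list; double URL-encoding and protocol-relative targets are unwrapped."""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed list of query-parameter names that commonly carry a redirect target.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "returnurl", "goto", "dest", "target", "continue", "rurl"}


def _host_of(candidate: str) -> Optional[str]:
    """Host a redirect value would send the browser to, or None for a same-site path."""
    value = unquote(unquote(candidate)).strip()  # undo double-encoding such as %252F%252F
    if value.startswith("//"):                   # protocol-relative: //evil.example
        value = "https:" + value
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def analyze_link(link: str) -> dict:
    """Return the visible host, the effective destination host and whether they differ."""
    parsed = urlparse(link)
    visible = (parsed.hostname or "").lower()
    destination, param = visible, None
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        hosts = [h for h in (_host_of(v) for v in values) if h]
        if hosts:
            destination, param = hosts[0], name
            break
    return {"visible_host": visible, "destination_host": destination,
            "redirect_param": param, "external_redirect": destination != visible}
```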
Patrick Harr, CEO of SlashNext, noted that the obfuscated names of the files are recognizable.
Exploiting BITS
The report identified another notable attack: the use of the Windows Background Intelligent Transfer Service, or BITS, to conduct “living off the land” forays into an organization’s systems. Because BITS is used by IT staff for downloading and uploading files, attackers can use it to avoid detection.
Ashley Leonard, CEO of Syxsense, explained that BITS is an integral part of Windows that transfers files in the background using network bandwidth. It is commonly used for background updates, which keep a system up to date without interrupting work, and for cloud synchronization, which allows cloud storage applications such as OneDrive to sync data between a local computer and the cloud service.
Leonard told TechNewsWorld that BITS is also used in malicious ways. This was highlighted in the Wolf HP report. “Malicious actors can use BITS for a number of activities — to exfiltrate data, for command-and-control communications or persistence activities, such as executing malicious code to entrench themselves more deeply into the enterprise.”
Microsoft does not recommend disabling BITS because of its legitimate uses, he said. “But enterprises can protect themselves from malicious actors who exploit it.” Those protections include:
- Use network monitoring software to detect BITS traffic patterns that are unusual, such as data transfers to external servers and domains with suspicious names.
- Configure BITS so that only authorized services and applications can use it. Block any attempts by unauthorized processes to access BITS.
- Separate critical systems and sensitive data from other areas of the network in order to limit attackers’ lateral movement in the event of a compromise.
- Ensure that all systems are up-to-date with the latest security patches to eliminate any known vulnerabilities.
- Use threat intelligence feeds in order to be informed of the latest cyberattack tactics, techniques and procedures. You can then adjust your security controls proactively.
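The first two recommendations above amount to reviewing BITS jobs against an allowlist of expected destinations. The following is an added example, not Syxsense’s or Microsoft’s code: it triages a batch of constructed BITS job records, flagging transfers to hosts outside a placeholder allowlist, uploads to such hosts, and random-looking or bare-IP destinations.

```python
"""Triage BITS job records against an allowlist of expected hosts.
Added example: SAMPLE_JOBS and ALLOWED_HOST_SUFFIXES are constructed placeholders;
an enterprise would substitute its own update and sync hosts."""
import re
from urllib.parse import urlparse

# Placeholder allowlist (constructed): hosts BITS is expected to talk to.
ALLOWED_HOST_SUFFIXES = ("windowsupdate.com", "microsoft.com", "update.corp.example")

# Constructed job records in the shape a collector might produce (name, direction, URL).
SAMPLE_JOBS = [
    {"name": "WU Client Download", "type": "download",
     "remote_url": "https://download.windowsupdate.com/pkg.cab"},
    {"name": "backup", "type": "upload",
     "remote_url": "http://a8f3k2x9qz.example.net/up"},
    {"name": "sync", "type": "download",
     "remote_url": "https://files.update.corp.example/manifest.json"},
    {"name": "dl", "type": "download", "remote_url": "http://203.0.113.7/x"},
]


def host_allowed(host: str) -> bool:
    """True when the host is on the allowlist or a subdomain of an allowlisted host."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def looks_suspicious(host: str) -> bool:
    """Simple heuristic: a bare IPv4 address, or a label mixing letters and digits
    in several alternating runs (e.g. a8f3k2x9qz), which reads as machine-generated."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return True
    return any(re.search(r"(?:[a-z]\d|\d[a-z]){3,}", label) for label in host.split("."))


def triage_jobs(jobs):
    """Return one finding per job that warrants analyst attention, with reasons."""
    findings = []
    for job in jobs:
        host = (urlparse(job["remote_url"]).hostname or "").lower()
        reasons = []
        if not host_allowed(host):
            reasons.append("transfer to host outside allowlist")
            if job["type"] == "upload":
                reasons.append("upload to external host (possible exfiltration)")
            if looks_suspicious(host):
                reasons.append("suspicious host name")
        if reasons:
            findings.append({"job": job["name"], "host": host, "reasons": reasons})
    return findings
```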
RAT on the invoice
HP Wolf also found network marauders hiding malware in HTML files that looked like vendor invoices. When opened in a browser, these files trigger a series of events that leads to the deployment of the open-source AsyncRAT malware.
Nick Hyatt, of Blackpoint Cyber, an Ellicott City-based provider of threat hunting technology, said that hiding malware in HTML files gives attackers a way to get their targets to interact with them in most cases.
He told TechNewsWorld that an attacker can get users to click on a fake bill to find out what it is about. This, in turn, gets the user to interact and increases the chances of a successful compromise.
Even though targeting companies using invoice lures may be an old trick, it is still very effective and lucrative.
“Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them,” HP Wolf Principal Threat Researcher Patrick Schläpfer said in a statement. If successful, attackers could quickly monetize their access by selling it to cybercriminal agents or by deploying ransomware.
Patrick Tiquet, of Keeper Security, a leading Chicago-based provider of online password storage and management, added that the escalating threat of highly evasive, browser-based attacks is yet another reason organizations should prioritize browser security.
He told TechNewsWorld that the rapid increase in browser-based attacks, especially those using evasive methods, highlighted the urgent need for improved protection.
Gateway scanners less than impervious
The report also found that email gateway scanners missed 12% of the email threats.
“Email gateway scans can be helpful tools to eliminate common types of email threats. But they are much less effective for more targeted attacks like spearphishing or whaling,” said Kron of KnowBe4.
He continued, “Email scanners – even those that use AI – are looking for keywords, patterns, or threats in URLs, attachments, or other parts of the email.” The filters could miss bad actors who employ non-typical tactics.
“There’s a fine line to walk between filtering out legitimate emails while also avoiding threats,” he explained. “In most cases the filters will have been set to be conservative so as to not cause any problems, such as stopping important communication.”
He said that email gateway scans are important security controls, despite their flaws. However, he also stressed that employees must be trained to identify and report any attacks that get through.
Krishna Vishnubhotla, of Dallas-based Zimperium, added that “bad actors get creative in creating email campaigns which bypass traditional detection mechanisms.”
He said that organizations must protect employees against phishing links and malicious QR codes in emails, as well as malicious attachments. This applies to both legacy and mobile devices.