Gartner says 89% of board directors said digital is embedded in all business growth strategies. Along with this changing digital landscape, businesses are being put in a state of cyber threats and attacks. HP Wolf Security Threat Insights Report Q1 2024 brings an in-depth analysis of threats, laying out the ingenious ways attackers use to compromise security. This article explores the key insights from the report, organized around the key topics, showing the continuing challenges in cybersecurity.
1. Cat-phishing Using WikiLoader
In recent campaigns, attackers have increasingly employed a tactic known as “cat-phishing” to distribute the WikiLoader malware.
In Q1, 11% of threats caught by HP Sure Click were PDF documents.
This method involves sending targeted emails with fake overdue invoices to enterprise employees. These invoices appear legitimate but contain links that lead to malicious websites. Once the user is tricked into clicking these links, the malware is sideloaded through commonly used applications like Notepad++. The malware, hidden within legitimate-looking files, leads to further malicious activities without detection.
Also Read Top IT, Cloud, Cybersecurity News Updates: Weekly Highlights
2. New Vulnerabilities in 2024
The report identifies several new vulnerabilities that have emerged in 2024, focusing particularly on how cybercriminals exploit open redirect vulnerabilities and obscure JavaScript to sidestep traditional security measures. These vulnerabilities often redirect victims from trusted websites to malicious domains that host malware, significantly complicating security systems’ detection and response processes.
The vulnerabilities identified in the report include:Â
- HTML Smuggling (T1027.006): Attackers use HTML smuggling to deliver malware, notably AsyncRAT. This technique involves embedding a malicious payload inside an HTML file, which gets executed when the target interacts with the file, for instance, by clicking a button purported to download an invoice.
- Use of BITS for Malware Delivery (T1197): Attackers increasingly exploit the Windows Background Intelligent Transfer Service (BITS) to discreetly download malicious files, blending the malware traffic with legitimate administrative activities to avoid detection.
- DLL Sideloading (T1574.002): In campaigns involving WikiLoader malware, attackers are sideloading malicious DLLs via legitimate applications like Notepad++. This method helps the malware bypass security measures like application control and endpoint detection.
- Process Hollowing (T1055.012): This technique runs malicious code in the address space of another process to evade process-based defenses. It was observed with the AsyncRAT malware, demonstrating sophistication in avoiding detection and maintaining persistence.
- Obfuscation and Anti-Analysis Techniques (T1027.013 and T1497): Malware like Raspberry Robin and Ursnif uses advanced obfuscation and sandbox evasion techniques to make analysis difficult and evade antivirus detection.
3. Windows Background Intelligent Transfer Service (BITS)
Misusing Windows Background Intelligent Transfer Service (BITS) has been prevalent among cybercriminals. BITS, a component designed for transferring files between machines, is used by attackers to download and execute malicious payloads discreetly. This method is particularly dangerous because it mimics legitimate administrative network traffic, making it harder for security tools to identify malicious activities.
The report mentions the Windows Background Intelligent Transfer Service (BITS) as a tool frequently abused by attackers in their malware campaigns. BITS is a legitimate Windows service administrators use to transfer files between web servers and file shares. However, attackers have exploited this service (categorized under the MITRE ATT&CK technique T1197) to discreetly move files using the built-in capabilities of Windows, helping them avoid detection by blending in with legitimate system administration activities.
4. Living off the Land (LoTL) Techniques in Cybersecurity
Living off the Land (LoTL) techniques involve using the operating system’s built-in tools and features to conduct attacks. This helps attackers remain undetected by blending in with normal administrative activities. The report discusses how these techniques allow cybercriminals to execute their operations without installing their own malicious tools, which might be detected by antivirus software.
The report discusses using LoTLtechniques by attackers to help them remain undetected by blending in with legitimate system administration activity. These techniques involve the use of software tools that are already present on the computer rather than introducing new software that security measures could detect. Specific examples given include the abuse of Windows Background Intelligent Transfer Service (BITS) to transfer files discreetly between web servers and file shares, a method used to evade typical security detections​
Also Read: Top 10 Cybersecurity Forecasts and Statistics of 2024
5. HTML Smuggling Attacks
HTML smuggling has become a critical concern in 2024, allowing attackers to embed malicious scripts within HTML files. These files bypass network filters unnoticed because they appear benign and are often overlooked by security protocols. Upon opening the HTML file, embedded scripts are executed to download additional malware, such as remote access trojans, further compromising the system’s security.
The report highlights HTML smuggling attacks as one of the tactics used by attackers in the first quarter of 2024. This technique allows threat actors to bypass email and web filters by embedding malicious payloads inside HTML files. In one documented campaign, attackers sent targets HTML email attachments purportedly containing invoices from a delivery company. When these attachments were opened, JavaScript functions within the HTML decoded an encoded binary string, resulting in a Windows Script File (WSF) download. This kind of attack is classified under the MITRE ATT&CK technique T1027.006 and is used because it can effectively evade detection by concealing the malicious payload in a manner that is not easily recognizable by security systems.
Conclusion
The HP Wolf Security Threat Insights Report for Q1 2024 provides a comprehensive overview of cybercriminals’ sophisticated techniques and strategies. By understanding these tactics, such as cat-phishing, the exploitation of new vulnerabilities, and the abuse of system tools like BITS, LoTL techniques, and HTML smuggling, security teams can better prepare and strengthen their defenses against these evolving threats.
FAQs
1. What are Wikiloaders?
WikiLoader is a highly engineered downloader that drops a second-stage malware payload. It features heavy evasion tactics and a custom-made implementation, posing a large detection and analysis headache. More importantly, it appears WikiLoader was designed to be a for-rent tool for certain cybercriminal threat actors, which further underlines its strategic and elusive essence.
2. What are LOTL Techniques?
Living off the land refers to a technique of fileless malware or LOLbins cyberattacks in which hackers utilize native, legitimate tools that already exist within the victim’s system to orchestrate and further an attack. As opposed to conventional malware strategies that depend on signature files, LOTL attacks do not require the installation of extra code or scripts onto the target system. The attackers use existing tools within the environment, such as PowerShell, Windows Management Instrumentation, or utilities like Mimikatz, to carry out their malicious agenda.
3. What is “cat-phishing”?
Catfishing is the insidious practice by which a person assumes a false identity to mislead unsuspecting others into believing they are actually having an online encounter, often for purposes of social interaction or courtship. Having established a trusting relationship with their victims, catfishers can proceed to use the relationship to carry out acts aimed at embarrassing, humiliating, or distressing their victims, for example, revealing online personal secrets or publicly revealing the victim’s gullibility to their catfishing schemes.
4. What are HTML smuggling attacks?
HTML Smuggling: a variant of drive-by-download in which an attacker clandestinely inserts encoded malicious scripts into meticulously crafted HTML attachments or webpages. This surreptitious tactic aims at inducing an involuntary download of malware into the system of a naive user.
[To share your insights with us as part of editorial or sponsored content, please write to sghosh@martechseries.com]
