Hackers and other malicious actors attacking computing networks worldwide appear to be using a wider range of file types than ever, according to threat intelligence from HP-Bromium.
In HP-Bromium’s latest roundup for Q4 2020, threat actors were found to be moving away from Word documents towards spreadsheet and executable formats (XLS, XLSM and EXE), as well as messaging apps and the usual barrage of phishing emails, ransomware and trojans.
“The most effective execution techniques involved old technologies such as Excel 4.0 macros that often offer limited visibility to detection tools,” according to the report.
“The most frequent exploit, accounting for nearly three-quarters of all exploits, was of CVE-2017-11882, a memory corruption vulnerability in Microsoft Office’s Equation Editor.”
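Excel 4.0 macro sheets occupy a fixed place inside the zip-based OOXML container that .xlsm files use, which gives defenders a cheap static check before a workbook ever reaches a user. The following is an added example written for this page, not code from HP-Bromium or its report; it assumes the standard OOXML layout (macro sheets under xl/macrosheets/, declared in [Content_Types].xml with the macrosheet content type, and VBA in xl/vbaProject.bin) and constructs its own fake sample workbooks, while legacy binary .xls files need an OLE2 parser and are out of scope here.

```python
import io
import zipfile

# Content type that OOXML uses to declare an Excel 4.0 (XLM) macro sheet part
XLM_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet+xml"


def scan_workbook(data: bytes) -> dict:
    """Report macro carriers found inside an OOXML (zip-based) workbook blob."""
    findings = {"is_ooxml": False, "xlm_macrosheets": [],
                "declares_xlm_type": False, "vba_project": False}
    if not data.startswith(b"PK"):
        return findings  # not a zip container; legacy .xls needs an OLE2 parser instead
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    findings["is_ooxml"] = True
    names = zf.namelist()
    # Part-path check: Excel 4.0 macro sheets are stored under xl/macrosheets/
    findings["xlm_macrosheets"] = [n for n in names
                                   if n.lower().startswith("xl/macrosheets/")]
    # Content-type check: catches parts declared as XLM even if stored elsewhere
    if "[Content_Types].xml" in names:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["declares_xlm_type"] = XLM_CONTENT_TYPE in ctypes
    # VBA projects travel as a separate binary part, independent of XLM sheets
    findings["vba_project"] = "xl/vbaProject.bin" in names
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when the workbook carries any macro code, XLM or VBA."""
    return bool(findings["xlm_macrosheets"] or findings["declares_xlm_type"]
                or findings["vba_project"])


def build_sample_workbook(with_xlm: bool) -> bytes:
    """Constructed test input: a minimal fake workbook container, not real Excel output."""
    override = ('<Override PartName="/xl/macrosheets/sheet1.xml" '
                f'ContentType="{XLM_CONTENT_TYPE}"/>') if with_xlm else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f"<Types>{override}</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()
```

A clean workbook yields no findings, while the XLM sample is flagged by both the part path and the declared content type, so renaming the sheet part alone does not evade the check.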
Other common attacks involved remote code execution or remote access, obfuscated files or information, and execution via application programming interfaces (APIs), including a 12% increase in malware exploiting CVE-2017-0199, a remote code execution vulnerability in Microsoft Word and WordPad.
“Twenty-nine percent were not known by hash to antivirus scanning engines when they were isolated, suggesting a high degree of sample novelty due to widespread use of packers and polymorphic and metamorphic obfuscation techniques,” writes HP-Bromium.
“On average, it took 8.8 days for samples to become known by hash to other antivirus engines.”
Dridex malicious spam attacks soared 239% in the quarter, making it the second-most common crimeware family after phishing-focused Emotet. Dridex is a banking trojan that has also been used to deliver ransomware, typically propagated via malicious Excel spreadsheets.
HP Threat Research also identified a malware campaign relying on misspelled domains of popular instant messaging services. Users of those services were redirected to RigEK (Rig exploit kit) landing pages that exploited web browser and plugin vulnerabilities to deliver FickerStealer malware.
“FickerStealer is a family of information-stealing malware that emerged in October 2020 on Russian-language underground forums. Its capabilities include stealing sensitive information such as passwords, browser autocomplete forms and cryptocurrency wallets,” according to HP-Bromium.
How can customers help protect themselves?
HP-Bromium recommends customers enable the Threat Intelligence Service and threat forwarding.
“This will keep your endpoints updated with the latest Bromium Rules File (BRF) so that you benefit from detecting emerging threats in your network,” it said.
“Plan to update HP Sure Controller with every new release to receive new dashboards and report templates.”
HP Sure Click Enterprise works by isolating malware from the host computer so it cannot spread onto the corporate network. According to HP-Bromium, users should keep it updated and monitor the operational and threat dashboards to ensure the isolation process operates correctly.
“We recommend that untrusted file support for email clients and Microsoft Office protection options are enabled (these are enabled by default in our recommended policies).
“Switching on these settings is an easy way to reduce the risk of infection posed by phishing campaigns,” according to the report.
“Enterprises are most vulnerable from users opening email attachments, clicking on hyperlinks in emails, and downloading files from the web. HP Sure Click Enterprise protects the enterprise by isolating risky activity in micro-VMs.”
Read more of HP-Bromium’s latest threat intelligence.