Based on data from millions of endpoints running
- Attackers using open redirects to ‘Cat-Phish’ users: In an advanced WikiLoader campaign, attackers exploited open redirect vulnerabilities within websites to circumvent detection. Users were directed to trustworthy sites, often through open redirect vulnerabilities in ad embeddings. They were then redirected to malicious sites – making it almost impossible for users to detect the switch.
- Living-off-the-BITS: Several campaigns abused the Windows Background Intelligent Transfer Service (BITS) – a legitimate mechanism used by programmers and system administrators to download or upload files to web servers and file shares. This LotL technique helped attackers remain undetected by using BITS to download the malicious files.
- Fake invoices leading to HTML smuggling attacks:
HP identified threat actors hiding malware inside HTML files posing as delivery invoices which, once opened in a web browser, unleash a chain of events deploying open-source malware, AsyncRAT. Interestingly, the attackers paid little attention to the design of the lure, suggesting the attack was created with only a small investment of time and resources.
Patrick Schläpfer, Principal Threat Researcher in the
"Targeting companies with invoice lures is one of the oldest tricks in the book, but it can still be very effective and hence lucrative. Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them. If successful, attackers can quickly monetize their access by selling it to cybercriminal brokers, or by deploying ransomware.”
By isolating threats that have evaded detection-based tools – but still allowing malware to detonate safely –
The report details how cybercriminals continue to diversify attack methods to bypass security policies and detection tools. Other findings include:
- At least 12% of email threats identified by
HP Sure Click* bypassed one or more email gateway scanners. - The top threat vectors in Q1 were email attachments (53%), downloads from browsers (25%) and other infection vectors, such as removable storage – like USB thumb drives – and file shares (22%).
- This quarter, at least 65% of document threats relied on an exploit to execute code, rather than macros.
Dr.
"Living-off-the-Land techniques expose the fundamental flaws of relying on detection alone. Because attackers are using legitimate tools, it’s difficult to spot threats without throwing up a lot of disruptive false positives. Threat containment provides protection even when detection fails, preventing malware from exfiltrating or destroying user data or credentials, and preventing attacker persistence. This is why organizations should take a defence-in-depth approach to security, isolating and containing high-risk activities to reduce their attack surface."
About the data
This data was gathered from consenting
About
About
*
**
HP Media Relations Email: MediaRelations@hp.com
Source:
2024 GlobeNewswire, Inc., source