According to the quarterly HP Wolf Security Threat Insights Report released Thursday, cybercriminals have been using cat-phishing, exploiting a widely-used Microsoft file transfer tool, and sending fraudulent invoices among their notable techniques during the first three months of this year.
Cat-Phishing Exploits
Based on data from millions of endpoints running HP's software, the report uncovered that cybercriminals are exploiting website vulnerabilities to cat-phish users by redirecting them to malicious sites. Initially, users are directed to a legitimate website and then subtly redirected to a malicious one, making the switch difficult to detect.
“Open redirect vulnerabilities can be fairly common and are easy to exploit,” said Erich Kron, security awareness advocate at KnowBe4, a security training provider in Clearwater, Fla.
“The power in them falls back to the cybercriminal’s favorite tool, deception,” Kron explained to TechNewsWorld. “The open redirect allows bad actors to use a legitimate URL to redirect to a malicious one by crafting the link in a way that includes a rarely-checked part at the end of the URL, which takes the user to the malicious site, even if they hover over the link.”
“While the URL in the browser will show the redirected site, the victim is less likely to check it after believing they have already clicked a legitimate link,” he added.
“It is common to teach people to hover over links to ensure they appear legitimate,” Kron noted, “but they should also be taught to always review the URL in the browser bar before entering any sensitive information such as passwords, personal identification information (PII), or credit card numbers.”
Email remains a primary delivery mechanism for attachment-based redirects, stated Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif. “However,” he told TechNewsWorld, “we are also seeing these attachments being delivered outside of email, in platforms like Slack, Teams, Discord, and other messaging apps, often with obfuscated file names that appear real.”
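To make the open-redirect mechanics Kron describes concrete from the defender's side, here is an added example (not code from the report, the article, or any of the companies quoted) showing a hardened redirect-target check for a site's own redirect endpoint beside a triage helper that flags inbound links carrying an external target in a query parameter. The host name and the sample lure are constructed.

```python
from urllib.parse import urlparse, parse_qs, unquote

OUR_HOST = "www.example-bank.test"   # assumed: the legitimate site's own host

def is_safe_redirect(target: str, our_host: str = OUR_HOST) -> bool:
    """Hardened check for a site's own /redirect?next=... handler: True only
    if 'target' cannot leave our origin. Covers the usual bypasses of naive
    checks: absolute URLs to other hosts, protocol-relative '//evil' links,
    backslashes browsers treat as slashes, non-http schemes, and userinfo
    tricks such as 'https://www.example-bank.test@evil.test/'."""
    t = unquote(target).strip().replace("\\", "/")
    if t.startswith("//"):
        return False                      # protocol-relative: leaves our origin
    p = urlparse(t)
    if p.scheme and p.scheme not in ("http", "https"):
        return False                      # javascript:, data:, ... are never ok
    if p.netloc:
        return p.hostname == our_host     # .hostname drops userinfo and port
    return t.startswith("/")              # only root-relative paths are allowed

def external_targets_in_query(url: str) -> list:
    """Defender-side triage of an inbound link: return the hosts of any query
    parameter values that are absolute URLs pointing somewhere other than the
    link's own host, i.e. the shape of an open-redirect lure."""
    p = urlparse(url)
    found = []
    for values in parse_qs(p.query).values():
        for v in values:
            v = unquote(v).strip().replace("\\", "/")
            if v.startswith("//"):
                v = "https:" + v          # protocol-relative still leaves the site
            q = urlparse(v)
            if q.scheme in ("http", "https") and q.hostname and q.hostname != p.hostname:
                found.append(q.hostname)
    return found

if __name__ == "__main__":
    # constructed lure: legitimate host in front, external target at the end
    lure = "https://www.example-bank.test/redirect?next=https%3A%2F%2Fevil.test%2Flogin"
    print(external_targets_in_query(lure))             # ['evil.test']
    print(is_safe_redirect("https://evil.test/login"))  # False
```

The second function is the check a mail or link filter would apply before a user ever hovers; the first is what the redirect endpoint itself should enforce so that the "rarely-checked part at the end of the URL" cannot point off-site.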
Exploiting BITS
Another notable attack highlighted in the report involves leveraging the Windows Background Intelligent Transfer Service (BITS) to conduct "living off the land" operations on an organization's systems. Since BITS is a tool commonly used by IT staff for downloading and uploading files, attackers can exploit it to evade detection.
Ashley Leonard, CEO of Syxsense, a global IT and security solutions company, explained that BITS is a Windows component designed to transfer files in the background using idle network bandwidth. It is typically employed for downloading updates without disrupting work or for cloud synchronization, allowing applications like OneDrive to sync files between a local machine and cloud storage.
“Unfortunately, BITS can also be used for malicious purposes, as noted in the HP Wolf report,” Leonard told TechNewsWorld. “Malicious actors can use BITS for various activities—exfiltrating data, conducting command-and-control communications, or executing malicious code to gain deeper access within the enterprise.”
“Microsoft doesn’t recommend disabling BITS because of its legitimate uses,” he added. “However, enterprises can take several measures to protect themselves against its exploitation.” These measures include:
- Using network monitoring tools to detect unusual BITS traffic patterns, such as large data transfers to external servers or suspicious domains.
- Configuring BITS to allow only authorized applications and services, and blocking unauthorized processes from accessing BITS.
- Segregating critical systems and data from less sensitive areas of the network to limit the lateral movement of attackers in case of a compromise.
- Keeping all systems up to date with the latest patches and security updates to fix any known vulnerabilities that could be exploited by attackers.
- Utilizing threat intelligence feeds to stay informed about the latest tactics, techniques, and procedures used by cyberattackers, and proactively adjusting security controls accordingly.
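As an added illustration of the first two measures above (not code from Syxsense, HP Wolf, or the article), the following triage pass runs over BITS job records and flags transfers to non-allowlisted hosts, jobs owned by accounts not authorized to use BITS, uploads to external hosts, and raw-IP remotes. The job records are constructed sample data with fields loosely modelled on what Get-BitsTransfer reports; the allowlists and the size threshold are assumptions for a fictional enterprise.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"update.microsoft.test", "files.corp.test"}     # assumed
ALLOWED_OWNERS = {"NT AUTHORITY\\SYSTEM", "CORP\\svc-patching"}  # assumed
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024                           # 50 MiB, assumed

SAMPLE_JOBS = [  # constructed records, not real telemetry
    {"JobId": "1", "DisplayName": "WU-cumulative", "TransferType": "Download",
     "OwnerAccount": "NT AUTHORITY\\SYSTEM", "BytesTransferred": 120_000_000,
     "RemoteName": "https://update.microsoft.test/pkg.cab"},
    {"JobId": "2", "DisplayName": "backup", "TransferType": "Upload",
     "OwnerAccount": "CORP\\jdoe", "BytesTransferred": 900_000_000,
     "RemoteName": "https://cdn-sync.example-attacker.test/up"},
    {"JobId": "3", "DisplayName": "Microsoft Update", "TransferType": "Download",
     "OwnerAccount": "CORP\\jdoe", "BytesTransferred": 4_000,
     "RemoteName": "http://198.51.100.7/stage.bin"},
]

def triage_bits_jobs(jobs, allowed_hosts=ALLOWED_HOSTS, allowed_owners=ALLOWED_OWNERS):
    """Return {JobId: [reasons]} for every job that trips at least one rule.
    Jobs that match nothing (ordinary patching from an allowlisted host by an
    authorized account) are left out so the analyst sees only the exceptions."""
    findings = {}
    for job in jobs:
        reasons = []
        host = (urlparse(job["RemoteName"]).hostname or "").lower()
        external = host not in allowed_hosts
        if external:
            reasons.append(f"remote host not allowlisted: {host}")
        if job["OwnerAccount"] not in allowed_owners:
            reasons.append(f"owner not authorized for BITS: {job['OwnerAccount']}")
        if external and job["TransferType"].lower() == "upload":
            reasons.append("upload to external host (possible exfiltration)")
        if external and job["BytesTransferred"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large transfer to external host")
        if host.replace(".", "").isdigit():       # bare IPv4 literal, no DNS name
            reasons.append("remote is a raw IP address")
        if reasons:
            findings[job["JobId"]] = reasons
    return findings

if __name__ == "__main__":
    for job_id, reasons in triage_bits_jobs(SAMPLE_JOBS).items():
        print(job_id, "->", "; ".join(reasons))
```

In production the same rules would be fed from the BITS client operational log or scheduled Get-BitsTransfer -AllUsers exports rather than the inline sample, and the "large transfer" threshold tuned to what normal patching volume looks like on the estate.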
RAT in the Invoice
The HP Wolf report also uncovered that cybercriminals are hiding malware inside HTML files disguised as vendor invoices. Once these files are opened in a web browser, they trigger a series of actions that deploy the open-source malware AsyncRAT.
“The advantage of hiding malware in HTML files is that attackers depend on their targets interacting with the file,” said Nick Hyatt, director of threat intelligence at Blackpoint Cyber, a provider of threat hunting, detection, and response technology, in Ellicott City, Md.
“By disguising malware as a fake invoice, attackers can entice users to click on it to see what the invoice is for,” he explained to TechNewsWorld. “This interaction increases the likelihood of a successful compromise.”
While using invoice lures is one of the oldest tricks in cybercrime, it remains highly effective and profitable.
“Employees in finance departments are accustomed to receiving invoices via email, making them more likely to open them,” said HP Wolf Principal Threat Researcher Patrick Schläpfer in a statement. “If attackers succeed, they can quickly monetize their access by selling it to cybercriminal brokers or deploying ransomware.”
“The growing threat of highly evasive browser-based attacks underscores the importance of prioritizing browser security and implementing proactive cybersecurity measures,” added Patrick Tiquet, vice president for security and architecture at Keeper Security, a password management and online storage company in Chicago.
“The rapid increase in browser-based phishing attacks, particularly those using evasive techniques, highlights the urgent need for enhanced protection,” he told TechNewsWorld.
Less Than Impervious Gateway Scanners
Another significant finding from the report revealed that 12% of email threats detected by HP Wolf’s software managed to evade one or more email gateway scanners.
“Email gateway scanners serve as valuable tools in combating common email threats. However, their effectiveness diminishes when faced with more targeted attacks like spearphishing or whaling,” noted KnowBe4’s Kron.
“Email scanners, including those utilizing AI, primarily seek out patterns, keywords, or threats within attachments or URLs,” he elaborated. “If malicious actors employ unconventional tactics, these filters may fail to detect them.”
“There exists a delicate balance between filtering out threats and inadvertently blocking legitimate email communications,” he emphasized. “In most instances, filters tend to err on the side of caution, prioritizing security over potential communication disruption.”
Kron acknowledged the importance of email gateway scanners as essential security measures but stressed the critical need for employee training to identify and promptly report any successful attacks.
“Cybercriminals are becoming increasingly inventive in crafting email campaigns that evade traditional detection methods,” added Krishna Vishnubhotla, vice president of product strategy at Zimperium, a mobile security firm based in Dallas.
“Organizations must safeguard their employees from phishing links, malicious QR codes, and harmful email attachments across all legacy and mobile devices,” he emphasized.