Paradise for Attackers: Overdue Bills and Living off the Land

HP Wolf Security Threat Insights Report shows how cybercriminals are increasingly diversifying their attack methods to circumvent security policies and detection tools.

Based on data from millions of endpoints running HP Wolf Security, security experts were able to identify several campaigns. In a sophisticated WikiLoader campaign, the attackers exploited open redirects, a class of website vulnerability, to avoid detection. Users were often sent to trusted websites through open redirect vulnerabilities in ad embeds and then redirected straight to malicious websites, making it almost impossible to detect the switch.

Windows Background Intelligent Transfer Service

Several campaigns abused the Windows Background Intelligent Transfer Service (BITS), a legitimate mechanism used by programmers and system administrators to download or upload files to web servers and file shares. This living-off-the-land (LotL) technique helped the attackers remain undetected: they used BITS to download the malicious files.

Fake invoices served as the basis for HTML smuggling attacks. The malware was hidden in HTML files disguised as delivery invoices. When opened in a web browser, these files triggered a chain of events in which the open-source malware AsyncRAT was used. Interestingly, the attackers paid little attention to the design of the lure, indicating that the attack was carried out with little time and few resources.

Data access can be monetized quickly

“Baiting with invoices is one of the oldest tricks in the book, but it is still very effective and therefore lucrative. Employees in finance departments are used to receiving invoices by email, so they are more likely to open them. If successful, data access can be quickly monetized by selling the information or using ransomware,” says Patrick Schläpfer, Principal Threat Researcher in the HP Wolf Security Threat Research Team.

At least twelve percent of email threats identified by HP Sure Click bypassed one or more email gateway scanners. The top threat vectors in the first quarter were email attachments (53 percent), browser downloads (25 percent) and other infection vectors such as removable media, for example USB sticks, and file shares (22 percent). In this quarter, at least 65 percent of document threats were based on an exploit to execute code rather than macros.

Pursue a defense-in-depth approach

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP: “Living-off-the-land techniques expose the fundamental vulnerabilities of relying on detection alone. Because attackers use legitimate tools, it’s difficult to detect threats without causing a lot of nuisance false positives. Attack isolation provides protection even if a threat is not detected. It prevents malware from exfiltrating or deleting user data or credentials and attackers from remaining active. For this reason, companies should take a defense-in-depth approach to security, isolating and containing high-risk activities to reduce the attack surface.”

The data was collected between January and March 2024 from HP Wolf Security customers who had given their consent.