HP has released its Threat Insights Report for the first half of the year, which analyses cybersecurity attacks and the vulnerabilities being exploited in the wild. HP Wolf Security specialists collected the data from customer endpoints, where risky files are opened inside isolated virtual machines, between January and June. The study shows a significant increase in both the volume and the ingenuity of cybercrime. In particular, the use of hacking tools downloaded from underground forums and file-sharing sites rose by 65%.
Analysts noted that these tools are quite effective. One of them, for example, bypasses CAPTCHA challenges using computer vision, specifically optical character recognition (OCR), which lets attackers run automated credential-stuffing attacks against websites.
The report also shows that cybercrime has become more organised, in part thanks to darknet resources that serve as platforms where attackers cooperate and exchange ideas about attack tactics, techniques and procedures. This allows even poorly skilled attackers to pose serious security risks to enterprises.
Among the most notable threats identified by the HP Wolf Security threat research team are the following. Collaboration between cybercriminals opens the door to more comprehensive attacks:
Groups operating the Dridex banking Trojan sell access to the organisations they have compromised to other attackers, who use that access to deploy ransomware. With Emotet activity falling off in the first quarter, Dridex became the malware family most frequently isolated by HP Wolf Security.
Attackers specialising in information theft are using increasingly dangerous malware. The CryptBot info-stealer, historically used to steal credentials from cryptocurrency wallets and web browsers, is now also being used to deliver DanaBot, a banking Trojan operated by organised crime groups.
VBS downloader attacks targeting business executives: a multi-stage Visual Basic Script (VBS) campaign. Targets receive an email carrying a malicious ZIP archive named after a business executive. Opening the archive runs a hidden VBS downloader, after which the attack lives off the land (LotL): it uses legitimate administration tools already present on the system to fetch further malware and persist on the device.
From application to infiltration: a malicious spam campaign disguised as job applications (résumés) and targeting shipping, maritime, logistics and related companies in seven countries (Chile, Japan, the UK, Pakistan, the USA, Italy and the Philippines). The attachment exploits a Microsoft Office vulnerability to install the Remcos remote access trojan (RAT), a commercially sold remote control and surveillance tool, giving the attackers backdoor access to the infected machines.
These findings are based on data from the HP Wolf Security threat research team, which detonates malware inside isolated micro virtual machines in order to observe and document the full infection chain, helping organisations defend against these threats.
Other findings of note: 75% of detected malware reached victims' computers by email and 25% by download from the web. Threats arriving through web browsers rose by 24%, driven in part by users downloading hacking tools and cryptocurrency-mining software.
The most common email phishing lures were invoices and business transactions (49%); a further 15% were replies to hijacked email threads. Lures mentioning COVID-19 accounted for less than 1% of cases, down 77% compared with the second half of 2020.
Cybercriminals use unusual archive formats, such as JAR (Java archive) files, to evade detection and attachment scanning and to install malware that is readily available on darknet marketplaces. The report found that 34% of captured malware was previously unknown to analysts, 4 percentage points fewer than in the second half of 2020.
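Both the hidden VBS downloader delivered in a ZIP named after an executive and the use of JAR files to slip past attachment scanners come down to the same defensive point: inspect what an archive actually contains rather than trusting its name or extension. The following Python script is an added example written for this page, not HP's code or tooling. It identifies ZIP/JAR containers by their magic bytes, walks nested archives to a fixed depth, and flags entries marked hidden, double extensions, script and executable files, and JARs with a Main-Class entry. The file names and contents it builds are constructed test data, not real samples.

```python
import io
import zipfile

# File types Windows will run as a script or program when double-clicked.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1",
               ".bat", ".cmd", ".exe", ".scr", ".lnk"}
# Extensions that legitimately denote a ZIP-format container.
ZIP_EXTS = {".zip", ".jar"}
ZIP_MAGIC = b"PK\x03\x04"       # local file header that starts every ZIP/JAR
DOS_HIDDEN = 0x02               # MS-DOS "hidden" bit in a ZIP entry's external_attr
MAX_DEPTH = 3                   # stop unpacking archive-in-archive chains here
MAX_ENTRY = 50 * 1024 * 1024    # skip entries that inflate past 50 MiB (zip-bomb guard)


def _basename(path):
    return path.rsplit("/", 1)[-1].lower()


def _ext(path):
    base = _basename(path)
    return base[base.rfind("."):] if "." in base else ""


def triage_attachment(path, data, depth=0):
    """Return a list of (path, finding) pairs for one attachment and anything nested in it."""
    findings = []
    ext = _ext(path)
    if ext in SCRIPT_EXTS:
        findings.append((path, "executable-script"))
        if _basename(path).count(".") >= 2:            # e.g. Report.pdf.vbs
            findings.append((path, "double-extension"))
    # Identify the container by magic bytes, not by name: a .jar is a ZIP,
    # and a ZIP renamed to .pdf is still a ZIP.
    if not data.startswith(ZIP_MAGIC):
        return findings
    if ext not in ZIP_EXTS:
        findings.append((path, "zip-content-with-misleading-extension"))
    if ext == ".jar":
        findings.append((path, "java-archive"))
    if depth >= MAX_DEPTH:
        findings.append((path, "nesting-limit-reached"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = f"{path}/{info.filename}"
                if info.external_attr & DOS_HIDDEN:
                    findings.append((inner, "dos-hidden-attribute"))
                if info.file_size > MAX_ENTRY:
                    findings.append((inner, "oversized-entry-skipped"))
                    continue
                findings.extend(triage_attachment(inner, zf.read(info), depth + 1))
            # A JAR whose manifest names a Main-Class is directly runnable with "java -jar".
            if ext == ".jar" and "META-INF/MANIFEST.MF" in zf.namelist():
                if b"Main-Class" in zf.read("META-INF/MANIFEST.MF"):
                    findings.append((path, "executable-jar"))
    except (zipfile.BadZipFile, RuntimeError):
        # Truncated/corrupt data, or password-protected entries we cannot open.
        findings.append((path, "unreadable-zip"))
    return findings


def build_sample_lure():
    """Constructed test data (not a real sample): a ZIP named after an executive holding
    a decoy PDF, a hidden .vbs with a double extension, and a nested executable JAR."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        j.writestr("Loader.class", b"\xca\xfe\xba\xbe")       # class-file magic only
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Board_Minutes.pdf", b"%PDF-1.4\n% decoy document\n")
        hidden = zipfile.ZipInfo("Board_Minutes.pdf.vbs")
        hidden.external_attr = DOS_HIDDEN                     # marked hidden, as in the campaign
        z.writestr(hidden, "' placeholder script body, not a downloader\r\n")
        z.writestr("update.jar", jar.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, finding in triage_attachment("J_Smith.zip", build_sample_lure()):
        print(f"{finding:40} {path}")
```

The checks deliberately key on content (magic bytes, the hidden attribute, the manifest) rather than on the outer file name, because the name is exactly what the attacker controls. The script only understands ZIP-format containers; ISO, 7z or RAR attachments, and password-protected archives whose password is given in the email body, would need separate handling and are reported here only as unreadable.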
Malware exploiting CVE-2017-11882, a widely abused memory corruption vulnerability in the legacy Equation Editor component of Microsoft Office / Microsoft WordPad that is commonly used for fileless attacks, increased by 24%.