Cybercriminals refine tactics to exploit zero-day vulnerabilities

2021-10-18 08:56

Reports

Cybercriminals refine tactics to exploit zero-day vulnerabilities

By VB Staff 

HP Wolf Security captured exploits of the zero-day CVE-2021-40444 — a remote code execution vulnerability in the MSHTML browser engine that can be triggered simply by opening a malicious Microsoft Office document — as early as September 8, a week before a patch was issued.

The latest HP Wolf Security Threat Insights Report shows how cybercriminals continue to innovate in their tactics, techniques, and procedures, and how sophisticated threats like zero-day exploits are rapidly filtering down to less-capable attackers. Looking at the recent CVE-2021-40444 vulnerability, exploit generators emerged on public code-sharing websites days after the vulnerability bulletin was released.

This exploit is ripe for abuse by attackers because they can gain control of a system simply by tricking a victim into previewing a malicious Office document in File Explorer. Because so little user interaction is required to exploit the vulnerability, victims are less likely to realize that their system has been compromised compared to other techniques, giving attackers a head start in achieving their objectives — whether it’s stealing data or holding a business to ransom.

This particular exploit isn’t limited to the most advanced cybercriminals, either. Proof of concept scripts that allowed almost anyone to weaponize the exploit appeared four days before a patch was available for organizations to install. As many organizations will still be deploying the patch, HP expects to see this vulnerability exploited more over the coming months.

One of the emerging malware trends between July and September is that cybercriminals are increasingly piggybacking off legitimate cloud services like OneDrive to host their malware. This allows them to slip past network security controls that rely on website reputation to protect users, such as web proxies. HP also saw an uptick in JavaScript and HTA (HTML Application) malware delivered as email attachments. These file formats have proven effective at evading detection, allowing attackers to reach employee inboxes. In fact, 12% of email malware isolated by HP Wolf Security in Q3 bypassed at least one email gateway scanner.

To protect against zero-day exploits spread via malicious attachments, or stealthy threats that are slipping past detection tools, organizations need to make sure they are following zero trust principles — for example, by using threat isolation as part of a layered defense. This will protect the organization from the most common attack vectors like clicking on malicious links, attachments, and downloads, or visiting malicious web pages. Risky tasks are executed in disposable, isolated virtual machines, separated from the host operating system. If a user opens a malicious document, the malware is trapped — its operator has nowhere to go and nothing to steal. This renders malware harmless and helps keep organizations safe.

Read the full report by HP.