Cybercriminals are Exploiting Zero-day Vulnerabilities at a Record Pace

The vulnerability gives attackers a startlingly easy entry point into systems.

 

The HP Wolf Security threat research team has discovered evidence that threat actors are mobilizing quickly to weaponize new zero-day vulnerabilities. 

According to the HP Wolf Security Threat Insights Report, attackers are abusing specific flaws such as CVE-2021-40444, the remote code execution flaw that enables exploitation of the MSHTML browser engine through Microsoft Office documents. The vulnerability was first identified by HP on September 8, a week before Microsoft released the patch.

By September 10, the HP threat research team detected scripts designed to automate the creation of this exploit being published on GitHub. The exploit gives attackers a startlingly easy entry point into systems, deploying malware through an Office document that needs very little user interaction.

The security researchers compiled the report by examining the millions of endpoints running HP Wolf Security. The report shows that 12% of isolated email malware evaded at least one gateway scanner, while 89% of malware spotted was delivered via email. Web downloads were responsible for 11%, and other vectors like removable storage devices for less than 1%.

The average time for a company to apply, test, and fully deploy patches with the proper checks is 97 days, giving threat actors an opportunity to exploit this 'window of vulnerability', explained Alex Holland, the senior malware analyst with the HP Wolf Security threat research team.

"While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums," Holland said.

"Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor."

Unfortunately, some major platforms like OneDrive are allowing attackers to conduct 'flash in the pan' attacks. Although malware hosted on such platforms is generally taken down quickly, this does not deter attackers because they can often secure their goal of deploying malware in the few hours the links are live, Holland explained.

"Some threat actors are changing the script or file type they are using every few months. Malicious JavaScript and HTA files are nothing new, but they are still landing in employee inboxes, putting the enterprise at risk. One campaign deployed Vengeance Justice Worm, which can spread to other systems and USB drives," Holland added. 

Additionally, the researchers discovered threat actors exploiting cloud and web providers to install malware, as well as multiple malware families being hosted on Discord and other gaming social media platforms.

With cyber-assaults increasing with each passing day, Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc., believes that companies can’t keep relying on detection alone. He believes the threat landscape is too dynamic and, as highlighted in the analysis of threats captured, attackers are increasingly evolving to bypass any detection tool.

"Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads. This will eliminate the attack surface for whole classes of threats while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services," Pratt said.