Malicious online actors used email as their prime vehicle for delivering malware to their victims in the last quarter of 2020, HP and Bromium reported Tuesday.
The HP-Bromium Threat Insights Report found that 88 percent of malware was delivered by email into its targets’ inboxes, many times evading measures at email gateways to filter out the infected correspondence.
“Ultimately, attackers are taking advantage of the fact that it’s normal to share and open documents by email,” observed Alex Holland, a senior malware analyst at HP.
“Finance and IT departments tend to be heavy users of macros to automate business processes, so banning them across the board often isn’t a realistic option,” he told TechNewsWorld.
Email will continue to be a prime delivery vehicle due to the weakness of the humans involved, maintained Joseph Neumann, director of offensive security at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services.
“Unlike firewalls or servers, every person’s security awareness is different and changes hourly due to how much coffee they might have or not have had,” he told TechNewsWorld.
Dvir Sayag, head of cyber threat research at Hunters, an open XDR threat hunting company with offices in Tel Aviv and Lexington, Mass., added that hackers understand that email phishing attacks, especially using social engineering, are among the most cost-effective ways of compromise.
“Word macros are easy to buy or code from scratch, and making victims click on one via a simple social engineering email attack is, in most cases, effortless,” he told TechNewsWorld.
Dodging Detection
The HP-Bromium report noted a 12 percent increase over the previous quarter in the use of malware that exploited a flaw used to run malicious scripts when a Microsoft Word document is opened.
HP researchers also found a 12 percent rise in the use of malicious executable files, with nearly three-quarters of them exploiting a memory corruption flaw in Microsoft Office’s Equation Editor.
“The main advantage of an executable is that you remove the need for intermediate stages of malware and hosting the payload, which is susceptible to being taken down by domain registrars and Web hosts,” Holland explained.
The HP report also revealed that the average time for threats to become known by hash to antivirus engines was more than a week (8.8 days).
“Threats take such a long time due to the ability of malware to change signatures,” Neumann explained.
“AV hashes have to be generated by someone identifying the malware and then submitting it as bad,” he continued. “AV detections based on hash values alone are a dying animal and are being replaced more frequently with systems that detect and respond to heuristic-based behavioral detections.”
Holland added that attackers have repeatedly found new ways to bypass traditional detection-based tools.
“For every new malware variant hackers create, they have a few days’ head start to capitalize on their campaigns, infecting machines before detection tools catch up,” he said. “With automation, this process is now easier than ever.”
Obfuscation Techniques
HP researchers also reported that 29 percent of the malware captured for analysis was previously unknown, primarily due to due to the widespread use of packers and obfuscation techniques used to evade detection.
“Malicious actors use a range of techniques to obscure their attacks. The specifics depend on what defenses they encounter in their victim’s environment,” explained Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.
“The challenge with ‘previously unknown’ threats is that there are initially no known indicators of compromise, which means initial detection has to come from attacker behavior or some other activity that reveals their presence,” she told TechNewsWorld.
One way attackers hide their activities is through using covert channels, observed Brian Kime, a senior analyst with Forrester Research.
“They can use the DNS service to encode malicious commands inside a seemingly benign DNS request,” he told TechNewsWorld. “Every enterprise has to use DNS. It’s how the internet functions.” DNS, the Domain Naming Service, turns web names into IP addresses so a browser can get to a desired destination.
An obfuscation technique cited in the HP report is DOSfuscation. It’s a collection of obfuscation techniques described by security researcher Daniel Bohannon in 2018.
“They are designed to evade rigid detection rules by hiding suspicious strings in command-line interpreters and logs,” Holland explained.
“Telltale indicators of DOSfuscation include using environmental variable substrings, character insertions, reversals, and for-loop encoding,” he continued.
“The technique is effective because SIEM [Security Information and Event Management] rules often rely on matching suspicious keywords to distinguish malicious and legitimate activity from processes such as PowerShell,” he said.
Traditional Deficiencies
Neumann maintained that most hackers don’t need to obscure their threat activity.
“Most exploits and techniques exploit common vulnerabilities or use social engineering to gain access and pillage networks,” he said.
“With cyberspace being the vast size that it is,” he continued, “there are things left open, unmonitored or unpatched that just allow the actors in.”
“Most networks lack full visibility into network traffic or threats and don’t know when they are actively being or have been exploited,” Neumann added.
HP’s Global Head of Security for Personal Systems, Ian Pratt, noted that the quarterly report highlights the deficiencies in traditional defenses that rely on detection to block malware from reaching endpoints.
“Trying to detect every threat is futile; something will always slip through the net,” he said in a statement.
“Organizations are beginning to recognize this and are increasingly looking to implement zero-trust design principles into their security architecture,” he continued.
“Application isolation through virtualization applies least-privilege access to risky activities on the endpoint, rendering malware harmless by isolating it in micro-virtual machines,” he explained. “Hardware-enforced isolation removes the opportunity for malware to cause harm to the host PC — even from novel malware — because it does not rely on a detect-to-protect security model.”
Overinvesting in Prevention
As long as there are zero-day vulnerabilities, prevention strategies will have a high failure rate, maintained Tim Wade, technical director for the CTO team at Vectra AI, a San Jose, Calif.-based provider of automated threat management solutions.
“The current state of organizational overinvestment in prevention is almost always an exercise in expensive, marginal increases in capability with a stifling cost of paralyzed business objectives and increasingly constrained productivity,” he asserted.
“What’s more important than prevention,” he continued, “is resilience, which involves identifying security investments that minimize the impact of an attack.”