Hackers exploit zero day before enterprises can patch
Cybercriminals exploited the new CVE-2021-40444 remote code execution zero-day a week before the patch was issued on September 14, according to the latest report from HP Wolf Security.
Researchers also saw scripts that automated the creation of the exploit on Github on the 10th, making it easier for less-sophisticated attackers to use the exploit against vulnerable organisations.
This illustrates the trend of cybercriminals moving faster than ever to exploit zero-days, while businesses take 97 days on average to implement patches, creating a window of vulnerability.
The latest Threat Insights Report reveals the use of JavaScript downloaders to evade detection tools, and the Trickbot Trojan now being delivered via HTA (HTML application) files, which deploy the malware as soon as the attachment or archive file containing it is opened. As an uncommon file type, malicious HTA files are less likely to be spotted by detection tools.
"The average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, giving cybercriminals an opportunity to exploit this 'window of vulnerability'. While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less-knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums," says Alex Holland, senior malware analyst on the HP Wolf Security threat research team. "Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor."
Among other findings are that 12 percent of email malware isolated had bypassed at least one gateway scanner, and 89 percent of malware detected was delivered via email, while web downloads were responsible for 11 percent, and other vectors like removable storage devices for less than one percent.
The most common attachments used to deliver malware are archive files (38 percent -- up from 17.26 percent last quarter), Word documents (23 percent), spreadsheets (17 percent), and executable files (16 percent).
The top five most common phishing lures relate to business transactions such as 'order', 'payment', 'quotation' and 'request'. The report finds that 12 percent of malware captured was previously unknown.
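The archive-wrapped HTA and JavaScript delivery described above, as an added example that is not code from the report or from HP Wolf Security: a small Python attachment triage that looks inside archive files (including nested ones) rather than trusting the outer filename. The extension lists, file names and embedded sample archives are constructed for illustration.

```python
"""Triage e-mail attachments for the delivery pattern the report describes:
HTA / JavaScript files, including ones wrapped in archive files.
Added example, not HP Wolf Security's code; all sample data is constructed."""
import io
import zipfile

# Script / HTML-application types that execute when a user opens them.
SCRIPT_EXTENSIONS = {"hta", "js", "jse", "vbs", "wsf"}
ARCHIVE_EXTENSIONS = {"zip"}
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def risky_members(data: bytes) -> list[str]:
    """Names of script-type members inside a ZIP, recursing into nested ZIPs."""
    found: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                ext = _ext(info.filename)
                if ext in SCRIPT_EXTENSIONS:
                    found.append(info.filename)
                elif ext in ARCHIVE_EXTENSIONS:  # archive inside an archive
                    found.extend(f"{info.filename}!{m}"
                                 for m in risky_members(zf.read(info.filename)))
    except zipfile.BadZipFile:
        pass  # not a readable archive; nothing to inspect here
    return found


def triage_attachment(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return ('block', reasons) or ('allow', []) for one attachment."""
    if _ext(filename) in SCRIPT_EXTENSIONS:
        return "block", [f"script attachment: {filename}"]
    # Inspect archives by content, not just by the (often benign-looking) outer name.
    if _ext(filename) in ARCHIVE_EXTENSIONS or data.startswith(ZIP_MAGIC):
        inner = risky_members(data)
        if inner:
            return "block", [f"archive contains script: {m}" for m in inner]
    return "allow", []


def _build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: an HTA in a ZIP, a JS file in a nested ZIP, and a benign ZIP.
SAMPLE_HTA = _build_zip({"order_details.hta": b"<html><!-- constructed placeholder --></html>"})
SAMPLE_NESTED = _build_zip({"payment.zip": _build_zip({"quotation.js": b"// constructed"})})
SAMPLE_BENIGN = _build_zip({"request.txt": b"plain text"})
```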
You can find the full report on the HP Wolf Security blog.