Security Boulevard (Original)

Attackers Weaponizing Zero-Days at Record Pace

Cybercriminals exploited a new remote code execution (RCE) zero-day, CVE-2021-40444, a week before a patch was released in September—that’s just one of the recent findings in a report by HP Wolf Security.

On September 10, researchers discovered scripts on GitHub that automated the creation of the exploit, which ostensibly means that even less-savvy attackers can use it in their malicious actions, according to the company’s Quarterly Threat Insights Report. That doesn’t bode well at a time when miscreants are exploiting zero-days faster and companies are taking longer to patch them—an average of 97 days, the report found.

“As the report notes, cybercriminals are weaponizing zero-day vulnerabilities at a speed never seen before,” said Archie Agarwal, founder and CEO at ThreatModeler. “One reason for this is that we’re in a vicious cycle due to the surge in ransomware.”

“We’ve seen a recent surge in exploits of zero-days, mainly because hackers are opportunistic and adapt very quickly to changing circumstances and new opportunities—leaving security teams struggling to keep up,” said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.

“Zero-days can give these cybercriminals the opening they need in multiple attack vectors,” he said.

Agarwal noted that “companies are now paying substantial ransoms to decrypt their data, creating a lucrative feedback loop,” and the “faster criminals can weaponize, the more profit for them.”

In the particular exploit detailed by HP Wolf Security researchers, a single click on an attachment is enough to initiate an attack. From there, cybercriminals install backdoors into systems, then sell that access to ransomware operators. The scary part? Users don’t have to open the file, nor do they need to enable macros, for the attack to succeed.

Attackers also are operating more like businesses. “We’re now seeing criminal ransomware groups with VPs of product and organizational structures mirroring legitimate organizations,” said Agarwal. “They are professionalizing, and the more ransoms that are paid the more revenue they have available to employ skilled exploit coders and buy zero-days off the shelf.”

Other findings from the report showed cybercriminals’ relentless assault using email and demonstrated that security techniques aren’t foolproof. Most malware detected (89%) was delivered by email—web downloads account for the remaining 11%. And of the email malware that was isolated, 12% bypassed at least one gateway scanner.

Attackers favored archive files—they were used in 38% of isolated threats during the quarter reviewed. That’s more than double the 17% reported the quarter before.

The researchers detailed several notable threats, chief among them attackers’ use of legitimate cloud services and collaborative platforms such as Discord to host malware, which helps them sidestep whitelisting as well as intrusion detection systems.

“Cloud environments are not immune, and IT security teams must be proactive about improving cybersecurity hygiene and the overall enterprise security posture, as these threats are only going to grow more sophisticated and dangerous as bad actors get more experience under their belt,” said Bar-Dayan.

While Microsoft Office downloaders and binaries are being detected with some frequency, the researchers said, JavaScript malware campaigns are not. That gives attackers ample opportunity to spread remote access trojans, the researchers said.

Threat actors also found that evading detection is sometimes as simple as switching their preferred file type from Office documents to HTA files.

“Attackers will always find ways to find zero-day vulnerabilities and get inside the enterprise network via the front door,” said Vishal Jain, co-founder and CTO at Valtix. “This applies to both on-premises and public cloud environments.”

Key to “advanced cyberattacks are pingbacks to command and control sites once a foothold is established,” said Jain. “These infiltrations can exist for months on your network before they are discovered.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
