Cyberattackers using ‘cat-phishing’ techniques, says report

22 May 2024


Other cybersecurity trends spotlighted by the report include the use of fake invoices, archives containing malicious scripts and ‘living off the land’ techniques.


A new report from HP Ireland has highlighted a rise in ‘cat-phishing’ cyberattacks, where users are sent to malicious websites via open redirect vulnerabilities in ads and website links.

The quarterly HP Wolf Security Threat Insights Report details a variety of cyberthreat trends observed by HP in the first quarter of 2024.

According to the report, bad actors exploited open redirect vulnerabilities to deliver WikiLoader malware, where users were directed to trustworthy sites through ad embeddings before being redirected to malicious sites – a switch that is “almost impossible” for users to detect. These exploits are used to simplify phishing attacks.
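The open redirect pattern described above, as an added illustration that is not from the HP report: a handler that forwards the browser to whatever the `next` parameter says, beside a hardened version that resolves the target against the site's own origin and only follows it if it stays on an allow-listed host. `ALLOWED_HOSTS`, `BASE_URL` and the probe URLs are constructed for the example.

```python
from urllib.parse import urljoin, urlparse

# Constructed allow-list for the example; a real site would use its own hosts.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
BASE_URL = "https://example.com/"
FALLBACK = "/"


def redirect_vulnerable(next_url: str) -> str:
    """The weak pattern: wherever ?next= points is where the browser goes,
    so a link that visibly starts on a trusted domain can still land the
    visitor on a malware download elsewhere."""
    return next_url


def is_safe_redirect(next_url: str) -> bool:
    """Resolve the target against our own origin and accept it only if the
    result stays on an allow-listed host over http(s)."""
    # Browsers treat backslashes like slashes, so "/\evil.example" behaves
    # like the protocol-relative "//evil.example"; normalise before parsing.
    candidate = next_url.replace("\\", "/")
    resolved = urlparse(urljoin(BASE_URL, candidate))
    if resolved.scheme not in ("http", "https"):
        return False  # rejects javascript:, data: and similar schemes
    # .hostname drops userinfo, so "https://example.com@evil.example/" is
    # seen as evil.example and rejected.
    return resolved.hostname in ALLOWED_HOSTS


def redirect_hardened(next_url: str) -> str:
    """Return the validated absolute target, or the fallback when off-site."""
    if is_safe_redirect(next_url):
        return urljoin(BASE_URL, next_url.replace("\\", "/"))
    return FALLBACK


if __name__ == "__main__":
    # Constructed probes covering the common ways a redirect check is bypassed.
    for probe in ["/account", "https://evil.example/", "//evil.example/x",
                  "https://example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{probe!r:38} vulnerable -> {redirect_vulnerable(probe)!r:38} "
              f"hardened -> {redirect_hardened(probe)!r}")
```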

As well as cat-phishing campaigns, HP’s threat researchers noted that social engineering techniques such as fake overdue invoices were popularly deployed. These fake invoices were typically used to target enterprises rather than individuals for a higher potential return on investment, and were presented to organisations in PDF format. According to the report, 11pc of cyberthreats caught by HP were delivered through PDF documents.

RAT problems

The report mentioned that a common method used with these PDF campaigns involved the use of archives to spread malware. Upon clicking a link in a PDF, a ZIP archive was downloaded containing malicious scripts that were then used to infect endpoints.

Similarly, some attackers used HTML smuggling techniques to bypass email and web filters and infect PCs. Threat actors would send targets HTML attachments through email, again disguised as invoices. These attachments were used to hide malicious payloads such as AsyncRAT, an open-source remote access trojan (RAT), which would be deployed once an HTML attachment was opened. HP Ireland noted that in these instances, attackers seemed to pay little attention to the design of the lure, suggesting that these attacks were created with a minimal investment of time and resources.

Patrick Schläpfer, principal threat researcher in the HP Wolf Security threat research team, commented that while fake invoice lures are “one of the oldest tricks in the book”, they can still be very effective and lucrative.

“Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them,” he said. “If successful, attackers can quickly monetise their access by selling it to cybercriminal brokers or by deploying ransomware.”

According to the report, 53pc of identified threats in the first quarter were sent as email attachments.

Living off the land

According to HP, many cyberattack campaigns abused the Windows Background Intelligent Transfer Service, a legitimate tool built into Windows OS that’s used by administrators to transfer files between web servers and file shares. Threat actors abuse this tool by blending in with legitimate system admin activity to reduce the chances of their external attack tools being detected – a strategy known as ‘living off the land’.

Val Gabriel, managing director at HP Ireland, stated that these living-off-the-land techniques expose the flaws of “relying on detection alone”.

“As [threat actors] are using legitimate tools, it can be difficult to spot threats without throwing up a lot of disruptive false positives,” he said. “Threat containment provides protection even when detection fails, preventing malware from destroying user data or credentials and preventing attacker persistence.

“This is why organisations should take a defence-in-depth approach to security, isolating and containing high-risk activities to reduce their attack surface.”


Colin Ryan is a copywriter/copyeditor at Silicon Republic
