Despite an 8% decrease in overall malware detections in Q2 2020, 70% of all attacks involved zero day malware (variants that circumvent antivirus signatures), a 12% increase over the previous quarter, WatchGuard found.
Malware detections during Q2 2020
Attackers are continuing to leverage evasive and encrypted threats. Zero day malware made up more than two-thirds of the total detections in Q2, while attacks sent over encrypted HTTPS connections accounted for 34%. This means that organizations that are not able to inspect encrypted traffic will miss a massive one-third of incoming threats.
Even though the percentage of threats using encryption decreased from 64% in Q1, the volume of HTTPS-encrypted malware increased dramatically. It appears that more administrators are taking the necessary steps to enable HTTPS inspection, but there’s still more work to be done.
“The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2 2020, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defences simply can’t catch.
“Every organization should be prioritising behaviour-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”
The scam script Trojan.Gnaeus made its debut at the top of WatchGuard’s top 10 malware list for Q2, making up nearly one in five malware detections. Gnaeus malware allows threat actors to hijack control of the victim’s browser with obfuscated code, and forcefully redirect away from their intended web destinations to domains under the attacker’s control.
To combat these threats, organizations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable adblockers and maintain an updated anti-malware engine.
Attackers increasingly use encrypted Excel files to hide malware
XML-Trojan.Abracadabra is a new addition to the top 10 malware detections list, showing a rapid growth in popularity since the technique emerged in April.
Abracadabra is a malware variant delivered as an encrypted Excel file with the password “VelvetSweatshop”, the default password for Excel documents. Once opened, Excel automatically decrypts the file and a VBA macro inside the spreadsheet downloads and runs an executable.
The use of a default password allows this malware to bypass many basic antivirus solutions since the file is encrypted and then decrypted by Excel. Organizations should never allow macros from an untrusted source, and leverage cloud-based sandboxing to safely verify the true intent of potentially dangerous files before they can cause an infection.
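The gateway-side check implied by the paragraph above, as an added example (not WatchGuard's code): a password-protected .xlsx is no longer a ZIP archive but an OLE2/CFB compound file carrying "EncryptionInfo" and "EncryptedPackage" streams, so an attachment that claims to be a spreadsheet yet arrives as such a container is exactly the case a signature engine cannot see into and a sandbox should open. The sample byte strings are constructed, not real files, and the sandbox step is described in a comment rather than implemented.

```python
"""Triage helper for incoming Office attachments.

Classifies a file body as plain OOXML (ZIP), encrypted OOXML (CFB container
with EncryptionInfo/EncryptedPackage streams, per MS-OFFCRYPTO) or other, and
routes anything a signature scanner cannot inspect to a sandbox.
Hypothetical example code; the sample bytes below are constructed.
"""

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # plain OOXML is a ZIP archive
# CFB directory entry names are stored as UTF-16LE, so the stream names can be
# located with a byte search without parsing the whole container.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")


def classify_office_blob(data: bytes) -> str:
    """Return 'ooxml', 'encrypted-ooxml', 'ole' or 'unknown' for a file body."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(CFB_MAGIC):
        if ENCRYPTION_INFO in data and ENCRYPTED_PACKAGE in data:
            return "encrypted-ooxml"
        return "ole"  # legacy binary .xls/.doc or another OLE file; inspect separately
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment can pass or must go to the sandbox."""
    kind = classify_office_blob(data)
    verdict = {"filename": filename, "kind": kind, "action": "allow"}
    if kind == "encrypted-ooxml":
        # Signature-based engines see only ciphertext. The sandbox opens the
        # file the way Excel does (trying the default password "VelvetSweatshop"
        # first) and observes whether a macro downloads or launches anything.
        verdict["action"] = "sandbox"
        verdict["reason"] = "encrypted OOXML container; open in sandbox with default password"
    elif filename.lower().endswith((".xlsx", ".xlsm")) and kind != "ooxml":
        # Extension says spreadsheet, content says otherwise: never trust the name.
        verdict["action"] = "sandbox"
        verdict["reason"] = f"extension/content mismatch ({kind})"
    return verdict


# Constructed samples: a minimal ZIP header and a minimal CFB header followed by
# the two stream names an encrypted OOXML file would carry in its directory.
PLAIN_XLSX = ZIP_MAGIC + b"\x14\x00" + b"[Content_Types].xml" + b"\x00" * 16
ENCRYPTED_XLSX = (CFB_MAGIC + b"\x00" * 504
                  + ENCRYPTION_INFO + b"\x00" * 40
                  + ENCRYPTED_PACKAGE + b"\x00" * 64)

if __name__ == "__main__":
    for name, blob in (("q2-invoice.xlsx", PLAIN_XLSX), ("q2-invoice.xlsx", ENCRYPTED_XLSX)):
        print(triage_attachment(name, blob))
```

A legitimately password-protected workbook trips the same rule; that is intended, since the page's advice is to verify such files in a sandbox rather than to trust or block them blindly.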
An old, highly exploitable DoS attack makes a comeback
A six-year-old DoS vulnerability affecting WordPress and Drupal made an appearance on a list of top 10 network attacks by volume in Q2. This vulnerability is particularly severe because it affects every unpatched Drupal and WordPress installation and creates DoS scenarios in which bad actors can cause CPU and memory exhaustion on underlying hardware.
Despite the high volume of these attacks, they were hyper-focused on a few dozen networks primarily in Germany. Since DoS scenarios require sustained traffic to victim networks, this means there’s a strong likelihood that attackers were selecting their targets intentionally.
Malware domains leverage command and control servers to wreak havoc
Two new destinations made the top malware domains list in Q2. The most common was findresults[.]site, which serves as a C&C server for a Dadobra trojan variant; the trojan creates an obfuscated file and an associated registry entry so that the attack runs whenever users start up Windows systems, and it can then exfiltrate sensitive data and download additional malware.
One user alerted the WatchGuard team to Cioco-froll[.]com, which uses another C&C server to support an Asprox botnet variant, often delivered via PDF document, and provides a C&C beacon to let the attacker know it has gained persistence and is ready to participate in the botnet.
DNS firewalling can help organizations detect and block these kinds of threats independent of the application protocol for the connection.
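The DNS-layer blocking described above, as an added example that is not part of the original article: the two defanged domains from the report are normalized into a blocklist, and resolver query-log lines are evaluated against it on label boundaries, so subdomains of a listed zone are caught while look-alike names that merely contain the string are not. The query-log lines are constructed and simplified (BIND-style), not real traffic.

```python
"""DNS firewall decision logic over resolver query logs (added example).

Independent of whether the malware later talks HTTP, HTTPS or a custom
protocol, its first step is usually a DNS lookup of the C&C host, which is
what makes a DNS blocklist protocol-agnostic.
"""
import re

# IOCs exactly as printed in the report above, defanged with "[.]"
DEFANGED_IOCS = ["findresults[.]site", "Cioco-froll[.]com"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a comparable DNS name."""
    return ioc.replace("[.]", ".").strip(".").lower()


class DnsBlocklist:
    def __init__(self, iocs):
        self.zones = {refang(i) for i in iocs}

    def blocks(self, qname: str) -> bool:
        """True if qname is a listed zone or lies underneath one."""
        labels = qname.rstrip(".").lower().split(".")
        # Walk from the full name up to the TLD; only whole labels may match,
        # so "notfindresults.site" does not match "findresults.site".
        return any(".".join(labels[i:]) in self.zones for i in range(len(labels)))


# Constructed, simplified BIND-style query log lines (not real traffic)
QUERY_LOG = [
    "client 10.0.0.5#51234 (findresults.site): query: findresults.site IN A",
    "client 10.0.0.7#40120 (cdn.cioco-froll.com): query: cdn.cioco-froll.com IN TXT",
    "client 10.0.0.9#53311 (notfindresults.site): query: notfindresults.site IN A",
    "client 10.0.0.5#51240 (example.com): query: example.com IN AAAA",
]
LOG_RE = re.compile(r"client (\S+?)#\d+ \(\S+\): query: (\S+) IN (\S+)")


def evaluate(lines, blocklist: DnsBlocklist):
    """Return (client, qname, qtype, decision) for every parsable log line."""
    decisions = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        decision = "BLOCK" if blocklist.blocks(qname) else "ALLOW"
        decisions.append((client, qname, qtype, decision))
    return decisions


if __name__ == "__main__":
    for row in evaluate(QUERY_LOG, DnsBlocklist(DEFANGED_IOCS)):
        print(*row)
```

In a real deployment the same matching would be applied inline (for example as a response policy zone on the resolver) rather than to logs after the fact, but the log-based form is the cheapest way to find hosts that have already beaconed.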
Attackers always seek out new ways to evade detection. As most endpoint security products handle file-based attacks relatively well, scripts are an excellent way for attackers to avoid making changes to disk, thus bypassing the threat detection capabilities of most products. In today’s threat landscape, scripts provide initial access, enable evasion, and facilitate lateral movement post-infection.
Attackers will use scripts directly on the machine or embed them in Office documents and PDFs sent to the victim as email attachments. This article provides an overview of the current script threat landscape as well as the most common script attacks and methods.
Script-based cyber-attacks gained popularity in 2017 and their prevalence has grown by over 100%. Nation-state and cybercrime groups adopted the use of scripts and fileless malware in this same timeframe. Today, script-based attacks account for 40% of all cyberattacks, according to the 2020 endpoint security report from Ponemon Institute.
In 2018 and 2019, increased use of fileless attack methods was noted. Particularly suspicious was a spike in the abuse of legitimate applications and native tools such as PowerShell for lateral movement and infection.
How attackers use scripts
Payload delivery and lateral movement follow a successful script-initiated infection. The payload performs actions desired by the attacker, such as information collection, file encryption, or backdoor communication. At the same time, lateral movement leads to infection of additional computers within the network.
Script-based attacks run on virtually all Windows systems, increasing the potential attack surface and the chance of infection. One major drawback of script-based attacks is that, unless deployed via an exploit, user interaction is required for the script to run. For example, in most cases, the script is contained either as a script file within an email requiring user action or as a VBA macro in a document that requires the user to enable macros.
Many types of malware use scripts. For instance, a script that downloads a PE file can either save it to disk or run it from memory, depending on its level of sophistication. The script can also perform additional malicious actions, such as collecting information about the victim, from the computer name to saved passwords.
For example, the Helminth Trojan, used by the Iran-based OilRig group, uses scripts for its malicious logic. In the attack, a Microsoft Word document exploiting CVE-2017-0199 delivers an HTA script, which Windows executes with the HTML Application host mshta.exe. Once executed, the script initiates the attack, delivering the Helminth Trojan as PowerShell and VBS files.
PowerShell: A powerful tool for sysadmins and attackers
PowerShell is a framework used for configuration management and task automation, with a command-line shell and scripting language. PowerShell provides access to Microsoft Windows Management Instrumentation (WMI) and Component Object Model (COM), which makes it a useful and versatile tool for system administrators automating IT management processes, but also for attackers seeking a foothold in the system.
A malicious file loader using PowerShell
Attackers use PowerShell in their attacks to load malware directly in memory without writing to disk, thus bypassing many endpoint security products. Attackers also use PowerShell to automate data exfiltration and infection processes using frameworks such as Metasploit or PowerSploit.
In some cases, the scripts act as downloaders, either downloading a PE file to disk before removing it, injecting a PE file into another process, or downloading another script to carry out the next stage of the attack. In rare cases, the script contains the entire malicious logic. In other cases, the attacker exploits the vulnerabilities in the document reader, for example, Adobe Acrobat, to drop the next phase of the attack. The use of droppers is widespread not only in script-based malware but also in file-based malware attacks, including well-known ransomware and financial malware campaigns.
In many cases, PowerShell allows the attacker to gain an initial foothold on a victim, since using PowerShell enables attackers to obtain permissions and privileges, perform lateral movement in the system, and interact with other Windows applications such as Microsoft Exchange.
Additional script-based threats
HTML application (HTA) is a Microsoft Windows file type meant to run on Internet Explorer, which combines HTML code with Internet Explorer-supported scripts such as VBScript or JScript. HTA files execute through the Microsoft HTA engine (mshta.exe), which runs with the local user’s privileges instead of Internet Explorer’s restricted privileges, with access to the filesystem and registry.
Malicious HTA files allow scripts to run on the machine with local user privileges to download and run executables or additional scripts. Though considered an old attack vector, many script-based attacks continue to use HTA files. These files can be sent as attachments, downloaded by another script, or reached through redirects from malicious websites.
VBScript (Microsoft Visual Basic Scripting Edition) is a Microsoft scripting language based on VBA (Visual Basic for Applications). Instead of the full application development that VBA offers, VBS offers more straightforward usage, aiming at task automation for system administrators. Much like PowerShell, which is intended for similar uses, VBScript is often seen in script-based attacks. Microsoft’s support for script encoding in the form of VBE files is another reason attackers find it useful.
Should I allow scripts to run in my organization’s network?
With script-based attacks on the rise, organizations need to be ready to combat attacks in which the entire attack sequence occurs in memory.
A basic first step any organization should consider is segmenting employees into several groups:
1. Running scripts is part of their day-to-day job
2. Running scripts is not common but might happen
3. There is no need to run scripts
Once segmented, security teams should ensure scripts can execute only from read-only locations and only on specific machines. They should also restrict and monitor the use of interactive PowerShell across the organization. Finally, practicing good IT hygiene limits an organization’s attack surface and the risk associated with script-based attacks.
With these foundational rules in place, organizations should seek out security solutions with specific capabilities that balance the ability to detect script-based attacks while allowing users who need to use scripts for their job function to do so without interruption.
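The monitoring half of the policy above, as an added example (not the article's code): process-creation records of the kind Sysmon Event ID 1 or Security Event ID 4688 provide are scored for the behaviours the article describes, namely a script host spawned by an Office or PDF reader (the HTA and macro cases), encoded or download-cradle PowerShell command lines, and interactive PowerShell started by an account outside the "scripts are part of the job" group. The account names, paths and the events themselves are constructed, and the base64 blob in the second event is filler, not a real payload.

```python
"""Score Windows process-creation events for script-host abuse (added example).

Fields used: user, parent_image, image, command_line, as found in Sysmon EID 1
or Security EID 4688 (with command-line auditing enabled). Account names and
events are constructed.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Segment 1 of the policy above: accounts whose job includes running scripts
# (hypothetical names). Everyone else falls into segments 2 and 3.
SCRIPT_USERS = {"CORP\\svc-deploy", "CORP\\it-admin"}

CMDLINE_PATTERNS = {
    "encoded_command": re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String", re.I),
    "policy_bypass": re.compile(
        r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile|-w(?:indowstyle)?\s+hidden", re.I),
}
# A PowerShell launch with none of these is an interactive session.
RUNS_SCRIPT_OR_COMMAND = re.compile(r"-(?:f|file|c|command|e|ec|en|enc|encodedcommand)\b", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> dict:
    """Return a score (number of independent reasons) and the reasons."""
    image = _basename(ev["image"])
    parent = _basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    reasons = []
    if image not in SCRIPT_HOSTS:
        return {"score": 0, "reasons": reasons}
    if parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by {parent}")  # macro or HTA stage from a document
    if image == "mshta.exe":
        reasons.append("HTA host launched (runs with the local user's privileges)")
    for name, rx in CMDLINE_PATTERNS.items():
        if rx.search(cmd):
            reasons.append(name)
    if image in ("powershell.exe", "pwsh.exe"):
        if ev.get("user") not in SCRIPT_USERS:
            reasons.append("PowerShell by account outside the scripting group")
        if not RUNS_SCRIPT_OR_COMMAND.search(cmd):
            reasons.append("interactive PowerShell session (no -File/-Command)")
    return {"score": len(reasons), "reasons": reasons}


def triage(events, threshold: int = 2):
    """Events at or above the threshold, as (user, image, score, reasons)."""
    hits = []
    for ev in events:
        result = score_event(ev)
        if result["score"] >= threshold:
            hits.append((ev["user"], _basename(ev["image"]), result["score"], result["reasons"]))
    return hits


# Constructed events: one sanctioned deployment script, one document-spawned
# encoded PowerShell, one HTA launched from Word, one interactive shell.
EVENTS = [
    {"user": "CORP\\svc-deploy", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\deploy.ps1"},
    {"user": "CORP\\jdoe", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"user": "CORP\\asmith", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\asmith\AppData\Local\Temp\invoice.hta"},
    {"user": "CORP\\jdoe", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

The segment membership is what keeps the rule quiet for the deployment account while still flagging the same command line from a finance user; pair this with PowerShell script block logging (Event ID 4104) so the content of encoded commands is visible to the analyst rather than only the fact that one ran.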
The global pandemic has seen the web take center stage. Banking, retail and other industries have seen large spikes in web traffic, and this trend is expected to become permanent.
Global brands fail to implement security controls
As attackers ramp up efforts to exploit this crisis, a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.
In many cases, data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge. What the report indicates is that data risk is everywhere and effective controls are rarely applied.
Key findings highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks.
The website supply chain relies on client-side connections that operate outside the span of effective control on 98% of sampled websites. The client side is a primary attack vector for website attacks today.
Websites expose data to an average of 17 domains
Despite increasing numbers of high-profile breaches, forms, found on 92% of websites, expose data to an average of 17 domains. This includes PII, credentials, card transactions, and medical records.
While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, the analysis shows that this data is exposed to nearly 10X more domains than intended.
Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.
No attack is more widespread than XSS
Standards-based security controls exist that can prevent these attacks. They are infrequently applied.
Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:
- Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
- 30% of the websites analyzed had implemented security policies – an encouraging 10% increase over 2019. However…
- Only 1.1% of websites were found to have effective security in place – an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.
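One of the standards-based controls the section refers to is the Content-Security-Policy header, and "deployed" versus "effective" is the gap the numbers above describe. As an added example (not from the report), the audit below parses a site's CSP and checks the three directives that govern where form data, scripts and background requests may go, reporting a policy that is present but useless beside one that actually confines them. The policies, site name and trusted-domain list are constructed.

```python
"""Audit a Content-Security-Policy header for client-side data exposure (added example).

Checks form-action (where forms may submit), script-src (which code may run,
the XSS and skimmer surface) and connect-src (where scripts may send data).
form-action never inherits from default-src; script-src and connect-src do.
"""

FALLS_BACK_TO_DEFAULT = {"script-src", "connect-src", "img-src"}
CHECKED = ("form-action", "script-src", "connect-src")
BROAD = {"*", "http:", "https:", "data:", "blob:"}   # scheme-wide or wildcard sources


def parse_csp(header: str) -> dict:
    """Directive name -> list of source tokens (first occurrence wins, per spec)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Sources that actually apply, honouring default-src fallback; None = unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def _host_of(source: str) -> str:
    return source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def _first_party(host: str, site_host: str) -> bool:
    if host.startswith("*."):
        host = host[2:]
    return host == site_host or host.endswith("." + site_host)


def audit_csp(header: str, site_host: str, trusted=()):
    """Return (directive, issue) pairs; an empty list means the three directives are confined."""
    policy = parse_csp(header)
    findings = []
    for directive in CHECKED:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append((directive, "not set: any destination allowed"))
            continue
        for src in sources:
            token = src.lower()
            if token in BROAD:
                findings.append((directive, f"scheme-wide or wildcard source {src}"))
            elif token in ("'unsafe-inline'", "'unsafe-eval'"):
                if directive == "script-src":
                    findings.append((directive, f"{src} permits injected script"))
            elif token.startswith("'"):
                continue  # 'self', 'none', nonces and hashes are fine
            else:
                host = _host_of(token)
                # Third parties must be an explicit, reviewed decision (the
                # trusted list), because even a whitelisted analytics domain
                # is a place data can be sent.
                if not _first_party(host, site_host) and host not in trusted:
                    findings.append((directive, f"third-party destination {host}"))
    return findings


# Constructed policies for a hypothetical shop.example
WEAK_CSP = "default-src * 'unsafe-inline'; img-src *"
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' 'nonce-r4nd0m' https://www.google-analytics.com; "
                "connect-src 'self' https://www.google-analytics.com; "
                "form-action 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, audit_csp(csp, "shop.example", trusted=("www.google-analytics.com",)))
```

The weak policy counts as "deployed" (a header is present) while leaving forms free to post anywhere and inline script allowed; the hardened one passes only because the analytics domain was put on the reviewed list, which is the continuous-monitoring decision the first bullet above calls for.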
Your payment card information got stolen but you don’t know how, when and where? Maybe you shopped on one of the 570 webshops compromised by the Keeper Magecart group (aka Magecart Group 8) since April 1, 2017.
Magecart Group 8’s modus operandi and targets
The list of the online shops hit by the criminals has been released by researchers from Gemini Advisory, who managed to compile it after gaining access to the group’s dedicated attack server that hosts both the malicious payload and the exfiltrated data stolen from victim sites.
“Analysis revealed that the Keeper group includes an interconnected network of 64 attacker domains used to deliver malicious JS payloads and 73 exfiltration domains used to receive stolen payment cards data from victim domains.”
Their research also revealed that:
- Over 85% of the victim sites operated on the Magento CMS, 5% on WordPress, and 4% on Shopify
- The group tried to disguise its malicious attacker domains as legitimate services (e.g., the attacker domain closetlondon[.]org attempted to imitate closetlondon.com) and tried to imitate popular website plugins and payment gateways
- The majority of victim e-commerce sites were hosted in the U.S., followed by the U.K., the Netherlands, France, India, etc.
“The 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55 different countries,” the researchers shared.
“Victims with the top Alexa Global Ranking received anywhere from 500,000 to over one million visitors each month and were responsible for selling electronics, clothing, jewelry, custom promotional products, and liquor.”
The attackers likely targeted small and medium-sized retailers because they are less likely to have a dedicated IT security team, to implement CMS and plugin patches promptly, and to have security measures in place and attack detection capabilities.
The profitability of Magecart attacks
The researchers estimated that the group may have generated over $7 million USD from selling compromised payment cards between 2017 and today.
“With revenue likely exceeding $7 million and increased cybercriminal interest in CNP [Card Not Present] data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable,” they noted, and said that they expect the group to continue launching increasingly sophisticated attacks against online merchants across the world.
For the end users – i.e., the online shoppers – it’s all the same and, unfortunately, there is little they can do to protect themselves against the threat of getting their payment card info skimmed.
The post Macy’s online store compromised in Magecart-style attack appeared first on Help Net Security.