Layered security becomes critical as malware attacks rise

Despite an 8% decrease in overall malware detections in Q2 2020, 70% of all attacks involved zero day malware – variants that circumvent antivirus signatures, which represents a 12% increase over the previous quarter, WatchGuard found.

malware detections Q2 2020

Malware detections during Q2 2020

Attackers are continuing to leverage evasive and encrypted threats. Zero day malware made up more than two-thirds of the total detections in Q2, while attacks sent over encrypted HTTPS connections accounted for 34%. This means that organizations that are not able to inspect encrypted traffic will miss a massive one-third of incoming threats.

Even though the percentage of threats using encryption decreased from 64% in Q1, the volume of HTTPS-encrypted malware increased dramatically. It appears that more administrators are taking the necessary steps to enable HTTPS inspection, but there’s still more work to be done.

“Businesses aren’t the only ones that have adjusted operations due to the global COVID-19 pandemic – cyber criminals have too,” said Corey Nachreiner, CTO of WatchGuard.

“The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2 2020, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defences simply can’t catch.

“Every organization should be prioritising behaviour-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”

JavaScript-based attacks are on the rise

The scam script Trojan.Gnaeus made its debut at the top of WatchGuard’s top 10 malware list for Q2, making up nearly one in five malware detections. Gnaeus malware allows threat actors to hijack control of the victim’s browser with obfuscated code, and forcefully redirect away from their intended web destinations to domains under the attacker’s control.

Another popup-style JavaScript attack, J.S. PopUnder, was one of the most widespread malware variants last quarter. In this case, an obfuscated script scans a victim’s system properties and blocks debugging attempts as an anti-detection tactic.

To combat these threats, organizations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable adblockers and maintain an updated anti-malware engine.

Attackers increasingly use encrypted Excel files to hide malware

XML-Trojan.Abracadabra is a new addition to the top 10 malware detections list, showing a rapid growth in popularity since the technique emerged in April.

Abracadabra is a malware variant delivered as an encrypted Excel file with the password “VelvetSweatshop”, the default password for Excel documents. Once opened, Excel automatically decrypts the file and a macro VBA script inside the spreadsheet downloads and runs an executable.

The use of a default password allows this malware to bypass many basic antivirus solutions since the file is encrypted and then decrypted by Excel. Organizations should never allow macros from an untrusted source, and leverage cloud-based sandboxing to safely verify the true intent of potentially dangerous files before they can cause an infection.

An old, highly exploitable DoS attack makes a comeback

A six-year-old DoS vulnerability affecting WordPress and Drupal made an appearance on a list of top 10 network attacks by volume in Q2. This vulnerability is particularly severe because it affects every unpatched Drupal and WordPress installation and creates DoS scenarios in which bad actors can cause CPU and memory exhaustion on underlying hardware.

Despite the high volume of these attacks, they were hyper-focused on a few dozen networks primarily in Germany. Since DoS scenarios require sustained traffic to victim networks, this means there’s a strong likelihood that attackers were selecting their targets intentionally.

Malware domains leverage command and control servers to wreak havoc

Two new destinations made top malware domains list in Q2. The most common was findresults[.]site, which uses a C&C server for a Dadobra trojan variant that creates an obfuscated file and associated registry to ensure the attack runs and can exfiltrate sensitive data and download additional malware when users start up Windows systems.

One user alerted the WatchGuard team to Cioco-froll[.]com, which uses another C&C server to support an Asprox botnet variant, often delivered via PDF document, and provides a C&C beacon to let the attacker know it has gained persistence and is ready to participate in the botnet.

DNS firewalling can help organizations detect and block these kinds of threats independent of the application protocol for the connection.

What are script-based attacks and what can be done to prevent them?

Attackers always seek out new ways to evade detection. As most endpoint security products handle file-based attacks relatively well, scripts are an excellent way for attackers to avoid making changes to a disk, thus bypassing the threat detection capabilities of most products. In today’s threat landscape, scripts provide initial access, enable evasion, and facilitate lateral movements post-infection.

what are script-based attacks

Attackers will use scripts directly on the machine or embed them in Office documents and PDFs sent to the victim as email attachments. This article provides an overview of the current script threat landscape as well as the most common script attacks and methods.

Script-based cyber-attacks

Script-based cyber-attacks gained popularity in 2017 and their prevalence has grown by over 100%. Nation-state and cybercrime groups adopted the use of scripts and fileless malware in this same timeframe. Today, script-based attacks account for 40% of all cyberattacks, according to the 2020 endpoint security report from Ponemon Institute.

In 2019 and 2018, increased use of fileless attack methods was noted. Particularly suspicious was a spike in the abuse of legitimate applications and native tools such as PowerShell for lateral movement and infection.

A script can be anything from a sequence of simple system commands, advanced scripting languages used for system configurations, complex task automation, and other general purposes. Common scripting languages are VBScript, JavaScript, and PowerShell. Unlike applications that run after being compiled into machine code, computers interpret scripts. To put in the words of Larry Wall, creator Perl scripting language, “a script is what you give the actors, but a program is what you give the audience.”

How attackers use scripts

Payload delivery and lateral movement follow a successful script-initiated infection. The payload performs actions desired by the attacker, such as information collection, file encryption, or backdoor communication. At the same time, lateral movement leads to infection of additional computers within the network.

The use of scripts poses many advantages to the attacker: scripts are easy to write and execute, trivial to obfuscate, and extremely polymorphic. Moreover, attackers can use many types of script files to carry out an attack – the most popular being PowerShell, JavaScript, HTA, VBA, VBS, and batch scripts. Since fileless attacks occur in memory, traditional static file detection is rendered useless. Furthermore, scripts complicate post-event analysis since many artifacts related to the attack only exist in the computer’s memory and may be overwritten or removed through a reboot, for example. In-memory detection and artifact collection are possible through the use of heuristics and behavioral analysis, which can detect malicious in-memory activities.

Script-based attacks run on virtually all Windows systems, increasing the potential attack surface and the chance of infection. One major drawback of script-based attacks is that, unless deployed via an exploit, user interaction is required for the script to run. For example, in most cases, the script is contained either as a script file within an email requiring user action or as a VBA macro in a document that requires the user to enable macros.

Many types of malware use scripts. For instance, a script that downloads a PE file can either save it to disk or run it from memory, depending on its level of sophistication. The script can also perform additional malicious actions, such as collecting information about the victim, from the computer name to saved passwords.

Studying a sample set of attacks, Deep Instinct Threat Intelligence concluded 75% of fileless campaigns use scripts – mostly one or more of PowerShell, HTA, JavaScript, VBA – during at least one of the attack stages.

For example, the Helminth Trojan, used by the Iran-based OilRig group, uses scripts for its malicious logic. In the attack, a Microsoft Word document file exploiting CVE-2017-0199 delivers an HTA script executed by the Windows process, which runs the HTML executable mshta.exe. Once executed, the script initiates the attack, delivering the Helminth Trojan as PowerShell and VBS files.

PowerShell: A powerful tool for sysadmins and attackers

PowerShell is a framework used for configuration management and task automation, with a command-line shell and scripting language. PowerShell provides access to Microsoft Windows Management Instrumentation (WMI) and Component Object Model (COM), which makes it a useful and versatile tool for system administrators automating IT management processes, but also for attackers seeking a foothold in the system.

A malicious file loader using PowerShell

Attackers use PowerShell in their attacks to load malware directly in memory without writing to disk, thus bypassing many endpoint security products. Attackers also use PowerShell to automate data exfiltration and infection processes using frameworks such as Metasploit or PowerSploit.

As with other types of attacks, in a script-based attack, the initial hold of the victim generally occurs through a successful phishing attack, which contains a dropper – such as a PDF, RTF, Office file, or archive. In most cases, the dropper will then run a script, either a VBA macro or another type of script, such as PowerShell, JavaScript, or HTA.

In some cases, the scripts act as downloaders, either downloading a PE file to disk before removing it, injecting a PE file into another process, or downloading another script to carry out the next stage of the attack. In rare cases, the script contains the entire malicious logic. In other cases, the attacker exploits the vulnerabilities in the document reader, for example, Adobe Acrobat, to drop the next phase of the attack. The use of droppers is widespread not only in script-based malware but also in file-based malware attacks, including well-known ransomware and financial malware campaigns.

A well-known attack using this method was Cobalt malware, which used a document dropper exploiting CVE-2017-11882. When the user opened the document, the exploit contained in the document downloaded a JavaScript, which in turn executed several PowerShell scripts – the last of which included Cobalt DLLs in the script code. These completed in PowerShell’s memory without being dumped to disk. Through the use of this exploit, attackers executed a fileless attack, in which the only action performed by the user was opening the document dropper.

In many cases, PowerShell allows the attacker to gain an initial foothold on a victim, since using PowerShell enables attackers to obtain permissions and privileges, perform the lateral movement in the system, as well as interact with other Windows applications such as Microsoft Exchange.

JavaScript: An unwanted guest on your PDF reader

JavaScript is a standard scripting language used in web pages, web applications, and browsers. JavaScript can manipulate and modify PDF files with implemented objects, web page links, and more. Most PDF-based attacks use the PDF reader software or an in-browser reader to run JavaScript code on the victims’ machine.

Additional script-based threats

HTML application (HTA) is a Microsoft Windows file meant to run on Internet Explorer, which combines HTML code with Internet Explorer-supported scripts such as VBScript or JScript. HTA files execute through Microsoft HTA engine (mshta.exe) that has the local user’s privileges instead of Internet Explorer’s restricted privileges, with access to the filesystem and registry.

Malicious HTA files allow scripts to run the machine with local user privileges to download and run executables or additional scripts. Though considered an old attack vector, many script-based attacks continue to use HTA files. These files can be sent as attachments, downloaded by another script, or redirects from malicious websites.

VBScript (Microsoft Visual Basic Scripting Edition) is a Microsoft scripting language based on VBA (Visual Basic for Applications). Instead of a full application development that VBA offers, VBS offers more straightforward usage, aiming at task automation for system administrators. Much like PowerShell, intended for similar uses, VBScript in often seen in script-based attacks. Microsoft’s support of script encoding in the form of VBE files is another reason attackers find it useful.

Should I allow scripts to run in my organization’s network?

With script-based attacks on the rise, organizations need to be ready to combat attacks in which the entire attack sequence occurs in memory.

A basic first step any organization should consider is segmenting employees into several groups:

1. Running scripts is part of their day-to-day job
2. Running scripts is not common but might happen
3. There is no need to run scripts

Once segmented, security teams should ensure scripts can only execute from read-only locations and access specific machines. Additionally, security teams should restrict and monitor the use of interactive PowerShell across the organization. Additionally, practicing good IT hygiene can limit an organization’s attack surface and the risk associated with script-based attacks.

With these foundational rules in place, organizations should seek out security solutions with specific capabilities that balance the ability to detect script-based attacks while allowing users who need to use scripts for their job function to do so without interruption.

Most global brands fail to implement security controls to prevent data leakage and theft

The global pandemic has seen the web take center stage. Banking, retail and other industries have seen large spikes in web traffic, and this trend is expected to become permanent.

global brands security controls

Global brands fail to implement security controls

As attackers ramp up efforts to exploit this crisis, a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.

There’s a troubling lack of security controls required to prevent data theft and loss through client-side attacks like Magecart, formjacking, cross-site scripting, and credit card skimming. These attacks exploit vulnerable JavaScript integrations running on 99% of the world’s top websites, Tala Security reveals.

The report indicates that security effectiveness against JavaScript vulnerabilities is declining, despite high-profile attacks and repeated industry warnings over the past 18 months, including the largest GDPR fine to date.

Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript.

In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge. What this report indicates is that data risk is everywhere and effective controls are rarely applied.

Key findings highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks.

JavaScript risk has increased in 2020

The average website includes content from 32 third-party JavaScript vendors, up slightly from 2019. JavaScript powers richness but also the framework of what renders on customer browsers, including images, style sheets, fonts, media and content from 1st party source- the site owner.

Content delivered by third-party JavaScript integrations

58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations identified above.

This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites. The client-side is a primary attack vector for website attacks today.

Websites expose data to an average of 17 domains

Despite increasing numbers of high-profile breaches, forms, found on 92% of websites expose data to an average of 17 domains. This is PII, credentials, card transactions, and medical records.

While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, the analysis shows that this data is exposed to nearly 10X more domains than intended.

Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.

No attack is more widespread than XSS

While other client-side attacks such as Magecart capture most of the headlines, no attack is more widespread than Cross-Site Scripting (XSS). This study found that 97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack.

Standards-based security controls exist that can prevent these attacks. They are infrequently applied.

Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:

  • Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
  • 30% of the websites analyzed had implemented security policies – an encouraging 10% increase over 2019. However…
  • Only 1.1% of websites were found to have effective security in place – an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.

Magecart Group 8 skimmed card info from 570+ online shops

Your payment card information got stolen but you don’t know how, when and where? Maybe you shopped on one of the 570 webshops compromised by the Keeper Magecart group (aka Magecart Group 8) since April 1, 2017.

Magecart Group 8

Magecart Group 8’s modus operandi and targets

The list of the online shops hit by the criminals has been released by researchers from Gemini Advisory, who managed to compile it after gaining access to the group’s dedicated attack server that hosts both the malicious payload and the exfiltrated data stolen from victim sites.

“Analysis revealed that the Keeper group includes an interconnected network of 64 attacker domains used to deliver malicious JS payloads and 73 exfiltration domains used to receive stolen payment cards data from victim domains.

Their research also revealed that:

  • Over 85% of the victim sites operated on the Magento CMS, 5% WordPress, and 4% Sophify
  • The group tried to disguise its malicious attacker domains as legitimate services (e.g., the attacker domain closetlondon[.]org attempted to imitate and tried to imitate popular website plugins and payment gateways
  • The group occasionally used public and custom obfuscation methods to make the injected information-stealing JavaScript less noticeable and detectable
  • The majority of victim e-commerce sites was hosted in the U.S., followed by the U.K., the Netherlands, France, India, etc.

“The 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55 different countries,” the researchers shared.

“Victims with the top Alexa Global Ranking received anywhere from 500,000 to over one million visitors each month and were responsible for selling electronics, clothing, jewelry, custom promotional products, and liquor.”

The attackers likely targeted small and medium-sized retailers because they are less likely to have a dedicated IT security team, to implement CMS and plugin patches promptly, and to have security measures in place and attack detection capabilities.

The profitability of Magecart attacks

The researchers estimated that the group may have generated over $7 million USD from selling compromised payment cards between 2017 and today.

“With revenue likely exceeding $7 million and increased cybercriminal interest in CNP [Card Not Present] data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable,” they noted, and said that they expect the group to continue launching increasingly sophisticated attacks against online merchants across the world.

It is unknown if the group is state-sponsored or not. While we may think of Magecart groups as “mere” cyber criminals, Sansec researchers recently tied one of them to a North Korean APT group.

For the end users – i.e., the online shoppers – it’s all the same and, unfortunately, there is little they can do to protect themselves against the threat of getting their payment card info skimmed.

Avoiding smaller sites/shops might be a good idea, and so is using browser plugins that prevent JavaScript loading from untrusted sites, but there is no 100% guarantee.

Macy’s online store compromised in Magecart-style attack

The webshop of noted U.S. department store company Macy’s has been compromised and equipped with an information-stealing JavaScript, which ended up collecting users’ personal and payment card information for a week. What is known about the breach According to the notice sent by Macy’s to affected customers, the breach was discovered on October 15, 2019, after they were alerted to a suspicious connection between and another website. “Based on our investigation, we believe that … More

The post Macy’s online store compromised in Magecart-style attack appeared first on Help Net Security.