HP has published its quarterly HP Wolf Security Threat Insights Report, which finds that cybercriminals are continually discovering new methods of infecting devices. The HP Wolf Security threat research team identified several notable malicious campaigns recently observed in the wild:
– The DarkGate campaign uses advertising tools to extend its reach: Malicious PDF attachments disguised as OneDrive error messages direct users to sponsored content hosted on a popular advertising network, ultimately leading to the DarkGate malware.
– By using advertising services, cybercriminals can measure which “bait” generates the most clicks and infects the most users. This helps them refine their campaigns and scale up their impact.
– Cybercriminals can place CAPTCHA checks in front of their payloads to block automated malware scanners from following the attack chain. This ensures that it is a human being who clicks on the infected attachment or link.
– DarkGate provides cybercriminals with backdoor access to networks, exposing victims to risks such as data theft and ransomware attacks.
– A move away from macros in favor of Office exploits: In the fourth quarter, at least 84% of intrusion attempts using spreadsheets and 73% using Word documents exploited vulnerabilities in Office applications, reflecting a continuing shift away from macro-based Office attacks.
– Malware delivered via PDF files is increasing: In the last quarter of 2023, 11% of malware programs used PDF files. A notable example is the WikiLoader campaign, which uses a fake PDF about a package delivery to induce users to install the Ursnif malware.
– Discord and TextBin used to host malicious files: Cybercriminals use legitimate file- and text-sharing websites to host malicious files. These sites are often categorized as trusted, which helps attackers evade anti-virus scanners and increases the chance that they go undetected.
Alex Holland, Senior Malware Analyst in the HP Wolf Security threat research team, comments:
“Cybercriminals are increasingly reaching our psyche and better understanding how we operate and function online. This can be seen with popular cloud services, which are continuously improved. Now, GenAI can generate even more convincing malicious content at little or no cost, making it more difficult to distinguish real threats from fake ones.”
By isolating threats that could bypass security controls on endpoints and letting attacks play out in a controlled environment, HP Wolf Security gains further insight into the latest techniques used by cybercriminals. HP Wolf Security users have clicked on email attachments, websites, and downloaded files over 40 billion times, with no reported breaches.
Other key findings in the HP report detail how cybercriminals continue to diversify attack methods to trick security systems:
– For seven consecutive quarters, archives were the most popular method of delivering malware (accounting for 30% of the malware analyzed by HP).
– At least 14% of email threats identified by HP Sure Click bypassed at least one email gateway scanner.
– The main sources of threats in the fourth quarter of 2023 were email messages (75%), files downloaded using browsers (13%), and other media such as USB drives (12%).
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., comments:
“Cybercriminals use the same tools that companies use to manage marketing campaigns. They optimize malicious attack strategies and increase the likelihood that a user will fall for their trick. To protect themselves from organized cybercrime, companies should adopt a zero trust approach, curtailing risky behaviors such as opening email attachments, clicking on links, and downloading files from the browser.”
HP Wolf Security runs risky tasks in isolated virtual machines on endpoints. This protects users without affecting their productivity, and it also records detailed traces of infection attempts. HP’s isolation technology minimizes the risk from threats that can bypass other security tools and provides unique insight into breach techniques and cybercriminal behavior.
The data comes from the virtual machines of HP Wolf Security customers who consented to its collection, covering the period from October to December 2023.