Cat-Phishing, Living-Off-The-Land, Fake Invoices Top Q1 Cyberthreats: Report

Cat-phishing, using a popular Microsoft file transfer tool to become a network parasite, and bogus invoicing are among the notable techniques cybercriminals deployed during the first three months of this year, according to the quarterly HP Wolf Security Threat Insights Report released Thursday.

Based on an analysis of data from millions of endpoints running the company’s software, the report found digital desperadoes exploiting a type of website vulnerability to cat-phish users and steer them to malevolent online locations. Users are first sent to a legitimate website, then redirected to the malicious site, a tactic that makes it difficult for the target to detect the switch.

“Open redirect vulnerabilities can be fairly common and are easy to exploit,” noted Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“The power in them falls back to the cybercriminal’s favorite tool, deception,” he told TechNewsWorld. “The open redirect allows bad actors to use a legitimate URL to redirect to a malicious one by crafting the link in the message to include a part at the end of the URL, which is rarely checked by people, that takes the user to the malicious site, even if they know enough to hover over the link.”

“While the URL in the browser will show the site the person is redirected to, the victim is less likely to check it after believing they have already clicked a legitimate link,” he explained.

“It is common to teach people to hover over links to make sure they appear legitimate,” he added, “but they should also be taught to always review the URL in the browser bar before entering any sensitive information such as passwords, PII, or credit card numbers.”
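The open-redirect mechanism described above, as an added Python example that is not code from the HP Wolf report or from any of the people quoted: a login handler that trusts its `next` parameter verbatim sits beside a hardened version that only follows site-local paths or allowlisted hosts. The host names, the `next` parameter name and the sample link are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed allowlist: hosts the login page is permitted to send users to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"  # fallback landing page when the requested target is rejected


def vulnerable_redirect_target(next_url: str) -> str:
    """Open redirect: the 'next' parameter is trusted verbatim, so a link to
    the legitimate site can carry any destination the sender chooses."""
    return next_url


def safe_redirect_target(next_url: str, allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return next_url only if it stays on this site or an allowlisted host;
    otherwise return the default landing page."""
    if not next_url or any(ord(ch) < 0x20 for ch in next_url):
        return default
    # Browsers treat a backslash as a path separator, so '/\evil.example'
    # would be followed as '//evil.example'; normalise before parsing.
    parts = urlsplit(next_url.replace("\\", "/"))
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data: and similar schemes
    if parts.netloc:
        # Absolute or protocol-relative URL: the host decides, and
        # parts.hostname ignores userinfo tricks such as user@evil.example
        host = (parts.hostname or "").lower()
        return urlunsplit(parts) if host in allowed_hosts else default
    # Relative target: must be a single-slash, site-local path.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def target_from_link(link: str, param: str = "next") -> str:
    """Pull the redirect parameter out of a full link, i.e. the 'part at the
    end of the URL' that a hovering user rarely inspects."""
    query = parse_qs(urlsplit(link).query)
    return query.get(param, [""])[0]


if __name__ == "__main__":
    # Constructed lure-style link: legitimate host, sender-chosen 'next'.
    link = "https://www.example.com/login?next=https://evil.example/steal"
    requested = target_from_link(link)
    print("vulnerable ->", vulnerable_redirect_target(requested))
    print("hardened   ->", safe_redirect_target(requested))
```

The hardened function rejects the protocol-relative (`//host`), backslash (`/\host`), non-HTTP scheme and `user@host` variants that a naive "does it start with a slash" check lets through; the allowlist, rather than a denylist, is what makes the check hold up.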

Email continues to be a primary delivery mechanism of attachment-based redirects, noted Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif. “But,” he told TechNewsWorld, “we are also seeing delivery of these attachments outside of email in Slack, Teams, Discord and other messaging apps with obfuscated file names that look real.”

Exploiting BITS

Another notable attack identified in the report is using the Windows Background Intelligent Transfer Service (BITS) to perform “living off the land” forays on an organization’s systems. Because BITS is a tool used by IT staff to download and upload files, attackers can use it to avoid detection.

Ashley Leonard, CEO of Syxsense, a global IT and security solutions company, explained that BITS is a component of Windows designed to transfer files in the background using idle network bandwidth. It is commonly used to download updates in the background, so a system stays up to date without disrupting work, and for cloud synchronization, letting cloud storage applications such as OneDrive sync files between a local machine and the cloud storage service.

“Unfortunately, BITS can also be used in nefarious ways, as noted in the Wolf HP report,” Leonard told TechNewsWorld. “Malicious actors can use BITS for a number of activities — to exfiltrate data, for command-and-control communications or persistence activities, such as executing malicious code to entrench themselves more deeply into the enterprise.”

“Microsoft doesn’t recommend disabling BITS because of its legitimate uses,” he said, “But there are ways enterprises can protect themselves against malicious actors exploiting it.” Those include:

  • Use network monitoring tools to detect unusual BITS traffic patterns, such as large amounts of data being transferred to external servers or suspicious domains.
  • Configure BITS to allow only authorized applications and services to use it and block any attempts by unauthorized processes to access BITS.
  • Segregate critical systems and data from less sensitive areas of the network to limit the lateral movement of attackers in case of a compromise.
  • Keep all systems up to date with the latest patches and security updates to fix any known vulnerabilities that could be exploited by attackers.
  • Utilize threat intelligence feeds to stay informed about the latest tactics, techniques, and procedures cyberattackers use, and proactively adjust security controls accordingly.
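The first two mitigations in the list, as an added Python example that is not from the HP Wolf report or from Syxsense: triage of BITS job records against an allowlist of expected destinations and owning processes, flagging uploads to external hosts and unusually large transfers. The job records, field names, allowlists and threshold are constructed for illustration; in practice the records would be built from `Get-BitsTransfer -AllUsers` or the Microsoft-Windows-Bits-Client/Operational event log.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlists: destinations and owning processes that legitimate
# BITS consumers (Windows Update, OneDrive) are expected to use.
ALLOWED_DOMAINS = {"windowsupdate.com", "onedrive.live.com"}
ALLOWED_OWNERS = {"svchost.exe", "onedrive.exe"}
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # threshold for "large amounts of data"

# Constructed BITS job records with hypothetical field names.
SAMPLE_JOBS = [
    {"name": "WU Client Download", "owner": "svchost.exe", "direction": "download",
     "url": "https://download.windowsupdate.com/d/msdownload/update.cab", "bytes": 42_000_000},
    {"name": "OneDrive Sync", "owner": "OneDrive.exe", "direction": "upload",
     "url": "https://onedrive.live.com/upload/report.docx", "bytes": 3_500_000},
    {"name": "update", "owner": "powershell.exe", "direction": "download",
     "url": "http://203.0.113.10/stage2.bin", "bytes": 600_000},
    {"name": "backup", "owner": "rundll32.exe", "direction": "upload",
     "url": "https://drop.unapproved.example/put", "bytes": 900_000_000},
]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_allowed_domain(host: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Exact or parent-domain match against the allowlist (dot-anchored, so
    'evilwindowsupdate.com' does not match 'windowsupdate.com')."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_job(job: dict) -> list[str]:
    """Return the reasons a BITS job deserves analyst attention ([] if none)."""
    reasons = []
    host = host_of(job["url"])
    allowed = is_allowed_domain(host)
    if not allowed:
        reasons.append("unapproved destination")
    if is_ip_literal(host):
        reasons.append("raw IP destination")
    if job["owner"].lower() not in ALLOWED_OWNERS:
        reasons.append("unexpected owner process")
    if job["direction"] == "upload" and not allowed:
        reasons.append("upload to external host")
    if job["bytes"] >= LARGE_TRANSFER_BYTES and not allowed:
        reasons.append("large transfer")
    return reasons


def triage_jobs(jobs=SAMPLE_JOBS) -> dict[str, list[str]]:
    """Map job name -> reasons, for every job that tripped at least one rule."""
    return {j["name"]: r for j in jobs if (r := triage_job(j))}


if __name__ == "__main__":
    for name, reasons in triage_jobs().items():
        print(f"{name}: {', '.join(reasons)}")
```

Run as a script it reports only the two constructed jobs created by unexpected processes and bound for unapproved hosts; the Windows Update and OneDrive jobs pass silently, which is the point of an allowlist rather than a blanket alert on all BITS activity.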

RAT in the Invoice

The HP Wolf report also found network marauders hiding malware inside HTML files masquerading as vendor invoices. Once opened in a web browser, the files unleash a chain of events that deploy the open-source malware AsyncRAT.

“The advantage of hiding malware in HTML files is that attackers rely on interacting with their target in most cases,” said Nick Hyatt, director of threat intelligence at Blackpoint Cyber, a provider of threat hunting, detection, and response technology, in Ellicott City, Md.

“By hiding malware in a fake invoice, an attacker is likely to get a user to click on it to see what the invoice is for,” he told TechNewsWorld. “This, in turn, gets the user interacting and increases the chance for successful compromise.”

While targeting companies with invoice lures is one of the oldest tricks in the book, it can still be very effective and lucrative.

“Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them,” HP Wolf Principal Threat Researcher Patrick Schläpfer said in a statement. “If successful, attackers can quickly monetize their access by selling it to cybercriminal brokers or by deploying ransomware.”

“The escalating threat landscape posed by highly evasive browser-based attacks is yet another reason organizations must prioritize browser security and deploy proactive cybersecurity measures,” added Patrick Tiquet, vice president for security and architecture at Keeper Security, a password management and online storage company, in Chicago.

“The rapid surge in browser-based phishing attacks, especially those employing evasive tactics, highlights the urgent need for enhanced protection,” he told TechNewsWorld.

Less Than Impervious Gateway Scanners

Another report finding was that 12% of email threats identified by HP Wolf’s software had bypassed one or more email gateway scanners.

“Email gateway scanners can be a helpful tool to eliminate the common types of email threats. However, they are far less effective at more targeted attacks, such as spearphishing or whaling,” observed KnowBe4’s Kron.

“Email scanners, even ones that use AI, are typically looking for patterns or keywords or will look for threats in attachments or URLs,” he continued. “If the bad actors use non-typical tactics, the filters may miss them.”

“There is a fine line between filtering out threats and blocking legitimate email messages,” he said, “and in most cases, the filters will be set to being more conservative and less likely to cause problems by stopping important communication.”

He acknowledged that email gateway scanners, even with their flaws, are vital security controls, but he asserted that it is also critical that employees be taught how to spot and quickly report attacks that make it through.

“Bad actors are getting creative in designing email campaigns that bypass traditional detection mechanisms,” added Krishna Vishnubhotla, vice president of product strategy at Zimperium, a mobile security company based in Dallas.

“Organizations must protect their employees from phishing links, malicious QR codes, and malicious attachments in these emails across all legacy and mobile endpoints,” he said.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.
