HP raises alarm over new hacking techniques by cybercriminals

American multinational IT company, HP Inc., says it has identified the latest techniques used by cybercriminals in its recent global HP Wolf Security threat insights report.

HP in a statement on Friday said that the insights report provides analysis of real world cybersecurity attacks by isolating threats that have evaded detection tools and made it to user endpoints.

It said that the HP Wolf Security threat research team identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers to gain access to targets, and exposing businesses and individuals to data theft and destructive ransomware attacks.

“In our research, there was a huge six-fold increase (+588%) in attackers using malicious Microsoft Excel add-in (.xll) files to infect systems compared to last quarter, a technique found to be particularly dangerous as it only requires one click to run the malware.

“The team also found adverts for Microsoft Excel add-in dropper and malware builder kits on underground markets, which make it easier for inexperienced attackers to launch campaigns,” it said.

According to the report, a recent QakBot. (a prevalent information-stealing malware) spam campaign used excel files to trick targets, using compromised email accounts to hijack email threads and reply with an attached malicious excel (.xlsb) file.

It said that after being delivered to systems, qakbot injects itself into legitimate Windows processes to evade detection.

HP noted that Malicious Excel (.xls) files were also used to spread the Ursnif banking Trojan (Virus) to Italian-speaking businesses and public sector organisations through a malicious spam campaign, with attackers posing as Italian courier service BRT.

“Other notable threats isolated by the HP Wolf Security threat insight team include, the return of TA505.

“HP identified a MirrorBlast email phishing campaign sharing many tactics, techniques, and procedures (TTPs) with TA505, a financially motivated threat group known for massive malware spam campaigns and monetizing access to infected systems using ransomware.

“The attack targeted organisations with the FlawedGrace Remote Access Trojan (RAT),” it said.

HP said others were fake gaming platform infecting victims with RedLine, a spoofed discord installer website tricking visitors into downloading the RedLine infostealer and stealing their credentials.

Mr Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, said: “Abusing legitimate features in software to hide from detection tools is a common tactic for attackers as using uncommon file types that may be allowed past email gateways.

He noted that security teams should ensure they don’t rely on detection alone but keep up with the latest threats by updating their defenses accordingly.

“Attackers are continually innovating to find new techniques to evade detection, so it’s vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users.

“Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe, “Holland said.

He said other key findings in the report notes that 13 per cent of email malware isolated had bypassed at least one email gateway scanner.

Holland noted that hackers used 136 different file extensions in their attempts to infect organisations, adding that 77 per cent of malware detected was delivered via email, while web downloads were responsible for 13 per cent.

“The most common attachments used to deliver malware were documents (29 per cent), archives (28 per cent), executables (21 per cent) and spreadsheets (20 per cent).,” Holland said.

Dr Ian Pratt, Global Head of Security for Personal Systems, HP Inc. said: “Today, low-level threat actors can carry out stealthy attacks and sell access onto organised ransomware groups, leading to large-scale breaches that could cripple IT systems and grind operations to a halt.

Pratt said organisations should focus on reducing the attack surface and enabling quick recovery in the event of compromise.