Blog Post

Patching Shouts for Help from NDR!

Kevin Bailey • Oct 14, 2021

HP threat research shows attackers exploiting a zero-day vulnerability before enterprises can patch. It's time to consider NDR that is fast to deploy, detect and [automatically] respond before the malware can reach the endpoint. IDS and IPS just don't cut it anymore.

Patching needs better Detection and Response

Patching against zero-day threats continues to be a reactive process, requiring organisations such as HP Wolf Security to identify and report new vulnerabilities, such as their latest catch, CVE-2021-40444.


The HP Wolf Security threat research team is seeing cybercriminals using legitimate cloud providers to host malware, and switching up file and script types to evade detection tools.


New? No, but it's becoming more commonplace, and it increases the pressure on Cloud, MSP and MSS providers to shout for help: to proactively identify, quarantine and destroy these malware intrusions as a first level of protection rather than relying solely on patching. But please don't stop patching.


The HP Wolf Security threat research team found evidence that cybercriminals are mobilizing quickly to weaponize new zero-day vulnerabilities. Exploits of the zero-day CVE-2021-40444 – a remote code execution vulnerability that enables exploitation of the MSHTML browser engine using Microsoft Office documents – were first captured by HP on September 8, a week before the patch was issued on September 14.


By September 10 – just three days after the initial threat bulletin – the HP threat research team saw scripts designed to automate the creation of this exploit being shared on GitHub. Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction. It uses a malicious archive file, which deploys malware via an Office document. Users don't have to open the file or enable any macros; viewing it in File Explorer's preview pane is enough to initiate the attack, and the user will often not know it has happened. Once the device is compromised, attackers can install backdoors on systems, which could then be sold on to ransomware groups.


Specific to providers:

  • The rise in cybercriminals using legitimate cloud and web providers to host malware: a recent GuLoader campaign was hosting the Remcos Remote Access Trojan (RAT) on major platforms like OneDrive to evade intrusion detection systems and pass whitelisting tests. HP Wolf Security also discovered multiple malware families being hosted on gaming social media platforms like Discord.


"The average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, giving cybercriminals an opportunity to exploit this 'window of vulnerability'. While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors," explains Alex Holland, Senior Malware Analyst, HP Wolf Security.


Patching is a critical exercise, but we need to catch the attack before it gets to the user.


Security teams have a hard time as it is, especially as "74% of malware is undetectable to signature-based tools" (WatchGuard Technologies), but help is available.


Upgrade your IDP, IPS and NTA tools and join the growth in deployments of Network Detection & Response (NDR) technology. Detecting these new anomalies is critical, but the response capability, whether automated or 'one-click', is just as important.


There are some strong players in this category of security tools. Vectra AI is one of them, directly addressing the concerns around cloud security, and it was recognised recently with the Globee 2021 Disruptor Company Award for Security Cloud/SaaS.


NDR is about detecting 'attacks', not events. Security teams are already overwhelmed with 'noise', so whichever NDR vendor you choose to evaluate, ensure they understand that size [of events] doesn't count; it's all about performance (identifying attacks).




[1] This data was gathered within HP Wolf Security customer virtual-machines from July - September 2021.

[2] Microsoft credited security researchers Rick Cole (MSTIC), Dhanesh Kizhakkinan of Mandiant, Haifei Li of EXPMON, and Bryce Abdo of Mandiant for discovering the zero-day vulnerability.

