Hackers Successfully Exploiting Older, Unpatched Microsoft Vulnerabilities
Despite software updates issued three years ago, hackers continue to exploit unpatched Microsoft vulnerabilities to gain access to networks.
The most frequent exploit in the last three months caught by HP Sure Click was against an older, unpatched memory corruption vulnerability in Microsoft Office, accounting for nearly 75 percent of all exploits in Q4 2020, according to a recent threat insights report from HP Bromium.
The Q4 2020 report reviews notable malware trends identified by HP Sure Click from October 1 to December 31.
CVE-2017-11882, found in Equation Editor, is a memory corruption vulnerability that can allow an attacker to achieve remote code execution on vulnerable devices after the victim opens a malicious document -- typically sent in a phishing email.
The malicious attachment launches the exploit and provides the ability to deploy further malware. Although it was disclosed in 2017, hackers have continued to exploit the flaw to gain access to victims’ networks.
Just last year, the Department of Homeland Security found the vulnerability was one of the three most commonly exploited by nation-state hackers. Microsoft has already provided a software update to eliminate the risk, but these unpatched systems are leaving the door open to attacks.
The report also showed a 12 percent growth in malware used against another years-old flaw: CVE-2017-0199. The vulnerability was also among the most commonly exploited flaws observed by DHS in 2020. McAfee also found attackers leveraging the flaw for remote code execution in 2017.
“This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective,” officials explained, at the time.
“Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software,” they added.
In light of the successful exploits of older vulnerabilities -- combined with the recent Microsoft Exchange exploits -- entities should ensure they’ve successfully patched all known flaws to avoid falling victim to attack.
Notably, 88 percent of the threats isolated by HP were delivered via email in Q4 2020, with the remaining 12 percent stemming from web downloads. About 29 percent of the threats stopped by HP were not known by hash to antivirus scanning engines when isolated.
As such, researchers believe that there’s a high degree of sample novelty stemming from the widespread use of packers and polymorphic or metamorphic obfuscation techniques. In fact, it took nearly nine days, on average, for samples to become known by hash to other antivirus tools.
The report also showed a 12 percent increase in the volume of executable format malware from Q3 to Q4, particularly Portable Executable EXE files. Researchers attributed the spike to an increase in malicious email campaigns distributing attachments through these file types.
The largest increase was seen in the distribution of Dridex malware, which rose a staggering 239 percent in sample volume in Q4. Dridex is typically delivered through malicious Excel spreadsheets. Though it was initially a banking trojan, the threat has since shifted to extorting money from victims.
The threat was the second-most distributed behind the notorious Emotet variant. Federal security researchers took down the botnet in January 2021.
Further, 68 adversary techniques were observed by researchers during Q4. The most popular methods used by threat actors were execution through module load, obfuscated files or information and execution through API.
Overall, threat actors have switched from leveraging Word document malware to spreadsheet and executable formats. The most effective method leveraged older technologies like Excel 4.0 macros, which often have limited visibility -- allowing for attack obfuscation.
Researchers attributed the rise in malicious spreadsheet use in these campaigns to the rise in Dridex.
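The two document features the article describes, embedded OLE objects (the container an Equation Editor object lives in) and Excel 4.0 macro sheets, can both be surfaced by a static look inside the zip-based OOXML container before an attachment ever reaches a user. The following triage script is an added example written for this article; it is not code from HP, Bromium or the report. It assumes the usual OOXML member paths (`word/embeddings/`, `xl/embeddings/`, `xl/macrosheets/`, `vbaProject.bin`) and builds its own constructed sample files in memory, so it runs offline with only the standard library. It does not inspect the contents of the embedded object (a real pipeline would also check the object's class identifier) and does not handle the legacy binary `.doc`/`.xls` format.

```python
"""Static triage of OOXML attachments for embedded OLE objects and Excel 4.0 macro sheets.

Added example for this article, not code from the HP/Bromium report.
Assumed member paths are the standard OOXML locations; a hit means
"route for review", not proof that the file is malicious.
"""
import io
import zipfile

# Assumption: standard OOXML zip paths for embedded OLE objects and XLM macro sheets.
OLE_EMBED_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
XLM_MACROSHEET_PREFIX = "xl/macrosheets/"
VBA_PROJECT_SUFFIX = "vbaproject.bin"


def triage_ooxml(data: bytes) -> dict:
    """Return indicator flags for one document given as raw bytes."""
    flags = {"is_ooxml": False, "ole_objects": [], "xlm_macrosheets": [], "vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return flags  # not a zip container at all, so not OOXML
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return flags  # a zip, but missing the OOXML content-types part
    flags["is_ooxml"] = True
    for name in names:
        lower = name.lower()
        if lower.startswith(OLE_EMBED_PREFIXES) and lower.endswith(".bin"):
            flags["ole_objects"].append(name)      # embedded OLE object (e.g. Equation Editor)
        elif lower.startswith(XLM_MACROSHEET_PREFIX):
            flags["xlm_macrosheets"].append(name)  # Excel 4.0 (XLM) macro sheet
        elif lower.endswith(VBA_PROJECT_SUFFIX):
            flags["vba"] = True                    # VBA project, included for completeness
    return flags


def verdict(flags: dict) -> str:
    """Collapse the flags into a short routing decision for the mail gateway."""
    if not flags["is_ooxml"]:
        return "not-ooxml"
    reasons = []
    if flags["ole_objects"]:
        reasons.append("embedded-ole")
    if flags["xlm_macrosheets"]:
        reasons.append("excel4-macro")
    if flags["vba"]:
        reasons.append("vba")
    return "review:" + ",".join(reasons) if reasons else "no-indicators"


def build_sample(members: dict) -> bytes:
    """Build a constructed, minimal zip container for testing (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain document, one with an embedded OLE object,
# and a workbook carrying an Excel 4.0 macro sheet.
CONSTRUCTED_SAMPLES = {
    "plain.docx": build_sample({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
    }),
    "ole_embed.docx": build_sample({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/embeddings/oleObject1.bin": b"placeholder-ole-stream",
    }),
    "xlm.xlsm": build_sample({
        "[Content_Types].xml": "<Types/>",
        "xl/workbook.xml": "<workbook/>",
        "xl/macrosheets/sheet1.xml": "<xm:macrosheet/>",
    }),
}


def triage_all(samples: dict) -> dict:
    """Map each sample name to its routing verdict."""
    return {name: verdict(triage_ooxml(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all(CONSTRUCTED_SAMPLES).items():
        print(f"{name}: {result}")
```

The check deliberately keys on structure rather than on file hashes: the report's observation that samples take days to become known by hash is exactly why a gateway rule on "spreadsheet with a macro sheet" or "document with an embedded object" catches campaigns a signature list has not yet seen.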
As many healthcare providers struggle with adequate patch management strategies, the report, in combination with recent supply-chain attacks, should serve as a reminder of the importance of prompt patching. Researchers have previously noted that an effective program begins with a complete inventory of all devices on the network.