Deep Instinct on Monday released its report on cybercrime during the first half of 2022 and found at least three important trends: Threat actors are using documents less and using LNK, HTML and archived email attachments; the industry experiences continued vulnerabilities in Windows and Linux despite earnest attempts to fix them; and attackers are doing more data exfiltration attacks that target third parties.
Jerrod Piker, competitive intelligence analyst at Deep Instinct, said on the documents issue, because Microsoft disables all macros by default, attackers have focused on other ways of initially infecting their victims. One such technique involves using LNK files, which Piker explained are pointers or links to other files, folders or applications. Piker said what makes the technique successful is that the LNK object itself is not malicious and will thereby pass undetected by most endpoint-security and file-scanning technologies.
“Threat actors from the most recent resurrection of the Emotet campaign have been frequently discovered using this technique to silently break into organizations by using an LNK file to point to an Emotet payload that is subsequently auto-launched upon double-clicking the LNK,” said Piker. “Another method on the rise involves using HTML either embedded in RELS files within Microsoft OOXML documents or hidden in Web page source code on compromised sites. Email attachments are yet another common attack vector that continues to be frequently used in the initial phase of attacks.”
Piker added that because Windows end-user workstations and Linux servers are still the most widely used operating systems in the corporate and enterprise world, attackers will continue to attack them. Piker said as operating systems have evolved over the years, providing ease of use, nearly infinite integrations, and countless cross-platform and internet connectivity features, the number of vulnerabilities has unsurprisingly exploded.
“While Microsoft and the open Linux development community have put efforts into plugging the holes discovered in their respective operating systems, it’s still a cat-and-mouse game, one in which the attackers are constantly a step ahead,” Piker said. “We are highly unlikely to ever see a time where new OS versions or feature packs are released without vulnerabilities.”
Finally, Piker said many third-party organizations that partner with larger organizations don’t have as many resources to focus on security. As a result, Piker said they often have gaps that are relatively easy to identify and exploit via data exfiltration.
“Exfiltrated data commonly includes credentials, and as we’ve seen in many high-profile attacks over the last few years, third-party businesses that partner with larger organizations, such as HVAC vendors and middleware developers, often have credentials with privileged access to systems owned by the larger partner organization,” Piker said. “This presents an opportunity for attackers to silently infiltrate a big fish from downstream and do a great deal of damage before being discovered.”
Joseph Carson, chief security scientist and Advisory CISO at Delinea, pointed out that while each new Linux update tries to improve security, to get the value security teams must enable and configure it correctly. Carson said the overall, the state of Linux security today has evolved in a positive way with more visibility and security features built it though, like many operating systems security teams must install, configure and manage it with security in mind and cybercriminals take advantage of the human component.
“Organizations should focus on reducing the risks such as ensuring these systems are not publicly-facing the internet or that they are hardened from initial access using security solutions such as privileged access security,” Carson said.
Rick Holland, CISO and vice president strategy at Digital Shadows, added that organizations need to instrument their networks to detect data exfiltration.
“Perimeter monitoring is apparent, so be on the lookout for the egress of large amounts of data,” Holland said. “Internal monitoring is also essential, adversaries often stage stolen data before exfiltrating it.”
