{"id":19614,"date":"2021-10-14T23:45:13","date_gmt":"2021-10-14T23:45:13","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19614"},"modified":"2021-11-19T02:43:10","modified_gmt":"2021-11-19T02:43:10","slug":"becoming-a-cybercriminal-keeps-getting-easier","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/trends\/becoming-a-cybercriminal-keeps-getting-easier\/","title":{"rendered":"Becoming a Cybercriminal Keeps Getting Easier"},"content":{"rendered":"

Zero-day vulnerabilities<\/a> are no longer exclusively for elite hackers. There are now automated scripts available on GitHub so even novice hackers can explore these previously unknown security flaws.<\/p>\n

That was one of the insights in the HP Wolf Security Threat Insights Report released today.<\/p>\n

The report noted that the average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, creating a large window for newly discovered vulnerabilities to be exploited.<\/p>\n

Anatomy of a Zero-day Exploit<\/h2>\n

The HP Wolf report noted that exploits of a Windows zero-day vulnerability (CVE-2021-40444<\/a>) were automated and shared on GitHub just three days after the first exploit last month.<\/p>\n

The vulnerability allowed for remote code execution through the MSHTML browser engine (Internet Explorer is based on this engine) using Microsoft Office documents. If the user didn’t open a document in read-only mode (the safe mode), macros were enabled, releasing malware<\/a>.<\/p>\n

While the read-only mode was a way to mitigate the attack, the exploit could also compromise a device through the File Explorer’s preview pane, taking the threat to the next level.<\/p>\n

These attacks are generally used to install backdoors on infected devices and sell access to ransomware<\/a> groups and other threat actors. Along with the ransomware as a service<\/a> (RaaS) trend, the barrier to entry is becoming very low for hackers, and that’s bad news for those charged with defending corporate networks.<\/p>\n

Also read: Best Ransomware Removal and Recovery Services<\/a><\/p>\n

Legitimate Cloud Providers Used as Hosts<\/h2>\n

Microsoft OneDrive is a file hosting service and synchronization service. Microsoft includes the service by default in most of its products, making it easier for files hosted on the platform to pass whitelisting<\/a> and intrusion detection<\/a> tests.<\/p>\n

Researchers found the Remcos Remote Access Trojan (RAT) used in a recent GuLoader campaign on OneDrive. They also discovered various malware families being hosted on the Discord social media platform.<\/p>\n

The RAT is particularly insidious as it doesn’t appear in the list of active programs and processes. It does not slow down the computer or delete files. The goal is to remain undetected to exfiltrate data, which is helpful for advanced threat actors<\/a>, for example.<\/p>\n

Normally, the best security advice, in this case, would be to avoid downloading files from untrustworthy sources, but OneDrive and Discord are legitimate platforms. Cloud platforms take down those accounts quickly, but the hackers don’t care. They only need a few hours to conduct their operations.<\/p>\n

Email Attachments the Primary Vector<\/h2>\n

In its report, the Wolf team revealed that 89% of malware detected was delivered via email. As soon as the victims open the email attachments, it deploys the malware. Attackers use that entry to steal credentials for business accounts or crypto wallets.<\/p>\n

Other noteworthy stats include:<\/p>\n