
HP Wolf Security: Malware gets better hidden every day

In a few months HP Wolf Security will celebrate its first year as a comprehensive security platform. As we reported at the time, HP had the good idea of unifying its multiple security offerings into a single platform, whose value grows beyond what the sum of its parts would mean, both because of the substantial improvements in how its many components integrate and because of the intelligence that this new model allows to be extracted and analyzed in order to improve the protection they provide.

Drawing on this source of intelligence, HP Wolf Security has published a most interesting report on Q4 2021 security threats, a document that, by showing us what has happened in recent months, brings us up to date on the threats we face today and thus helps us direct our countermeasures and defensive actions in general towards them.


An interesting and worrying fact that we take from this HP Wolf Security report is that during the last quarter of 2021 cybercriminals targeted Excel, and more specifically .xll add-ins, which by their nature allow a system to be infected with a single click, and in a singularly discreet manner, so that neither the user nor certain security solutions notice their presence on the system at an early stage.

In this regard, compared with the previous quarter, the number of attackers who relied on the add-in feature of Microsoft Excel (.xll) to infect systems practically multiplied by six (+588%), growth that shows this is a particularly useful and easy technique to exploit. So much so that HP Wolf Security researchers even found malware creation kits for building malicious .xll files without any programming skills.

Macros and add-ins for Microsoft Office applications have always been, because of their great versatility, a priority target for many cybercriminals, as history has taught us and as HP Wolf Security reminds us. So much so that Microsoft has spent years adopting measures to reduce the risk associated with their misuse, such as disabling these components by default in all documents from untrusted sources.

Another key point of the HP Wolf Security report confirms a trend we have been seeing for some time: cybercriminals are becoming more careful about the visibility of their malware and, consequently, spend more and more time refining it so that it goes unnoticed when it reaches the endpoint and starts its work. As a consequence, HP Wolf Security tools detected threats that had managed to reach the compromised systems, which could then be isolated, protecting the system, and taken as samples for analysis.


Although the arrival of malware at the endpoint is, fundamentally, something negative because of the danger it poses, it is also a key means of obtaining samples that can be isolated and analyzed in order to gain a much more precise view of the latest techniques cybercriminals use. This is why telemetry systems are so important in security solutions.

Other very interesting data that we found in the HP Wolf Security report, which you can consult at this link, are the following:

  • Analysis of a recent phishing campaign could indicate a return to activity by the TA505 group.
  • Discord users are increasingly targeted by cybercriminals, with campaigns like the one that infected Discord users with RedLine.
  • Uncommon file formats in the malware ecosystem remain a way to evade threat detection. The HP Wolf Security report describes how the Aggah cybercriminal group attacked Korean-speaking organizations with malicious PowerPoint add-in files (.ppa) disguised as purchase orders, infecting systems with Trojans that provided remote access. PowerPoint malware is unusual, accounting for only 1% of malware.
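Both the .xll add-ins discussed above and the .ppa files in the last bullet show how weak a signal the file extension is: an .xll is a native Windows DLL that Excel loads and whose exported xlAutoOpen function it calls, so a content-based check catches it under any name. The following Python script is an added example, not code from the report or from HP: using only the standard library, it parses the export table of a PE file, flags any attachment that exports xlAutoOpen whatever it is called, and sends rare add-in extensions such as .ppa for review. The build_fake_pe helper constructs a minimal, non-loadable PE with an export table as test input; the attachment names and the verdict labels are assumptions for illustration.

```python
import struct

# Add-in extensions the report singles out as abused; a hint for review, never a verdict by itself.
ADDIN_EXTENSIONS = {"xll", "ppa"}


def build_fake_pe(export_names):
    """Construct a minimal 64-bit PE whose only content is an export table (constructed test
    data standing in for a real sample; it holds no code and can be parsed but never loaded)."""
    sect_va, sect_raw, n = 0x1000, 0x200, len(export_names)
    funcs_off, names_off = 40, 40 + 4 * n
    ords_off, str_off = names_off + 4 * n, names_off + 6 * n
    blob, name_rvas = b"", []
    for name in export_names:
        name_rvas.append(sect_va + str_off + len(blob))
        blob += name.encode() + b"\0"
    dll_name_rva = sect_va + str_off + len(blob)
    blob += b"sample.xll\0"
    # IMAGE_EXPORT_DIRECTORY, then function RVAs, name RVAs, ordinals, and the strings
    section = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                          sect_va + funcs_off, sect_va + names_off, sect_va + ords_off)
    section += b"".join(struct.pack("<I", 0) for _ in export_names)
    section += b"".join(struct.pack("<I", r) for r in name_rvas)
    section += b"".join(struct.pack("<H", i) for i in range(n))
    section += blob
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<II", opt, 112, sect_va, len(section))  # export data directory
    sec_hdr = struct.pack("<8sIIII", b".edata", len(section), sect_va,
                          len(section), sect_raw) + bytes(16)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return header + bytes(sect_raw - len(header)) + section


def pe_exports(data):
    """Return the exported symbol names of a PE image, or [] if the bytes are not a
    well-formed PE with an export table (malformed samples must not crash triage)."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return []
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return []
        nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
        opt_off = pe_off + 24
        magic = struct.unpack_from("<H", data, opt_off)[0]
        dd_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directories
        exp_rva = struct.unpack_from("<I", data, dd_off)[0]
        if exp_rva == 0:
            return []
        sections = [struct.unpack_from("<III", data, opt_off + opt_size + i * 40 + 12)
                    for i in range(nsections)]            # (VirtualAddress, SizeOfRawData, PointerToRawData)

        def rva2off(rva):
            for va, size, ptr in sections:
                if va <= rva < va + size:
                    return rva - va + ptr
            raise ValueError("RVA outside every section")

        exp_off = rva2off(exp_rva)
        n_names, names_rva = struct.unpack_from("<I4xI", data, exp_off + 24)
        names_off = rva2off(names_rva)
        out = []
        for i in range(min(n_names, 4096)):                 # cap: hostile headers may lie
            start = rva2off(struct.unpack_from("<I", data, names_off + 4 * i)[0])
            out.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        return out
    except (struct.error, ValueError, IndexError):
        return []


def triage_attachment(filename, data):
    """Content-based verdict (action, reason); the filename is reported but never trusted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if "xlAutoOpen" in pe_exports(data):
        reason = "exports xlAutoOpen (native Excel add-in)"
        if ext != "xll":
            reason += f" but is named .{ext}" if ext else " but has no extension"
        return ("block", reason)
    if data[:2] == b"MZ":
        return ("review", "PE executable content")
    if ext in ADDIN_EXTENSIONS:
        return ("review", f".{ext} add-in extension is rare in normal mail flow")
    return ("allow", "no add-in or executable indicators")


# Constructed sample attachments: the same fake add-in under two names, a .ppa, and a zip-based .xlsx
SAMPLES = {
    "quarterly_report.xll": build_fake_pe(["xlAutoOpen", "xlAutoClose"]),
    "prices.xlsx": build_fake_pe(["xlAutoOpen", "xlAutoClose"]),
    "order.ppa": b"\xd0\xcf\x11\xe0" + bytes(32),
    "notes.xlsx": b"PK\x03\x04" + bytes(32),
}


def triage_all(samples=SAMPLES):
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (action, reason) in triage_all().items():
        print(f"{action:6}  {name:22}  {reason}")
```

The renamed sample is the point of the exercise: a filter keyed on ".xll" would pass prices.xlsx, while the export-table check blocks it with the same verdict as the honestly named file.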

«Today, low-level or novice hackers can carry out stealth attacks and sell access to organized ransomware groups, leading to large-scale attacks that could cripple IT systems and operations», comments Carlos Manero, Head of Digital Services and Security at HP Spain.

«Organizations must focus on reducing the attack surface and enabling rapid recovery in the event of a compromise. This means following the principles of zero trust and applying strong identity management, least privilege, and isolation from the hardware level. For example, by isolating the most common attack vectors, such as email, browsers or downloads, through microvirtualization, any potential malware or exploit that is exposed is contained, rendering it harmless», adds Carlos Manero.
