Lego-style cyber attacks test already strained defences

By Christopher Tredger, Portals editor
Johannesburg, 07 Sept 2023
Yesh Surjoodeen, MD of HP Southern Africa.

Cyber criminals are launching building-block style attacks to evade detection tools, according to the quarterly HP Wolf Security Threat Insights Report released in August 2023.

According to the report, threat actors are chaining different combinations of attacks together like Lego bricks. 

“Creative QakBot campaigns saw threat actors connecting different blocks together to create unique infection chains. By switching up different file types and techniques like Lego bricks, they were able to bypass detection tools and security policies. 32% of the QakBot infection chains analysed by HP in Q2 were unique,” the report adds.

Yesh Surjoodeen, MD of HP Southern Africa, says these types of attacks are widespread and global.

“The largest distributors of malicious spam like QakBot and IcedID target businesses and individuals around the world. Some malware variants like QakBot steal e-mail data from infected computers. Its operators can tell the malware to reply to stolen e-mail threads with malicious links and attachments – a technique called e-mail thread hijacking – to spread the malware further.”

QakBot is a brand of malware that cyber criminals use to get backdoor access to a computer without the knowledge of the user.

“The malware is designed to steal sensitive information from the infected PC like Windows login passwords and any credentials saved by the victim’s web browsers. All this information is sent back to the attackers, who decide what to do next. Commonly, cybercriminals will use their QakBot access to spread ransomware in an enterprise network with the hope of making money from a paid ransom,” adds Surjoodeen.

Blogger or keylogger

HP research also shows that attackers are hijacking legitimate platforms.

The company says attackers behind recent Aggah campaigns hosted malicious code on the popular blogging platform Blogspot. Hiding the code in a legitimate source makes it harder for defenders to tell whether a user is reading a blog or launching an attack.

Threat actors use their knowledge of Windows systems to disable some anti-malware capabilities on the user’s machine, execute XWorm or the AgentTesla Remote Access Trojan (RAT), and steal sensitive information.

“Cyber criminals are trying lots of combinations of techniques to find a route into enterprise networks, but there are steps companies can take to make the lives of attackers harder,” says Surjoodeen.

“Companies can improve their security postures by blocking off unnecessary routes into their networks as much as possible. For example, organisations should consider blocking JavaScript and other script execution on their users’ computers if it’s not needed. Attackers spend a lot of time and effort making their malware difficult to detect by security tools. Focusing on reducing attack surface and investing in tools that prevent attacks by isolating them are ways companies can stay a step ahead.”

HP advocates the combination of isolation technology and user education to strengthen defence.

Cyber security experts have repeatedly advised that human behaviour is a weak link in the cyber security chain and an area regularly exploited by threat actors. Surjoodeen says relying on user education alone is not enough to address attacks.

“Telling users to not click on suspicious attachments and links is impractical advice when many employees need to click to do their jobs. We’ve also seen phishing lures become more convincing over time and expect attackers to use artificial intelligence to improve the quality of their lures. So, relying on users to spot what is suspicious will become harder in the future. Isolation technology provides a secure environment for risky websites and files so if a user opens a malicious document, they’re protected.”

Hybrid work impact

HP adds that as the hybrid work model continues to gain traction in businesses, the boundaries between personal and work equipment are now porous.

“‘Innocent’ actions, such as opening a personal email on a work computer, can have serious consequences. To secure hybrid employees, businesses need to take these four takeaways into consideration: protect the endpoint, isolate risky activities, seek trusted partners, and apply zero trust,” says Surjoodeen.

Dr Ian Pratt, global head of security for personal systems at HP, comments: “While infection chains may vary, the methods of initiation remain the same – it inevitably comes down to the user clicking on something. Instead of trying to second guess the infection chain, organisations should isolate and contain risky activities such as opening e-mail attachments, clicking on links, and browser downloads.”

Key findings from HP Wolf Security report:

  • The top threat vectors in Q2 were e-mail (79%) and browser downloads (12%).
  • Archives were the most popular malware delivery type for the fifth quarter running, used in 44% of cases analysed by HP.
  • Q2 saw a 23% rise in HTML threats stopped by HP Wolf Security compared to Q1.
  • There was a 4%-point increase in executables (from 14% to 18%) from Q1 to Q2, mainly caused by usage of the PDFpower.exe file, which bundled software with a browser hijacking malware.
  • HP noted a 6%-point drop in spreadsheet malware (19% to 13%) in Q1 compared to Q4, as attackers move away from Office formats that are more difficult to run macros in.
  • At least 12% of e-mail threats identified by HP Sure Click bypassed one or more e-mail gateway scanners in Q2.