In February 2022, Microsoft implemented a decision to disable macros by default. Macros had long been a favored attack vector for cybercriminals: they allow scripts to run automatically from specific file types, and in email phishing campaigns that automation ended in malware downloads. The decision forced groups to find new and innovative ways to gain a foothold, giving rise to a new normal of threat activity, according to Proofpoint’s new report.
Proofpoint’s analysis of data collected between January 2021 and March 2023 showed that phishing campaigns relying on macros dropped almost 66%, while the use of container formats, such as ISO, RAR, and Windows Shortcut (LNK) files, increased as alternative delivery methods. A class of cybercriminal known as initial access brokers, who specialize in gaining access to victim assets and selling that access to others, has adapted and experimented with old file types, unexpected attack chains, and a variety of techniques that result in malware infections.
HTML smuggling, a tactic observed in recent years in which attackers hide encoded malicious scripts inside HTML attachments, increased dramatically between June and October 2022 and rebounded in February 2023. Proofpoint suggests this may have been experimentation by a group it tracks as TA570, intended to make the threats harder for defenders to identify and block.
Another tried-and-true method that saw a resurgence was malicious PDF file attachments, with multiple initial access brokers using them starting in December 2022 and their use spiking in early 2023. TA570 was also observed experimenting with PDF encryption in April 2023, which again could be an attempt to make the threats harder for defenders to detect and block.
The cybersecurity firm underlined that the experimentation and constant pivoting to new payload delivery techniques by tracked threat actors, especially initial access brokers, were vastly different from the past and pointed to a new normal of threat activity. In an article shared by Tech Xplore in 2022, the Guardia Civil had already warned that cybercriminals would use different tactics if they could no longer use macros. The researchers recommended that organizations reinforce their security by using secure email gateway solutions, implementing multi-layer filtering and strong email authentication protocols, and ensuring that employees are aware of and trained to identify email phishing and malware threats.
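The delivery techniques described above (container and shortcut attachments, HTML smuggling, encrypted PDFs) are exactly what the "multi-layer filtering" recommendation has to catch at the gateway. The following is an added example, not code from Proofpoint or the article, of a small attachment triage pass a mail-filtering pipeline could run; the extension list, the JavaScript indicator tokens, the 200-character base64 threshold and the sample attachments are all constructed assumptions for illustration.

```python
"""Attachment triage for post-macro delivery techniques.

Added example (not Proofpoint's or the article's code). Flags three indicator
classes on an in-memory list of (filename, bytes) attachments:
  1. container / shortcut attachments (ISO, IMG, RAR, LNK, VHD) that carry the
     real payload inside a wrapper,
  2. HTML attachments with HTML-smuggling traits: an inline script that decodes
     a large base64 blob and hands it to the browser as a downloadable file,
  3. PDF attachments that are encrypted (an /Encrypt entry in the trailer).
All thresholds and indicator lists below are assumptions, not vendor signatures.
"""
import os
import re
from dataclasses import dataclass

# Assumed list of wrapper formats worth routing to deeper inspection.
CONTAINER_EXTENSIONS = {".iso", ".img", ".rar", ".lnk", ".vhd", ".vhdx"}

# Lower-cased browser API tokens commonly involved in building a file in the
# page and triggering a download; the list itself is an assumption.
SMUGGLING_APIS = [b"atob(", b"new blob(", b"createobjecturl(", b"mssaveoropenblob"]

# A long run of base64 characters: a heuristic for an embedded encoded payload.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# Encrypted PDFs reference an /Encrypt dictionary from the trailer.
PDF_ENCRYPT = re.compile(rb"/Encrypt\b")


@dataclass
class Finding:
    filename: str
    reason: str


def looks_like_html_smuggling(data: bytes) -> bool:
    """True when an HTML body has inline script, >=2 file-building API tokens
    and a large base64 blob. Inline images also carry base64, so this is a
    triage signal, not a verdict."""
    lowered = data.lower()
    has_script = b"<script" in lowered
    api_hits = sum(1 for token in SMUGGLING_APIS if token in lowered)
    has_blob = BASE64_BLOB.search(data) is not None
    return has_script and api_hits >= 2 and has_blob


def is_encrypted_pdf(data: bytes) -> bool:
    """True for a PDF whose trailer/xref carries an /Encrypt entry."""
    return data.startswith(b"%PDF") and PDF_ENCRYPT.search(data) is not None


def triage(attachments):
    """Return Findings for every attachment matching one of the three classes."""
    findings = []
    for name, data in attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in CONTAINER_EXTENSIONS:
            findings.append(Finding(name, f"container/shortcut attachment ({ext})"))
        if ext in {".html", ".htm"} and looks_like_html_smuggling(data):
            findings.append(Finding(name, "HTML smuggling indicators"))
        if ext == ".pdf" and is_encrypted_pdf(data):
            findings.append(Finding(name, "encrypted PDF attachment"))
    return findings


# Constructed sample attachments (no real payloads; the base64 decodes to "ABC").
SAMPLE_ATTACHMENTS = [
    ("invoice.iso", b"\x00" * 16),
    ("statement.html",
     b"<html><script>var b=atob('" + b"QUJD" * 60 +
     b"');var f=new Blob([b]);var u=URL.createObjectURL(f);</script></html>"),
    ("newsletter.html", b"<html><body><p>Hello from the team</p></body></html>"),
    ("quote.pdf", b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\ntrailer\n"
                  b"<< /Root 1 0 R /Encrypt 4 0 R >>\n%%EOF"),
    ("report.pdf", b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\ntrailer\n"
                   b"<< /Root 1 0 R >>\n%%EOF"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENTS):
        print(f"{finding.filename}: {finding.reason}")
```

Each check is deliberately cheap so it can run on every message before sandboxing; a hit routes the attachment to detonation or quarantine rather than blocking outright, since encrypted PDFs and base64-heavy HTML also occur in legitimate mail.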
In conclusion, the rapid rate of change in techniques across many threat actors highlights their ability to develop and execute new methods. The current threat landscape is highly adaptive, and organizations must evolve their defensive strategies to keep pace.
Sources:
Vicens, AJ. Cybercriminals have adapted since Microsoft’s decision to block macros. Tech Xplore, 2023.
Guardia Civil. Cybercriminals will use different tactics if they can no longer use macros. Tech Xplore, 2022.