Office and Penetration Testing Software Are Increasingly Sources for Malware

• By Dian Schaffhauser
• 12/11/19

Half of all malware that tried to infect computers during the third quarter of 2019 was already known. The other half was "zero-day" malware, which bypassed (and therefore went undetected by) traditional signature-based security software. On the list of the top-10 malware attacks for the three-month period, WatchGuard Technologies identified several Apache Struts vulnerabilities, which the cybersecurity company identified as the same type of malware used in the Equifax data breach. A report on WatchGuard's findings also highlighted an increase in the use of Microsoft Office exploits as well as "legitimate penetration testing tools" for delivering computer infections.

The bulk of the content for the latest "Internet Security Report" is generated and collected by willing participants using the company's products, including its Firebox firewall appliances and software, and DNS-level protection services.

Among the many findings shared in the report are these:

• Overall network attacks rose by 8 percent quarter over quarter, the company found. Among them was the Apache Struts 2 Remote Code Execution (the one that hit Equifax), which allows attackers to install Python or make a custom HTTP request to exploit the vulnerability "with just a few lines of code and obtain shell access to an exposed system." Two additional Apache Struts were also on the top-10 list. As the security researchers pointed out, the continued use of this vulnerability "should serve as a reminder of how important it is for web admins to patch known flaws as soon as possible."

• Also on the list: two malware flavors that hit Office products. Both were delivered via email, the report noted, pointing up the importance of training users in the art of being able to identify phishing attempts and potentially malicious attachments.

• Two newly identified malware flavors incorporated penetration testing tools: Boxter, a "PowerSploit" script; and Hacktool.JQ, a password stealer. What researchers couldn't determine was whether these were being used by legitimate hackers for the purposes of testing enterprise networks or by cyber criminals "leveraging readily available open source tools."

• Among top compromised websites was one legitimate site (an Arabic platform) for sharing photos and links, which also hosted "malicious payloads." While the site validates the file extension when accepting an image, it doesn't go beyond that, which means attackers can change the file extension to something friendly while uploads still carry malware that's activated when the files are clicked.

• The dramatic increase in zero-day malware instances (up to 50 percent from 38 percent over the last several quarters) pointed up the need for a layered security approach that could use multiple services to defend against "advanced, ever-evolving threats."

"Our latest threat intelligence showcases the variability and sophistication of cyber criminals' growing playbook. Not only are they leveraging notorious attacks, but they're launching evasive malware campaigns and hijacking products, tools and domains we use every day," said Corey Nachreiner, the company's chief technology officer, in a statement. "As threat actors continue to modify their tactics, organizations of every size must protect themselves, their customers and their partners with a set of layered security services that cover everything from the core network to endpoints to the users themselves."

The security report, with more detailed findings, is available with registration on the WatchGuard website.