New vulnerabilities: OneNote, macros, UEFI

The threat report shows new attack methods: cybercriminals exploit UEFI vulnerabilities and misuse Microsoft file formats to circumvent macro security functions.

The number of averted IT attacks is stagnating at a high level. This emerges from the current threat report from G DATA CyberDefense. There are numerous vulnerabilities that cybercriminals consistently exploit; the report shows how UEFI bootkits disable security features and leave systems vulnerable. Another scam used by attackers is manipulated OneNote or Publisher files that contain malware.

Vulnerabilities are exploited immediately

The current threat report from G DATA CyberDefense shows that attackers react quickly to a changed situation: when software vendors close one known vulnerability, they are already exploiting another. A current example is the vulnerabilities in the Unified Extensible Firmware Interface (UEFI). An important function of this interface between the firmware, the operating system and the hardware modules of a computer is booting in Secure Boot mode. Cybercriminals exploit existing vulnerabilities and are currently using bootkits that bypass the platform's security features.

Full control through dangerous UEFI bootkits

This gives attackers full control over the operating system's boot process, and they can disable various security mechanisms before the operating system is even loaded. As a result, they not only act undetected but also move within the system with high privileges.

"The risk of cyber attacks for companies and private individuals remains high," says Tim Berghoff, Security Evangelist at G DATA CyberDefense AG. "The current investigations show that cybercriminals do not miss any vulnerabilities in order to penetrate networks. And they're still finding new ways to compromise systems with malware. In addition, vulnerabilities in UEFI SecureBoot are currently a major problem because they often remain unpatched by the manufacturer for a long time."

Unchanged high threat risk

The G DATA threat report shows that the number of averted cyber attacks increased slightly, by two percent, from the fourth quarter of the previous year to the first quarter of 2023. The decline that would actually have been expected for seasonal reasons did not materialize. Traditionally, attackers use seasonal events to trap gullible customers. Striking: while the number of repelled attacks on companies fell by more than eight percent, the number of repelled attack attempts on private users increased by 3.9 percent.

A year-on-year comparison shows how massively attacks increased in the course of the Ukraine war in the first quarter of 2022: within one year, the number of repelled attack attempts on companies fell by more than 50 percent when the first quarter of 2022 is compared with the same period in 2023. For private individuals, the decline over the same period was only 6.7 percent.

Phishing: Hacking with new attachments

Attackers also keep finding new opportunities when it comes to phishing. In the last quarter, this was done with manipulated OneNote or PUB files. A vulnerability in Microsoft Publisher makes it possible to override a security function of the Office macro policies, so that untrusted or malicious files are unblocked. Attackers use this opportunity to infect the target system.

"Microsoft has already closed the vulnerability," says Tim Berghoff. "However, users who have disabled automatic updates are still at risk. You must act immediately and start the update manually."

OneNote files as a macro replacement weapon

Also new are OneNote files as an initial infection vector, serving as a replacement for Office macros, which Microsoft now severely restricts: by default, Microsoft blocks the execution of macros in files such as Word documents or Excel spreadsheets. Recently, the malware has posed as a OneNote note. Victims receive an email attachment containing a OneNote document. When someone opens this file, they are prompted to double-click in order to open the read-only document. Anyone who follows this instruction runs the embedded malware and installs, among other things, Screenshotter or an information stealer, which the attackers use to harvest personal information such as login data.
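As an added defender-side example (not from the article or from G DATA), the Python triage script below locates the files embedded in a OneNote section and flags payload types that should never be launched from a note. It assumes the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (header GUID, 64-bit length, 12 bytes of padding, then the file bytes); the signature table and the sample note are constructed for illustration.

```python
import struct

# Per MS-ONESTORE, each embedded file in a OneNote section is stored as a
# FileDataStoreObject: 16-byte header GUID, 8-byte little-endian length,
# 4 unused bytes, 8 reserved bytes, then the raw file bytes.
ONE_FILEDATA_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
HDR_LEN = 16 + 8 + 4 + 8

# Leading-byte signatures of payloads that should never be launched out of a
# note (illustrative set, not exhaustive); matched case-insensitively.
SUSPICIOUS_MAGIC = {
    b"MZ": "pe-executable",
    b"\x4c\x00\x00\x00": "windows-shortcut",
    b"@echo": "batch-script",
    b"<script": "hta-or-script",
    b"powershell": "powershell-script",
}

def extract_embedded(blob: bytes):
    """Yield (offset, payload) for every FileDataStoreObject found in blob."""
    pos = blob.find(ONE_FILEDATA_HEADER)
    while pos != -1 and pos + HDR_LEN <= len(blob):
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        data_start = pos + HDR_LEN
        payload = blob[data_start:data_start + length]
        yield pos, payload
        pos = blob.find(ONE_FILEDATA_HEADER, data_start + max(length, 1))

def classify(payload: bytes) -> str:
    head = payload[:32].lstrip().lower()
    for magic, label in SUSPICIOUS_MAGIC.items():
        if head.startswith(magic.lower()):
            return label
    return "other"

def triage_onenote(blob: bytes):
    """Return [(offset, size, verdict), ...] for every embedded object."""
    return [(off, len(p), classify(p)) for off, p in extract_embedded(blob)]

def make_object(data: bytes) -> bytes:
    """Wrap data in a FileDataStoreObject (used only to build constructed input)."""
    return ONE_FILEDATA_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data

# Constructed sample: a batch script and a PNG embedded between filler bytes.
SAMPLE_NOTE = (b"\x00" * 64
               + make_object(b"@echo off\r\necho constructed sample\r\n")
               + b"\x00" * 16
               + make_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 20))
```

Running `triage_onenote` over a real attachment lists every embedded object with its offset and verdict, which is enough for a mail gateway to quarantine notes that carry scripts or executables.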

More at GData.de

About G Data

With comprehensive cyber defense services, the inventor of antivirus software enables companies to defend themselves against cybercrime. Over 500 employees ensure the digital security of companies and users. Made in Germany: with over 30 years of expertise in malware analysis, G DATA conducts research and software development exclusively in Germany. The highest standards of data protection are paramount. In 2011, G DATA issued a "no backdoor" guarantee with the "IT Security Made in Germany" seal of trust from TeleTrusT e.V. G DATA offers a portfolio ranging from antivirus and endpoint protection to penetration tests and incident response, forensic analyses, security status checks and cyber awareness training to defend companies effectively. New technologies such as DeepRay use artificial intelligence to protect against malware. Service and support are part of the G DATA campus in Bochum. G DATA solutions are available in 90 countries and have received numerous awards.
