31.05.2023 | 1 Image

New attack methods: cyber criminals are exploiting UEFI vulnerabilities and abusing Microsoft file formats

G DATA threat report shows that the IT security situation remains tense

The number of averted IT attacks is plateauing at a high level. This is reflected in the current threat report from G DATA CyberDefense. Numerous vulnerabilities that cyber criminals are consistently exploiting give cause for concern. For example, UEFI bootkits deactivate security functions and make systems vulnerable to attack. Another of the attackers’ ploys is manipulated OneNote and Publisher files that contain malware.

The current threat report from G DATA CyberDefense proves that attackers react quickly when a situation changes. When software providers close one known vulnerability, they are already in the process of exploiting another. A recent example is vulnerabilities in the Unified Extensible Firmware Interface (UEFI). An important function of this interface between the firmware, the operating system and the modules of a computer is booting up in secure boot mode. Cyber criminals exploit existing vulnerabilities and are currently using boot kits that bypass the platform's security functions. Attackers thus gain full control over the boot process of an operating system and can deactivate various security mechanisms before the operating system is even loaded. At the same time, they can not only act undetected, but move around the system with high-level privileges.

“The risk of cyber attacks for companies and private individuals remains high,” says Tim Berghoff, Security Evangelist at G DATA CyberDefense AG. “The latest research shows that cyber criminals are not ignoring any vulnerabilities when it comes to penetrating networks. They are still finding new ways to compromise systems via malware. Furthermore, vulnerabilities in the UEFI SecureBoot are currently a major problem, because these often remain unpatched by the manufacturer for a long time.”

No change to high threat risk
The G DATA threat report shows that the number of averted cyber attacks increased slightly, by two percent, from the fourth quarter of last year to the first quarter of 2023. The expected decline due to seasonal conditions did not occur. Attackers traditionally use seasonal events to lure gullible customers into traps. The striking thing is that, while the number of averted attacks on companies fell by more than eight per cent, the number of averted attack attempts on private users increased by 3.9 per cent.

A year-on-year comparison shows how massively attacks increased in the first quarter of 2022 in the wake of the war in Ukraine. Comparing the first quarter of 2022 to the same period in 2023, the number of averted attack attempts on companies fell by more than 50 percent within one year. For private individuals, the decline in the same period was only 6.7 per cent.

Phishing: hacking with new attachments
Attackers are constantly finding new opportunities when it comes to phishing as well. In the last quarter, they did this using malicious OneNote or PUB files. For example, a security hole at Microsoft makes it possible to override a security function for Office macro policies in Microsoft Publisher. They unblock untrusted or malicious files. Attackers use this capability to infect the target system.

“Microsoft has already closed the vulnerability,” says Tim Berghoff. “However, users who have deactivated automatic updates are still at risk. They need to act immediately and start the update manually.”

Also new is the use of OneNote files as the initial infection vector, as a replacement for the Office macros that Microsoft has now severely restricted. This is because Microsoft has prevented the execution of macros in files such as Word documents or Excel spreadsheets by default. Malware can now pose as a OneNote note. Victims receive an email attachment containing a OneNote document. If someone opens this file, a request follows to double-click on the read-only document and open it. Anyone who follows this instruction will execute the embedded malware and install things such as screenshotters or information stealers. The attackers use this to extract personal information such as login data.

The latest G DATA CyberDefense threat report shows that cyber criminals are very adaptable when it comes to continuing to compromise potential victims successfully. This means that businesses have to keep a permanent eye on their IT security. Against this background, more and more companies are considering the use of managed security solutions. Securing the network is not a done project, but an ongoing process.

Print page Send link

With holistic cyber defence services, G DATA CyberDefense makes you defensible against cybercrime. The renowned IT security company protects with AI technologies, endpoint protection, security monitoring and offers penetration tests, incident response and awareness training in order to secure companies in the best possible way.

G DATA CyberDefense AG supports its customers in every security situation. From the headquarters in Bochum, more than 550 employees ensure the digital security of companies, critical infrastructures such as hospitals or airports as well as millions of private users. With almost 40 years of expertise in malware analysis, G DATA has become a top player in the cybersecurity world and conducts research and software development exclusively in Germany. This also applies to service and support, which is available around the clock for customers all over the world. G DATA security solutions are available in more than 90 countries and have received numerous awards from independent test institutes.