31.05.2023 | 1 Image

New attack methods: cyber criminals are exploiting UEFI vulnerabilities and abusing Microsoft file formats

G DATA threat report shows that the IT security situation remains tense
G_DATA__ThreatReport_KeyVisual © G DATA CyberDefense AG

This press release has:
The number of averted IT attacks is plateauing at a high level. This is reflected in the current threat report from G DATA CyberDefense. Numerous vulnerabilities that cyber criminals are consistently exploiting give cause for concern. For example, UEFI bootkits deactivate security functions and make systems vulnerable to attack. Another of the attackers’ ploys is manipulated OneNote and Publisher files that contain malware.

Press release Plain text

The current threat report from G DATA CyberDefense proves that attackers react quickly when a situation changes. When software providers close one known vulnerability, they are already in the process of exploiting another. A recent example is vulnerabilities in the Unified Extensible Firmware Interface (UEFI). An important function of this interface between the firmware, the operating system and the modules of a computer is booting up in secure boot mode. Cyber criminals exploit existing vulnerabilities and are currently using boot kits that bypass the platform's security functions. Attackers thus gain full control over the boot process of an operating system and can deactivate various security mechanisms before the operating system is even loaded. At the same time, they can not only act undetected, but move around the system with high-level privileges.  

“The risk of cyber attacks for companies and private individuals remains high,” says Tim Berghoff, Security Evangelist at G DATA CyberDefense AG. “The latest research shows that cyber criminals are not ignoring any vulnerabilities when it comes to penetrating networks. They are still finding new ways to compromise systems via malware. Furthermore, vulnerabilities in the UEFI SecureBoot are currently a major problem, because these often remain unpatched by the manufacturer for a long time.”

No change to high threat risk
The G DATA threat report shows that the number of averted cyber attacks increased slightly, by two percent, from the fourth quarter of last year to the first quarter of 2023. The expected decline due to seasonal conditions did not occur. Attackers traditionally use seasonal events to lure gullible customers into traps. The striking thing is that, while the number of averted attacks on companies fell by more than eight per cent, the number of averted attack attempts on private users increased by 3.9 per cent.

A year-on-year comparison shows how massively attacks increased in the first quarter of 2022 in the wake of the war in Ukraine. Comparing the first quarter of 2022 to the same period in 2023, the number of averted attack attempts on companies fell by more than 50 percent within one year. For private individuals, the decline in the same period was only 6.7 per cent.

Phishing: hacking with new attachments
Attackers are constantly finding new opportunities when it comes to phishing as well. In the last quarter, they did this using malicious OneNote or PUB files. For example, a security hole at Microsoft makes it possible to override a security function for Office macro policies in Microsoft Publisher. They unblock untrusted or malicious files. Attackers use this capability to infect the target system.

“Microsoft has already closed the vulnerability,” says Tim Berghoff. “However, users who have deactivated automatic updates are still at risk. They need to act immediately and start the update manually.”

Also new is the use of OneNote files as the initial infection vector, as a replacement for the Office macros that Microsoft has now severely restricted. This is because Microsoft has prevented the execution of macros in files such as Word documents or Excel spreadsheets by default. Malware can now pose as a OneNote note. Victims receive an email attachment containing a OneNote document. If someone opens this file, a request follows to double-click on the read-only document and open it. Anyone who follows this instruction will execute the embedded malware and install things such as screenshotters or information stealers. The attackers use this to extract personal information such as login data.

The latest G DATA CyberDefense threat report shows that cyber criminals are very adaptable when it comes to continuing to compromise potential victims successfully. This means that businesses have to keep a permanent eye on their IT security. Against this background, more and more companies are considering the use of managed security solutions. Securing the network is not a done project, but an ongoing process.


G DATA CyberDefense AG is a leading German company in the field of IT security. Since 1985, the company based in Bochum has stood for digital security “Made in Germany”.

More than 500 experts protect businesses, public authorities, and private users every day with modular solutions that seamlessly combine software and services:

  • Managed Extended Detection and Response (MXDR)
  • Endpoint Security for Businesses
  • Security Awareness Training
  • IT security services such as penetration testing, incident response, and forensic analysis

Transparency, data protection, and digital sovereignty are the cornerstones of the company’s security strategy. For this reason, G DATA develops and operates its solutions in Germany. With its no-backdoor guarantee and ISO 27001 certification, the company helps businesses and organizations meet regulatory requirements. In doing so, G DATA lays the foundation for CyberVertrauen and a secure, resilient future.

G DATA. Trust in German Sicherheit.

All contents of this press release as .zip:

Direct download

Release text 4247 Characters

Plain text Copy release text

Images (1)

G_DATA__ThreatReport_KeyVisual
1 200 x 630 © G DATA CyberDefense AG


Contact

(3) Stefan Karpenstein
Stefan Karpenstein
Public Relations Manager

+49 234 9762 - 517
stefan.karpenstein@gdata.de