Avast researchers discover new zero-day exploits and changes in attack vectors since Microsoft Office macros were blocked
PRAGUE, August 10, 2022 /PRNewswire/ — Avast (LSE:AVST), a global leader in digital security and privacy, today released its Q2/2022 Threat Report, revealing a significant 24% increase in global ransomware attacks compared to Q1/2022. The researchers also discovered a new zero-day exploit in Chrome, signaling how cybercriminals are preparing to move away from macros as an infection vector.
Ransomware attacks are on the rise
After months of decline, global ransomware attacks increased significantly in the second quarter of 2022, up 24% sequentially. The highest quarterly increases in ransomware risk ratio were in Argentina (+56%), United Kingdom (+55%), Brazil (+50%), France (+42%) and India (+37%).
“Consumers, but especially businesses, should be alert and prepared for ransomware encounters as the threat is not going away anytime soon,” said Jakub Kroustek, Avast Malware Research Director. “The decrease in ransomware attacks we observed in Q4/2021 and Q1/2022 was due to law enforcement arresting members of ransomware groups and was caused by the war in Ukraine, which also caused disagreements within the Conti ransomware group and halted its operations. Things changed dramatically in the second quarter of 2022. Conti members have now branched off to form new ransomware groups such as Black Basta and Karakurt, or may join other existing groups such as Hive, BlackCat, or Quantum, leading to a spike in activity.”
Avast researchers discovered two new zero-day exploits used by Israeli spyware provider Candiru to target journalists in Lebanon, among others. The first was a flaw in WebRTC that was exploited to target Google Chrome users in highly targeted watering hole attacks, but affected many other browsers as well. Another exploit allowed attackers to escape from a sandbox they ended up in after exploiting the first zero-day. The second zero-day attack discovered by Avast was exploited to penetrate the Windows kernel.
Another zero-day detailed in the report is Follina, a remote code execution bug in Microsoft Office that has been widely exploited by attackers ranging from cyber criminals to Russia-affiliated APT groups operating in Ukraine. The zero-day was also abused by Gadolinium/APT40, a well-known Chinese APT group, in an attack on targets in China Palau.
Macros blocked by default
Microsoft now blocks VBA macros in Office applications by default. Macros have been a popular infection vector for decades. They were used by threats detailed in the Q2/2022 Threat Report, including remote access trojans like Nerbian RAT, a new RAT written in Go that appeared in Q2/2022, and by the Confucius APT group to inject more malware onto victims' computers.
“We have already noticed that after macros are blocked by default, threat actors are starting to prepare alternative infection vectors. For example, IcedID and Emotet have already started using LNK files, ISO or IMG images and other tricks supported on the Windows platform as an alternative to Maldocs to spread their campaigns,” continued Jakub Kroustek. “While cybercriminals will certainly continue to find other ways to get their malware onto people’s computers, we hope Microsoft’s decision will help make the internet a safer place.”
The full Avast Q2/2022 threat report is available here: https://decoded.avast.io/threaresearch/avast-q2-2022-threat-report/
Avast (LSE:AVST), a FTSE 100 company, is a global leader in digital security and privacy, headquartered in Prague, Czech Republic. With over 435 million online users, Avast offers products under the Avast and AVG brands that protect people from online threats and the evolving IoT threat landscape. The company’s threat detection network is among the most advanced in the world, leveraging machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for mobile, PC or Mac are ranked and certified at the top by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom, and the Internet Watch Foundation. Visit: www.avast.com.
View original content to download multimedia: https://www.prnewswire.com/news-releases/q22022-threat-report-ransomware-on-the-rise-301603500.html
SOURCE Avast Software, Inc.