
CTI Roundup: Q1 Exploit Trends, HijackLoader, & the State of Pentesting

Kaspersky reveals the top exploit and vulnerability trends for the first quarter of 2024, HijackLoader evolves with new evasion techniques, and Cobalt releases its 2024 State of Pentesting report

Emerging Issue

In this week’s roundup, CTI looks at Kaspersky’s top vulnerabilities through the first quarter of 2024. Next, CTI investigates the modular malware known as HijackLoader which has been evolving since emerging last year. Finally, CTI wraps with the key findings from Cobalt’s 2024 State of Pentesting report.

1. Kaspersky releases the top exploit and vulnerability trends in Q1 2024

Kaspersky’s latest report looks at the top vulnerabilities from 2023 through the first quarter of 2024.

Kaspersky’s researchers analyzed which of these vulnerabilities were exploited most often, to show what APT groups commonly target.

Registered vulnerabilities

According to Kaspersky, vulnerabilities registered as CVEs have been increasing every year.

  • One contributing factor is the growth of bug bounty platforms, which help surface vulnerabilities that would otherwise go unreported.
  • Another contributing factor is the steady stream of new applications and updates to existing ones, each bringing its own vulnerabilities.

In addition to the number of CVEs growing each year, the share of critical vulnerabilities is also rising.

Additional findings from Kaspersky’s report

Kaspersky looked at public sources, registered CVEs, and their own telemetry to draw conclusions and statistics related to vulnerability exploitation. They found that the number of Windows users experiencing vulnerability exploitation remained steady, while Linux users experienced an increase in vulnerability exploitation.

Looking at which vulnerabilities were exploited, Kaspersky found a few categories of particular interest to threat actors: browsers, operating systems, Microsoft Exchange, Microsoft SharePoint and the Microsoft Office suite.

Among critical vulnerabilities alone, operating system flaws were the most exploited, accounting for 50%.

Vulnerability exploitation in APT attacks

Kaspersky found that many APTs leverage vulnerability exploitation in their attacks. The most exploited vulnerabilities in the first quarter of 2024 included CVE-2023-38831 (WinRAR), CVE-2017-11882 (MS Office), and CVE-2017-0199 (MS Office).

Kaspersky also discovered that the most common entry points include vulnerable remote access services, vulnerable access control features, and vulnerable Office applications.
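CVE-2023-38831, at the top of Kaspersky’s list, is a WinRAR bug that is triggered by a specially laid-out archive rather than by a malformed file. The roundup does not describe the trigger; the publicly documented layout is a decoy file whose name ends in a space (for example "invoice.pdf ") next to a directory of exactly the same name containing a script ("invoice.pdf .cmd"), which WinRAR before 6.23 launches when the decoy is opened. The scanner below, an added example written for this page and not Kaspersky’s, WinRAR’s or Tanium’s code, looks for that file/directory name collision in a ZIP. The extension list and the in-memory sample archives are constructed for the example.

```python
"""Flag ZIP archives laid out like the CVE-2023-38831 WinRAR trigger.

Added example: a top-level file and a directory with the identical name
cannot coexist on a normal filesystem, so the collision alone is suspicious;
an executable inside that directory completes the pattern.
"""
from __future__ import annotations

import io
import sys
import zipfile
from dataclasses import dataclass

# Extensions treated as executable payloads (assumption: tune to your estate).
SCRIPT_EXTS = {"cmd", "bat", "exe", "vbs", "js", "ps1", "scr", "lnk", "hta"}


@dataclass(frozen=True)
class Finding:
    decoy: str    # top-level file the user is lured into opening
    payload: str  # executable inside the same-named directory


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_zip(data: bytes) -> list[Finding]:
    """Return one Finding per decoy/payload pair found in the archive bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]

    files = [n for n in names if not n.endswith("/")]
    # Every directory name, whether an explicit "dir/" entry or implied by a path.
    dirs: set[str] = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        upto = len(parts) + (1 if n.endswith("/") else 0)
        for i in range(1, upto):
            dirs.add("/".join(parts[:i]))

    findings = []
    for decoy in files:
        if "/" in decoy or decoy not in dirs:
            continue  # only a top-level file can be the double-clicked lure
        for inner in files:
            if inner.startswith(decoy + "/") and _ext(inner) in SCRIPT_EXTS:
                findings.append(Finding(decoy, inner))
    return sorted(findings, key=lambda f: (f.decoy, f.payload))


def build_sample(malicious: bool) -> bytes:
    """Constructed in-memory archives: one in the CVE layout, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("invoice.pdf ", b"%PDF-1.4 decoy")               # note trailing space
            zf.writestr(zipfile.ZipInfo("invoice.pdf /"), b"")           # same-named directory
            zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\nrem payload\r\n")
        else:
            zf.writestr("invoice.pdf", b"%PDF-1.4 real")
            zf.writestr("attachments/readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    targets = [(p, open(p, "rb").read()) for p in paths] or [
        ("sample-benign.zip", build_sample(False)),
        ("sample-cve-layout.zip", build_sample(True)),
    ]
    for label, blob in targets:
        hits = scan_zip(blob)
        status = "SUSPICIOUS" if hits else "clean"
        print(f"{label}: {status}")
        for h in hits:
            print(f"  decoy={h.decoy!r} payload={h.payload!r}")
```

Run it with archive paths as arguments, or with no arguments to scan the two constructed samples. The check is structural, so it works on attachments at a mail gateway without needing WinRAR present; the trailing space is what makes the decoy and directory names collide on disk, so a hit is a strong signal rather than a heuristic.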

Analyst comments from Tanium’s Cyber Threat Intelligence team

Vulnerability exploitation has risen steadily and shows no sign of letting up.

Kaspersky’s report indicates that threat actors and APTs frequently target remote access services, access control features, and Microsoft Office applications. This reiterates how critical it is to know your own environment and infrastructure well enough to run an efficient vulnerability management program: exposed remote access services and unpatched Office installs cannot be prioritized if nobody knows they exist.

2. HijackLoader evolves with new evasion techniques

According to Zscaler, the modular malware known as HijackLoader has been evolving since emerging in 2023.

The latest version of the malware includes additional modules that add an exclusion for Windows Defender AV, bypass UAC, evade inline API hooking, and employ process hollowing.
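Two of the modules Zscaler describes, the Windows Defender exclusion and the UAC bypass, leave registry traces that endpoint telemetry can catch regardless of which loader made them. The following triage script is an added example written for this page, not Zscaler’s, Microsoft’s or Tanium’s code, and it does not claim to show how HijackLoader performs these changes. It evaluates records shaped like Sysmon Event ID 13 (RegistryEvent, value set) against a small rule set; the sample events are constructed, and the list of images expected to write these keys is an assumption to tune per estate.

```python
"""Triage Sysmon-style registry events for writes that weaken Defender or UAC.

Added example. Records carry the Sysmon Event ID 13 fields Image,
TargetObject and Details; SAMPLE_EVENTS below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (rule, TargetObject fragment, DWORD value that weakens the control; None = any write)
RULES = (
    ("defender_exclusion_added", r"\Windows Defender\Exclusions", None),
    ("defender_realtime_disabled",
     r"\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", 1),
    ("defender_disabled_by_policy",
     r"\Policies\Microsoft\Windows Defender\DisableAntiSpyware", 1),
    ("uac_no_prompt_for_admins",
     r"\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", 0),
    ("uac_disabled", r"\CurrentVersion\Policies\System\EnableLUA", 0),
)

# Images a managed estate expects to write these keys (assumption; tune it).
EXPECTED_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

_DWORD = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.I)  # Sysmon renders REG_DWORD this way


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    target: str
    details: str
    severity: str


def parse_dword(details: str) -> int | None:
    m = _DWORD.match(details or "")
    return int(m.group(1), 16) if m else None


def evaluate(event: dict) -> Alert | None:
    """Return an Alert if this Event ID 13 record matches a rule, else None."""
    if str(event.get("EventID")) != "13":
        return None
    target = event.get("TargetObject", "")
    image = event.get("Image", "")
    details = event.get("Details", "")
    for rule, fragment, bad_value in RULES:
        if fragment.lower() not in target.lower():
            continue
        if bad_value is not None and parse_dword(details) != bad_value:
            continue  # key touched, but set to a value that keeps the control on
        # An unexpected writer (e.g. a binary under a user profile) is the loud case.
        severity = "medium" if image.lower() in EXPECTED_IMAGES else "high"
        return Alert(rule, image, target, details, severity)
    return None


def triage(events: list[dict]) -> list[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\ann\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\ann\AppData\Roaming\svc",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Program Files\Backup\agent.exe",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\ann\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000005)"},  # default prompt level: not an alert
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "TargetObject": "", "Details": ""},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.image} -> {a.target} = {a.details}")
```

Exclusion writes are flagged on any value because the value name itself is the excluded path; the UAC and policy rules fire only when the DWORD is set to the weakening value, so a policy engine resetting defaults stays quiet. Severity is a starting point for triage, not a verdict: a loader can also launch the change through a signed system binary.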

The next stage is now carried inside a PNG image file, which the loader decrypts before executing it.

HijackLoader’s first stage

The first stage of the malware is responsible for decrypting and decompressing the various HijackLoader modules. It will also decrypt and execute the second stage.

In the first stage, it dynamically resolves APIs and checks for an internet connection. After confirming a connection, it decrypts and executes shellcode that resolves additional APIs and checks for blocklisted processes.

HijackLoader’s second stage

Next, the malware loads a copy of itself into memory and reads its configuration. The second stage arrives in one of two ways: either a PNG file is downloaded, or a PNG file embedded in the loader is used; in both cases the image carries the second stage.
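A PNG that carries a loader’s next stage still has to decode as a PNG, so the payload has to live somewhere a decoder ignores: after the IEND chunk, or inside a private chunk type. The parser below is an added example written for this page (not Zscaler’s analysis tooling and not a description of HijackLoader’s own format) that walks the chunk structure, verifies CRCs, and flags trailing bytes and oversized unknown chunks, with a byte-entropy helper to tell an encrypted blob from text. The 1x1 test image and the pseudo-random stand-in payload are constructed; the 1 KiB threshold for unknown chunks is an assumption.

```python
"""Walk a PNG chunk by chunk and report anything that is not image data.

Added example. Builds a minimal PNG in memory, then hides a constructed
high-entropy blob after IEND and, separately, inside a private chunk.
"""
from __future__ import annotations

import math
import random
import struct
import sys
import zlib
from dataclasses import dataclass, field

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


@dataclass
class PngReport:
    chunks: list[tuple[bytes, int]] = field(default_factory=list)  # (type, length)
    bad_crc: list[bytes] = field(default_factory=list)
    oversized_unknown: list[bytes] = field(default_factory=list)
    trailing: bytes = b""

    @property
    def suspicious(self) -> bool:
        return bool(self.bad_crc or self.oversized_unknown or self.trailing)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, lower for text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_png(data: bytes, unknown_limit: int = 1024) -> PngReport:
    """Parse chunks, verify CRCs, flag large unknown chunks and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    rep = PngReport()
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            break  # truncated chunk: the rest is not well-formed PNG
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            rep.bad_crc.append(ctype)
        rep.chunks.append((ctype, length))
        if ctype not in KNOWN_CHUNKS and length > unknown_limit:
            rep.oversized_unknown.append(ctype)
        pos = end + 4
        if ctype == b"IEND":
            break
    # A decoder stops at IEND; a loader that knows where to look does not.
    rep.trailing = data[pos:]
    return rep


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra: tuple[tuple[bytes, bytes], ...] = (), trailing: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG; `extra` chunks go before IEND, `trailing` after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra:
        out += _chunk(ctype, body)
    return out + _chunk(b"IEND", b"") + trailing


# Constructed stand-in for an encrypted stage: seeded pseudo-random bytes.
FAKE_STAGE = random.Random(20240429).randbytes(4096)

if __name__ == "__main__":
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "clean.png": build_png(),
        "appended.png": build_png(trailing=FAKE_STAGE),
        "private-chunk.png": build_png(extra=((b"prVt", FAKE_STAGE),)),
    }
    for name, blob in samples.items():
        r = inspect_png(blob)
        print(f"{name}: suspicious={r.suspicious} chunks={[t.decode() for t, _ in r.chunks]} "
              f"unknown={r.oversized_unknown} trailing={len(r.trailing)}B "
              f"entropy={shannon_entropy(r.trailing):.2f}")
```

Run it with PNG paths as arguments, or with none to inspect the three constructed images. A bad CRC on a standard chunk is its own signal: image editors recompute CRCs, while a tool that patches a payload into an existing chunk often does not.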

The second stage is responsible for injecting the main module, but it also leverages additional modules for evasion and anti-analysis, including modCreateProcess, modCreateProcess64, modUAC, modUAC64, modWriteFile, modWriteFile64, and WDDATA.

Delivered malware

Zscaler analyzed 50 samples of HijackLoader in March 2024, all of which had an embedded PNG file.

They analyzed these samples to determine which malware families HijackLoader is delivering and confirmed the following: Amadey, Lumma Stealer, Raccoon Stealer v2, Remcos RAT, Meta Stealer, and Rhadamanthys.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Although HijackLoader has only been around since last year, it has been used to deliver some big-name malware families like Raccoon Stealer, Lumma Stealer, Amadey, and Remcos RAT.

Its latest evolution raises HijackLoader’s threat level and likely makes it even more appealing to threat actors, primarily because of the added evasion techniques. Carrying the next stage inside an embedded PNG is less commonly seen and is more likely to evade detection.

3. Cobalt releases its 2024 State of Pentesting report

Cobalt has released its 2024 State of Pentesting report which dives into key trends from 2023. This report is based on data from over 4,000 pentests along with survey responses from security practitioners.

In addition to covering some key observations, the report also looks at how increased AI adoption is impacting the landscape.

AI applications: a new attack surface

Cobalt performed several pentests on AI systems throughout 2023, seeing a significant increase in customers requesting these types of pentests.

To perform these tests, Cobalt uses the OWASP Top 10 for LLM Applications, looking in particular for sensitive information disclosure and insecure output handling. During one of these tests, they came across an LLM that, when prompted, gave access to sensitive information it should not have.

They also identified several chatbots that were supposed to prevent misuse with various security controls, but they were able to easily bypass these controls.

Cobalt identified the three vulnerability types that occurred most frequently: prompt injection, model denial of service, and prompt leaking.

Increase in vulnerabilities

Most 2023 trend reports have mentioned an increase in vulnerabilities. Cobalt similarly observed a 21% year-over-year increase in the number of findings per pentest engagement.

Cobalt found more than 39,000 vulnerabilities across 4,068 pentests, with the top vulnerability type being server security misconfigurations.

Mean time to repair (MTTR)

Cobalt observed an increase in MTTR compared to previous years, with the average now over 20 days. Most findings were classified as medium severity, with a small percentage reaching critical severity.

Survey results

Cobalt surveyed nearly 1,000 security professionals to understand why pentest findings are not always addressed, or take so long to address. The survey responses, coupled with Cobalt’s own research, tied much of this back to understaffed and overworked security teams.

81% of respondents saw “noticeable disruptions to workload management” because of layoffs, turnover and resignations, and 44% said they are currently experiencing burnout.

2024 data

So far in 2024, 62% of organizations are using pentests to look for specific vulnerabilities and 58% are pentesting specifically to enhance cloud security.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Cobalt provided some interesting statistics about how AI is playing a role in the threat landscape. For example, their survey found that 75% of security teams have already adopted new AI tools. Interestingly, Cobalt broke down the most common vulnerabilities found in the AI systems it tested into three buckets: prompt injection, model denial of service, and prompt leaking. This gives organizations some guidance as to what to look for when evaluating potential AI tools.

Cobalt also found that more than half of respondents believed their security team did not have the ability to keep up with these tools and was not equipped to test the security of AI tools. This challenge will only become more relevant as AI continues to evolve, and it is one that organizations should start planning for now.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
