This Week in Cyber 22nd March 2024

Analyst Insight

This week's cyber news brings to light innovative methods in phishing campaigns, including HTML smuggling and exploiting digital document publishing platforms. Additionally, a cautionary note from Microsoft reveals that UK organisations are falling behind in cyber-resilience. A study, supported by the University of London, found that just 13% of UK organisations are sufficiently resilient to defend against cyber-attacks, which is concerning. Furthermore, there are growing apprehensions regarding the potential of AI to bolster self-augmenting malware, capable of circumventing YARA rules. YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. Lastly, we present our comprehensive analysis of the cyber security employment landscape, delving into current trends, statistics, and our own firsthand observations.

New Malware Campaign Exploits Google Sites and HTML Smuggling for AZORult Distribution

Cybersecurity researchers have uncovered a new malware campaign employing Google Sites pages and HTML smuggling to distribute AZORult malware, aiming to steal sensitive information. The phishing campaign, widespread and attributed to no specific threat actor, seeks to collect valuable data for underground forums. AZORult, a known information stealer, is distributed via various channels such as phishing emails, trojanized software, and malvertising. The recent attack tactic involves counterfeit Google Docs pages on Google Sites, leveraging HTML smuggling to deliver the payload stealthily. Adding a CAPTCHA barrier enhances legitimacy and evades URL scanners. Upon download, a Windows shortcut file masquerades as a PDF bank statement, initiating a series of actions to deploy the AZORult loader and malware. The campaign bypasses traditional security measures, using legitimate domains like Google Sites to deceive victims. Additionally, threat actors have utilised AutoSmuggle to disseminate Agent Tesla and XWorm through malicious SVG files, and LokiBot via shortcut files within archives, targeting users with AutoIt-based malware in Latin America.

Phishing Threat: Exploiting Document Publishing Platforms

Hackers are increasingly exploiting digital document publishing (DDP) platforms like FlipSnack and Issuu for phishing attacks, credential theft, and session token hijacking. Leveraging the favourable domain reputation and interactive flipbook format of these platforms, threat actors create multiple accounts using free tiers or trial periods to host malicious documents. The transient nature of DDP services, coupled with productivity features like automatic content expiration and anti-extraction mechanisms, complicates detection efforts. In these attacks, DDP sites serve as intermediaries to redirect users to bogus login pages mimicking Microsoft 365, evading traditional email and web content filtering controls. 

Emerging Threat: AI-Powered Malware Evades Detection Using LLMs

A recent report by Recorded Future warns that large language models (LLMs) in AI tools could enable the creation of self-augmenting malware that bypasses YARA rules. YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. By leveraging generative AI, threat actors can modify malware source code to evade detection while maintaining functionality. Although there are limitations, such as processing large code bases, threat actors can overcome these by utilising LLMs. Additionally, AI tools pose risks beyond malware, including creating deepfakes and conducting reconnaissance for follow-on attacks. Recent findings also highlight the possibility of jailbreaking LLM-powered tools to produce harmful content using ASCII art inputs, known as the ArtPrompt attack.

UK Organisations Lag in Cyber-Resilience, Urgent Need for Improvement

A new report by Microsoft and the University of London reveals that just 13% of UK organisations are resilient to cyber-attacks, while the majority are either vulnerable (48%) or at high risk (39%) of damaging cyber-incidents. The lack of secure foundations threatens the UK's ambition of becoming an AI superpower, prompting Microsoft to advocate for increased investment in AI technologies to combat the growing weaponisation of AI by cyber-threat actors. The report highlights that resilient organisations have implemented security-by-design and adopted AI security tools for faster threat detection and response.

Additionally, it estimates that cyber-attacks could cost UK organisations £87bn annually, with stronger cybersecurity potentially saving £52bn per year. Concerns about geopolitical tensions increasing cyber risks are prevalent among decision-makers and senior security professionals, with many expressing fears about AI-related risks. Despite this, only a fraction of organisations are adequately prepared for cyber threats, with limited understanding of necessary cybersecurity skills and insufficient cyber-awareness training for staff. Incorporating AI into cybersecurity strategies could reduce financial losses after successful attacks and increase resilience against cyber threats.

Opinion Piece: The UK Cyber Security Sector Still has a Serious Employment Problem

If you take a stroll through the world of cyber security online, you're likely to come across plenty of articles talking about the huge amount of vacancies and lack of people in Cyber. The World Economic Forum says the world needs almost 3.4 million more cybersecurity experts to support the global economy. According to the Department for Science, Innovation & Technology, in 2022 we saw 58,000 workers employed in full-time positions in the cyber sector; that's up 10% from the previous year. On top of that there are a number of initiatives to engage young people to take up a career in a reportedly booming industry; the CyberFirst scheme has reportedly "engaged more than 300,000 young people" in the last five years. In the same report, they show a record figure of £10.5bn in revenue.

Contrary to this, if you talk to anybody trying to get a start in the industry, you'll hear a story starkly contrasting this narrative. Apparently there are no jobs, and those that do exist are competed for viciously. So, how could there possibly be job shortages? A recent article from Haris Pylarinos, founder of Hack The Box (a popular resource for practicing and developing ethical hacking skills), suggested that one of the major problems facing the Cyber Recruitment landscape is that there is a hidden pool of candidates not being looked at. He argues that the ones being overlooked are those privately developing practical skills, but don't have the traditional education to show for it. While he's not dismissing the value of a degree in cyber, he suggests that those with a degree are the ones getting the jobs. To some extent this is true, anecdotally. However, I can say there are plenty of very qualified undergraduates still struggling to find an organisation who will even give them a second look. I spoke to three graduates who hold impressive CVs, but were still being overlooked consistently. One suggested he had applied to over 80 entry level jobs in the industry and had only received a single interview. What gives? By all accounts there should be swathes of organisations fighting over such people. 

Going back to the previously mentioned report from the Department for Science, Innovation & Technology, there's an interesting section describing barriers reported by cyber security businesses regarding employment. 44% of businesses stated that a lack of candidates in the labour market have the technical cyber security skills needed, and 42% say that there's competition for candidates from other businesses in the cyber sector. I think we may have found the problem, an age old issue plaguing near enough every industry; the famous catch 22 of experience for entry level positions. There is a huge amount of competition for a very select few people who have already entered the industry or proven themselves in unique ways, whereas those who have yet to prove themselves in practical business have no opportunities to. Perhaps its time for the industry to start offering more graduate schemes and entry level positions, train these promising individuals how they want to, and meet the requirements. 

At Telesoft we're constantly engaged with talent development. We frequently have internships and work experience students here to learn and progress their skills. We aim to usher in new excited faces to the industry with lots to give. Protecting global business might require a further 3.4 million employees, but for now I'm sure we at Telesoft can help protect yours. Our 24/7/365 UK Managed SOC Service is ready to protect you.