Posts

New PDF Fraud Campaign Spotlights Shifting Cybercriminal Phishing Tactics

PDF cyberattacks are nothing new. They are, however, growing in volume, deception, sophistication and are now used as vehicles to modernize phishing campaigns.

SonicWall Capture Labs Threat Researchers announced a substantial increase of malicious or fraudulent PDF files. These fraud campaigns take advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations.

In March 2019 alone, SonicWall Real-Time Deep Memory Inspection (RTDMI™) discovered more than 73,000 new PDF-based attacks. In comparison, we found 47,000 new attack variants in PDF files in all of 2018.

“Increasingly, email, Office documents and PDFs are the vehicle of choice for malware and fraud in the cyber landscape,” said SonicWall President and CEO Bill Conner in the official announcement. “SonicWall Capture ATP with its RTDMI technology is at the forefront of catching new cyberattacks that elude traditional security sandbox technology.”

Last year, RTDMI identified over 74,000 never-before-seen cyberattacks, a number that has already been surpassed in the first quarter of 2019 with more than 173,000 new variants detected.

In March, the patent-pending technology identified over 83,000 unique, never-before-seen malicious events, of which over 67,000 were PDFs linked to scammers and more than 5,500 were PDFs with direct links to other malware.

Since 2017, Capture ATP with RTDMI has discovered increasing volumes of new threats leveraging PDFs and Office files.

Most traditional security controls cannot identify and mitigate malware hidden in PDF file types, greatly increasing the success of the payload. This increase implies a growing, widespread and effective strategy against small- and medium-sized businesses, enterprises and government agencies.

That’s where SonicWall RTDMI is unique. The technology analyzes documents dynamically via proprietary exploit detection technology, along with static inspection, to detect many malicious document categories, including PDFs, Office files, and a wide range of scripts and executables.

PDF malware attacks: A technical autopsy

SonicWall Capture Labs threat researchers dissected specific paths these fraudulent PDF campaigns take victims to infect them with malware.

In one example (see image below), Capture Labs cross-referenced a malicious file, at the time of detection, with popular collaboration tools from VirusTotal and ReversingLabs. No results were found, indicating the effectiveness of the RTDMI engine.

Targets of the scam email campaigns receive malicious documents from businesses luring victims with PDF files that are made to look deceivingly realistic with misleading links to fraudulent pages. The proposed “business offer” within the PDF is enticing to recipients, often promising free and profitable opportunities with just the click of a link.

Pictured below, the victim is sent to a fraudulent landing page masquerading as a legitimate money-making offer.

SonicWall hypothesizes that by using PDFs as delivery vehicles within their phishing campaigns, attackers are attempting to circumvent email security spam filters and next-generation firewalls — a core reason RTDMI is finding so many new malicious PDFs.

What does this PDF fraud campaign mean?

PDFs are becoming a very attractive tool for cybercriminals. Whether or not these are new attacks — or we are just developing the ability to detect them with RTDMI — the volume indicates that they are a serious problem for SMBs, enterprises, governments and organizations across a wide range of industries.

What’s the motive?

While SonicWall data doesn’t help us understand motivation, it does show that the amount of malicious, PDF-related activity is on the rise. We believe that this is happening for a variety of reasons, including:

  • Better awareness. Users have learned that executables sent to them are potential dangerous and could contain viruses, so they are more hesitant to click .exe files, forcing attackers to try new techniques.
  • Deprecation of Flash. Adobe Flash was a key attack vector in the past, but has been deprecated and will be completely end of life in 2020. So, attackers’ ability to use Flash exploits have been greatly reduced, forcing them to change tactics.
  • Must-trust files. Businesses move fast. Users are under constant pressure and don’t have the time, experience or know-how to vet every file type that hits their inbox. As such, users make assumptions that trusted file types (e.g., PDFs, Office files) used daily are, for the most part, safe. So, users are more likely to read and click links within them without considering the source or ramifications.

What is the impact of the PDF fraud campaigns?

This is very difficult to determine. In the 2019 SonicWall Cyber Threat Report, Capture Labs reported that 34% of the new attack variants found by Capture ATP were either PDF or Office files — a figure that had grown from 13% since the last half of 2017. This data implies that this attack vector is growing, is widespread and is an effective strategy.

Who is behind this?

While attribution is difficult, SonicWall believes the latest spike in malicious PDF activity is Russian-based because of the use of many .ru top-level domains leveraged across analyzed campaigns.

How to stop cyberattacks that use PDF and Office files

  • Force attacks to reveal intentions. SonicWall RTDMI operates in parallel with the SonicWall Capture ATP sandbox service to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.
  • Protect the most common attack vectors. Another important layer of defense against malicious PDFs is email security. SonicWall offers cloudhosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Make training a policy. Improve awareness by implementing employee training protocols to ensure users know how to examine PDF and Office file attachments carefully before opening or clicking unknown links.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior, including PDF attacks.

Stopping PDF Attacks: 5 Ways Users & Organizations Can Work Together

Leveraging malicious PDFs is a great tactic for threat actors because the file format and file readers have a long history of exposed and, later, patched flaws.

Because of the useful, dynamic features included in the document format, it’s reasonable to assume further flaws will be exposed and exploited by adversaries; these attacks may not go away for some time. Furthermore, there’s no way for the average user to diagnose a benign or malicious PDF as it opens.

Since the average SonicWall customer will see nearly 5,500 phishing and social engineering attacks targeting their users each year, it’s vital to remain vigilant about the dangers of PDFs and deploy advanced security to prevent attacks.

Why are malicious PDFs being used in cyberattacks?

In many kinds of malicious PDF attacks, the PDF reader itself contains a vulnerability or flaw that allows a file to execute malicious code. Remember, PDF readers aren’t just applications like Adobe Reader and Adobe Acrobat. Most web browsers contain a built-in PDF reader engine that can also be targeted.

In other cases, attackers might leverage AcroForms or XFA Forms, which are scripting technologies used in PDF creation that were intended to add useful, interactive features to a standard PDF document. To the average person, a malicious PDF looks like another innocent document and they have no idea that it is executing code. According to Adobe, “One of the easiest and most powerful ways to customize PDF files is by using JavaScript.”

If you are a threat actor reading this, you are well versed in the above. And your victims are not. If you are an administrator responsible for keeping threats out and their damage to a minimum, it’s time to take some necessary precautions.

Stop PDF attacks with user-side prevention

First, there are a couple of things users can do to help reduce exposure to PDF-based attacks. Most readers and browsers will have some form of JavaScript control that will require adjustment.

  • Change you preferences. In Adobe Acrobat Reader DC, for example, you can disable Acrobat JavaScript in the preferences to help manage access to URLs.
  • Customize controls. Similarly, with a bit of effort, users can also customize how Windows handles NTLM authentication.

While these mitigations are “nice to have” and certainly worth considering, these features were added, just like Microsoft Office Macros, to improve usability and productivity. Therefore, be sure that you’re not disabling functionality that is an important part of your own or your organization’s workflow.

Stop PDF attacks with company-wide protections

Thankfully, SonicWall technology can quickly decode PDFs to see what the malware wants to really do, such as contact malicious domains or steal credentials. Here are three key ways organizations can limit exposure to PDF-based attacks.

  • Implement advanced email security. The first line of defense against malicious PDFs is email security. SonicWall offers cloud, hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior. Capture Client stops threats before they execute and has great EDR capabilities to stop them as they do, see where they came from, and remediation steps, such as rollback in case they fully do.
  • Identify new threats. One thing that separates SonicWall from the rest is our patent-pending Real-Time Deep Memory InspectionTM (RTDMI). RTDMI operates in parallel with the SonicWall Capture Advanced Threat Protection (ATP) sandbox service. This is just one of our parallel engines in the sandboxing environment that gives us the ability to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.

Malicious PDFs will be around for the foreseeable future, but through advanced security and good end-user awareness, your company will be better suited to prevent attacks.

For a more technical view on this, I recommend reading Philip Stokes’ blog from SentinelOne that inspired and supplied part of the content for this story. I also recommend watching our on-demand webinar, “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud.”

RTDMI Evolving with Machine Learning to Stop ‘Never-Before-Seen’ Cyberattacks

If I asked you, “How many new forms of malware did SonicWall discover last year?” What would be your response?

When I pose this question to audiences around the world, the most common guess is 8,000. People are often shocked when they hear that SonicWall discovered 45 million new malware variants in 2018, as reported in the 2019 SonicWall Cyber Threat Report.

The SonicWall Capture Labs threat research team was established in the mid-‘90s to catalog and build defenses for the massive volume of malware they would find each year. Because our threat researchers process more than 100,000 malware samples a day, they have to work smart, not hard. This is why SonicWall Capture Labs developed technology using machine learning to discover and identify new malware. And it continues to evolve each day.

How Automation, Machine Learning Stops New Malware

Released to the public in 2016, the SonicWall Capture Advanced Threat Protection (ATP) sandbox service was designed to mitigate millions of new forms of malware that attempt to circumvent traditional network defenses via evasion tactics. It was built as a multi-engine architecture in order to present the malicious code different environments to detonate within. In 2018, this technology found nearly 400,000 brand new forms of malware, much of which came from customer submissions.

In order to make determinations happen faster with better accuracy, the team developed Real-Time Deep Memory InspectionTM (RTDMI), a patent-pending technology that allows malware to go straight to memory and extract the payload within the 100-nanosecond window it is exposed. The 2019 SonicWall Cyber Threat Report also mapped how the engine discovered nearly 75,000 ‘never-before-seen’ threats in 2018 alone — despite being released (at no additional cost to Capture ATP customers) in February 2018.

‘Never-Before-Seen’ Attacks Discovered by RTDMI in 2018

Image source: 2019 SonicWall Cyber Threat Report

Using proprietary machine learning capabilities, RTDMI has become more and more efficient at identifying and mitigating cyberattacks never seen by anyone in the cybersecurity industry. Since July 2018, the technology’s machine learning capabilities caught more undetectable cyberattacks in every month except one. In January 2019, this figure eclipsed 17,000 and continues to rise in 2019.

Year of the Processor Vulnerability

Much like how Heartbleed and other vulnerabilities in cryptographic libraries introduced researchers and attackers to a new battleground in 2014, so were the numerous announcements of vulnerabilities affecting processors in 2018.

Since these theoretical (currently) attacks operate in memory, RTDMI is well positioned to discover and stop these attacks from happening. By applying the information on how a theoretical attack would work to the machine learning engine, RTDMI was able to identify a Spectre attack within 30 days. Shortly thereafter, it was hardened for Meltdown. With each new processor vulnerability discovered (e.g., Foreshadow, PortSmash), it took RTDMI less and less time to harden against the attack.

Then, in March 2019, while much of the security world was at RSA Conference 2019 in San Francisco, the Spoiler vulnerability was announced. With the maturity found within RTDMI, it took the engine literally no time at all to identify if the vulnerability was being exploited.

Although we have yet to see these side-channel attacks in the wild, RTDMI is primed for the fight and even if there is a new vulnerability announced tomorrow with the ability to weaponize it, this layer of defense is ready to identify and block side-channel attacks against processor vulnerabilities.

Image source: 2019 SonicWall Cyber Threat Report

Scouting for New Technology

Now, if you are not a SonicWall customer yet and are evaluating solutions to stop unknown and ‘never-before-seen’ attacks (i.e., zero-day threats), ask your prospective vendors how they do against these types of attacks. Ask how they did on Day 1 of the WannaCry crisis. As for the volume of attacks their solutions are finding, ask for evidence the solution works in a real-world situation, not just as a proof of concept (POC) in a lab.

If you are a customer, Capture ATP, which includes RTDMI, is available as an add-on purchase within many of our offerings from the firewall, to email, to the wireless access point. You read that correctly: right on the access point.

We believe in the technology so much that we place it in everything to protect your networks and endpoints, such as laptops and IoT devices. This is why large enterprises, school districts, SMBs, retail giants, carrier networks and service providers, and government offices and agencies trust this technology to safeguard their networks, data and users every day.