PDF files are not the trusted file format people believe them to be anymore. Data reveals that cybercriminals are using trusted tools like PDFs and Office files to plant malware in systems.
In fact, research has found a pattern in vulnerabilities and weaponization across the entire family of Adobe products.
A recent 2019 SonicWall Cyber Threat report shows that cybercriminals are using trusted tools like PDFs and Office files to sidestep traditional firewalls and sandboxes. While this trend is on the rise, ransomware attacks have spiked globally, IoT attacks are escalating, and there is a steady rise in encrypted attacks.
“Everyday files are being weaponized. And more are on the way,” the report says.
The attack could come from confidential files ending with familiarities such as ‘.xlxs’ or as attachments from trusted sources with important and official sounding business. Cybercriminals trust that either these tactics or plain human curiosity will lead to the opening of the file.
File types, either PDFs or Office files like Word, Excel, and PowerPoint, are being effectively used to deliver malware into a system while dodging traditional legacy firewalls.
A Pattern Emerges
Another recent report by RiskSense about Adobe Product Vulnerabilities shows a pattern in vulnerabilities and weaponization across the entire family of Adobe products. The report dwells on how popular software from a leading vendor like Adobe becomes a source of inspiration for cybercriminals.
“A significant number of these vulnerabilities are exploitable and have remote code execution capabilities, changing their status from a potential threat to an active and live cyber risk exposure point,” the report says.
Not just recent data but data from 1996 through 2018 reveals long-term trends. 2018 comes out as the most active and significant year in terms of weaponization, since it had the largest overall number of weaponized vulnerabilities.
The report pointed out that the top three software weaknesses within 50% of Common Vulnerabilities and Exposures (CVEs) affecting Adobe products belong to the memory management category, indicating that software development involving Adobe products implement poor memory management techniques. Also, of the top three products contributing to the overall vulnerability, Acrobat/Reader and Flash products take the lead in every year.
The Numbers Speak for Themselves
Last year, SonicWall Real-Time Deep Memory Inspection (RTDMI) identified over 74,000 never-before-seen attacks, a number that has already been surpassed in the first quarter of 2019 with more than 173,000 new variants detected.
In March, the company’s patent-pending RTDMI technology identified over 83,000 unique, never-before-seen malicious events, of which over 67,000 were PDFs linked to scammers and more than 5,500 were PDFs with direct links to other malware.
SonicWall Capture ATP discovered 391,689 new attack variants in 2018, out of which, 47,073 were new PDF attacks and 50,817 were new Office file attacks. Towards the end of 2017, they found 13% of new attack variants were PDFs and Office files. The end of 2018 showed a 34% spike in that average and still growing.
In fact, PDFs and Office files are the new popular choice of cybercriminals over traditional delivery options such as scripts, executables, and other miscellaneous file types.
Banking on known human computer interaction and behavior, cybercriminals also use Visual Basic for Applications (VBA) to embed macros in Word or Excel documents to deliver file-less malware. After the malware reaches inside the environment, the scripts download the malicious payload to execute the attack.
“Increasingly, email, Office documents and now PDFs are the vehicle of choice for malware and fraud in the cyber landscape,” SonicWall President and CEO Bill Conner said in a press release. He also said that in 2018 they had discovered over 47,000 new attack variants in PDF files. 2019 has already seen the number rise with more than 73,000 PDF-based attacks discovered in March alone.
How They Lure
In December 2018, EdgeSpot detected multiple PDF samples that exploit a Google Chrome zero-day unpatched flaw. With the help of this exploited vulnerability, the sender of the PDF files can track and gather user information in the case that they use Google Chrome as a local PDF viewer.
Cybercriminals use phishing style PDF scam campaigns to target email users. Victims are lured with attached PDF files that look realistic but have misleading links to fraudulent pages. People often find it hard to resist free and profitable business offers inside the PDF attachment, which seems attainable with just the click of a link.
Such attempts often succeed because people tend to trust their existing security systems to take care of it. However, most of the traditional ways of security controls are not able to identify and mitigate the lurking danger, especially since PDF files are a trusted format. Several small- and medium-sized businesses, enterprises, and government organizations have fallen victim to these scams.
Evaluate and Be Up-to-date
There is clearly a need to evaluate vulnerabilities in the context of weaponization of daily tools. At the same time, an organization must also keep an up-to-date view of vulnerability weaponization to make wise information security decisions.
While the UK, the US, and India seem to be the most targeted countries for malware, according to Nextgov, security experts are reporting that most weaponized PDFs being sent to recipients in the US and the UK seem to be originating in Russia.
SonicWall’s President and CEO, Bill Conner, told Nextgov that he had recently made several trips to London and Washington to discuss the risks with government officials.