HP Report Unveils Critical Gaps in Printer Platform Security

HP Wolf Security has released a new report – Securing the Print Estate: A Proactive Lifecycle Approach to Cyber Resilience – highlighting the challenges of securing printer hardware and firmware (platform security), and the implications of these failures across every stage of the printer’s lifecycle. Based on a global study of 800+ IT and security decision-makers (ITSDMs), the findings show that platform security is being overlooked, leaving concerning security gaps.

Exploring four lifecycle stages, the report reveals that during the Ongoing Management stage, just 28% of UK ITSDMs apply firmware updates promptly. This is despite IT teams spending 4 hours per printer per month managing hardware and firmware security issues. Failure to promptly apply firmware updates to printers unnecessarily exposes organisations to threats that could lead to damaging impacts, such as cybercriminals exfiltrating critical data or hijacking devices.

Further security gaps revealed across the other stages of the printer’s lifecycle include:

Supplier Selection & Onboarding stage:

  • Lack of procurement collaboration: Only 34% of UK ITSDMs say procurement, IT, and security collaborate to define printer security standards – with 63% warning that this lack of collaboration puts their organisation at risk.
  • RFPs going unchecked: 47% of UK ITSDMs fail to involve IT/security teams in vendor presentations; 57% fail to request technical documentation to validate security claims; and 58% fail to submit vendor responses to security teams for review.
  • Inability to verify the printer’s integrity: Once the printer arrives, 51% of ITSDMs cannot confirm whether the printer has been tampered with in the factory or in transit.

Remediation stage:

  • Inability to detect and remediate threats: Many organisations are struggling to keep on top of patching devices. Only 31% of UK ITSDMs globally are able to identify vulnerable printers based on newly published hardware or firmware vulnerabilities, not to mention zero-day threats that are unknown to the vendor or the public. Only 35% can track unauthorised hardware changes made by users or support teams, and only 30% of ITSDMs can detect security events linked to hardware-level attacks.
  • Not just cyber – print risks are physical too: 66% of UK ITSDMs are increasingly worried about offline threats, such as employees printing and mishandling sensitive company information.

Decommissioning and Second Life stage:

  • End of life risk: 88% of UK ITSDMs say data security is a barrier to printer reuse, resale or recycling – a big problem, given that on average ITSDMs report having approximately 103 printers that are redundant or are in the process of being decommissioned within their organisations.
  • Lack of confidence: ITSDMs lack confidence in current sanitisation solutions, with 37% saying they are uncertain whether printers can be fully and safely wiped. Meanwhile, more than 1-in-4 (28%) believe it’s necessary to physically destroy printer storage drives, and nearly 1-in-10 (9%) insist on destroying both the device and its storage drives to ensure data security.

“Printers are no longer just harmless office fixtures – they’re smart, connected devices storing sensitive data,” warns Steve Inch, Global Senior Print Security Strategist at HP Inc. “With multi-year refresh cycles, unsecured printers create long-term vulnerabilities. If compromised, attackers can harvest confidential information for extortion or sale. The wrong choice can leave organisations blind to firmware attacks, tampering or intrusions, effectively laying out the welcome mat for attackers to access the wider network.”

The report offers recommendations on how to address these security challenges across the printer’s lifecycle, including:

  • Ensure IT, security and procurement teams collaborate effectively to define security and resilience requirements for new printers.
  • Require and leverage manufacturer provider security certificates for products and/or for supply chain processes.
  • Apply firmware updates promptly to minimise exposure to security threats.
  • Leverage security tools to streamline printer policy-based configuration compliance.
  • Deploy printers that can continuously monitor for zero-day threats and malware with the ability to prevent, detect, isolate and recover from low-level attacks.
  • Select printers with built-in secure erasure of hardware, firmware and stored device data to enable safe second life and recycling.

“By considering security at each stage of a printer’s lifecycle, organisations will not only improve the security and resilience of their endpoint infrastructure, but also benefit from better reliability, performance, and cost-efficiency over the lifetime of their fleets,” comments Boris Balacheff, Chief Technologist for Security Research and Innovation at HP Inc.

For further insights and recommendations, download the full report “Securing the Print Estate: A Proactive Lifecycle Approach to Cyber Resilience” here.

Hiding in Plain Site: Attackers Sneaking Malware into Images on Websites

HP Inc. today issued its latest Threat Insights Report, highlighting how threat actors are using malware kits and generative artificial intelligence (GenAI) to improve the efficiency of their attacks. Such tools are reducing the time and skill needed to create attack components, enabling attackers to focus on experimenting with techniques to bypass detection and trick victims into infecting their endpoints, such as embedding malicious code inside images.
The report provides an analysis of real-world cyberattacks, helping organisations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape. Based on data from millions of endpoints running HP Wolf Security, notable campaigns identified by HP threat researchers include:
  • Malware-by-numbers kits: HP threat researchers observed large campaigns spreading VIP Keylogger and 0bj3ctivityStealer malware that leverage the same techniques and loaders, suggesting the use of malware kits to deliver different payloads. In both campaigns, attackers hid the same malicious code in images on file hosting websites like archive.org, as well as using the same loader to install the final payload. Such techniques help attackers circumvent detection, as image files appear benign when downloaded from well-known websites, bypassing network security like web proxies that rely on reputation.
  • GenAI helping to create malicious HTML documents: Researchers also identified an XWorm remote access trojan (RAT) campaign initiated by HTML smuggling, which contained malicious code that downloads and runs the malware. Notably, similar to an AsyncRAT campaign analysed in the previous quarter, the loader bore hallmarks that indicate that it may have been written with the help of GenAI, for example, including a line-by-line description and the design of the HTML page.
  • Gaming cheaters never prosper: Attackers are compromising video game cheat tools and modification repositories hosted on GitHub, adding executable files containing Lumma Stealer malware. This infostealer scrapes victims’ passwords, crypto wallets, and browser information. Users frequently deactivate security tools to download and use cheats, putting them at greater risk of infection without isolation technology in place.
Alex Holland, Principal Threat Researcher in the HP Security Lab, comments:
“The campaigns analyzed provide further evidence of the commodification of cybercrime. As malware-by-numbers kits are more freely available, affordable, and easy to use, even novices with limited skills and knowledge can put together an effective infection chain. Throw GenAI into the mix to write the scripts, and the barriers to entry get even lower. This allows groups to concentrate on tricking their targets and picking the best payload for the job – for instance by targeting gamers with malicious cheat repositories.”
By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely – HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 65 billion email attachments, web pages, and downloaded files with no reported breaches.
The report, which examines data from calendar Q3 2024, details how cybercriminals continue to diversify attack methods to bypass security tools that rely on detection, such as:
  • At least 11% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.
  • Executables were the most popular malware delivery type (40%), followed by archive files (34%).
  • There was a notable rise in .lzh files, which made up 11% of archive files analysed – with most malicious .lzh archive files targeting Japanese-speaking users.
Neil Dover, country manager for Ireland at HP Inc., comments:
“Cybercriminals are rapidly increasing the variety, volume, and velocity of their attacks. If a malicious Excel document is blocked, an archive file in the next attack may slip through the net. Instead of trying to detect rapidly shifting infection methods, organisations should focus on reducing their attack surface. This means isolating and containing risky activities such as opening email attachments, clicking on links, and browser downloads to reduce the chances of a breach.”
HP Wolf Security runs risky tasks in isolated, hardware-enforced virtual machines running on the endpoint to protect users, without impacting their productivity. It also captures detailed traces of attempted infections. HP’s application isolation technology mitigates threats that can slip past other security tools and provides unique insights into intrusion techniques and threat actor behaviour.

HP Wolf Security Offers Unique Business PC Protection Against Physical Cyberattacks

HP Inc. has announced the launch of HP Enterprise Security Edition, a unique suite of security capabilities designed to enhance the physical security of HP business class PCs. HP Enterprise Security Edition includes multilayered safeguards to protect PC hardware and firmware from targeted physical attacks, while giving IT admins unparalleled visibility to help detect unauthorised firmware and component tampering throughout a device’s lifecycle.
The rise of hybrid work and Work from Anywhere (WFA) has increased the risk of PCs being compromised by attackers with brief physical access, underscoring the need for protection and visibility into the integrity of devices throughout their lifetimes. Over half (51%) of ITSDMs are concerned that they cannot verify if PC, laptop or printer hardware and firmware have been tampered with during transit. This visibility helps to mitigate the risk of targeted attacks that gain a persistent foothold within a company.
HP Enterprise Security Edition helps defend against such attacks by preventing harm to the hardware and firmware layers of the PC, while also enabling IT teams to check whether hardware and firmware have been altered by malicious third parties during a device’s lifetime.
Neil Dover, HP Inc Ireland Country Manager, comments:
“Physical attacks are riskier and more difficult to perform, so they are typically targeted and organised – for instance, as part of a nation-state campaign or corporate espionage. But the lucrative market for selling access to corporate networks means more opportunistic attacks – spotting an unattended PC and briefly plugging in a Thunderbolt™ device – could be worth the risk for a cybercriminal.”
Dover continues, “By tampering with device hardware and firmware, attackers can gain an almost undetectable foothold on a device, which could help them gain access to a corporate network or mount destructive attacks. This is attractive to bad actors, providing them with unparalleled visibility and control – and multiple ways to monetise.”
To combat these physical cyber threats, HP Enterprise Security Edition equips PCs with the following multilayered protection capabilities:
  • Firmware Lock: User-controlled lock implemented at the firmware level and used in conjunction with HP Sure Admin. Once Firmware Lock is activated, HP Sure Admin’s cryptographic password-less authentication process is used to unlock the PC. This provides substantially stronger protection than a standard operating system lock when a PC is left unattended, preventing a bad actor from even being able to interact with system boot or attempt to start the operating system.
  • Platform Certificates: These digital certificates enable customers to validate that hardware and firmware components have not been modified since manufacturing, such as disk, memory, processor, BIOS/firmware version, or PCIe devices and the trusted platform module. This offers visibility and detection of unauthorised modification of device hardware and firmware components.
  • Sure Start Virtualisation Protection: Pre-boot protection from malicious or compromised third-party hardware being plugged into a Thunderbolt™/USB-C or PCIe port. Third-party firmware runs inside a micro-virtual machine, protecting device hardware and firmware, and preventing the device from being infected by malicious third-party firmware.
HP Enterprise Security Edition delivers platform integrity protection capabilities by ensuring the hardware and firmware beneath the operating system are more secure and resilient to physical attacks. This enables organisations to manage risk to their endpoint device supply chain by validating hardware and firmware integrity prior to device onboarding. Importantly, this will help organisations implement strong governance and controls over the security of their PC hardware and firmware across their device lifecycle. Finally, end users can be confident and reassured that their sensitive data is protected however and wherever they work.
Neil Dover, HP Inc Ireland Country Manager, comments:
“Securing PCs from physical attack is often overlooked, but if bad actors want your data badly enough, they’ll go to any lengths to obtain it. Whether it’s from executives traveling for work and leaving a laptop in an insecure hotel room or stepping away in a cafe to buy a coffee, there are many ways devices could find themselves exposed.”
Dover concludes:
“Preventing cyber-attacks on the hardware and firmware of a device is key to maintain integrity of an organisation’s PC endpoint supply chain. HP Enterprise Security Edition introduces new defensive capabilities for PC hardware and firmware. This will help safeguard data and protect the integrity of the PC fleet, while shining a light on threats lurking below the operating system surface, where traditional security tools can’t go.”
The new HP Enterprise Security Edition is available for select PC platforms.

HP Wolf Security Uncovers Evidence of Attackers Using AI to Generate Malware

HP has issued its latest Threat Insights Report revealing how attackers are using generative AI to help write malicious code. HP’s threat research team found a large and refined ChromeLoader campaign spread through malvertising that leads to professional-looking rogue PDF tools, and identified cybercriminals embedding malicious code in SVG images.

The report provides an analysis of real-world cyberattacks, helping organisations to keep up with the latest techniques cybercriminals are using to evade detection and breach PCs in the fast-changing cybercrime landscape. Based on data from millions of endpoints running HP Wolf Security, notable campaigns identified by HP threat researchers include:

  • Generative AI assisting malware development in the wild: Cybercriminals are already using GenAI to create convincing phishing lures, but to date there has been limited evidence of threat actors using GenAI tools to write code. The team identified a campaign using VBScript and JavaScript believed to have been written with the help of GenAI. The structure of the scripts, comments explaining each line of code, and the choice of native-language function names and variables are strong indications that the threat actor used GenAI to create the malware. The attack infects users with the freely available AsyncRAT malware, an easy-to-obtain infostealer which can record victims’ screens and keystrokes. The activity shows how GenAI is lowering the bar for cybercriminals to infect endpoints.
  • Slick malvertising campaigns leading to rogue-but-functional PDF tools: ChromeLoader campaigns are becoming bigger and increasingly polished, relying on malvertising around popular search keywords to direct victims to well-designed websites offering functional tools like PDF readers and converters. These working applications hide malicious code in an MSI file, while valid code-signing certificates bypass Windows security policies and user warnings, increasing the chance of infection. Installing these fake applications allows attackers to take over the victim’s browsers and redirect searches to attacker-controlled sites.
  • This logo is a no-go – hiding malware in Scalable Vector Graphics (SVG) images: Some cybercriminals are bucking the trend by shifting from HTML files to vector images for smuggling malware. Vector images, widely used in graphic design, commonly use the XML-based SVG format. As SVGs open automatically in browsers, any embedded JavaScript code is executed as the image is viewed. While victims think they’re viewing an image, they are interacting with a complex file format that leads to multiple types of infostealer malware being installed.
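The SVG technique in the last item above, as an added defender-side example that is not HP's code: a standard-library Python scanner that flags what a browser would execute when an SVG file is opened directly, run over two constructed sample files. It goes slightly beyond the summary by also flagging event-handler attributes, `javascript:`/`data:` URIs and DTD declarations rather than `<script>` elements alone.

```python
import re
import xml.etree.ElementTree as ET

# SVG/HTML elements that execute script or load foreign content when rendered.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# URI schemes in href/src values that run code or inline a payload instead of
# pointing at an image resource.
SUSPICIOUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return a list of (kind, detail) findings; an empty list means nothing in
    the file would execute or load foreign content when a browser opens it."""
    # A DTD is never needed to draw a logo, and entity expansion is the classic
    # XML parser abuse, so report it and refuse to parse rather than feed it in.
    if "<!DOCTYPE" in svg_text:
        return [("doctype", "DTD/entity declaration present; not parsed")]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as err:
        return [("malformed", str(err))]

    findings = []
    for elem in root.iter():
        tag = _local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("element", tag))
        for attr, value in elem.attrib.items():
            name = _local_name(attr)
            if name.lower().startswith("on"):
                # onload, onclick, onerror, onbegin ... all run script on view.
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name in ("href", "src"):
                match = SUSPICIOUS_SCHEME.match(value)
                # data: on <image> is how legitimate SVGs embed bitmaps; skip it.
                if match and not (tag == "image" and match.group(1).lower() == "data"):
                    findings.append(("uri-scheme", f"{tag}@{name}={value[:40]}"))
    return findings


def is_clean(svg_text):
    """Convenience wrapper: True if the SVG carries no active content."""
    return not find_active_content(svg_text)


# Constructed samples (not real malware): a plain logo and a file that uses the
# three mechanisms the scanner looks for. The script body only calls alert().
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="#0096d6"/>
  <a href="https://example.invalid/logo"><text x="10" y="95">logo</text></a>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script type="text/javascript"><![CDATA[
    function init() { alert('constructed sample: ran on view'); }
  ]]></script>
  <a xlink:href="javascript:alert('link')"><text x="10" y="20">Open</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", find_active_content(doc) or "clean")
```

For production triage use a hardened parser such as defusedxml instead of bare ElementTree, and treat a hit on an inbound "logo" as a reason to detonate the file in isolation rather than open it.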

Val Gabriel, Managing Director of HP Ireland, comments:

“There has long been speculation about AI being used by attackers, but evidence has been scarce, so this finding is significant. Typically, attackers tend to obscure their intentions to avoid revealing their methods, so this behaviour indicates an AI assistant was used to help write their code. It’s cases like this that showcase that threat actors are constantly updating their methods. Instances like this one further lower the barrier to entry for threat actors, allowing novices without coding skills to write scripts, develop infection chains, and launch more damaging attacks. So, businesses must build resilience, closing off as many common attack routes as possible, and adopt a defence-in-depth strategy to mitigate any risks.”

By isolating threats that have evaded detection tools on PCs – but still allowing malware to detonate safely – HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 40 billion email attachments, web pages, and downloaded files with no reported breaches.

The report, which examines data from calendar Q2 2024, details how cybercriminals continue to diversify attack methods to bypass security policies and detection tools, such as:

  • At least 12% of email threats identified by HP Sure Click bypassed one or more email gateway scanners, the same as the previous quarter.
  • The top threat vectors were email attachments (61%), downloads from browsers (18%) and other infection vectors, such as removable storage – like USB thumb drives and file shares (21%).
  • Archives were the most popular malware delivery type (39%), 26% of which were ZIP files.

HP Wolf Security runs risky tasks in isolated, hardware-enforced virtual machines running on the endpoint to protect users, without impacting their productivity. It also captures detailed traces of attempted infections. HP’s application isolation technology mitigates threats that can slip past other security tools and provides unique insights into intrusion techniques and threat actor behaviour.

HP Catches Cyber criminals ‘Cat-Phishing’ Users

HP Ireland today issued its quarterly HP Wolf Security Threat Insights Report, showing attackers are relying on open redirects, overdue invoice lures, and Living-off-the-Land (LotL) techniques to sneak past defences. The report provides an analysis of real-world cyberattacks, helping organisations to keep up with the latest techniques cybercriminals use to evade detection and breach PCs in the fast-changing cybercrime landscape.

Based on data from millions of endpoints running HP Wolf Security, notable campaigns identified by HP threat researchers include:

  • Attackers using open redirects to ‘Cat-Phish’ users: In an advanced WikiLoader campaign, attackers exploited open redirect vulnerabilities within websites to circumvent detection. Users were directed to trustworthy sites, often through open redirect vulnerabilities in ad embeddings. They were then redirected to malicious sites – making it almost impossible for users to detect the switch.
  • Living-off-the-BITS: Several campaigns abused the Windows Background Intelligent Transfer Service (BITS) – a legitimate mechanism used by programmers and system administrators to download or upload files to web servers and file shares. This LotL technique helped attackers remain undetected by using BITS to download the malicious files.
  • Fake invoices leading to HTML smuggling attacks: HP identified threat actors hiding malware inside HTML files posing as delivery invoices which, once opened in a web browser, unleash a chain of events deploying open-source malware, AsyncRAT. Interestingly, the attackers paid little attention to the design of the lure, suggesting the attack was created with only a small investment of time and resources.

Patrick Schläpfer, Principal Threat Researcher in the HP Wolf Security threat research team, comments:

“Targeting companies with invoice lures is one of the oldest tricks in the book, but it can still be very effective and hence lucrative. Employees working in finance departments are used to receiving invoices via email, so they are more likely to open them. If successful, attackers can quickly monetise their access by selling it to cybercriminal brokers, or by deploying ransomware.”

By isolating threats that have evaded detection-based tools – but still allowing malware to detonate safely – HP Wolf Security has specific insight into the latest techniques used by cybercriminals. To date, HP Wolf Security customers have clicked on over 40 billion email attachments, web pages, and downloaded files with no reported breaches.

The report details how cybercriminals continue to diversify attack methods to bypass security policies and detection tools. Other findings include:

  • At least 12% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.
  • The top threat vectors in Q1 were email attachments (53%), downloads from browsers (25%) and other infection vectors, such as removable storage – like USB thumb drives – and file shares (22%).
  • This quarter, at least 65% of document threats relied on an exploit to execute code, rather than macros.

Val Gabriel, Managing Director at HP Ireland, comments:

“Living-off-the-Land techniques expose the flaws of relying on detection alone as they try to sneak past defences. As they are using legitimate tools, it can be difficult to spot threats without throwing up a lot of disruptive false positives. Threat containment provides protection even when detection fails, preventing malware from destroying user data or credentials, and preventing attacker persistence. This is why organisations should take a defence-in-depth approach to security, isolating and containing high-risk activities to reduce their attack surface.”

HP Wolf Security runs risky tasks in isolated, hardware-enforced disposable virtual machines running on the endpoint to protect users, without impacting their productivity. It also captures detailed traces of attempted infections. HP’s application isolation technology mitigates threats that slip past other security tools and provides unique insights into intrusion techniques and threat actor behaviour.

About the data

This data was gathered from consenting HP Wolf Security customers from January-March 2024.

Threat Actors Get Creative with Building Block Style Attacks, Finds HP

HP Ireland today issued its quarterly HP Wolf Security Threat Insights Report, showing how threat actors are chaining different combinations of attacks together like toy bricks to sneak past detection tools. It comes as the Government has published the Mid-Term Review of the National Cyber Security Strategy 2019-2024 plan to boost cybersecurity, which includes measures to support the potential growth of the cybersecurity industry.

The research has found that by isolating threats that have evaded detection tools on PCs, HP Wolf Security has specific insight into the latest techniques used by cybercriminals in the fast-changing cybercrime landscape. To date, HP Wolf Security customers have clicked on over 30 billion email attachments, web pages, and downloaded files with no reported breaches.

Based on data from millions of endpoints running HP Wolf Security, the researchers found:

  • It’s playtime for cybercriminals using building block style attacks: Attack chains are often formulaic, with well-trodden paths to the payload. Yet creative QakBot campaigns saw threat actors connecting different blocks together to create unique infection chains. By switching up different file types and techniques, they were able to bypass detection tools and security policies. 32% of the QakBot infection chains analysed by HP in Q2 were unique.
  • Spot the difference – blogger or keylogger: Attackers behind recent Aggah campaigns hosted malicious code within the popular blogging platform Blogspot. By hiding the code in a legitimate source, they make it harder for defenders to tell whether a user is reading a blog or launching an attack. Threat actors then use their knowledge of Windows systems to disable some anti-malware capabilities on the user’s machine, execute XWorm or the AgentTesla Remote Access Trojan (RAT), and steal sensitive information.
  • Going against protocol: HP also identified other Aggah attacks using a DNS TXT record query – typically used to access simple information on domain names – to deliver the AgentTesla RAT. Threat actors know the DNS protocol is not often monitored or protected by security teams, making this attack extremely hard to detect.
  • Multi-lingual malware: A recent campaign uses multiple programming languages to avoid detection. Firstly, it encrypts its payload using a crypter written in Go, disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory – leaving minimal traces on the PC.

Val Gabriel, Managing Director of HP Ireland, comments:

“In Q2, we welcomed the Government’s plan to boost cybersecurity in Ireland, but there is still a long way to go. We have observed that the top threat attack vectors that can be exploited to break into an IT system are email (79%) and browser downloads (12%). Our research shows that today’s attackers are becoming better organised and more knowledgeable. It’s easier for attackers to exploit any security gaps by knowing the best entry points and how to easily navigate systems. To limit the chances of a security breach, businesses and users should avoid downloading files from untrusted sites or clicking on any suspicious links.”

The report details how cybercriminal groups are diversifying attack methods to bypass security policies and detection tools. Key findings include:

  • Archives were the most popular malware delivery type for the fifth quarter running, used in 44% of cases analysed by HP.
  • Q2 saw a 23% rise in HTML threats stopped by HP Wolf Security compared to Q1.
  • There was a 4 percentage-point increase in executables, from 14% to 18%, from Q1 to Q2, mainly caused by usage of the PDFpower.exe file, which bundled software with browser-hijacking malware.
  • HP noted a 6 percentage-point drop in spreadsheet malware (19% to 13%) in Q1 compared to Q4, as attackers move away from Office formats in which it is more difficult to run macros.
  • At least 12% of email threats identified by HP Sure Click bypassed one or more email gateway scanners in Q2.
  • The top threat vectors in Q2 were email (79%) and browser downloads (12%).

Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc., comments:

“While infection chains may vary, the methods of initiation remain the same – it inevitably comes down to the user clicking on something. Instead of trying to second guess the infection chain, organisations should isolate and contain risky activities such as opening email attachments, clicking on links, and browser downloads.”

HP Wolf Security runs risky tasks in isolated, hardware-enforced virtual machines running on the endpoint to protect users, without impacting their productivity. It also captures detailed traces of attempted infections. HP’s application isolation technology mitigates threats that slip past other security tools and provides unique insights into novel intrusion techniques and threat actor behaviour.

HP Expands the Boundaries for Remote PC Management through HP Wolf Connect

At its Amplify™ Partner Conference, HP Inc announced HP Wolf Connect, an IT management connectivity solution that provides a highly resilient and secure connection to remote PCs, enabling IT to manage devices even when powered down or offline.

Using a cellular-based network, HP Wolf Connect’s robust connectivity helps ensure IT teams can readily manage a dispersed hybrid workforce. It can reduce the time and effort needed to resolve support tickets, secure data from loss or theft to mitigate a potential breach and optimise asset management.

“Hybrid work has made remote management at scale more complex for IT teams, yet even more essential,” comments Neil Dover, Country Manager at HP Ireland. “As we adapt to the hybrid work model the cloud has helped but hasn’t solved IT’s ability to manage devices that are powered down or offline. HP Wolf Connect’s highly resilient connection opens new doors to remote device management, enabling efficient and effective management of dispersed workforces.”

HP Wolf Protect and Trace with Wolf Connect is the world’s first software service capable of locating, locking and erasing a PC remotely, even when it’s turned off or disconnected from the Internet. This capability protects sensitive data on the move and helps lower IT costs by reducing the need for PC remediation or replacement.

Securing and managing the hybrid workforce is a top priority for organisations. New global research from HP Wolf Security found 82% of security leaders operating a hybrid work model have gaps in their organisation’s security posture. The global study of 1,492 security leaders found:

  • 61% say protecting their hybrid workers will get harder in the year ahead.
  • 70% say that hybrid work increases the risk of lost or stolen devices.

“Before today, solutions relied on PCs being on or connected to the internet, but HP Wolf Connect now provides a highly resilient mobile connection to find, lock, and erase lost or stolen devices even if they are disconnected or powered down. This is particularly crucial in industries where devices may contain PII (personally identifiable information) or intellectual property. Now, teams can accurately report where and when devices were lost, and how long it took to lock or erase them,” continues Dover.

Securing the endpoint is ground zero for attacks on hybrid workers

Beyond PC loss and theft, the endpoint (i.e., laptops, PCs or printers) continues to face serious threats from ransomware and is ground zero for attacks on hybrid workers. This requires the creation of new cybersecurity strategies and innovative security tools in response to changing employee behaviours.

  • 84% of security leaders say the endpoint is the source of most security threats and where the most business-damaging security threats happen.
  • 66% say the greatest cybersecurity weakness is the potential for hybrid employees to be compromised; with phishing, ransomware, and attacks via unsecured home networks cited as the top risks.
  • 65% say it is challenging to update their threat detection measures (e.g., Endpoint Detection & Response and Security Information and Event Management tools) to reflect the behaviour of hybrid employees, making it harder to spot attacks.
  • Three-quarters (76%) of security leaders agree application isolation is key to protect hybrid worker devices, but only 23% are benefiting from using it at present; with 32% planning to deploy in the next 12 months.

“The shift to hybrid work requires a move away from old perimeter-focused thinking. To close gaps, organisations must put the endpoint front and centre of any security strategy. Adopting hardware-enforced security features and protection above, in, and below the OS – such as application isolation – will be key for protecting users without impinging on the freedoms that hybrid work allows,” concludes Pratt.

Hybrid work security is a key focus for 2023

HP’s new hybrid security research details how security teams are prioritising securing the hybrid workplace:

  • Four-in-five (82%) security leaders have increased their cybersecurity budget specifically for hybrid workers. 71% expect this hybrid investment focus to increase further in 2023.
  • 80% have deployed a different set of tools and policies to protect hybrid employees.
  • 70% are limiting network access of people working remotely to minimise the risk of a breach.

To learn more, download HP Wolf Security’s latest report for IT decision makers and for Security Leaders.

HP Wolf Security report: Daily QR “Scan Scams” Phishing Users on their Mobile Devices

HP Ireland has today issued its latest quarterly HP Wolf Security Threat Insights Report, showing hackers are diversifying attack methods, including a surge in QR code phishing campaigns. By isolating threats on PCs and mobile devices that have evaded detection tools, HP Wolf Security has specific insight into the latest techniques being used by cybercriminals in the fast-changing cybercrime landscape. To date, HP Wolf Security customers have clicked on over 25 billion email attachments, web pages, and downloaded files with no reported breaches.

From February 2022, Microsoft began blocking macros in Office files by default, making it harder for attackers to run malicious code. Data collected by the HP Threat Research team shows that from Q2 2022, attackers have been diversifying their techniques to find new ways to breach devices and steal data. Based on data from millions of endpoints running HP Wolf Security, the research found:

  • The rise of QR scan scams: Since October 2022, HP has seen almost daily QR code “scan scam” campaigns. These scams trick users into scanning QR codes from their PCs using their mobile devices – potentially to take advantage of weaker phishing protection and detection on such devices. QR codes direct users to malicious websites asking for credit and debit card details. Examples in Q4 included phishing campaigns masquerading as parcel delivery companies seeking payment.
  • HP noted a 38% rise in malicious PDF attachments: Recent attacks use embedded images that link to encrypted malicious ZIP files, bypassing web gateway scanners. The PDF instructions contain a password that the user is tricked into entering to unpack a ZIP file, deploying QakBot or IcedID malware to gain unauthorised access to systems, which are used as beachheads to deploy ransomware.
  • 42% of malware was delivered inside archive files like ZIP, RAR, and IMG: The popularity of archives has risen 20% since Q1 2022, as threat actors switch to scripts to run their payloads. This is compared to 38% of malware delivered through Office files such as Microsoft Word, Excel, and PowerPoint.

“We have seen a rise in scan scams, malvertising, archives and PDF malware recently, and we would encourage everyone to look out for emails and websites that ask to scan QR codes and give up sensitive data, as well as PDF files linking to password-protected archives. Being aware of the signs to watch out for is the first line of defense when it comes to detecting and eliminating any breaches; it ensures these threat actors don’t gain access to sensitive data and move throughout systems,” explains Val Gabriel, Managing Director of HP Ireland.

In Q4, HP also found 24 popular software projects imitated in malvertising campaigns used to infect PCs with eight malware families – compared to just two similar campaigns in the previous year. The attacks rely on users clicking on search engine advertisements, which lead to malicious websites that look almost identical to the real websites.

“While techniques evolve, threat actors still rely on social engineering to target users at the endpoint,” comments Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc.

“Organisations should deploy strong isolation to contain the most common attack vectors like email, web browsing and downloads. Combine this with credential protection solutions that warn or prevent users from entering sensitive details onto suspicious sites to greatly reduce the attack surface and improve an organisation’s security posture.”

HP Wolf Security runs risky tasks like opening email attachments, downloading files and clicking links in isolated, micro-virtual machines (micro-VMs) to protect users, capturing detailed traces of attempted infections. HP’s application isolation technology mitigates threats that might slip past other security tools and provides unique insights into novel intrusion techniques and threat actor behavior.

The full report can be found here: https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-q4-2022/

“.ZIP past” Office docs as most common malicious file type

HP Inc. has issued its third quarter HP Wolf Security Threat Insights Report, finding that archive file formats – such as ZIP and RAR files – were the most common file type for delivering malware, surpassing Office files for the first time in three years. This report provides an analysis of real-world cyberattacks, helping organisations to keep up with the latest techniques cybercriminals use to evade detection and breach users in the fast-changing cybercrime landscape.

Based on data from millions of endpoints running HP Wolf Security, the research found 44% of malware was delivered inside archive files – an 11% rise on the previous quarter – compared to 32% delivered through Office files such as Microsoft Word, Excel, and PowerPoint.

The report identified several campaigns that were combining the use of archive files with new HTML smuggling techniques – where cybercriminals embed malicious archive files into HTML files to bypass email gateways – to then launch attacks.

For example, recent QakBot and IcedID campaigns used HTML files to direct users to fake online document viewers that were masquerading as Adobe. Users were then instructed to open a ZIP file and enter a password to unpack the files, which then deployed malware onto their PCs.

As the malware within the original HTML file is encoded and encrypted, detection by email gateway or other security tools is very difficult. Instead, the attacker relies on social engineering, creating a convincing and well-designed web page to fool people into initiating the attack by opening the malicious ZIP file. In October, the same attackers were also found using fake Google Drive pages in an ongoing effort to trick users into opening malicious ZIP files.
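The delivery techniques described in the Q4 list above (archives as the top malware container, password-protected ZIPs reached via PDF lures) and in the HTML smuggling paragraphs here share one defensive lesson: a mail gateway has to classify an attachment by its content rather than its filename, and it has to notice when the real payload has been placed where scanners cannot read it, either behind a password or encoded inside an HTML file. The following Python is an added example, not HP's code or anything from the report. It assumes a hypothetical `triage_attachment` gateway policy, a small content-signature table, the ZIP local-header general-purpose flag (bit 0) as the signal for a password-protected entry, and constructed sample attachments built inline (a harmless ZIP, a copy with its encryption flag set, that copy smuggled in an HTML page, and a ZIP misnamed as a PDF).

```python
from __future__ import annotations

import base64
import binascii
import io
import re
import struct
import zipfile

# Content signatures for the container types the reports name (constructed table).
MAGIC = [
    (b"PK\x03\x04", "zip"),  # also OOXML Office files (docx/xlsx/pptx), which are ZIPs
    (b"Rar!\x1a\x07", "rar"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"),  # legacy .doc/.xls/.ppt
]
# Extensions a given true type may legitimately carry (assumed policy).
EXT_FOR = {
    "zip": ("zip", "docx", "xlsx", "pptx"),
    "rar": ("rar",),
    "pdf": ("pdf",),
    "ole2-office": ("doc", "xls", "ppt"),
    "html": ("html", "htm"),
}
# A base64 run long enough to carry a file, and the browser APIs that turn such a
# string back into a download on the client, out of sight of the email gateway.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{200,}")
SMUGGLING_TOKENS = (b"atob(", b"Blob(", b"createObjectURL", b"msSaveOrOpenBlob")


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, never by the filename the sender chose."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    head = data[:512].lower()
    if any(tag in head for tag in (b"<html", b"<!doctype", b"<script")):
        return "html"
    return "unknown"


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Walk the ZIP local file headers; general-purpose flag bit 0 marks an
    encrypted entry. Local headers are readable even when the central directory
    is truncated, so this check does not depend on the archive being well-formed."""
    off = 0
    while len(data) >= off + 30 and data.startswith(b"PK\x03\x04", off):
        flags = struct.unpack_from("<H", data, off + 6)[0]
        if flags & 0x1:
            return True
        csize = struct.unpack_from("<I", data, off + 18)[0]
        fnlen, exlen = struct.unpack_from("<HH", data, off + 26)
        if csize == 0 and flags & 0x8:
            # Sizes live in a trailing data descriptor; resync on the next header.
            nxt = data.find(b"PK\x03\x04", off + 30)
            if nxt < 0:
                break
            off = nxt
        else:
            off += 30 + fnlen + exlen + csize
    return False


def smuggled_payloads(html: bytes) -> list[tuple[str, bool]]:
    """Decode every long base64 run in an HTML attachment and report
    (type, encrypted) for each one that turns out to be a known container."""
    found = []
    for m in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        kind = sniff_type(blob)
        if kind != "unknown":
            found.append((kind, kind == "zip" and zip_has_encrypted_entries(blob)))
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    """Hypothetical gateway policy: true type plus a list of findings."""
    kind = sniff_type(data)
    findings = []
    if kind == "html":
        payloads = smuggled_payloads(data)
        if payloads:
            findings.append("html-smuggled:" + ",".join(p for p, _ in payloads))
        if any(enc for _, enc in payloads):
            findings.append("encrypted-zip-inside-html")
        tokens = [t.decode() for t in SMUGGLING_TOKENS if t in data]
        if tokens:
            findings.append("client-side-reassembly:" + "+".join(tokens))
    elif kind == "zip" and zip_has_encrypted_entries(data):
        findings.append("encrypted-zip")
    elif kind in ("zip", "rar"):
        findings.append("archive")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind != "unknown" and ext not in EXT_FOR[kind]:
        findings.append(f"extension-mismatch:{ext}!={kind}")
    return {"type": kind, "findings": findings}


def build_samples() -> dict[str, bytes]:
    """Constructed inputs only; the ZIP holds nothing but a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "harmless sample content\n" * 20)
    plain = buf.getvalue()
    flagged = bytearray(plain)
    flagged[6] |= 0x1  # set bit 0 of the first local header: "password-protected"
    flagged = bytes(flagged)
    html = (b"<html><body>Your document is ready</body><script>var d='"
            + base64.b64encode(flagged) + b"';var f=new Blob([atob(d)]);</script></html>")
    return {"invoice.zip": plain, "statement.zip": flagged,
            "viewer.html": html, "delivery_notice.pdf": plain}


def triage_all() -> dict[str, dict]:
    return {n: triage_attachment(n, d) for n, d in build_samples().items()}


if __name__ == "__main__":
    for name, r in triage_all().items():
        print(f"{name:22} {r['type']:12} {', '.join(r['findings']) or 'clean'}")
```

The point of `zip_has_encrypted_entries` reading local headers directly is that a password-protected archive is exactly the case where a scanner cannot inspect the contents, so the flag itself becomes the detection signal rather than anything inside the file; likewise `smuggled_payloads` decodes what the HTML would hand to the browser, because at gateway time that decoded blob is the only place the archive exists. Note that OOXML documents are ZIPs at the byte level, which is why the extension policy lists docx/xlsx/pptx under "zip".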

“Evidently, threat actors are becoming more and more agile in their methods to break into systems and smuggle information. With the right tools to detect and eliminate any breaches, it ensures these threat actors don’t gain access to sensitive data and move throughout the system. Organisations can also use Zero Trust Principle to make sure potentially malicious tasks, like clicking on unsecure links or opening deceptive attachments, are executed in a disposable virtual machine separated from the underlying systems,” explains Val Gabriel, Managing Director of HP Ireland.

HP also identified a complex campaign using a modular infection chain, which could potentially enable attackers to change the payload – such as spyware, ransomware, keylogger – mid-campaign, or to introduce new features, like geo-fencing. This could enable an attacker to change tactics depending on the target they have breached. By not including malware directly in the attachment sent to the target, it is also harder for email gateways to detect this type of attack.

HP Wolf Security runs risky tasks like opening email attachments, downloading files and clicking links in isolated, micro-virtual machines (micro-VMs) to protect users, capturing detailed traces of attempted infections. HP’s application isolation technology mitigates threats that can slip past other security tools and provides unique insights into novel intrusion techniques and threat actor behaviour. By isolating threats on PCs that have evaded detection tools, HP Wolf Security has specific insight into the latest techniques being used by cybercriminals. To date, HP customers have clicked on over 18 billion email attachments, web pages, and downloaded files with no reported breaches.

About the data

This data was anonymously gathered within HP Wolf Security customer virtual machines from July-September 2022.

About HP

HP Inc. is a technology company that believes one thoughtful idea has the power to change the world. Its product and service portfolio of personal systems, printers, and 3D printing solutions helps bring these ideas to life. Visit http://www.hp.com.

About HP Wolf Security

HP Wolf Security is a new breed of endpoint security. HP’s portfolio of hardware-enforced security and endpoint-focused security services are designed to help organisations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. Visit https://www.hp.com/uk-en/security/endpoint-security-solutions.html.