A new HP report shows a 65% increase in the use of hacking tools downloaded from underground forums and filesharing websites during the first half of 2021 compared to the second half of 2020.

The HP report also shows a significant increase in the frequency and sophistication of cybercrime activity. The data was gathered within HP Wolf Security customer virtual machines during the first half of this year.

The hacking tools in wide circulation are surprisingly capable, according to HP. For example, one tool can solve CAPTCHA challenges to perform credential stuffing attacks against websites.

More broadly, the report found cybercrime is more organized than ever. Underground forums provide a perfect platform for threat actors to collaborate and share attack tactics, techniques and procedures.

Surprisingly Low Detection

HP’s Alex Holland

Alex Holland is senior malware analyst at HP.

“One of the more surprising findings was seeing how effective obfuscation can be at evading traditional detection technologies,” he said. “In March, we investigated a multi-stage obfuscated Visual Basic Script malware campaign that targeted senior business executives. An initial malicious script was used by the attacker to establish persistence on the victim’s computer and deliver secondary stages of malware. What surprised us was the low detection rate of the malware, with only 21% of antivirus scanners on VirusTotal detecting it as malicious at the time.”

The increase in hacking tool downloads likely points to growing attacker intent and capability, Holland said.

“The cybercrime ecosystem today is driven by ransomware affiliates, who have created demand for specialized services needed to conduct successful attacks, such as initial access to networks and malware distribution,” he said. “We believe this demand is having the effect of encouraging more financially-motivated criminals into cybercrime, feeding into increased levels of attacker desire and the expectation that attacks will succeed.”

Notable Threats

Among key findings in the HP report:

“Threat actors are collaborating more than ever – be it buying and selling tools or access from each other, or coordinating attacks together,” Holland said. “The result is that organizations face risks from highly capable and experienced crews, making it harder to protect the endpoint. In response, we recommend organizations put comprehensive and resilient endpoint infrastructure and cyber defense measures in place.”

Features like hardware-based process isolation minimize the attack surface of systems, he said. It can contain threats from email, browsers and downloads, the most common attack vectors.

Other key findings in the report include:

Assessing Risk

“One way to assess the risk posed by different types of threats is to consider the factors that drive and enable threat actors, such as desire, expectation, knowledge and resources,” Holland said. “The increase in hacking tool activity may indicate an increase in attacker intent, i.e. the desire to perform attacks and the expectation they will succeed. It also points to the widespread availability of hacking tools within the cybercrime ecosystem, i.e. the resources at attackers’ disposal. A big driver of why hacking tools are so easy to obtain is widespread malware piracy or ‘cracking,’ enabling anyone to use tools without payment – even if developers intended otherwise.”

One positive development is COVID-19-related phishing lures appear to be waning. They contributed to less than 1% of email phishing lures in HP Wolf Security telemetry.

“Malware distributors prefer to use lures that have proven effective generically across different regions,” Holland said. “So this could indicate that topical lures related to the pandemic have been less effective recently at tricking users into clicking malicious links and attachments compared to other types of lures.”