Advanced persistent threat (APT) actors are targeting vulnerable remote access services and access control mechanisms like Windows Smart Screen in their attacks leveraging vulnerability exploitation, the latest research by Kaspersky has revealed.

Analysis of available data on exploits used in APT attacks in 2023-2024 also shows that office applications like Microsoft Office and WinRAR are frequent targets.

Although APT attacks rarely occur, they pose a significant threat to large corporations. Threat actors usually target specific objectives, and endeavour to remain undetected within the infrastructure for prolonged periods.

In the first quarter of 2024, the most popular vulnerabilities used by advanced adversaries turned out to be command injection and authentication bypass in Ivanti’s software for IT security and systems management – CVE-2024-21887 and CVE-2023-46805 (Common Vulnerabilities and Exposures) respectively, according to the available data on APT attacks.

The popularity of CVE-2024-21887 is likely due to its novelty. In targeted attacks, adversaries typically exploit vulnerabilities actively in the first weeks following registration and publication, before companies have had the chance to apply patches. The CVE-2023-46805 vulnerability may be used in conjunction with CVE-2024-21887.

In third place is the vulnerability in WinRAR, discovered in 2023 but still actively used in targeted attacks. It misleads users regarding the nature of the archived file being opened, thereby lowering their vigilance.

In 2023, the most exploited vulnerabilities in advanced attacks were found to be the ones in WinRAR (CVE-2023-38831), with CVE-2017-11882 and CVE-2017-0199 in the Microsoft Office suite following behind.

“Interestingly, while exploits for the Microsoft Office suite have traditionally held first place and widely used – due to Windows’ popularity that of its software in the corporate world – the latest snapshot of APT attacks reveals a different trend. Microsoft Office has ceded its leadership to WinRAR exploits,” explains Alexander Kolesnikov, a security expert at Kaspersky.

The analysis was conducted utilising information from available sources on APT attacks, which leveraged CVEs that have been registered.