Intelligent CIO Africa Issue 100 | Page 34

FEATURE: SECURING ENTERPRISES
PDF files are perceived as genuine documents but can also serve as containers for hiding malicious links and code. By taking advantage of familiarity with PDF attachments and employing social engineering tactics, attackers can boost their chances of deceiving end users. PDFs can slip past email security systems that are focused on flagging threats in other types of files, says Shayimamba Conco at Check Point Software.

While 68% of malicious attacks are delivered through email, PDF-based attacks now account for 22% of all malicious email attachments, according to Check Point Research. This makes them particularly insidious for businesses that share large quantities of these files in the course of daily work.

Threat actors have begun leveraging their deep understanding of how security providers scan and analyse files, and PDFs are becoming a preferred entry point due to their high success rate. They use sophisticated countermeasures to bypass detection, making these attacks increasingly hard to spot and stop. Check Point Research has monitored vast quantities of malicious campaigns going undetected by traditional security vendors, with zero detections in VirusTotal for the past year.

Emulation provides real-time, zero-day protection against these elusive threats, blocking attack chains originating from PDFs before they can cause harm.

Why threat actors select PDFs

PDFs are quite complex. The PDF specification, ISO 32000, spans 1,000 pages, providing a wealth of features that can be exploited for evasion. This complexity opens the door to numerous attack vectors that some security systems are ill-equipped to detect.

Over 400 billion PDFs were opened last year, and 16 billion documents were edited in Adobe Acrobat. Over 87% of organisations use PDFs as a standard file format for business communication, making them ideal vehicles for attackers to hide malicious code. Cybercriminals often turn to PDFs for phishing because the format is widely regarded as safe and reliable.

In many ways, malicious PDFs act like CAPTCHA tests: easy for the human, hard for the machine. They are designed to lure human victims while evading automated detection systems. This combination of simplicity for the user and complexity for security systems is what makes malicious PDFs so attractive to bad actors.

Malicious PDFs have evolved in their sophistication in recent years. In the past, cybercriminals exploited known vulnerabilities in PDF readers (flaws tracked as CVEs) to compromise the software. However, as PDF readers have become more secure and are frequently updated, especially browsers, which now open PDFs by default, this attack method is less reliable for mass campaigns.

Attacks relying on JavaScript or other dynamic content embedded within PDFs, while still in use, have become less common. JavaScript-based attacks tend to be noisy and are more easily detected by security solutions. Check Point Research found that most so-called exploits based on JavaScript were unreliable across different PDF readers, with many security vendors able to catch them.
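The two points above, that the size of the PDF specification gives attackers room to evade scanners and that embedded JavaScript is nonetheless easy to spot once a scanner actually looks at the file properly, can be shown with a small scanner. The following Python is an added example written for this page, not Check Point's tooling or detection logic. It contrasts a byte-grep scan with one that first normalises two legitimate spec features: hex escapes inside name objects (ISO 32000-1 section 7.3.5 makes /J#61vaScript the same name as /JavaScript) and object streams, where whole objects sit inside a FlateDecode-compressed stream. All four sample PDFs, including the phishing domain login.example, are constructed here for illustration and are not real-world files; the object-stream layout is simplified.

```python
"""Added example: why legal PDF features defeat naive attachment scanning.

A scanner that greps a PDF for /JavaScript or /OpenAction is evaded by
features that ISO 32000 permits: #xx escapes inside name objects and
object streams (/Type /ObjStm) whose objects live in a compressed stream.
scan() normalises both before looking for risky names; naive_scan() shows
what a byte-grep sees. Samples are constructed, not real malware.
"""
import re
import zlib

# Names that trigger actions or carry payloads when a reader opens the file.
RISKY = {"JavaScript", "JS", "OpenAction", "AA", "Launch", "URI",
         "EmbeddedFile", "SubmitForm"}

NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")              # /Name up to next delimiter
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes in a name object (ISO 32000-1, 7.3.5)."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def expand_streams(data: bytes) -> bytes:
    """Return the file plus the inflated body of every Flate-compressed stream.

    Only FlateDecode is handled here; a production scanner must also cover the
    other standard filters (LZW, ASCIIHex, ASCII85, RunLength) and filter chains.
    """
    parts = [data]
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        for candidate in (body, body.rstrip(b"\r")):   # EOL before endstream may be CRLF
            try:
                parts.append(zlib.decompress(candidate))
                break
            except zlib.error:
                continue                                 # not Flate, or truncated: skip
    return b"\n".join(parts)


def naive_scan(data: bytes) -> list:
    """What a byte-grep scanner sees: literal /Name tokens in the raw file only."""
    return sorted(n for n in RISKY if b"/" + n.encode() in data)


def scan(data: bytes) -> list:
    """Normalised scan: inflate streams, decode name escapes, then match."""
    names = {decode_name(m.group(1)) for m in NAME_RE.finditer(expand_streams(data))}
    return sorted(names & RISKY)


# --- constructed samples (not real malware) ---------------------------------
_CATALOG = b"<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"

# 1. Plain: JavaScript runs on open, names spelled out. Any scanner catches this.
PLAIN = b"%PDF-1.7\n1 0 obj\n" + _CATALOG + b"\nendobj\n%%EOF\n"

# 2. Same object, names written with #xx escapes. Readers treat them identically.
HEX_ESCAPED = (PLAIN.replace(b"/OpenAction", b"/Open#41ction")
                    .replace(b"/JavaScript", b"/J#61vaScript")
                    .replace(b"/JS", b"/J#53"))

# 3. Same object stored inside a compressed object stream (PDF 1.5+, simplified layout).
_packed = zlib.compress(b"1 0 " + _CATALOG)
OBJSTM = (b"%PDF-1.5\n2 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
          + str(len(_packed)).encode() + b" >>\nstream\n"
          + _packed + b"\nendstream\nendobj\n%%EOF\n")

# 4. No code at all: a link annotation carrying a phishing URL (constructed domain).
LINK = (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Link "
        b"/A << /S /URI /URI (http://login.example/verify) >> >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("plain", PLAIN), ("hex-escaped", HEX_ESCAPED),
                       ("object stream", OBJSTM), ("link", LINK)):
        print(f"{label:14s} naive={naive_scan(pdf)} normalised={scan(pdf)}")
```

Running it shows the byte-grep catching only the plain sample and the link, while the normalised scan reports JS, JavaScript and OpenAction for all three JavaScript variants. The link sample is the point of the surrounding text: the noisy JavaScript is what gets caught, so a lure that is only a /URI annotation pointing at a credential-harvesting page carries nothing a code-oriented scanner would object to, and the decision has to come from URL reputation or emulation of the click rather than from the file's structure.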
As with all things, when one door closes, another opens, and threat actors have been forced to shift tactics. Rather than using complex exploits, many

Weaponizing documents used by African enterprises
