Friday, October 7, 2022

Vulnerability Spotlight: Issue in Hancom Office 2020 could lead to code execution



Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable memory corruption vulnerability in Hancom Office 2020.  

Hancom Office is a popular software collection among South Korean users that offers similar products to Microsoft Office, such as word processing and spreadsheet creation and management.  

TALOS-2022-1574 (CVE-2022-33896) exists in the way the Hword word processing software processes XML files. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, triggering a memory corruption error on the software and potentially leading to remote code execution on the targeted machine.   

Thursday, October 6, 2022

Threat Source newsletter (Oct. 6, 2022) — Continuing down the Privacy Policy rabbit hole


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

As I wrote about last week, I’ve been diving a lot into apps’ privacy policies recently. And I was recently made aware of a new type of app I never knew existed — family trackers. 

There are countless mobile apps for parents to track their children or other family members based on their location, phone usage, and even driving speed. As an anxious soon-to-be-parent, this sounds intriguing to me — it’d be a supped-up version of Find my Friends on Apple devices so I’d never have to ask my teenager (granted, I’m many years away from being at that stage of my life) when they were coming home or where they were. 

Just as with all other types of mobile apps, there are pitfalls, though.  

Life360, one of the most popular of these types of apps and even tells users what their maximum driving speed was on a given trip, was found in December 2021 to be selling precise location data on its users, potentially affecting millions of people. Once that precise location data is out there, there is no telling who could eventually get a hold of it. Even if Life360 doesn’t intend to let adversaries see this information, they don’t have direct control over how those third parties handle the information once it’s sold off. 

The app’s current and updated privacy policy states that it "may also share location information with our partners, such as Cuebiq and its Partners, for tailored advertising, attribution, analytics, research and other purposes.” However, users do have the ability to opt out of this inside the app. 

There is hardware that offers this same type of tracking. Jealous, angry or paranoid spouses and parents have used Apple’s AirTags in the past to unknowingly track people, eventually to the point that Apple had to address the issue directly and provide several updates to AirTags’ security and precise location alerts to make it easier for users to find potentially unwanted AirTags on their cars or personal belongings.  

This is truthfully just an area of concern I had never considered before. Many parents would do anything for their children’s safety, which is certainly understandable. But just like personal health apps, we need to consider the security trade-offs here, too. As we’ve said before, no one truly has “nothing to hide,” especially when it comes to minors or vulnerable populations. I’m not saying using any of these apps is inherently wrong, or that AirTags do not have their legitimate purposes. But any time we welcome this software and hardware into our homes and on our devices, it’s worth considering what sacrifices we might be making elsewhere.  


The one big thing 

Microsoft warned last week of the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. 

Why do I care? 

Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.  

So now what?

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. While Microsoft continues to update their mitigations, some security researchers posit they can be bypassed. Talos has released several Snort rules to detect the exploitation of these vulnerabilities and associate malware families used in these attacks. 

 

Top security headlines from the week


More than 2 million Australians’ personal information is at risk after a data breach at telecommunications giant Optus. More than 1.2 million customers have had at least one ID number from a current and valid form of identification, along with other personal data, according to an update from the company’s CEO. Adding to the confusion, the company told many residents in New South Wales that it would need to replace their driver’s license, only to later backtrack to say that would not be the case for everyone affected. Optus says it enlisted a third party to complete a thorough review of the compromise to identify security gaps and any other potential fallout. (ABC News, Nine News

The Vice Society ransomware group leaked more than 500 GB worth of data on employees and students at the unified Los Angeles School District after the district refused to pay a requested extortion payment after a ransomware attack several weeks ago. Officials said the leak was less extensive than originally expected and limited to attendance and academic records from 2013 - 2016. The district declined to pay the ransom because there was no guarantee that the actors would not leak the information anyway. Threat actors have commonly targeted the education sector with ransomware attacks as the school year started and their networks were particularly vulnerable. (Axios, Los Angeles Times

The infamous Lazarus Group threat actor continues to ramp up its activity, recently exploiting open-source software and Dell hardware to target companies all over the globe. A recent report from Microsoft found that the group was impersonating contributors to open-source projects and injecting malicious updates for that software to users. In a separate campaign, the APT also used an exploit in a Dell firmware driver to deliver a Windows rootkit targeting an aerospace company and high-profile journalist in Belgium. Lazarus Group is known for operating with North Korean state interests, often stealing cryptocurrency or finding other ways to earn money. (Bleeping Computer, Security Affairs)  


Can’t get enough Talos? 

Upcoming events where you can find Talos 



GovWare 2022 (Oct. 18 - 20)
Sands Expo & Convention Centre, Singapore 

Sands Capital Management, Arlington, Virginia 

Most prevalent malware files from Talos telemetry over the past week  


MD5: 8c69830a50fb85d8a794fa46643493b2 
Typical Filename: AAct.exe 
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: f1fe671bcefd4630e5ed8b87c9283534 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net  
Detection Name: PUA.Win.Tool.Hackkms::1201 

MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe    
Claimed Product: N/A      
Detection Name: PUA.Win.Tool.Kmsauto::1201 

MD5: a779d230c944ef200bce074407d2b8ff 
Typical Filename: mediaget.exe 
Claimed Product: MediaGet 
Detection Name: W32.File.MalParent 

Tuesday, October 4, 2022

Developer account body snatchers pose risks to the software supply chain



By Jaeson Schultz.
  • Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research.
  • Developer account takeovers present a substantial risk to the software supply chain because attackers who successfully compromise a developer account could conceal malicious code in software packages used by others.
  • Talos analyzed several of the major software repositories to assess the level of developer account security, focusing specifically on whether developer accounts could be recovered by re-registering expired domain names and triggering password resets.
  • Many software repositories have already begun taking steps to enhance the security of developer accounts. Talos has identified additional areas where the security of developer accounts could be improved. Talos worked with vulnerable repositories to resolve issues that we found.

Software supply chain attacks, once the exclusive province of sophisticated state-sponsored attackers, have been gaining popularity recently among a broader range of cyber criminals. Attackers everywhere have realized that software supply chain attacks can be very effective, and can result in a large number of compromised victims. Software supply chain attacks more than tripled in 2021 when compared with 2020.

Monday, October 3, 2022

Researcher Spotlight: Globetrotting with Yuri Kramarz

From the World Cup in Qatar to robotics manufacturing in east Asia, this incident responder combines experience from multiple arenas 

By Jon Munshaw. 

Yuri “Jerzy” Kramarz helped secure everything from the businesses supporting the upcoming World Cup in Qatar to the Black Hat security conference and critical national infrastructure. 

He’s no stranger to cybersecurity on the big stage, but he still enjoys working with companies and organizations of all sizes in all parts of the world. 

“What really excites me is making companies more secure,” he said in a recent interview. “That comes down to a couple things, but it’s really about putting a few solutions together at first and then hearing the customer’s feedback and building from there.” 

Yuri is a senior incident response consultant with Cisco Talos Incident Response (CTIR) currently based in Qatar. He walks customers through various exercises, incident response plan creation, recovery in the event of a cyber attack and much more under the suite of offerings CTIR has. Since moving from the UK to Qatar, he is mainly focused on preparing various local entities in Qatar for the World Cup slated to begin in November. Qatar estimates more than 1.7 million people will visit the country for the international soccer tournament, averaging 500,000 per day at various stadiums and event venues. For reference, the World Bank estimates that 2.9 million people currently live in Qatar.

Friday, September 30, 2022

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server


Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

Threat Roundup for September 23 to September 30


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 29, 2022

Threat Source newsletter (Sept. 29, 2022) — Personal health apps are currently under a spotlight, but their warning signs have always been there


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve spent the past few months with my colleague Ashlee Benge looking at personal health apps’ privacy policies. We found several instances of apps that carry sensitive information stating they would share certain information with third-party advertisers and even law enforcement agencies, if necessary. 

One of the most popular period-tracking apps on the Google Play store, Period Calendar Period Tracker, has a privacy policy that states it will "share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only." 

A report from the Washington Post also released last week found that this app, as well as popular health sites like WebMD, “gave advertisers the information they’d need to market to people, or groups of consumers based on their health concerns.” 

To me — these were all things I had never considered before. I’m sure I’m not alone in just going to Google to type in “pain in left flank” or something along those lines to see if I’m dying or not. The research Ashlee and I did really make me rethink the type of information I’m inputting into apps on my phone, especially around my health.

Wednesday, September 28, 2022

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

By Chetan Raghuprasad and Vanja Svajcer.
  • Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
  • Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.
  • The attack involves a multistage and modular infection chain with fileless, malicious scripts.

Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints.

The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.

Talos discovered two attack methodologies employed by the attacker in this campaign: One in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts and another that involves the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload.

The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic.

Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads.

This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats.

Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain.

Friday, September 23, 2022

Threat Roundup for September 16 to September 23


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 16 and Sept. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, orokibot ClamAV.net.

Thursday, September 22, 2022

Threat Source newsletter (Sept. 22, 2022) — Attackers are already using student loan relief for scams


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

We’ve seen attackers capitalize on the news time and again, from COVID-19 to U.S.-North Korea relationships and, of course, holiday shopping sales every November. 

So, I was far from surprised to see that attackers are already using U.S. President Joe Biden’s student loan forgiveness plan as a basis for scams and phishing emails.  

The Better Business Bureau and the U.S. Federal Trade Commission both released warnings over the past few weeks around fake offers, scams and website links related to the debt forgiveness plan, with which some borrowers will have up to $20,000 worth of loans forgiven. 

Many of these scams, coming via phone calls, text messages and emails, are promising to provide guaranteed access to the forgiveness program or early applications for a fee. (Hint: This will not work.)