InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Microsoft has been strongly encouraging its customers to keep updating their Exchange servers, in addition to taking steps to ensure that the environment remains secured with robust security implementations.
While doing so, users can do the following things:-
Configure certificate-based signing of PowerShell serialization payloads
The number of attacks against unpatched Exchange servers will not diminish as long as those servers remain unpatched. An unpatched on-premises Exchange environment gives threat actors far too many opportunities to exfiltrate data and carry out other illegal activities.
Numerous security flaws in Exchange Server have been uncovered in the past two years, leading to widespread exploitation in some cases.
Updating Unpatched Exchange Servers
Microsoft stresses that its interim mitigations are temporary fixes that may not defend against every attack variation, so customers still need to install the security updates it provides.
Recent years have seen Exchange Server become an attractive target for attackers because numerous security vulnerabilities have been exploited as zero-day attacks to penetrate systems.
Protect your Exchange servers from exploits targeting known vulnerabilities by installing the latest supported cumulative update and the most recent security update.
The cumulative updates are available for:-
CU12 for Exchange Server 2019
CU23 for Exchange Server 2016
CU23 for Exchange Server 2013
The available security update:-
January 2023 SU
The cumulative updates and security updates for Exchange Server are cumulative, which means that only the most recent one needs to be installed.
It’s crucial to run Health Checker after installing an update to identify any manual tasks the admin still needs to carry out. Health Checker links to step-by-step guides and articles that give you all the information you need.
Always pay attention to the blog post announcements that Microsoft publishes, to keep informed of known issues and any manual actions Microsoft recommends or requires.
Make sure that you always review the FAQ before installing an update.
If you are looking for ways to inventory your servers and find out which of them need to be updated, then the Exchange Server Health Checker may help you.
Use the Exchange Update Wizard to upgrade your environment by selecting your current and target Cumulative Updates (CU) after determining the required updates.
The SetupAssist script can assist you in troubleshooting any errors that may occur during the update installation process.
Install any further updates your Exchange server(s) require so that they stay fully up to date.
Ensure to update dependent servers, such as Active Directory, DNS, and other servers utilized by Exchange, prior to installing necessary updates.
The security work needed to keep an Exchange environment secure never ends. Microsoft is, however, continually reviewing the Exchange Server update process to find ways to simplify it and make it more reliable.
According to reports, a group of hackers has launched a massive cyberattack on Israeli chemical companies operating in the occupied territories. The hackers have warned the companies’ engineers and workers to resign their positions before they suffer severe repercussions as a result of the Tel Aviv regime’s unrelenting violence against Palestinians.
“Our advice to scientists working in the chemical plants is to quit their job, hunt for a new one, and find sanctuary in a location where we are not present,” the message reads. “Leave their employment. Look for a new one. This is while we have a strong presence anyplace,” the statement sent by the Electronic Quds Force was reported by the Arabic-language television news network RT Arabic.
In addition, the statement said, “We confirm that your job in chemical factories presents a threat to your life; but, we will never hesitate to melt your bodies with chemicals the next time an act of violence is performed against Palestinians.”
Under the guise of apprehending Palestinians whom Tel Aviv considers to be “wanted,” Israeli soldiers virtually daily conduct raids in a variety of localities located inside the territory of the West Bank that is now under Israeli occupation. The raids almost always result in violent clashes between law enforcement and locals.
Israel has significantly stepped up its assaults on Palestinian villages and cities throughout the whole of the territory it occupies during the last several months. As a direct consequence of these assaults, the lives of dozens of Palestinians have been taken, and many more have been taken into custody.
According to the United Nations, 2022 was the deadliest year for Palestinians living in the West Bank in the previous 16 yearsâ worth of data.
After a group of pro-Palestinian hackers from Bangladesh took the websites of two commercial Israeli ports offline several weeks earlier, the websites of four major ports in the Israeli-occupied territories were taken offline by a massive cyber attack carried out by a group of Iraqi hackers at the end of August of last year.
It was stated by Sabereen News, a Telegram news channel affiliated with the Iraqi Popular Mobilization Units (PMU) or Hashd al-Sha’abi, that a hacking gang calling itself “ALtahrea Team” knocked down the websites of the ports of Jaffa, Haifa, Acre, and Eilat on August 31.
Back on August 8, ALtahrea Team carried out a large cyber assault on hundreds of Israeli websites, one of which was the website of the municipality of the city of Sderot, which is located in the western part of the Negev.
In recent years, speaking to voice interfaces has become a normal part of our lives. We interact with voice-enabled assistants in our cars, smartphones, smart devices and during telephone banking. More banks around the globe are using voice biometrics. In banks, voice biometrics technology is used to match personal voice patterns and verify the customer’s identity in seconds using just their voice. To identify a customer, the voice biometrics technology captures the customer’s voice and compares the captured voice characteristics to the characteristics of a previously created voice pattern. If the two match, the voice biometrics software confirms that the customer speaking is the same as the customer registered against the voice pattern. Once the customer has created their voice authentication pattern, when they dial the bank they just type their account, customer ID or card number and repeat the phrase “My voice is my password” or “My voice is my signature.” Customers can then access their telephone banking account, where they can make transactions more securely.
According to the banks’ own websites, voice biometrics is very secure and, like a fingerprint, the voice is unique. But threat actors can use voice biometric spoofing attacks, also known as voice cloning or deep fakes, to break into people’s bank accounts. These presentation attacks use recorded voice, computer-altered voice, or synthetic (cloned) voice to fool the voice biometric system into believing it hears the real, authorized user, so that it grants access to sensitive information and accounts. In simple words, they clone the voice of bank customers by artificially simulating a customer’s voice.
According to Atul Narula, a cyber security expert, today’s AI systems are capable of generating synthetic speech that closely resembles a targeted human voice. In some cases, the difference between the real and fake voice is imperceptible. Threat actors not only target public figures including celebrities, politicians and business leaders; the reality is they can target anyone who has a bank account. They can use online videos, speeches, conference calls, phone conversations and social media posts to gather the data needed to train a system to clone a voice.
Cyber criminals are using a new breed of phishing scam that exploits the victim’s belief that they are talking to someone they trust. Last year, a UK-based CEO was tricked into transferring more than $240,000 based on a phone call that he believed was from his boss. These cyber criminals, armed with voice clones, are using phone calls and voicemail. And the attacks aren’t just threatening businesses: in a new breed of the “grandma scam”, cyber criminals pose as family members who need emergency funds.
Cyber criminals have started using deep fake voices to spread misinformation and fake news. Imagine somebody publishing a fake voice call of a public figure to sway public opinion, or consider how manipulated executive or public figure statements could affect the stock market. Recently some people appeared to be using deepfake technology to imitate members of the Russian political class, mainly from the opposition to Vladimir Putin’s government, to make fake video calls to representatives of European parliaments.
Deepfakes are also being used to create fake evidence that impacts criminal cases, and to blackmail people with manipulated video and audio showing them doing or saying things they never did or said.
HOW DEEP FAKE VOICE CLONING IS DONE?
Today, artificial intelligence and deep learning are advancing the quality of synthetic speech. With as little as a few minutes of recorded sample voice, developers can train an AI voice model that can read any text in the target’s voice.
According to Atul Narula, a cyber security expert from International Institute of Cyber Security, there are a variety of AI tools which enable virtually any voice to be cloned. Some of these are:
SV2TTS Real Time Voice Cloning, Resemblyzer and WaveRNN
There are some good free tools like Real Time Voice Cloning, Resemblyzer and WaveRNN which allow voice cloning with pre-trained models. While these can be used to generate speech from arbitrary text in one of a few hundred voices, they can also be fine-tuned to generate speech in an arbitrary voice from arbitrary text.
Resemble.AI
Allows custom AI Generated voices from a speech source. It creates realistic text to speech voices with AI with just 5 minutes of sample voice. You can try it for free.
iSpeech
It is a high quality text to speech and speech recognition tool. You can generate anybody’s voice in 27 languages.
Vera Voice
It uses machine-learning technology to create super realistic voice clones of any person. They claim that they need just an hour of audio data to train neural networks to generate a new voice.
Google’s Tacotron and WaveNet
These systems from Google can generate speech that mimics any human voice and sounds more natural. They need text and sample voice data to generate a human-like voice.
Although voice samples are difficult to obtain, cyber criminals use social media to obtain them.
It’s important to note that these tools were not created for the purpose of fraud or deception, mentions Atul Narula. But the reality is that businesses and consumers need to be aware of the new threats associated with online AI voice cloning software.
Banks are forcing customers to activate voice biometrics. Banks use different phrases, like “my voice is my password” or “my voice is my signature”. To verify their identity, users have to enter their account number, Customer ID or 16-digit card number and then their voice authentication phrase. An account number is effectively public: it is printed in the cheque book, and with a little social engineering a threat actor can simply ask for it under the pretext of depositing some money, which people will happily provide.
There are three scenarios that someone can use to hack into the voice authentication systems used by many banks.
In the first scenario, someone calls you to sell something and steers you into saying certain words during the call, such as “Yes”, “My Voice”, “Signature”, “Password”, “Username”, “No”, and the name of your bank. Later they stitch the phrase together from those words and play the recording during the telephone banking call.
In the second scenario, someone calls you and asks you to repeat the entire phrase “my voice is my signature”, then later plays the recording during the telephone banking call.
In the third scenario, someone calls you, records a sample of your voice and, using the deep fake AI tools mentioned above, generates the complete phrase or the missing words. These tools are not perfect yet, but they can generate a voice similar to yours, and with a sample of just a few minutes they can generate the phrase.
Using these three scenarios, a cyber security expert from International Institute of Cyber Security recorded a call and later, with the help of audio editing software, created the entire phrase. He then played the recorded audio during a telephone banking call. Using this technique he was easily able to break into banks’ telephone banking sessions. He used the same technique to generate the English and Spanish phrases. It seems voice authentication systems are vulnerable to voice cloning attacks, and threat actors could break into anybody’s account just by having the account number or customer ID and using some social engineering to perform any of the scenarios mentioned before. See the video to see the POC.
IS IT POSSIBLE TO DETECT VOICE CLONING?
Mariano Octavio, a cyber security investigator, mentions that voice cloning technology is not an evil technology. It has many positive and exciting use cases, like:
Education: Cloning the voices of historical figures offers new opportunities for interactive teaching and dynamic storytelling in museums.
Audiobooks: Celebrity voices can be used to narrate books and historical figures can tell their stories in their own voices.
Assistive Technology: Voice cloning can be used to assist persons with disabilities or health issues that impact their speech.
According to Jitender Narula, a cyber security expert from International Institute of Cyber Security, voice anti-spoofing, also called voice liveness detection, is a technology capable of distinguishing between live voice and voice that is recorded, manipulated or synthetic.
For advanced voice biometrics, interactive liveness detection is used: the person is asked to say a randomly generated phrase. The current capabilities of neural networks allow interactive liveness detection to be bypassed.
Experts understand the risks associated with biometric systems and are beginning to resort to a multimodal approach, in which several types of biometrics are embedded in the identification system, such as facial recognition combined with voice recognition.
But it seems banks don’t have this technology, as the voice authentication used by many banks can be hacked as shown in the video.
Atul Narula mentions that there are a lot of risks associated with biometric authentication. Companies and financial institutions need to focus on the development of advanced deep fake detection solutions. On the other hand, we should focus on raising awareness and educating social media users about the risks associated with deepfake technology.
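To make the replay problem concrete, here is an added illustration (not any bank's code, and not from the article) comparing the static-passphrase check described above with the interactive liveness check: a random, single-use phrase that expires. Voiceprints are constructed feature vectors compared by cosine similarity, and the threshold, word list and 30-second window are assumptions; a real system would extract features from audio and tune these per deployment.

```python
"""Toy telephone-banking voice check comparing a fixed passphrase with a random challenge.
Added illustration, not any bank's code. Voiceprints are constructed feature vectors;
a real system would extract them from audio and thresholds would be tuned per deployment.
"""
import math
import secrets

WORDS = ["river", "copper", "lantern", "meadow", "orbit", "velvet", "saddle", "granite"]
MATCH_THRESHOLD = 0.95      # assumed cosine-similarity threshold for a voiceprint match
CHALLENGE_TTL_SECONDS = 30  # assumed window in which the issued phrase must be spoken


def cosine(a, b):
    """Cosine similarity between two equal-length feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm


class FixedPhraseVerifier:
    """Accepts a caller whose voiceprint matches and whose transcript is the static phrase."""
    PHRASE = "my voice is my password"

    def __init__(self, enrolled):
        self.enrolled = enrolled  # account_id -> enrolled voiceprint

    def verify(self, account_id, transcript, voiceprint):
        ref = self.enrolled.get(account_id)
        return (ref is not None and transcript == self.PHRASE
                and cosine(ref, voiceprint) >= MATCH_THRESHOLD)


class ChallengeVerifier:
    """Issues a random phrase per attempt; it must be spoken back in time and is consumed on first use."""

    def __init__(self, enrolled, now):
        self.enrolled = enrolled
        self.now = now            # injectable clock (seconds) so expiry can be exercised
        self.pending = {}         # account_id -> (phrase, expires_at)

    def issue_challenge(self, account_id):
        phrase = " ".join(secrets.choice(WORDS) for _ in range(4))
        self.pending[account_id] = (phrase, self.now() + CHALLENGE_TTL_SECONDS)
        return phrase

    def verify(self, account_id, transcript, voiceprint):
        challenge = self.pending.pop(account_id, None)  # single use, even if the attempt fails
        if challenge is None:
            return False
        phrase, expires_at = challenge
        if self.now() > expires_at or transcript != phrase:
            return False
        ref = self.enrolled.get(account_id)
        return ref is not None and cosine(ref, voiceprint) >= MATCH_THRESHOLD


# Constructed data: the enrolled voiceprint, and a recording of the customer saying the
# static phrase captured on a pretext call (the second scenario in the text).
ENROLLED = {"acct-1001": [0.9, 0.1, 0.4, 0.3]}
REPLAYED_RECORDING = ("my voice is my password", [0.88, 0.12, 0.41, 0.29])


def replay_against_fixed_phrase():
    """The recording is exactly what the static verifier expects, so replay succeeds."""
    return FixedPhraseVerifier(ENROLLED).verify("acct-1001", *REPLAYED_RECORDING)


def replay_against_challenge():
    """Same recording against a random challenge: the transcript cannot match the issued phrase."""
    v = ChallengeVerifier(ENROLLED, now=lambda: 1000.0)
    v.issue_challenge("acct-1001")
    return v.verify("acct-1001", *REPLAYED_RECORDING)


def honest_challenge_round(delay_seconds=0.0):
    """A live caller repeats the issued phrase after delay_seconds; returns the verdict."""
    clock = [1000.0]
    v = ChallengeVerifier(ENROLLED, now=lambda: clock[0])
    phrase = v.issue_challenge("acct-1001")
    clock[0] += delay_seconds
    return v.verify("acct-1001", phrase, ENROLLED["acct-1001"])


def challenge_is_single_use():
    """After one attempt the phrase is gone, so a second submission is refused."""
    clock = [1000.0]
    v = ChallengeVerifier(ENROLLED, now=lambda: clock[0])
    phrase = v.issue_challenge("acct-1001")
    first = v.verify("acct-1001", phrase, ENROLLED["acct-1001"])
    second = v.verify("acct-1001", phrase, ENROLLED["acct-1001"])
    return first and not second
```

The random phrase defeats a replayed recording because the transcript no longer matches, and the expiry plus single-use rule stops a captured answer from being reused. As the text notes, it does not stop a cloned voice that can speak the challenge live, which is why the multimodal approach and synthetic-speech detection are still needed.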
One of the most dominating threats in the current cyberspace era is ransomware which is constantly affecting organizations of all sizes. In order to cast a wider net of potential targets, attackers are constantly changing their tactics and expanding their tradecraft to make sure that they are successful.
As a result of ransomware attacks, a wide range of industries, systems, and platforms are being affected. To protect today’s hybrid devices and working environments, it is vital to understand how ransomware works across these systems and platforms.
In contrast to other platforms, Mac ransomware tends to rely substantially on user assistance such as downloading and running fake applications or trojanized programs to infect computers.
Unveiling the TTPs of Ransomware
During ransomware campaigns, the attackers typically gain access to a target device, execute the malware, encrypt the files belonging to the target, and inform the target of a ransom demand and request for payment.
The following steps are taken by malware creators in order to accomplish these objectives:-
Abuse legitimate functionality
Devise various techniques to exploit vulnerabilities
Evade defenses
Force users to infect their devices
Microsoft analyzed the following four Mac ransomware families:-
KeRanger
FileCoder
MacRansom
EvilQuest
Technical Analysis
Ransomware must decide which files to encrypt in order to be most effective. Based on Microsoft’s observations, ransomware families enumerate files and directories on Mac in several different ways:-
Using the find binary
Using library functions opendir, readdir, and closedir
Using the NSFileManager class through Objective-C
The primary goal of malware creators is to prevent or evade the analysis of files by either the human analyst or an automated analysis system.
The ransomware families discussed above either employ hardware-based checks to avoid running inside an analysis environment, or include code written specifically to hinder analysis.
As far as hardware-based checks are concerned, they are the following:-
Checking a device’s hardware model
Checking the logical and physical processors of a device
Checking the MAC OUI of the device
Checking the device’s CPU count and memory size
Among the checks related to the code are the following:-
Delayed execution
PT_DENY_ATTACH (ptrace)
P_TRACED flag
Time-based check
It is quite common for malware to use persistence to make sure it continues to run even after the system has been restarted.
The EvilQuest and MacRansom ransomware families, among the Mac ransomware families that have been analyzed, have both utilized persistence techniques.
These malware families therefore use a variety of persistence techniques to maintain their presence on the system, namely:-
Creating launch agents or launch daemons
Using kernel queues
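Launch agents and daemons are plain property lists, so the persistence technique listed first is also the easiest to audit. The following script is an added example (not Microsoft's tooling and not from the analysis above) that parses launch item plists with the standard-library plistlib module and flags the traits that separate malware persistence from a vendor updater: a program outside the usual install locations, a program in a hidden directory, and RunAtLoad combined with KeepAlive. The trusted-prefix allowlist and both sample plists are constructed for the demo.

```python
"""Audit macOS launch agent/daemon plists for persistence indicators.
Added example, not Microsoft's tooling. Sample plists are written to a temp
directory so the script runs anywhere; on a real Mac, point scan_directory at
~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.
"""
import os
import plistlib
import tempfile

# Assumed allowlist: where a legitimate launch item's program normally lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/", "/Applications/", "/opt/")


def program_path(plist):
    """Return the executable a launch item runs, from Program or ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious_reasons(plist):
    """Return the reasons a launch item looks like malware persistence (empty if none)."""
    reasons = []
    path = program_path(plist)
    if path is None:
        return ["no program specified"]
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {path}")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("program lives in a hidden directory")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunches if killed)")
    return reasons


def scan_directory(directory):
    """Parse every .plist in directory; return {label: reasons} for flagged items only."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except plistlib.InvalidFileException:
                findings[name] = ["unparseable plist"]
                continue
        reasons = suspicious_reasons(plist)
        if reasons:
            findings[plist.get("Label", name)] = reasons
    return findings


# Constructed samples: a benign vendor updater and an item mimicking malware persistence.
SAMPLE_ITEMS = {
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"],
        "StartInterval": 3600,
    },
    "com.example.system-helper.plist": {   # innocuous label; the path gives it away
        "Label": "com.example.system-helper",
        "ProgramArguments": ["/Users/alice/Library/.cache/system-helper"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def write_samples(directory):
    """Write the constructed plists so scan_directory has something to read."""
    for name, content in SAMPLE_ITEMS.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(content, fh)


def demo():
    """Run the scan over the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(label, "->", "; ".join(reasons))
```

Only the look-alike item is reported, with three reasons; the updater under /Library passes. A real audit would also compare each program's code signature and hash against a known-good inventory, which the sample deliberately leaves out.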
There are often similarities in the anti-analysis and persistence techniques of the ransomware families that we have analyzed. There is, however, a difference in the encryption logic between these ransomware families.
Files are usually encrypted with a combination of AES and RSA, while some families use other techniques such as system utilities, XOR routines, or custom algorithms.
The methods for encrypting data range from patching the file in place to deleting the original file and creating a new one in its place. As part of its in-memory execution, EvilQuest uses the following APIs:-
NSCreateObjectFileImageFromMemory: creates an object file image from data present in memory
NSLinkModule: links the object file image
NSLookupSymbolInModule: looks up a specific symbol
NSAddressOfSymbol: returns the address of the symbol
Recommendation
Defenders can mitigate the impact of ransomware attacks by taking the following steps:-
Do not install apps from sources other than the official app store of the software platform.
Protect privileged resources by restricting access to them.
Use a web browser that supports Microsoft Defender SmartScreen, such as Microsoft Edge.
Keep your operating system and applications up-to-date by installing the latest versions of them.
On your Mac, make sure you are running Microsoft Defender for Endpoint.
This recent phishing campaign tricks victims by using Facebook posts in its chain of attacks. The emails sent to the targets made it appear as though one of the recipients’ Facebook posts violated copyright, and they threatened to remove their accounts if no appeal was made within 48 hours.
Phishing email message
“The content of this Facebook post appears legitimate because it uses a dummy ‘Page Support’ profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain”, according to Trustwave.
Here the Facebook post pretends to be “Page Support,” using a Facebook logo to appear as if the company manages it.
Facebook post masqueraded as a support page
Clicking the link in the post leads to the main phishing URL, hxxps://meta[.]forbusinessuser[.]xyz/main[.]php, which resembles Facebook’s copyright appeal page.
Any data that victims enter into the form and submit with the send button, along with the victim’s client IP and geolocation data, is forwarded to the attackers.
The threat actors may also gather this extra data to get past fingerprinting protections or security questions when they later access the victim’s Facebook account.
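The tell in this campaign is that a page styled as Facebook's appeal form sits on a domain Facebook does not own. The script below is an added example (not Trustwave's tooling) that takes a link exactly as a report defangs it, restores it, extracts the hostname and decides whether the registrable domain belongs to the brand or merely borrows its name. The allowlist, brand tokens and the two control links are assumptions for the demo; the first sample link is the indicator from the report, and the naive last-two-labels domain rule stands in for a Public Suffix List lookup.

```python
"""Classify links in 'copyright violation' notices as legitimate, lookalike or unrelated.
Added example, not Trustwave's tooling. Accepts defanged indicators (hxxps, [.]).
"""
import re
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"facebook.com", "fb.com", "meta.com"}   # assumed allowlist of brand domains
BRAND_TOKENS = ("facebook", "meta", "fb")                # strings phishers borrow for hostnames


def refang(indicator):
    """Turn a defanged IoC back into a parseable URL (hxxps:// or hxxps:/ both accepted)."""
    url = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?):/+", r"http\1://", url, flags=re.IGNORECASE)


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(indicator):
    """'legitimate' if the registrable domain is the brand's, 'lookalike' if only the
    hostname borrows a brand token, 'unrelated' otherwise, 'unparseable' if no host."""
    host = urlsplit(refang(indicator)).hostname or ""
    if not host:
        return "unparseable"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    if any(tok in label for label in host.split(".") for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


# Constructed sample: the indicator from the report plus two control links.
SAMPLE_LINKS = [
    "hxxps://meta[.]forbusinessuser[.]xyz/main[.]php",
    "https://www.facebook.com/help/",
    "https://example.org/appeal",
]


def flag_links(links):
    """Return (link, verdict) for every link that is not on a brand-owned domain."""
    return [(link, classify(link)) for link in links if classify(link) != "legitimate"]


if __name__ == "__main__":
    for link, verdict in flag_links(SAMPLE_LINKS):
        print(f"{verdict:10s} {link}")
```

The report's indicator is classed as a lookalike because "meta" appears as a hostname label while the registrable domain is forbusinessuser.xyz. Substring matching on brand tokens will also catch unrelated names that happen to contain them, so treat "lookalike" as a triage signal rather than a verdict.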
The victim is then redirected to the next phishing website, where a false 6-digit one-time password (OTP) request with a timer is displayed.
Phishing page with OTP request
Any code entered by the victim will fail, and if the “Need another way to authenticate?” button is pressed, the site redirects to the real Facebook site.
According to Trustwave, multiple Facebook profiles carry fake messages that look like support pages and direct users to phishing websites.
Various Facebook accounts promoting the same fake alerts
These fake Facebook “Violation” notifications therefore use real Facebook pages to redirect to external phishing sites. Users are urged to take extreme caution when receiving such violation alerts and not to be taken in by the initial links’ seeming legitimacy.
This is not the first time threat actors have used drivers signed by Microsoft in their operations, as we know it, and it seems that putting a stop to this practice has not been an easy task for Microsoft.
Remember when, in 2021, a report surfaced that revealed Microsoft had signed a driver called Netfilter, and later it turned out it contained malware? Well, it has happened again, but on a larger scale.
Sophos X-Ops Rapid Response (RR) recently discovered evidence that threat actors potentially belonging to the Cuba ransomware gang used malicious hardware drivers certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack.
Drivers, the software that allows operating systems and apps to access and communicate with hardware devices, require highly privileged access to the operating system and its data, which is why Windows requires drivers to bear an approved cryptographic signature before allowing them to load.
However, cybercriminals have long since found ways to exploit vulnerabilities in existing Windows drivers from legitimate software publishers, and they try to move progressively up the trust pyramid, using increasingly well-trusted cryptographic keys to digitally sign their drivers.
Sophos, along with researchers from Google-owned Mandiant and SentinelOne, warned Microsoft about these signed malicious drivers, which were being planted on targeted machines using a variant of the BurntCigar loader utility. The loader and the drivers then worked in tandem to kill processes associated with antivirus (AV) and endpoint detection and response (EDR) products.
“Ongoing Microsoft Threat Intelligence Center analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” Microsoft said in an advisory published as part of its monthly scheduled release of security patches, known as Patch Tuesday.
Left: a valid signature identified by Mandiant. Right: a valid signature identified by Sophos.
Microsoft concluded its investigation by stating that “no compromise has been identified,” and proceeded to suspend the partners’ seller accounts. It also released Windows security updates to revoke the abused certificates.
Mandiant’s report is available here. In SentinelOne’s blog post, the security firm reported that it had seen several attacks in which a threat actor used malicious signed drivers to evade security products, which usually trust components signed by Microsoft.
The threat actors were observed to be targeting organisations in the business process outsourcing (BPO), telecommunications, entertainment, transportation, MSSP, financial and cryptocurrency sectors and in some instances, SIM swapping was the end goal.
Code signing overview
Cuba Ransomware group was identified to be involved in gaining $60 million from attacks against 100 organisations globally, according to a joint advisory earlier this month from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
The advisory also included warnings regarding the ransomware group which has been active since 2019 and continues to attack US entities in critical infrastructure, including financial services, government facilities, healthcare and public health, and critical manufacturing and information technology.
ThreatFabric’s security researchers have reported a new dark web platform through which cybercriminals can easily add malware to legitimate Android applications.
Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of Windows and Android malware, including Android banking malware like Ermac, the Laplas “clipper,” Erbium, and the Aurora stealer.
This comes just days after a new dark web marketplace called InTheBox surfaced online, serving smartphone malware developers and operators.
Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.
According to ThreatFabric’s blog post, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.
The campaign is designed to look as if it helps users access internet hotspots by imitating a WiFi authorization portal. In reality, it pushes several different malware strains.
What does Zombinder Do?
In the campaign detected by ThreatFabric’s researchers, the service is distributing the Xenomorph banking malware disguised as the VidMate app. It is distributed via modified apps advertised on, and downloaded from, a malicious website mimicking the application’s original website. The victim is lured to this site via malicious ads.
The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.
At the moment, Zombinder is focusing entirely on Android apps, but the service operators also offer Windows app binding. Those who downloaded the infected Windows app were delivered the Erbium stealer as well, an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.
It is worth noting that the malicious website’s landing page has two download buttons, one for Windows and the other for Android. When a user clicks the Download for Windows button, they receive malware designed for Microsoft’s operating system, including Aurora, Erbium, and the Laplas clipper. Conversely, the Download for Android button distributes the Ermac malware.
How to Stay Protected?
If you want to stay safe, do not sideload apps, even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as the Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating and reviews, and check out the app developer’s website before installing a new app.
Pwn2Own Toronto 2022 Day Two: participants demonstrated exploits for a smart speaker, smartphone, printer, router, and NAS.
On the first day of the Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition, participants earned $400,000 for 26 unique zero-day exploits.
On the second day of the competition, participants earned a further $281,000 for smart speaker, smartphone, printer, router, and NAS exploits.
Researchers from the Qrious Secure team used two flaws to execute an attack against the Sonos One Speaker, earning $60K and 6 Master of Pwn points.
STAR Labs team also hacked the Sonos One Speaker in the Smart Speaker category using one unique bug and another previously known bug. The team earned $22,500 and 4.5 Master of Pwn points.
The Bugscale team demonstrated an exploit against the Synology router and HP Printer using one unique bug and another previously known flaw. The team earned $37,500 and 7.5 Master of Pwn points.
The researchers from Interrupt Labs executed an improper input validation attack against the Samsung Galaxy S22 in the Mobile Phone category. The team earned $25K and 5 Master of Pwn points.
The researcher Luca Moro was awarded $40,000 for a Classic Buffer Overflow attack against the WD My Cloud Pro Series PR4100 in the NAS category.
In what is becoming a rather common trend, a threat actor is claiming to sell 487 million WhatsApp users’ mobile phone numbers on a popular hacking community forum which surfaced as an alternative to the popular and now-seized RaidForums.
The 2022 database is said to contain WhatsApp user data from 84 countries with Egypt having the largest chunk of stolen phone numbers (45 million), Italy with 35 million, and the US with 32 million.
The complete list of countries is included in the original report by Cybernews, which also contains the exact number of entries up for sale. According to the threat actor, they are willing to sell the US dataset for $7000, the UK one for $2500, and the German one for $2000.
Upon being requested, the threat actor also shared a sample of data with researchers who then confirmed that the numbers included in the sample were in fact WhatsApp users. The exact sample contained 1097 UK and 817 US mobile numbers.
The seller did not reveal their process for obtaining the database and simply said they “used their strategy” to collect the data. Whatever the method used, the damage that can be caused by this leakage should not be taken lightly.
Such data is readily bought by attackers to use for smishing and vishing attacks. It is advised that you cautiously interact with unknown calls, unsolicited calls, and messages. Impersonation and fraud are also common worries associated with mobile number leakage.
Meta has refused to comment on this for now, while in their report, Cybernews speculates that this information could have been obtained by harvesting information at scale, also known as scraping, which violates WhatsApp’s Terms of Service.
However, Hackread.com can confirm that, at the time of writing, the listing was deleted from the hacker forum. Another listing was published in which another threat actor is claiming to sell details of WhatsApp users.
Just under two months ago, some worrying bug news broke: a pair of zero-day vulnerabilities were announced in Microsoft Exchange.
As we advised at the time, these vulnerabilities, officially designated CVE-2022-41040 and CVE-2022-41082:
[were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself.
The first vulnerability was reminiscent of the troublesome and widely-abused ProxyShell security hole from back in August 2021, because it relied on dangerous behaviour in Exchange's Autodiscover feature, described by Microsoft as a protocol that is "used by Outlook and EAS [Exchange ActiveSync] clients to find and connect to mailboxes in Exchange".
Fortunately, the Autodiscover misfeature that could be exploited in the ProxyShell attack by any remote user, whether logged-in or not, was patched more than a year ago.
Unfortunately, the ProxyShell patches didn't do enough to close off the exploit to authenticated users, leading to the new CVE-2022-41040 zero-day, which was soon laconically, if misleadingly, dubbed ProxyNotShell.
The Worok threat infects victims' computers with information-stealing malware by concealing the malware within PNG images with the help of steganography, which makes it very difficult for malware scanners to detect.
According to the experts at Avast, the finding confirms one of the most crucial links in the threat actor's infection chain. The threat actors use these malicious PNG images to conceal a payload that facilitates information theft under the guise of an ordinary image.
In the past couple of months, ESET has been revealing details of attacks that Worok has been launching against several high-profile companies and local government agencies in the following regions:-
Middle East
Southeast Asia
South Africa
There are tactical overlaps between Worok and a Chinese threat actor known as TA428 that is believed to be sharing similar tactics.
Compromise Chain
Worok's compromise chain uses steganography, a technique that hides scripts within PNG images, and starts with a C++-based loader known as "CLRLoad."
As of right now, we do not know what vector was used in the initial attack. As part of certain intrusions, the malware was also deployed on Microsoft Exchange Server by exploiting the ProxyShell vulnerability.
A custom malicious kit was then deployed by the attackers using publicly available exploit tools that were available for free. Therefore, the final compromise chain can be summarized as follows:-
First, CLRLoad runs; its simple code loads PNGLoad, the second stage in the process.
PNGLoad, which decodes the malicious code embedded within the image, comes in two different variants, each of which launches one of the following payloads:-
PowerShell script
.NET C#-based
The PowerShell script has been difficult to recover. The researchers have, however, recently discovered a new malware called DropboxControl, spyware that steals information from the system and provides the threat actor with the ability to upload files, download files, and run commands contained in specific files.
Malware in PNG Files
When the image is opened in an image viewer, it appears to be a normal image file despite the steganographic code hidden within it.
The malicious code is embedded in the least significant bits of each pixel in the image using a technique known as "least significant bit" (LSB) encoding.
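To make the LSB mechanism concrete, here is an added example (written for this page, not code from Avast or from the Worok toolkit): it hides a constructed stand-in payload in the low bit of each colour channel of a constructed pixel array, reads it back, shows that no channel moved by more than 1, and then runs a simplified pairs-of-values statistic of the kind used in Westfeld and Pfitzmann's chi-square attack, which is one way a defender can notice that an image's low bits look injected rather than natural. The image, the payload and the 0.5 threshold are all assumptions made for the example.

```python
"""
Added example (not Avast's or the article's code): a least-significant-bit
(LSB) round trip on constructed pixel data, plus a simplified pairs-of-values
check that a defender can run over a pixel plane to spot embedded low bits.
"""
from typing import List, Tuple

Pixel = Tuple[int, int, int]

# Constructed stand-in for a hidden payload; not the real Worok C# stage.
SAMPLE_PAYLOAD = b"// constructed C# payload stub\n" * 49


def make_cover(width: int = 64, height: int = 64) -> List[Pixel]:
    """Constructed cover image: a smooth gradient using only even values, so
    the LSB plane is all zeros before anything is hidden in it."""
    px = []
    for y in range(height):
        for x in range(width):
            v = 2 * ((x + y) % 100) + 40          # even values 40..238
            px.append((v, v, min(v + 2, 254)))
    return px


def _bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Write a length-prefixed payload into the LSB of each colour channel.
    Each channel changes by at most 1/255, which is why the image still looks
    normal in a viewer."""
    framed = len(payload).to_bytes(4, "big") + payload
    channels = [c for px in pixels for c in px]
    if len(framed) * 8 > len(channels):
        raise ValueError("cover too small for payload")
    for idx, bit in enumerate(_bits(framed)):
        channels[idx] = (channels[idx] & 0xFE) | bit
    return [tuple(channels[i:i + 3]) for i in range(0, len(channels), 3)]


def lsb_extract(pixels: List[Pixel]) -> bytes:
    """Read the 4-byte length prefix, then that many bytes, from the LSB plane."""
    channels = [c for px in pixels for c in px]

    def read_bytes(count: int, bit_offset: int) -> bytes:
        out = bytearray()
        for b in range(count):
            val = 0
            for i in range(8):
                val = (val << 1) | (channels[bit_offset + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)

    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel change between two images (1 for pure LSB embedding)."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def pov_imbalance(pixels: List[Pixel]) -> float:
    """Simplified pairs-of-values statistic: LSB embedding of random-looking
    data pushes the counts of each value pair (2k, 2k+1) toward equality.
    Returns sum |n_2k - n_2k+1| / N, so 1.0 means no pair is balanced and
    values near 0 mean every pair is."""
    counts = [0] * 256
    total = 0
    for px in pixels:
        for c in px:
            counts[c] += 1
            total += 1
    return sum(abs(counts[2 * k] - counts[2 * k + 1]) for k in range(128)) / total


if __name__ == "__main__":
    cover = make_cover()
    stego = lsb_embed(cover, SAMPLE_PAYLOAD)
    assert lsb_extract(stego) == SAMPLE_PAYLOAD
    print("max channel change:", max_channel_delta(cover, stego))
    print("PoV imbalance cover:", round(pov_imbalance(cover), 3),
          "stego:", round(pov_imbalance(stego), 3))
```

On a real photograph the cover's low bits are already noisy, so the statistic is applied progressively over the file rather than once; the constructed all-even cover simply makes the before/after contrast obvious.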
No matter how the third-stage implant is deployed, it is clear that Worok has intelligence-gathering objectives that go beyond simply harvesting files of interest.
The tools used in Worok attacks are not circulating in the wild, so it is likely that the group uses these tools exclusively to conduct its own attacks.
Indicators of Compromise
PNG file with steganographically embedded C# payload
As part of the criminal case against a former student of the University of Puerto Rico (UPR), a judge in Puerto Rico sentenced him to serve 13 months in federal prison.
The former student, Iván Santell-Velázquez (aka Slay3r_r00t), was accused of hacking the email and Snapchat accounts of more than a dozen of the university's female students.
On July 13, Ivan pled guilty to being a cyberstalker, admitting that he had targeted over 100 students in his online campaign. He also engaged in other schemes to steal information such as using spoofing and phishing.
He was accused of harassing women and, in some cases, publishing nude pictures that he had stolen from them between 2019 and 2021.
Apart from hacking student email accounts, he also managed to get access to multiple university email accounts by spoofing and phishing attempts through which he gathered personal information.
Students Data Stolen
The defendant, Iván Santell-Velázquez, targeted 15 female students in total at the University of Puerto Rico. A victim of cyberstalking may experience a significant amount of emotional distress as a result of it.
"The prosecution of cyber criminals is a top priority in the Justice Department. Cybercrimes not only cause financial losses to corporate victims but also result in financial and psychological harm to vulnerable victims, oftentimes children or the elderly. This conduct will not be tolerated."
"This case also demonstrates the importance of safeguarding personal information and passwords, and the care we must take when responding to suspicious e-mails and text messages."
As a result of his crimes, Iván Santell-Velázquez was sentenced by U.S. District Court Judge Silvia Carreño Coll to 13 months of imprisonment followed by 2 years of supervised release for cyberstalking.
The cybersecurity company Kaspersky detected almost 900 servers compromised by sophisticated attackers leveraging a critical Zimbra Collaboration Suite (ZCS) vulnerability, which at the time was a zero-day that went without a patch for nearly 1.5 months.
"We investigated the threat and were able to confirm that unknown APT groups have actively been exploiting this vulnerability in the wild, one of which is systematically infecting all vulnerable servers in Central Asia," Kaspersky said.
Zimbra Collaboration Suite (ZCS) Vulnerability
The vulnerability, tracked as CVE-2022-41352, is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell on the ZCS server while, at the same time, bypassing antivirus checks.
Kaspersky researchers say that various APT (advanced persistent threat) groups actively exploited the flaw soon after it was reported on the Zimbra forums.
Reports say a proof of concept for this vulnerability was added to the Metasploit framework, laying the groundwork for massive and global exploitation from even low-sophistication attackers.
Patch Available for the Vulnerability
Zimbra released a patch for this vulnerability in ZCS version 9.0.0 P27, replacing the vulnerable component (cpio) with Pax and removing the weak part that made exploitation possible. Hence, update your servers immediately.
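The root cause described above is an archive extractor that trusts the paths stored inside an attacker-supplied archive. As an added example (not Zimbra's, Kaspersky's or the article's code), the following pre-extraction check lists every archive member that would land outside the intended directory: traversal with `..`, absolute paths, and links whose target escapes. It uses Python's tar writer as a stand-in for the cpio format named in the article, and the archive, the extraction directory `/tmp/extract` and the "hypothetical-webroot" member name are all constructed for the example.

```python
"""
Added example (not Zimbra's or Kaspersky's code): reject archive members that
could write outside the extraction directory before extracting anything.
tar is used in place of cpio because the standard library can build one in
memory; the path checks are format-independent.
"""
import io
import posixpath
import tarfile
from typing import List


def escapes(base: str, member_name: str) -> bool:
    """True if member_name would resolve outside base once extracted."""
    if posixpath.isabs(member_name):
        return True
    target = posixpath.normpath(posixpath.join(base, member_name))
    return not (target == base or target.startswith(base.rstrip("/") + "/"))


def unsafe_members(archive: tarfile.TarFile, base: str = "/tmp/extract") -> List[str]:
    """Names of members that must not be extracted: path traversal, absolute
    paths, or symlinks/hardlinks whose target escapes the extraction directory."""
    base = posixpath.normpath(base)
    bad = []
    for m in archive.getmembers():
        if escapes(base, m.name):
            bad.append(m.name)
        elif m.issym() or m.islnk():
            # A relative link target resolves against the member's own directory.
            target = m.linkname
            if not posixpath.isabs(target):
                target = posixpath.join(posixpath.dirname(m.name), target)
            if escapes(base, target):
                bad.append(m.name)
    return bad


def build_sample_archive() -> bytes:
    """Constructed sample: one harmless file, one traversal entry aimed at a
    hypothetical web root, one absolute path, and one symlink escaping upward."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes = b"", kind: bytes = tarfile.REGTYPE, link: str = ""):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = link
            info.size = len(data) if kind == tarfile.REGTYPE else 0
            tar.addfile(info, io.BytesIO(data) if kind == tarfile.REGTYPE else None)

        add("report.txt", b"hello")
        add("../../../opt/hypothetical-webroot/dropped.jsp", b"<% %>")
        add("/etc/passwd", b"root:x:0:0")
        add("up", kind=tarfile.SYMTYPE, link="../../..")
    return buf.getvalue()


def scan_bytes(data: bytes, base: str = "/tmp/extract") -> List[str]:
    """Open an in-memory archive and return the members that fail the check."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, base)


if __name__ == "__main__":
    for name in scan_bytes(build_sample_archive()):
        print("REJECT", name)
```

The check runs before any byte is written to disk; a mail gateway that scans attachments by unpacking them is exactly the place where a silent "extract then scan" step turns into an arbitrary file write if this validation is missing.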
Researchers say performing disinfection on Zimbra is extremely difficult, since the attacker had access to configuration files containing passwords used by various service accounts.
Therefore, these credentials can be used to regain access to the server if the administrative panel is accessible from the internet.
Volexity stated that they identified approximately 1,600 ZCS servers that they believe were compromised by threat actors leveraging CVE-2022-41352 to plant webshells.
.@Volexity uncovers mass exploitation of #Zimbra Collaboration Servers (ZCS) via CVE-2022-27925 using authentication bypass. Over 1000 ZCS instances compromised worldwide. Read more about the exploit: https://t.co/NDtfZ5eFUZ #threatintel #dfir
Reports say the initial attacks started in September, targeting vulnerable Zimbra servers in India and some in Turkey. Therefore, it was probably a testing wave against low-interest targets to assess the effectiveness of the attack.
Notably, Kaspersky assessed that the threat actors compromised 44 servers during this initial wave. Later, the threat actors began mass targeting in order to compromise as many servers worldwide as possible before admins patched their systems and closed the door to intruders.
The second wave had a greater impact, infecting 832 servers with malicious webshells. Hence, it is recommended that you update your servers immediately.
Cybersecurity researchers at Kaspersky Security Labs have recently identified an unofficial version of WhatsApp for Android, which the experts have dubbed "YoWhatsApp."
This unofficial version of WhatsApp is mainly designed to steal users' account access keys or login credentials. There are many unofficial versions of legitimate apps, and they lure users by advertising features that the official versions do not have.
Though YoWhatsApp is an unofficial version of WhatsApp, it is a fully working messenger with some key additional features, such as the ones mentioned below:-
UI customization
Blocking access to individual chats
Several emojis
Unofficial WhatsApp: YoWhatsApp
There is no difference between YoWhatsApp and the standard WhatsApp application in terms of permissions. The promotion of this unofficial Android mod is done using ads on popular Android apps such as the following ones:
Snaptube
Vidmate
In the latest version of YoWhatsApp, version 2.22.11.75, the threat actors were able to obtain the keys to their victims' WhatsApp accounts and take full control of them.
It is claimed that YoWhatsApp allows users to send files up to 700 MB, whereas the official app limits each file sent to your contacts to 100 MB, and this makes YoWhatsApp more appealing.
The modified version of WhatsApp sends the user's access keys to a remote server controlled by the developer.
Kali Linux is a Linux distribution designed for digital forensics, penetration testing, security research, and reverse engineering.
Here is a selection of books for different experience levels; you can either start from scratch or get advanced tips, so there's something for everyone.
This book is the hands-on and methodology guide for pentesting with Kali Linux. You'll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you're new to the field or an established pentester, you'll find what you need in this comprehensive guide.
Build a modern dockerized environment
Discover the fundamentals of the bash language in Linux
Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation
Apply practical and efficient pentesting workflows
Learn about Modern Web Application Security Secure SDLC
If you're getting started along the exciting path of hacking, cybersecurity, and pentesting, Linux Basics for Hackers is an excellent first step. Using Kali Linux, an advanced penetration testing distribution of Linux, you'll learn the basics of using the Linux operating system and acquire the tools and techniques you'll need to take control of a Linux environment.
First, you'll learn how to install Kali on a virtual machine and get an introduction to basic Linux concepts. Next, you'll tackle broader Linux topics like manipulating text, controlling file and directory permissions, and managing user environment variables. You'll then focus in on foundational hacking concepts like security and anonymity and learn scripting skills with bash and Python. Practical tutorials and exercises throughout will reinforce and test your skills as you learn how to:
Cover your tracks by changing your network information and manipulating the rsyslog logging utility
Write a tool to scan for network connections, and connect and listen to wireless networks
Keep your internet activity stealthy using Tor, proxy servers, VPNs, and encrypted email
Write a bash script to scan open ports for potential targets
Use and abuse services like MySQL, Apache web server, and OpenSSH
Build your own hacking tools, such as a remote video spy camera and a password cracker
In this book you'll learn an offensive approach to enhance your penetration testing skills by testing the sophisticated tactics employed by real hackers. You'll go through laboratory integration to cloud services so that you learn another dimension of exploitation that is typically forgotten during a penetration test. You'll explore different ways of installing and running Kali Linux in a VM and containerized environment and deploying vulnerable cloud services on AWS using containers, exploiting misconfigured S3 buckets to gain access to EC2 instances.
This book delves into passive and active reconnaissance, from obtaining user information to large-scale port scanning. Building on this, different vulnerability assessments are explored, including threat modeling. See how hackers use lateral movement, privilege escalation, and command and control (C2) on compromised systems. By the end of this book, you'll have explored many advanced pentesting approaches and hacking techniques employed on networks, IoT, embedded peripheral devices, and radio frequencies.
For more information about this book, we have a video with the author you can watch here.
This is a comprehensive guide for those who are new to Kali Linux and penetration testing that will have you up to speed in no time. Using real-world scenarios, youâll understand how to set up a lab and explore core penetration testing concepts.
Throughout this book, you'll focus on information gathering and even discover different vulnerability assessment tools bundled in Kali Linux. You'll learn to discover target systems on a network, identify security flaws on devices, exploit security weaknesses and gain access to networks, set up Command and Control (C2) operations, and perform web application penetration testing. In this updated second edition, you'll be able to compromise Active Directory and exploit enterprise networks.
Finally, this book covers best practices for performing complex web penetration testing techniques in a highly secured environment.
NJVC has been added to the victim list of the BlackCat (ALPHV) ransomware gang. NJVC provides IT support to the US government's intelligence and defense organizations.
With annual revenue of over $290 million, the company NJVC has a very impressive record. It is claimed that the BlackCat Ransomware Gang has hacked the Department of Defense of the United States of America.
DarkFeed, a dark web intelligence company, spotted the message on 28 September. BlackCat provided a breach declaration, which resulted in its immediate suspension, The Register said.
Until 30 September, the dark web site that hosted BlackCat's leak site was accessible. NJVC is no longer listed as a victim of the gang and has been removed from its website.
"We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material," ALPHV said, per the screenshot.
Earlier today it was reported that ALPHV ransomware group had breached a United States Department of Defense contracting company which provides IT infrastructure services.
The first outbreaks of BlackCat ransomware were observed in late 2021, and BlackCat is written in the Rust programming language.
Ransomware-as-a-service (RaaS) is one of the business models operated by this organization, just like so many others in the criminal underworld.
The threat actors who started deploying BlackCat ransomware are known to have used a number of prominent ransomware families before it.
Here below we have mentioned those ransomware families:-
Conti
LockBit
REvil
The Darkside and Blackmatter ransomware cartels are linked with the BlackCat cartel, which suggests that this group has a well-established network with close ties to the ransomware business.
BlackCat has been among the most active and prominent ransomware gangs in recent years. It is estimated that in 2022, about 12% of all attacks were perpetrated by this group.
It is estimated that the group's activity has increased by 117% compared with the previous quarter. Moreover, as part of the group's strategy, it targets high-profile, critical industries.
In August 2022, hackers launched a limited wave of attacks that targeted at least 10 organizations around the world.
In these attacks, the hackers exploited two newly disclosed zero-day vulnerabilities in order to gain access to and compromise Exchange servers.
Chopper web shell was installed during these attacks in order to make hands-on keyboard access more convenient. Attackers utilize this technique to gain access to Active Directory in order to perform reconnaissance and exfiltration of data.
Given this in-the-wild exploitation, it is likely that these vulnerabilities will be weaponized further in the coming days.
0-Day Flaws Exploited
Here below we have mentioned the two 0-Day flaws exploited by the hackers in the wild to attack 10 organizations:-
CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability with CVSS score: 8.8.
CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability with CVSS score: 8.8.
The combination of these two zero-day vulnerabilities has been named "ProxyNotShell." Exploiting them is possible with a standard user account that authenticates in the standard way.
The credentials of standard users can be acquired in many different ways. GTSC, a Vietnamese cybersecurity company, was the first to discover that the vulnerabilities were being exploited.
It is suspected that these intrusions were carried out by a Chinese threat actor.
Mitigation
No action is required on the part of Microsoft Exchange Online customers. For customers running on-premises Exchange, Microsoft recommended reviewing its URL Rewrite instructions and implementing them immediately.
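Because the chain described in the earlier Exchange item rides an Autodiscover request through to the PowerShell backend, the same request shape that the URL Rewrite mitigation blocks is also what a defender can hunt for in IIS logs. The following is an added example, not Microsoft's or the article's code: it parses W3C-format IIS log lines and flags requests whose path contains "autodiscover" and whose path or query contains "powershell". The log lines, the host names and the IP addresses (documentation ranges) are constructed for the example, and matching on those two substrings is an assumption drawn from the chain description rather than a quotation of Microsoft's rule.

```python
"""
Added example (not Microsoft's or the article's code): a small W3C IIS log
scanner that flags Autodiscover requests routed on to the PowerShell backend,
the request shape used by the ProxyNotShell chain described on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample in W3C extended log format, as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-10-01 03:12:44 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 200
2022-10-01 03:12:51 10.0.0.5 POST /autodiscover/autodiscover.json @example/Powershell 443 jdoe 203.0.113.7 200
2022-10-01 03:13:02 10.0.0.5 GET /autodiscover/autodiscover.json - 443 jdoe 198.51.100.23 401
2022-10-01 03:13:09 10.0.0.5 POST /autodiscover/autodiscover.json a@b/PowerShell 443 - 203.0.113.7 200
"""

AUTODISCOVER = re.compile(r"autodiscover", re.IGNORECASE)
POWERSHELL = re.compile(r"powershell", re.IGNORECASE)


@dataclass
class Hit:
    date: str
    time: str
    client: str
    user: str
    method: str
    stem: str
    query: str
    status: str


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data row before #Fields header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed row; IIS never writes spaces inside a field
        rows.append(dict(zip(fields, parts)))
    return rows


def find_autodiscover_powershell(rows: List[Dict[str, str]]) -> List[Hit]:
    """Flag rows where the path hits Autodiscover and the URL names PowerShell."""
    hits: List[Hit] = []
    for r in rows:
        stem = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "")
        if AUTODISCOVER.search(stem) and POWERSHELL.search(stem + "?" + query):
            hits.append(Hit(r.get("date", ""), r.get("time", ""), r.get("c-ip", ""),
                            r.get("cs-username", ""), r.get("cs-method", ""),
                            stem, query, r.get("sc-status", "")))
    return hits


def scan(text: str) -> List[Hit]:
    """Convenience wrapper: whole log text in, list of hits out."""
    return find_autodiscover_powershell(parse_w3c(text.splitlines()))


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.date} {h.time} {h.client} {h.user} {h.method} {h.stem}?{h.query} -> {h.status}")
```

A hit with status 200 for an authenticated user is the case worth escalating, since the page notes that exploitation only needs a standard account; after the URL Rewrite mitigation is in place, matching requests should no longer complete with 200.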
If you are a Microsoft Exchange Server user with Microsoft 365 Defender, Microsoft provided the following checklist:-
Enable cloud-based protection in Microsoft Defender Antivirus.
Protect security services from being interrupted by attackers by enabling tamper protection.
Run EDR in block mode so that Microsoft Defender for Endpoint can detect malicious artifacts.
Protect the network from malicious domains and other malicious internet content by enabling network protection.
Enable full automation for investigation and remediation so that Microsoft Defender for Endpoint can respond to breaches immediately.
Discover the devices on your network to gain greater visibility into what is going on.
As additional prevention measures, Microsoft also recommended that users:-