0patch Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/0patch/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Microsoft Is in No Hurry to Fix the Follina Vulnerability, Which Has Become a Real Disaster
https://gridinsoft.com/blogs/microsoft-is-in-no-hurry-to-fix-follina/
Thu, 09 Jun 2022 13:35:21 +0000

Hackers are actively exploiting the critical 0-day Follina vulnerability, which Microsoft is in no hurry to fix.

Researchers warn that European governments and municipalities in the US have been targeted by a phishing campaign using malicious RTF documents.

Let me remind you that Follina became public knowledge at the end of May, although researchers first discovered the bug back in April 2022; at that time Microsoft refused to acknowledge the problem.

The vulnerability is tracked as CVE-2022-30190 and is known to be exploitable for arbitrary code execution simply by opening a Word document or previewing it in File Explorer, by executing malicious PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).

The bug affects all versions of Windows that receive security updates, i.e. Windows 7 and later, as well as Server 2008 and later.

Worse, the vulnerability is in many ways similar to the PrintNightmare problem, which Microsoft could not fix for quite some time. Follina has also led to the discovery of other bugs whose exploitation can be no less serious.

We have already written that Chinese hackers are actively using the fresh 0-day, and experts warned that soon there will be more such attacks. Unfortunately, the predictions of the experts turned out to be correct: now Proofpoint analysts report that they have discovered a phishing campaign aimed at government agencies in Europe and municipal authorities in the United States, which in total affected at least 10 of the company’s customers. According to experts, government hackers are behind these attacks.

To deceive potential victims and get them to open a decoy document, the attackers used the theme of a pay increase. Opening the document deployed a PowerShell script that first checked whether the system was a virtual machine and was then used to steal information from multiple browsers, email clients and file services, as well as to collect system information, and then transfer the data to a server controlled by the hackers.


According to Bleeping Computer, the payload collected a lot of data from a wide variety of applications, including:

  1. passwords from browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc and AVAST Browser;
  2. data from other applications: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat;
  3. system information: computer information, list of usernames, Windows domain information.

Most of the attacks are reported to have been in the United States, as well as Brazil, Mexico and Russia.

Since there is still no patch for Follina, administrators and users can block attacks on CVE-2022-30190 by disabling the MSDT protocol, which attackers use to launch debuggers and execute code on vulnerable systems. It is also officially recommended to disable file previews in Windows Explorer, because the attack is possible in this way as well.
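The MSDT workaround described above, as an added example that is not from the Gridinsoft post, 0patch or Microsoft: it backs up and then removes the ms-msdt: URL protocol handler, which is the interim mitigation Microsoft published for CVE-2022-30190 before an official patch. The $BackupDir location is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example (not from the Gridinsoft post or 0patch). Removes the
# ms-msdt: URL protocol handler after backing it up, so that a document
# cannot launch MSDT through the ms-msdt: scheme. Run elevated.
# $BackupDir is an assumed location; adjust it for your environment.
param(
    [string]$BackupDir = "$env:ProgramData\FollinaMitigation"
)

$key = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerRegistered {
    # Registry::HKEY_CLASSES_ROOT is the PowerShell provider path for HKCR
    return Test-Path -Path "Registry::$key"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerRegistered)) {
        Write-Output "ms-msdt: handler not registered; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backupFile = Join-Path $BackupDir 'ms-msdt.reg'
    # reg.exe export writes a .reg file that can restore the key later
    reg.exe export $key $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; aborting." }
    reg.exe delete $key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $key failed." }
    Write-Output "ms-msdt: handler removed; backup saved to $backupFile"
}

function Restore-MsdtHandler {
    # Re-registers the handler from the backup once an official fix is installed
    $backupFile = Join-Path $BackupDir 'ms-msdt.reg'
    if (-not (Test-Path $backupFile)) { throw "No backup found at $backupFile" }
    reg.exe import $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $backupFile failed." }
}

Disable-MsdtHandler
```

Call Restore-MsdtHandler from the same script after the official update is installed to put the handler back.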

In the absence of an official patch, an unofficial one has already appeared, from 0patch. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Unofficial patches are provided for Windows 11 v21H2, Windows 10 (1803 to 21H2), Windows 7 and Windows Server 2008 R2. Moreover, instead of disabling MSDT as Microsoft recommends, 0patch specialists added additional sanitization of the user-supplied path, which also prevents the bug from being exploited.

“Please note, it doesn’t matter which version of Office you have installed, or if you have it installed at all. The vulnerability can also be exploited through other attack vectors. That’s why we released a patch for Windows 7 where the ms-msdt: URL handler isn’t registered at all,” writes 0patch co-founder Mitja Kolsek.

Meanwhile, information security experts are already beginning to criticize Microsoft for its sluggishness and lack of fixes.

“Small security teams generally see Microsoft’s sloppiness as a sign that it’s ‘just another vulnerability,’ but it’s definitely not. It’s not clear why Microsoft continues to downplay this vulnerability, which is already being exploited in real attacks. It definitely doesn’t help the security teams,” said Jake Williams, principal cyber threat analyst at Scythe.

Unofficial fixes released for 0-day issue in Windows Mobile Device Management Service
https://gridinsoft.com/blogs/unofficial-fixes-released-for-0-day-issue-in-windows/
Tue, 30 Nov 2021 21:42:50 +0000

Unofficial fixes have been released for a 0-day issue in the Windows Mobile Device Management Service, specifically its “Access to Work or School” feature. The problem is present on devices running Windows 10 version 1809 and later.

The bug is a bypass of the information disclosure patch (CVE-2021-24084) released by Microsoft engineers in February this year. This month, cybersecurity researcher Abdelhamid Naceri, who initially discovered the problem, noticed that the vulnerability was not fully fixed and can be used to gain administrator rights.

“As we learn from HiveNightmare and SeriousSAM, arbitrary file expansion can be improved to a local vulnerability if you know what files to take and what to do with them,” 0patch co-founder Mitja Kolsek explains.

0patch confirms that by using the method described in the blog of researcher Raj Chandel, combined with the bug discovered by Abdelhamid Naceri, it is possible to run code as a local administrator.

While Microsoft has likely already taken notice of the researchers’ reports, the company has yet to fix the bug, meaning that systems running Windows 10, even with the latest security updates from November 2021, are still vulnerable to attacks.

Fortunately, two specific conditions must be met for the vulnerability to be exploited. First, system protection must be enabled on drive C and at least one restore point must have been created. Second, at least one local administrator account must be enabled on the computer, or the credentials of at least one member of the Administrators group must be cached.
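A defender's check for the two preconditions just listed, as an added example that is not from the Gridinsoft post or from 0patch. It tests for a restore point on the system and for enabled local accounts in the Administrators group; it does not look for cached credentials, the alternate form of the second condition. It assumes Windows PowerShell 5.1 run as administrator, since Get-ComputerRestorePoint is not available in PowerShell 7.

```powershell
# Added example (not from the Gridinsoft post or 0patch). Reports whether a
# Windows 10 host meets the two preconditions the article gives for
# exploitation of the CVE-2021-24084 patch bypass. Run elevated in
# Windows PowerShell 5.1.
function Test-RestorePointPresent {
    # Returns nothing when System Protection is off or no restore point
    # has been created on the system drive.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    return $points.Count -gt 0
}

function Get-EnabledLocalAdmins {
    # Enabled local (non-domain) user accounts that sit in Administrators.
    $members    = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $localUsers = @(Get-LocalUser | Where-Object { $_.Enabled })
    $enabledSids = @($localUsers | ForEach-Object { $_.SID })
    return @($members | Where-Object {
        $_.ObjectClass -eq 'User' -and ($enabledSids -contains $_.SID)
    })
}

function Test-Cve202124084Preconditions {
    $restore = Test-RestorePointPresent
    $admins  = Get-EnabledLocalAdmins
    [pscustomobject]@{
        RestorePointPresent    = $restore
        EnabledLocalAdminCount = $admins.Count
        EnabledLocalAdmins     = ($admins.Name -join ', ')
        BothConditionsMet      = ($restore -and $admins.Count -gt 0)
    }
}

Test-Cve202124084Preconditions | Format-List
```

A host reporting BothConditionsMet = True is the one to prioritise for the 0patch micropatch or for a compensating control until Microsoft ships a fix.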

While Microsoft prepares patches, 0patch has already released unofficial free updates for all vulnerable versions of Windows 10 (0patch also supports Windows 10 21H2). Let me remind you that 0patch is a platform designed for exactly such situations, that is, fixing 0-day and other unpatched vulnerabilities, supporting products that are no longer supported by their manufacturers, custom software, and so on.

The fixes are already available and apply to the following Windows versions:

  • Windows 10 v21H1 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v20H2 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v2004 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1909 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1903 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1809 (32-bit and 64-bit) with May 2021 updates.

Experts point out that the bug does not affect Windows Server, since the problematic feature does not exist there (there is simply no “Access to Work or School” on Windows Server), and it does not affect Windows 10 version 1803 and earlier, where “Access to Work or School” works in a different way.

Unofficial patch published for PrintNightmare vulnerability
https://gridinsoft.com/blogs/patch-published-for-printnightmare/
Mon, 05 Jul 2021 16:12:31 +0000

Last week I talked about a PoC exploit for the dangerous vulnerability CVE-2021-34527 in Windows Print Spooler (spoolsv.exe), which researchers named PrintNightmare, and now an unofficial patch for this problem has been published.

When the exploit was published, the researchers found that the patch released in June did not completely fix the problem. Moreover, the publication of the exploit has left many researchers confused, and some have suggested that PrintNightmare is a standalone zero-day vulnerability that needs its own fix.

For example, Mitja Kolsek, head of Acros Security and co-founder of 0Patch, wrote about this on Twitter.

“Before this gets too confusing: PrintNightmare is NOT the same as CVE-2021-1675. CVE-2021-1675: Fixed in June updates. PrintNightmare: 0day,” Mitja Kolsek wrote on his Twitter.

The problem affects all versions of Windows, can even affect XP and Vista, and helps remotely execute arbitrary code with SYSTEM privileges, which allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

There is no patch for this vulnerability yet, and Microsoft experts reported that the problem is already being exploited in real life, although the company did not specify whether this is being done by cybercriminals or information security researchers.

Microsoft engineers offered administrators several solutions to the problem. For example, it is recommended to disable Print Spooler completely by blocking printing locally and remotely. It is also possible to disable incoming remote printing through Group Policy, which will block the main vector of potential attacks. In the second case, “the system will no longer function as a print server, but local printing from directly connected devices will still be possible.”
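The two Microsoft workarounds just described, as an added example that is not from the Gridinsoft post, Microsoft or 0patch. It reports the current exposure of the spooler and applies either workaround: -Mode Disable stops and disables Print Spooler entirely, while -Mode BlockRemote keeps local printing and only blocks inbound remote printing by writing the registry value behind the Group Policy setting "Allow Print Spooler to accept client connections" (RegisterSpoolerRemoteRpcEndPoint, 2 = disallow). Run elevated.

```powershell
# Added example (not from the Gridinsoft post, Microsoft or 0patch).
# Shows the spooler's exposure to inbound remote printing and applies one of
# the two CVE-2021-34527 workarounds on request. Run from an elevated session.
param(
    [ValidateSet('Status', 'Disable', 'BlockRemote')]
    [string]$Mode = 'Status'
)

# Registry location written by the policy "Allow Print Spooler to accept
# client connections" (Computer Configuration > Administrative Templates > Printers)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$valueName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler
    $rpc = (Get-ItemProperty -Path $policyKey -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
    # Not configured or 1 = client connections allowed; 2 = disallowed
    $rpcText = if ($null -eq $rpc) { 'NotConfigured (remote printing allowed)' } else { "$rpc" }
    [pscustomobject]@{
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        RemoteRpcEndpoint    = $rpcText
        AcceptsRemoteClients = ($svc.Status -eq 'Running' -and $rpc -ne 2)
    }
}

function Disable-PrintSpooler {
    # Workaround 1: no printing at all, local or remote
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Block-RemotePrinting {
    # Workaround 2: keep local printing, refuse inbound remote print clients
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name $valueName -Value 2 -Type DWord
    # The spooler reads the policy at start-up, so restart it to apply
    Restart-Service -Name Spooler -Force
}

switch ($Mode) {
    'Disable'     { Disable-PrintSpooler }
    'BlockRemote' { Block-RemotePrinting }
}
Get-SpoolerExposure | Format-List
```

After applying either mode, AcceptsRemoteClients should report False; the default Status mode only reads and changes nothing.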

Now a third option has appeared: the experts involved in the development of the 0patch solution have prepared temporary patches (or micro-patches) for this problem. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Micropatches are available for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2, as well as Windows 10 v20H2, Windows 10 v2004, and Windows 10 v1909.
