Rozena: backdoor distributed by exploiting Follina vulnerability

Fortinet researchers have published an analysis of a malicious campaign in which they have detected the distribution of a new backdoor exploiting the well-known Follina vulnerability (CVE-2022-30190).

This new malware has been named Rozena and its main function is to inject a reverse shell into the attacker’s host, allowing malicious actors to take control of the victim’s system, as well as to enable monitoring and information capture, and/or to maintain a backdoor to the compromised system

Regarding the methodology used to carry out the infection, it consists of distributing malicious office documents, which when executed, connect to a Discord URL that retrieves an HTML file that, in turn, invokes the vulnerable Microsoft Windows Support Diagnostic Tool (MSDT), resulting in the download of the payload, in which Rozena is included.

More info →

* * *

​Microsoft fixes an actively exploited 0-day

Microsoft has published its security bulletin for the month of July in which it fixes a total of 84 vulnerabilities, including one actively exploited 0-day.

Out of the total number of detected flaws, 5 correspond to denial of service vulnerabilities, 11 to information disclosure, 4 to omission of security functions, 52 to elevation of privileges, and 12 to remote code execution. Within this last type are the four vulnerabilities classified as critical (CVE-2022-30221, CVE-2022-22029, CVE-2022-22039, CVE-2022-22038), with the rest of the vulnerabilities being of high severity.

It is worth noting the 0-day, catalogued as CVE-2022-22047 with a CVSSv3 7.8, discovered by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), involves a Windows CSRSS elevation of privilege vulnerability, which could allow an attacker to gain SYSTEM privileges.

According to Microsoft, active exploitation of this flaw has been detected [6], although no further details have been provided so far, and it is recommended that patches be applied as soon as possible. Also, CISA has added this vulnerability to its catalogue of actively exploited vulnerabilities.

More info →

* * *

Vulnerability in the authentication of an AWS Kubernetes component

Security researcher Gafnit Amiga has discovered several security flaws in the authentication process of AWS IAM Authenticator, a component for Kubernetes used by Amazon Elastic Kubernetes Service (EKS).

The flaw lies in incorrect validation of query parameters within the authenticator plugin when configuring the use of the template’s “AccessKeyID” parameter within query strings. Exploiting it could allow an attacker to bypass existing protection against replay attacks or obtain the highest permissions in the cluster by impersonating other identities, i.e., escalate privileges within the Kubernetes cluster.

According to the researcher, two of the identified flaws have existed since the first release in 2017, while the third, which is the one that allows impersonation, has been exploitable since September 2020. The flaws as a whole have been identified as CVE-2022-2385 and have been given a high criticality.

AWS has confirmed that since 28 June all EKS clusters have been updated with a new version of IAM Authenticator that fixes the issue. Customers who manage their own clusters and use the “AccessKeyID” parameter of the authenticator plugin should upgrade to AWS IAM Authenticator for Kubernetes version 0.5.0.

More info →

* * *

VMware fixes vCenter Server vulnerability

VMware has recently published a new version of vCenter Server 7.0 3f in which it corrects, eight months later, a vulnerability in the integrated authentication mechanism with Windows discovered by Crowdstrike and with CVE-2021-22048.

This flaw can only be exploited from the same physical or logical network as the affected server, and although it is a complex attack, it requires few privileges and no user interaction. However, NIST suggests that it could be exploited remotely. The versions of vCenter Server affected by the vulnerability are 6.5, 6.7 and 7.0.

The company has provided mitigation measures for those who are unable to upgrade to the latest patched version by switching to an Active Directory over LDAP authentication model. CVE-2021-22048 also affects WMware Cloud Foundation versions 3 and 4 but has not yet been fixed.

More info →

* * *

​​Phishing campaign via Anubis Network

Portuguese media outlet Segurança Informatica has published details of a new wave of the persistent phishing campaign, which uses the Anubis Network portal to set up its attacks and has been active since March 2022.

Affected users, mainly in Portugal and Brazil, receive smishing or phishing messages from financial services where users are forced to enter their phone number and PIN number, only to be redirected to banking pages where they are asked for their login credentials.

According to the researchers, the Command & Control server, hosted by Anubis Network, is controlled by around 80 operators. The analysis also shows how Anubis provides facilities for tracking user data, fake domains created to impersonate banks and temporary email addresses that operators can set up for each case.

More info →

Raspberry Robin: worm detected in multiple Windows networks

Microsoft has issued a private advisory to Microsoft Defender for Endpoint subscribers, informing about the detection of the Raspberry Robin malware in multiple networks, mostly from the industrial sector.

The worm, created in 2019 and first detected in September 2021, is mainly disseminated through infected USB devices. Some of its characteristics are the use of QNAP NAS devices as command and control (C2) servers and its ability to connect to the Tor network.

In addition, Raspberry Robin abuses legitimate Windows tools such as the msiexec process to infect new devices, execute malicious payloads and ultimately deliver malware. There are no evidences indicating that the operators of this malware have exploited the accesses obtained from their activities.

Plus, it has not been possible to attribute this campaign to any specific malicious actor, although Microsoft has rated it as high risk, as the attackers could deploy additional malware on the victims’ networks and escalate privileges at any time.

More info →

​* * *​​​​​​​

Critical vulnerability in Spring Data for MongoDB

NSFOCUS TIANJI Lab researcher Zewei Zhang has reported a critical remote code execution (RCE) vulnerability in Spring Data MongoDB, a project for integrating documents into MongoDB databases.

The flaw has been identified as CVE-2022-22980 and has received a criticality of 9.8 (CVSSv3). The vulnerability in particular consists in the possibility of performing a malicious SpEL (Spring Expression Language) injection that would allow an attacker to execute arbitrary code remotely with legacy privileges. The flaw affects versions 3.4.0, 3.3.0 to 3.3.4, and earlier unsupported versions.

Spring has already released the corresponding patched versions of Spring Data MongoDB, 3.4.1 and 3.3.5 at the end of June. However, in case it is not possible to implement these new versions, there are mitigation measures that can be consulted in the advisory published by VMware, which are recommended to be applied immediately taking into account the public availability of proofs of concept on this vulnerability.

More info →

​* * *​​​​​​​

Malicious version of Brute Ratel C4

Researchers at Palo Alto Networks have published about a malicious sample of the legitimate Brute Ratel C4 (BRc4) software. This tool has emerged as an alternative to Cobalt Strike for red team penetration testers.

Just as Cobalt Strike leaves beacons on infected computers, Brute Ratel installs badgers that perform a similar function, establish persistence and connect to command and control servers to receive commands and execute code on infected computers.

Additionally, this tool was specifically designed to evade endpoint detection (EDR) and antivirus detection. According to the researchers, it is very likely that former members of Conti ransomware have created shell companies in order to pass a part of the verification process required to obtain this software.

Finally, they urge security vendors to update their protections to detect this software and for organisations to take proactive steps to defend themselves.

More info →

​* * *​​​​​​​

​Critical vulnerability in OpenSSL

Security researcher Xi Ruoyao has discovered a vulnerability in the OpenSSL cryptographic library that could lead to remote code execution under certain circumstances. The flaw, identified as CVE-2022-2274, lies in the implementation of RSA for X86_64 CPUs supporting AVX512IFMA instructions.

The vulnerability could lead to memory corruption during computation, which an attacker could use to ultimately trigger remote code execution on the machine performing the computation.

The flaw affects OpenSSL version 3.0.4, which was released on 21 June 2022, and has been fixed with OpenSSL version 3.0.5. OpenSSL versions 1.1.1 and Open SSL 1.0.2 are not affected by this vulnerability.

More info →

​* * *​​​​​​​

​New HavanaCrypt ransomware campaign

TrendMicro researchers have analysed a campaign of the new ransomware family called HavanaCrypt, which is reportedly masquerading as the Google Software Update application for distribution.

HavanaCrypt is compiled in .NET and uses Obfuscar, an open-source obfuscator to secure .NET code. It has also been confirmed to be using an IP address of a Microsoft hosting service such as C&C (Command&Control) to evade detection, which is unusual for this type of threat.

TrendMicro has also detected the use of multiple anti-virtualisation tools to evade possible dynamic analysis in virtual machines. Finally, it is worth mentioning the QueueUserWorkItem function, used to distribute other payloads and encryption tools.

After the encryption process, during which it uses legitimate KeePass Password Safe modules and the CryptoRandom function, this ransomware does not leave any ransom note, so researchers believe it may still be under development.

More info →