kitty-0.26.5-7.el8

FEDORA-EPEL-2023-1f39b04ca0

Packages in this update:

kitty-0.26.5-7.el8

Update description:

fix clone-in-kitty + security fix #2196803

OneNote documents have emerged as a new malware infection vector

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Intro

In February 2022, Microsoft announced that VBA macros in Office files downloaded from the internet would be blocked by default, because macros had long been a favoured malware distribution method. This prompted malware authors to look for other ways to deliver their payloads, and the use of alternative infection vectors such as password-protected ZIP archives and ISO images increased.

OneNote documents have emerged as one of these new vectors: the document carries embedded files whose malicious code runs when the user interacts with it. Emotet and Qakbot, along with a range of stealers and payloads wrapped in crypters, are known to have been distributed through OneNote attachments.

Researchers are developing new tools and analysis strategies to detect these attachments and stop them being used as a vehicle for infection. This article describes the technique and the tactics malicious actors use to compromise a system with it.

Attack chain

With VBA macros blocked, threat actors have turned to OneNote attachments as a new way to install malware on an endpoint. A OneNote page can carry embedded files of other formats, such as HTML, ISO images and JScript, and it is these embedded files that the attacker abuses. OneNote attachments are particularly appealing because a page is designed to be edited and interacted with rather than merely viewed, so it is easy to lay out enticing messages and clickable buttons that lead to the infection. Users should therefore treat OneNote attachments with caution even when they look harmless, keep security software up to date, and be aware of the risks that interactive files carry.

Email – Social engineering

Like most malware campaigns, these attacks use email as the first point of contact with the victim. Social engineering is used to persuade the victim to open the attachment and run the embedded code on their workstation.

In a recent phishing attempt, the attacker sent an email that appeared to come from a trustworthy source and asked the recipient to open a OneNote attachment. Opening the attachment did not show the promised content. Instead, the victim was presented with a lure prompt designed to make them click.

In this case, as with many malicious OneNote attachments, the actor wants the user to click the "Open" button drawn on the page; clicking it executes the embedded code. Traditional security tools built around macro-laden Office documents have proven ineffective at detecting this type of threat.

One tool commonly used for analysing Microsoft Office documents is the oletools suite, whose command-line tool olevba detects and extracts malicious VBA code.

Running olevba on the OneNote attachment produced an error: olevba understands OLE2 and Office Open XML containers, and a OneNote section (.one) is neither, so the tool cannot parse it. The analysis therefore shifted to a dynamic approach. Detonating the document in a sandbox revealed a chain of scripts that downloaded and ran an executable or DLL, the stage at which more severe payloads such as ransomware, stealers and wipers are delivered.
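Because olevba cannot read the OneNote format, the static alternative is to carve the embedded files out of the section directly. The following script is an added example and is not code from the article or from oletools. It relies on one documented fact: OneNote stores every embedded file as a FileDataStoreObject whose header and footer GUIDs are defined in Microsoft's MS-ONESTORE specification, with the file length stored as a little-endian 64-bit field right after the header GUID. The sample section bytes, the payload names and the type-sniffing heuristics are constructed for this example.

```python
"""Carve embedded files out of a OneNote section (.one) file.

OneNote stores each embedded file as a FileDataStoreObject:
  guidHeader (16) | cbLength (8, little-endian) | unused (4) | reserved (8)
  | FileData (cbLength bytes) | guidFooter (16)
The two GUIDs are from the MS-ONESTORE specification; the sample section
assembled at the bottom is constructed for this example.
"""
import struct
import uuid
from typing import Dict, List

# FileDataStoreObject.guidHeader and guidFooter (MS-ONESTORE), in their on-disk byte order.
FILE_DATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8          # guidHeader + cbLength + unused + reserved
MAX_PADDING = 8                       # tolerate alignment padding before the footer


def guess_type(data: bytes) -> str:
    """Sniff the payload kinds the article mentions (JSE, HTML, ISO, BAT) plus PE and PNG."""
    head = data[:64]
    low = head.lstrip().lower()
    if head.startswith(b"\x89PNG"):
        return "png"                                  # lure images sit next to the payload
    if head.startswith(b"#@~^"):
        return "jse"                                  # Windows Script Encoder (screnc.exe) output
    if head.startswith(b"MZ"):
        return "pe"
    if low.startswith((b"<!doctype", b"<html", b"<script", b"<hta")):
        return "html"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"                                  # ISO 9660 primary volume descriptor
    if low.startswith((b"@echo", b"cmd", b"powershell", b"start")):
        return "bat"
    return "unknown"


def carve_embedded_files(blob: bytes) -> List[Dict]:
    """Return one record per FileDataStoreObject found by scanning for the header GUID."""
    found: List[Dict] = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        if pos + HEADER_SIZE > len(blob):
            break                                     # header runs off the end of the file
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        data_start = pos + HEADER_SIZE
        data_end = data_start + length
        if data_end > len(blob):
            break                                     # corrupt or truncated cbLength: never over-read
        data = blob[data_start:data_end]
        footer_ok = blob.find(FILE_DATA_FOOTER, data_end,
                              data_end + MAX_PADDING + len(FILE_DATA_FOOTER)) != -1
        found.append({"offset": pos, "size": length, "type": guess_type(data),
                      "footer_ok": footer_ok, "data": data})
        pos = blob.find(FILE_DATA_HEADER, data_end)
    return found


def build_file_data_object(payload: bytes) -> bytes:
    """Serialise one FileDataStoreObject; used only to construct the sample below."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 4 + b"\0" * 8
            + payload + FILE_DATA_FOOTER)


# Constructed payloads standing in for a lure image, an encoded script and a .bat dropper.
LURE_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 24
OPEN_JSE = b"#@~^HQAAAA==constructed.encoded.script.body==^#~@"
DROPPER_BAT = b"@echo off\r\npowershell -w hidden -c \"echo constructed\"\r\n"

SAMPLE_SECTION = (
    b"\0" * 32                                        # stand-in for the file header and object streams
    + build_file_data_object(LURE_PNG)
    + b"\0" * 16
    + build_file_data_object(OPEN_JSE)
    + build_file_data_object(DROPPER_BAT)
    + FILE_DATA_HEADER + struct.pack("<Q", 0xFFFFFFFF) + b"\0" * 12   # corrupt trailing object
)


if __name__ == "__main__":
    for rec in carve_embedded_files(SAMPLE_SECTION):
        print(f"offset=0x{rec['offset']:x} size={rec['size']} type={rec['type']} "
              f"footer_ok={rec['footer_ok']} head={rec['data'][:16]!r}")
```

Scanning for the header GUID rather than walking the full object tree is deliberate: it works on damaged or partially extracted sections and needs no parser for the rest of the format. The `footer_ok` flag and the length bounds check are the two things to watch in practice, since a sample that lies about `cbLength` is exactly the kind that should be treated as hostile rather than skipped.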

Tactics and techniques 

This particular campaign obscures its JScript with the Windows Script Encoder (screnc.exe), producing an encoded .jse file. In encoded form, Open.jse is not readable; the encoding is obfuscation rather than encryption, however, and decoders for it are freely available.

Decoding the JScript revealed a dropper that writes a .bat file. When executed, the .bat file launches a PowerShell instance, which contacts the IP address 198[.]44[.]140[.]32.
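The process chain above (OneNote, then the script host for Open.jse, then cmd.exe for the .bat, then PowerShell and the outbound connection) is also what the conclusion below says a sandbox should surface, and it is what endpoint telemetry can alert on. The detection logic below is an added example, not code from the article or from any vendor: it walks Sysmon-style process-creation and network events, flags any script host or shell whose ancestry includes onenote.exe, and flags outbound connections from those processes or to the C2 address the article reports. The field names, process IDs, paths and command lines are constructed for this example.

```python
"""Flag OneNote-spawned script chains in process telemetry.

Walks Sysmon-style process-creation events (EventID 1: ProcessId,
ParentProcessId, Image, CommandLine) and network events (EventID 3:
ProcessId, DestinationIp), finds any script host, shell or PowerShell
whose ancestry includes onenote.exe, then flags outbound connections made
by those processes or to known C2 addresses. The sample events below are
constructed for this example.
"""
from typing import Dict, FrozenSet, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_ROOT = "onenote.exe"
# The C2 address reported in the article, undefanged so it matches telemetry.
C2_IOCS: FrozenSet[str] = frozenset({"198.44.140.32"})

# Constructed events mirroring the chain in the article:
# OneNote -> wscript (Open.jse) -> cmd (.bat) -> PowerShell -> outbound connection,
# plus a benign interactive PowerShell session that must not be flagged.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": r'"ONENOTE.EXE" C:\Users\u\Downloads\invoice.one'},
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\OneNote\16.0\Exported\Open.jse"'},
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\open.bat"},
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 400,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c <constructed download cradle>"},
    {"EventID": 3, "ProcessId": 500, "DestinationIp": "198.44.140.32", "DestinationPort": 80},
    {"EventID": 1, "ProcessId": 600, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell"},
    {"EventID": 3, "ProcessId": 600, "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path, so ONENOTE.EXE and onenote.exe compare equal."""
    return image.rsplit("\\", 1)[-1].lower()


def build_tree(events: List[Dict]) -> Dict[int, Dict]:
    """Index process-creation events by ProcessId."""
    return {e["ProcessId"]: e for e in events if e.get("EventID") == 1}


def ancestry(procs: Dict[int, Dict], pid: int, limit: int = 32) -> List[str]:
    """Image basenames from pid up to the root, stopping at unknown parents or PID reuse loops."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return chain


def detect(events: List[Dict], c2_iocs: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return alerts for script hosts descended from OneNote and for their outbound connections."""
    procs = build_tree(events)
    alerts: List[Dict] = []
    suspicious_pids = set()
    for pid, e in procs.items():
        chain = ancestry(procs, pid)
        # chain[0] is the process itself; anything above it is an ancestor.
        if chain[0] in SCRIPT_HOSTS and OFFICE_ROOT in chain[1:]:
            suspicious_pids.add(pid)
            alerts.append({"rule": "onenote_script_chain", "pid": pid,
                           "chain": " -> ".join(reversed(chain)), "cmdline": e["CommandLine"]})
    for e in events:
        if e.get("EventID") != 3:
            continue
        reasons = []
        if e["ProcessId"] in suspicious_pids:
            reasons.append("spawned_from_onenote")
        if e.get("DestinationIp") in c2_iocs:
            reasons.append("known_c2_ioc")
        if reasons:
            alerts.append({"rule": "suspicious_outbound", "pid": e["ProcessId"],
                           "dest": e["DestinationIp"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, C2_IOCS):
        print(alert)
```

The ancestry walk matters more than the IOC match: the IP address changes from campaign to campaign, but a script host with onenote.exe anywhere above it in the process tree is rare in legitimate use and survives the attacker moving to a new C2.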

Conclusion

To keep pace with a constantly evolving threat landscape, analysts must stay abreast of the latest delivery techniques used by malware authors. These attachments evade detection when systems are not configured to block or sanitise them, so analysts need to know how to analyse them. Currently, dynamic analysis is recommended: detonating a sample in a sandbox yields the C2 servers it contacts, the process chain it spawns, and where data is written to disk and then executed. For deeper analysis, analysts should also become familiar with the file formats typically embedded in OneNote attachments, such as encoded .jse files, .htm documents and ISO images.

Prevention remains the best defence. Security teams should update their detection to cover these attachment types, consider blocking or quarantining OneNote attachments at the mail gateway where the business does not need them, and educate employees about the dangers of opening unknown and untrusted attachments.

Microsoft fixes bypass for critical Outlook zero-click flaw patch

Microsoft this week fixed a vulnerability that could be used to bypass the defences it shipped in March for a critical Outlook vulnerability (CVE-2023-23397) that Russian cyberspies exploited in the wild. That flaw let attackers steal NTLM hashes simply by sending a specially crafted email to an Outlook user; the exploit requires no user interaction, because Outlook processes the crafted message as soon as it is received.

The new vulnerability, patched Tuesday and tracked as CVE-2023-29324, lies in the Windows MSHTML platform. It can trick the security check added by the March Outlook patch (a MapUrlToZone call meant to reject remote paths) into treating a path on the internet as a local one, evading the trust-zone check and making the original attack viable again. Microsoft rated the new vulnerability 6.5 out of 10 (medium), but the Akamai researchers who found it argue it should have been rated higher.

USN-6072-1: Linux kernel (OEM) vulnerabilities

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)

Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-0468)

It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)

It was discovered that a race condition existed in the Xen transport layer
implementation for the 9P file system protocol in the Linux kernel, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (guest crash) or expose sensitive information (guest
kernel memory). (CVE-2023-1859)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel
did not properly handle certain sysctl allocation failure conditions,
leading to a double-free vulnerability. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

TP-Link Archer AX-21 Command Injection Vulnerability (CVE-2023-1389) Exploited in the Wild

What is TP-Link Archer AX21 (AX1800)?

TP-Link Archer AX21 (AX1800) is a line of consumer-oriented Wi-Fi routers.

What is the attack?

A command injection vulnerability exists in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 that allows an unauthenticated attacker to inject commands and obtain root access via a POST request. The issue has been assigned CVE-2023-1389. The vulnerability has a CVSS base score of 8.8 and is rated HIGH.

Why is this significant?

This is significant because attackers are reportedly exploiting CVE-2023-1389 in the wild. Proof-of-concept (PoC) code is publicly available, and several reports state that Mirai variants have been deployed to vulnerable TP-Link Archer AX21 devices. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 1st, 2023. Patches should be applied as soon as possible.

What is the vendor solution?

According to the TP-Link advisory, an Archer AX21 linked to a TP-Link ID will automatically receive update notifications in the web administration interface and the Tether application. TP-Link strongly recommends downloading and installing the latest firmware for this model as soon as possible.

What FortiGuard Coverage is available?

FortiGuard Labs has the following IPS signature in place for CVE-2023-1389:

TP-Link.Archer.AX21.Unauthenticated.Command.Injection

FortiGuard Labs has the following AV signatures in place for the Mirai variants reported to have been deployed after successful exploitation of CVE-2023-1389:

ELF/Mirai.A!tr
ELF/Mirai.BL!tr
BASH/Mirai.4C55!tr
Linux/Redis.TSU!tr

Network IOCs related to the Mirai variants are blocked by the Web Filtering service.

Elevation of Privilege Vulnerability in Win32k Exploited in the Wild (CVE-2023-29336)

What is Win32k?

Win32k (win32k.sys) is a kernel-mode component of Microsoft Windows that handles graphics and user-interface functions. It is responsible for rendering fonts, icons, buttons and other graphical elements. Because it runs in the kernel, a flaw in Win32k can destabilise or crash the system, and a successful exploit yields kernel-level control.

What is the Attack?

An Elevation of Privilege (EoP) vulnerability in the Win32k kernel driver allows a local attacker to gain SYSTEM privileges. The issue has been assigned CVE-2023-29336. Microsoft has published no further technical details. The vulnerability has a CVSS base score of 7.8 and is rated HIGH.

Why is this Significant?

This is significant because attackers are reportedly exploiting CVE-2023-29336 in the wild. CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on May 9th, 2023. Patches should be applied as soon as possible.

What is the Vendor Solution?

Microsoft issued a patch on May 9th, 2023, as part of its May 2023 Patch Tuesday release.

What FortiGuard Coverage is available?

FortiGuard Labs has the following IPS signature in place for CVE-2023-29336:

MS.Windows.Win32k.CVE-2023-29336.Elevation.of.Privilege
