Cyber Security Weekly News


1. Hackers Exploit Windows Search Feature To Spread Malware

2. Top 10 Most Critical Pentest Findings of 2024 and What You Need to Know

3. Apple enters the competitive password manager game

4. New Linux malware is controlled through emojis sent from Discord

5. How Hackers bypass 2FA with OTP bots


1. Hackers abuse Windows search functionality to deploy malware

Cyber security firm Trustwave SpiderLabs has discovered a low-volume campaign in which attackers abuse the Windows search functionality, invoked from an HTML file, to deploy malware, steal data and escalate privileges. The social engineering works because it hides inside an everyday task: opening an invoice.

It starts with a phishing email carrying an attachment that usually poses as an invoice. The attachment looks like an ordinary document but is a .ZIP archive containing an HTML file.

Zipping the HTML helps it travel through mail gateways and past endpoint checks. According to the Trustwave researchers, "Once opened, the HTML file abuses standard web protocols: it opens the browser and forces Windows Explorer's search function to look for items labelled “Invoice” in a specific directory on a server tunnelled via Cloudflare. The search is renamed to “Downloads”, tricking victims into thinking they are looking at the file they downloaded rather than the .ZIP archive."
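The technique above lends itself to a simple triage check. The following PowerShell is an added example, not Trustwave's code: it pulls search-ms: URIs out of HTML attachments and splits them into their parameters (the remote location and the folder name the search is disguised as), and shows one mitigation, removing the search-ms protocol handler from the registry so a browser can no longer hand such links to Explorer. The HTML sample and the host name in it are constructed for the example; removing the handler is this example's choice of mitigation and also breaks legitimate saved-search shortcuts, so the key is exported first and -WhatIf previews the change.

```powershell
# Added example (not Trustwave's code). The HTML below is constructed to mirror the
# technique described above; the host name is a placeholder.
$SampleHtml = @'
<html><head><meta http-equiv="refresh"
  content="0; url=search-ms:query=INVOICE&amp;crumb=location:\\invoice-preview.example.invalid\docs&amp;displayname=Downloads">
</head><body>Opening invoice...</body></html>
'@

function Get-SearchMsUri {
    <# Extract every search-ms: URI from raw HTML and split it into its parameters.
       A remote location combined with a displayname that imitates a local folder
       is the pattern described above. #>
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Html)
    process {
        # &amp; inside attribute values must be decoded before splitting on '&'.
        $decoded = [System.Net.WebUtility]::HtmlDecode($Html)
        foreach ($hit in [regex]::Matches($decoded, 'search-ms:[^"''<>\s]+')) {
            $p = @{}
            foreach ($pair in $hit.Value.Substring('search-ms:'.Length) -split '&') {
                $k, $v = $pair -split '=', 2
                $p[$k.ToLowerInvariant()] = [uri]::UnescapeDataString("$v")
            }
            $location = "$($p['crumb'])" -replace '^location:', ''
            [pscustomobject]@{
                Query          = $p['query']
                Location       = $location
                DisplayName    = $p['displayname']
                RemoteLocation = $location -match '^(\\\\|https?://)'   # UNC/WebDAV, not a local drive
                LooksLocal     = "$($p['displayname'])" -in 'Downloads', 'Desktop', 'Documents'
            }
        }
    }
}

function Disable-SearchMsHandler {
    <# Delete the search-ms: protocol handler (HKCR\search-ms). This is the example's
       chosen mitigation, not one quoted from the page. It exports the key first
       because legitimate saved-search shortcuts stop working once it is gone. #>
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Backup = "$env:TEMP\search-ms-handler.reg")
    $key = 'Registry::HKEY_CLASSES_ROOT\search-ms'
    if (-not (Test-Path $key)) { Write-Verbose 'search-ms handler already removed'; return }
    if ($PSCmdlet.ShouldProcess($key, 'export and remove protocol handler')) {
        reg.exe export 'HKCR\search-ms' $Backup /y | Out-Null
        Remove-Item -Path $key -Recurse -Force
    }
}

# Usage: triage the sample, then preview the mitigation (run elevated, drop -WhatIf to apply).
$SampleHtml | Get-SearchMsUri | Format-List
Disable-SearchMsHandler -WhatIf
```

To sweep a quarantine folder instead of the sample, pipe `Get-ChildItem -Filter *.html -Recurse | Get-Content -Raw` into `Get-SearchMsUri`; any hit with RemoteLocation and LooksLocal both true matches the lure described above.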

Humans remain the weakest link in security; user education and additional technical controls are key to countering threats like this.

2. Top 10 Critical Pentest Findings 2024: What You Need to Know

Pentests give a clear picture of a company's security posture. According to Vonahi Security, these were the ten most critical findings of 2024, with recommendations for each.

1. Multicast DNS (mDNS) Spoofing

Multicast DNS (mDNS) is a protocol used on small networks to resolve host names without a local DNS server. A client multicasts its query to the local subnet, and any system on that subnet can answer with an IP address. An attacker on the same subnet simply answers first with their own address, and the client then connects, and often authenticates, to the attacker's machine.

Recommendations:

The most effective method of preventing exploitation is to disable mDNS altogether if it is not being used. Depending on the implementation, this means disabling the Apple Bonjour service or the Avahi daemon.

2. NetBIOS Name Service (NBNS) Spoofing

NetBIOS Name Service (NBNS) is a legacy protocol used on internal networks to resolve NetBIOS names when DNS lookup fails. It broadcasts queries across the local network, and any system can answer with an IP address, so an attacker can respond with their own system's address.

Recommendations:

The following strategies prevent the use of NBNS in a Windows environment or reduce the impact of NBNS spoofing:
  • Configure the UseDnsOnlyForNameResolutions registry value (NetBIOS over TCP/IP configuration parameters) so that systems stop issuing NBNS queries.
  • Disable NetBIOS over TCP/IP on all Windows hosts in the internal network. This can be done via a DHCP option, the adapter's WINS settings, or the per-interface NetbiosOptions registry value (2 = disabled).

3. Link-local Multicast Name Resolution (LLMNR) Spoofing

Link-Local Multicast Name Resolution (LLMNR) is a protocol used on internal networks to resolve host names when DNS lookup fails. It multicasts queries on the local link, and any system can answer with an IP address, so an attacker can respond with their own system's address.

Recommendations:
  • The most effective method of preventing exploitation is to configure the Multicast Name Resolution registry value so that systems stop sending LLMNR queries.
  • Using Group Policy: Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution = Enabled (to administer a Windows 2003 DC, use the Remote Server Administration Tools for Windows 7)
  • Using the registry (Windows Vista/7/10 Home editions, which have no Group Policy editor): set HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast (DWORD) to 0

4. IPv6 DNS Spoofing

IPv6 DNS spoofing occurs when a rogue DHCPv6 server is introduced on the network. Windows prefers IPv6 over IPv4, and IPv6-enabled clients request DHCPv6 configuration by default and accept whichever server answers. The attacker hands out their own system as the IPv6 DNS server while the clients keep their IPv4 configuration, so the clients' DNS requests are now redirected to, and can be answered by, the attacker.

Recommendations:

Disable IPv6 unless it is required for business operations. Because disabling IPv6 can interrupt network services, test the change before mass deployment. An alternative is DHCPv6 guard on the network switches: it ensures that only an authorised list of DHCPv6 servers can assign leases to clients.
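The four findings above are all fixed with registry values and firewall rules, so they can be audited and applied from one script. The following PowerShell is an added example, not Vonahi's code, for a single Windows host: it reports whether LLMNR, mDNS and NetBIOS name resolution are off and whether DHCPv6 is blocked, and with -Apply sets the hardened values. It assumes an elevated session and that IPv6 addressing on the network does not rely on DHCPv6; blocking the host-firewall DHCPv6 rules is this example's lower-impact alternative to unbinding IPv6, which the text warns can disrupt services. Group Policy is the right tool for fleet-wide rollout; this is for lab images, jump hosts, and confirming that a policy actually landed.

```powershell
# Added example, not Vonahi's code. Audit (default) or harden (-Apply) one Windows host
# against mDNS, NBNS, LLMNR and rogue-DHCPv6 poisoning. Run in an elevated session.
[CmdletBinding()]
param([switch]$Apply)

function Test-RegistryValue {
    param([string]$Name, [string]$Path, [string]$Value, [int]$Want)
    if ($Apply) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Value -Value $Want -Type DWord
    }
    $cur = (Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue).$Value
    [pscustomobject]@{
        Control = $Name
        State   = if ($cur -eq $Want) { 'hardened' } else { 'EXPOSED' }
        Detail  = "$Value=$(if ($null -eq $cur) { 'unset' } else { $cur })"
    }
}

# LLMNR: the same value the GPO "Turn off Multicast Name Resolution" writes.
Test-RegistryValue -Name LLMNR -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -Value EnableMulticast -Want 0

# mDNS: current Windows 10/11 builds answer .local queries themselves; EnableMDNS=0 stops that.
Test-RegistryValue -Name mDNS -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' `
    -Value EnableMDNS -Want 0

# NBNS: NetBIOS over TCP/IP is configured per interface. NetbiosOptions 2 = disabled
# (0 = take the DHCP option, 1 = enabled). Takes effect after a reboot.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifRoot) {
    Test-RegistryValue -Name "NBNS $($iface.PSChildName)" -Path $iface.PSPath `
        -Value NetbiosOptions -Want 2
}

# Rogue DHCPv6: instead of unbinding IPv6 (Disable-NetAdapterBinding -ComponentID ms_tcpip6),
# block the built-in "Core Networking ... (DHCPV6-In/Out)" rules so a rogue server on the LAN
# cannot push a DNS server. Assumption of this example: IPv6 addressing here does not depend on
# DHCPv6 (SLAAC, or no IPv6 in use); if it does, this breaks IPv6 addressing.
if ($Apply) {
    Get-NetFirewallRule -DisplayName '*DHCPV6*' | Set-NetFirewallRule -Enabled True -Action Block
}
$dhcpv6 = @(Get-NetFirewallRule -DisplayName '*DHCPV6*')
$open   = @($dhcpv6 | Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.Action)" -ne 'Block' })
[pscustomobject]@{
    Control = 'DHCPv6'
    State   = if ($dhcpv6.Count -gt 0 -and $open.Count -eq 0) { 'hardened' } else { 'EXPOSED' }
    Detail  = ($dhcpv6 | ForEach-Object { "$($_.DisplayName): $($_.Enabled)/$($_.Action)" }) -join '; '
}
```

Save it as, for example, Test-NameResolution.ps1 and run `.\Test-NameResolution.ps1 | Format-Table -AutoSize` for the audit, then `-Apply` to set the values. Any line still reading EXPOSED after a reboot means a GPO or a DHCP option is overriding the local setting, which is itself a finding worth chasing.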

5. Outdated Microsoft Windows Systems

An outdated Microsoft Windows system no longer receives security updates, so every vulnerability published after its end of support stays open. That makes it an easy target, and a foothold from which an attacker can pivot to other systems and resources on the network.

Recommendations:

Replace outdated versions of Microsoft Windows with operating systems that are up-to-date and supported by the manufacturer.

6. IPMI Authentication Bypass

Intelligent Platform Management Interface (IPMI) lets administrators manage servers out of band. The IPMI 2.0 authentication handshake (RAKP) returns a salted hash of a user's password to any client that asks for that username, before the client has authenticated. If the password is default or weak, the hash cracks quickly and the attacker gains remote management access.

Recommendations:

Since this is a weakness in the protocol design rather than a bug with a patch, perform one or more of the following:
  • Restrict IPMI access to the limited set of systems that need it for administration, ideally on a dedicated management network.
  • Disable the IPMI service if it is not required for business operations.
  • Change the default administrator password to a strong, unique one.
  • Use only secure protocols, such as HTTPS and SSH, on the management interface to limit an attacker's chance of capturing the password in a man-in-the-middle attack.

7. Microsoft Windows RCE (BlueKeep)

Systems vulnerable to CVE-2019-0708 (BlueKeep), a pre-authentication remote code execution flaw in Remote Desktop Services, were identified during testing. Public tools and exploit code make it highly exploitable, allowing attackers to take full control of affected systems.

Recommendations:

It is recommended to apply security updates on the affected system. Furthermore, the organization should evaluate its patch management program to determine the reason for the lack of security updates. As this vulnerability is commonly exploited and could result in significant access, it should be remediated immediately.

8. Local Administrator Password Reuse

During the internal penetration test, many systems were found to share the same local administrator password. Compromising one local administrator account provided access to multiple systems, significantly increasing the risk of a widespread compromise within the organization.

Recommendations:

Use a solution such as Microsoft Local Administrator Password Solution (LAPS) to give every system a unique, regularly rotated local administrator password.
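Two checks that tell you whether a LAPS rollout has actually eliminated the shared password, as an added PowerShell example that is not Vonahi's code. The first queries Active Directory (it assumes the RSAT ActiveDirectory module, and uses the documented expiration attributes of legacy LAPS, ms-Mcs-AdmPwdExpirationTime, and Windows LAPS, msLAPS-PasswordExpirationTime) for enabled computers that have never had a LAPS password set; those are the hosts most likely still on the build-image password. The second runs on a host and checks that the built-in administrator account, located by its RID 500 rather than its name, had its password set within the rotation window.

```powershell
# Added example, not Vonahi's code. Requires the RSAT ActiveDirectory module for the
# first function; the second uses only the built-in LocalAccounts module.

function Get-LapsCoverage {
    <# Computers with neither LAPS expiration attribute have never had a password
       pushed by LAPS. Expiration times are stored as Windows FILETIME integers. #>
    param([string]$SearchBase)
    $attrs = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime', 'OperatingSystem'
    $query = @{ Filter = 'Enabled -eq $true'; Properties = $attrs }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADComputer @query | ForEach-Object {
        $legacy = $_.'ms-Mcs-AdmPwdExpirationTime'
        $modern = $_.'msLAPS-PasswordExpirationTime'
        $expiry = if ($modern) { $modern } elseif ($legacy) { $legacy } else { $null }
        [pscustomobject]@{
            Name    = $_.Name
            OS      = $_.OperatingSystem
            Managed = [bool]$expiry
            # A Managed host whose Expires date is in the past has a stalled rotation.
            Expires = if ($expiry) { [datetime]::FromFileTime([long]$expiry) } else { $null }
        }
    }
}

function Test-LocalAdminRotation {
    <# On the host itself: the RID-500 account's PasswordLastSet should fall inside the
       LAPS rotation window (30 days by default). Renaming the account does not change
       its RID, so match on the SID suffix rather than on the name "Administrator". #>
    param([int]$MaxAgeDays = 30)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Account         = $admin.Name
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        RotatedRecently = [bool]($admin.PasswordLastSet -and
                                 $admin.PasswordLastSet -gt (Get-Date).AddDays(-$MaxAgeDays))
    }
}

# Usage: unmanaged hosts first (the reuse candidates), then the local spot check.
Get-LapsCoverage | Where-Object { -not $_.Managed } | Format-Table -AutoSize
Test-LocalAdminRotation
```

An unmanaged list that is empty but a local check showing PasswordLastSet years in the past means the policy is present in AD but the client-side extension or the Windows LAPS policy is not active on that host.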

9. Microsoft Windows RCE (EternalBlue)

Systems vulnerable to MS17-010 (EternalBlue), a remote code execution flaw in SMBv1, were identified during testing. Public tools and exploit code make it highly exploitable, allowing attackers to take full control of affected systems.

Recommendations:

It is recommended to apply security updates on the affected system. Furthermore, the organization should evaluate its patch management program to determine the reason for the lack of security updates. As this vulnerability is commonly exploited and could result in significant access, it should be remediated immediately.

10. Dell EMC iDRAC 7/8 CGI Injection (CVE-2018-1207)

Dell EMC iDRAC7 and iDRAC8 firmware before 2.52.52.52 is vulnerable to CVE-2018-1207, a CGI injection issue that lets unauthenticated attackers execute commands with root privileges and take complete control of the iDRAC.

Recommendations:

Upgrade the iDRAC firmware to the latest available version, and keep management interfaces off networks reachable by untrusted users.

Source: Vonahi Security

3. Apple makes a password manager play in a heavily targeted market

Apple launched its own password manager at WWDC, the Passwords app, a competitor to LastPass and 1Password. It ships with iOS 18, iPadOS 18 and macOS Sequoia, and stored credentials are also accessible on Windows through the iCloud for Windows app.

The app manages multiple logins and helps protect online accounts.

With a basic, user-friendly layout, Apple hopes the app will make password management convenient even for users who have never used a password manager before.

The app lets users view saved passwords, passkeys, verification codes and saved Wi-Fi passwords. It also alerts users when a saved password has appeared in a known data leak.


4. New Linux malware is controlled through emojis sent from Discord

DISGOMOJI is a Linux malware that uses a Discord server as its command-and-control channel: the operator issues commands by posting emojis in the channel.

The attackers distribute the malware through phishing emails. Once running, it downloads additional payloads, collects system information, and polls the Discord channel for emoji commands.

The malware persists on the Linux device with an @reboot cron entry, which runs it at every boot.

The campaign targeted Indian government agencies and is believed to be the work of Pakistan-based threat actors seeking credentials.

The emojis used as commands on a compromised device:

1. Man-running emoji - runs a command on the device. It takes one argument: the command to execute.

2. Camera with flash emoji - takes a screenshot and uploads it to the C2 server.

3. Index finger pointing up emoji - uploads a file from the attacker to the victim's device.

4. Backhand index pointing left emoji - uploads a file from the victim's device to a remote file-sharing service (transfer.sh).

5. Backhand index pointing down emoji - collects files from the victim's device and uploads them to the command channel as attachments.

6. Backhand index pointing right emoji - uploads a file from the victim's device to a remote file storage service (Oshi).

7. Fire emoji - finds and sends all files on the victim's device that match a pre-defined extension list.

8. Fox emoji - zips all Firefox profiles on the device for the attacker to retrieve later.

9. Skull emoji - ends the session.

Source: bleepingcomputer.com

5. How Hackers bypass 2FA with OTP bots

Is two-factor authentication now useless? Not quite, but attackers are bypassing it with OTP bots: automated callers built to steal one-time passwords (OTPs). The bot phones the target and uses social engineering to persuade them to hand over the code. The weakness is a code that a human can read out; a hardware security key or passkey gives the victim nothing to recite.

Here is how the bots work:

- Having already obtained the victim's login credentials, the scammer logs into the victim's account and is prompted for an OTP.
- The victim receives the OTP on their phone.
- The OTP bot calls the victim and, using a pre-recorded social engineering script, asks them to enter the code they just received.
- The unsuspecting victim keys in the code on their phone during the call.
- The code is relayed to the attacker's Telegram bot.
- The scammer completes the login and gains access to the victim's account.
