Malicious Microsoft OneNote Files

Summary: Attackers have begun using OneNote files to infect victims with malware, sidestepping Microsoft’s Mark-of-the-Web flag and the default blocking of macros in Office files received by email. For a long time, threat actors have used macro-enabled Microsoft Office files, particularly Word and Excel, to spread malware on a system. The ability of macros to run automatically when the file is opened allows malware to spread quickly across a system or network. Microsoft has since disabled the ability of macros to run automatically upon opening.

OneNote files are rapidly taking the place of the Word and Excel files that have been the predominant hosts of macros for the last several years. Rather than hosting macros in the files, threat actors build templates that hide embedded files underneath buttons the user is instructed to click. The embedded files are usually Visual Basic or PowerShell scripts that download malware, including Remote Access Trojans, which can then infect a system or network. Normally OneNote stops these files from running silently by showing the user a warning; however, a user can still click “continue” and allow the malicious file to run.

Why it matters: Phishing is still one of the most common attack methods used by threat actors. Malicious attachments are a standard topic in cybersecurity awareness training, but familiarity with one malicious file type should not leave people blind to others. OneNote files may be less widely used than Excel and Word files, but they are delivered to victims the same way as traditional phishing attachments. Fortunately, it is possible to block the “.one” file extension and to disable embedded files in OneNote through group policy; these policies help prevent users from accidentally or unknowingly opening malicious files.
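As an added defender-side example (not code from the article or from any vendor it names), the Python script below scans the bytes of a .one file for the FileDataStoreObject records that hold embedded files and flags payloads that look like executables, Office containers, or scripts. It assumes the MS-ONESTORE layout of those records (header GUID, 8-byte length, 4 unused and 8 reserved bytes, then the data, then a footer GUID); the sample blob and the name `extract_embedded` are constructed for this example.

```python
import struct
import uuid
from collections import namedtuple

# GUIDs that bracket a FileDataStoreObject (assumption: MS-ONESTORE layout; on disk as little-endian GUIDs).
HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Magic bytes a defender wants flagged when found inside a OneNote embed.
RISKY_MAGIC = {
    b"MZ": "PE executable (exe/dll/scr)",
    b"\xd0\xcf\x11\xe0": "OLE2 document (may carry macros)",
    b"PK\x03\x04": "ZIP container (docm/xlsm/jar)",
}
# Lower-case tokens that suggest a text payload is a script rather than a document.
SCRIPT_HINTS = (b"wscript", b"cscript", b"powershell", b"cmd /c", b"invoke-")
# offset: where the payload starts; size: declared cbLength; verdict: classification.
Embedded = namedtuple("Embedded", "offset size verdict")

def classify(payload: bytes) -> str:
    """Cheap content check: magic bytes first, then script keywords."""
    for magic, label in RISKY_MAGIC.items():
        if payload.startswith(magic):
            return "risky: " + label
    head = payload[:4096].lower()
    if any(hint in head for hint in SCRIPT_HINTS):
        return "risky: script-like text (vbs/bat/ps1)"
    return "unknown"

def extract_embedded(blob: bytes) -> list:
    """Walk every FileDataStoreObject in a .one blob and classify its data."""
    found, pos = [], blob.find(HEADER_GUID)
    while pos != -1 and pos + 36 <= len(blob):
        # After the 16-byte GUID: cbLength (u64), unused (u32), reserved (u64).
        size, _unused, _reserved = struct.unpack_from("<QIQ", blob, pos + 16)
        start = pos + 36
        size = min(size, len(blob) - start)  # tolerate a truncated file
        found.append(Embedded(start, size, classify(blob[start:start + size])))
        pos = blob.find(HEADER_GUID, start + size)
    return found

def _record(data: bytes) -> bytes:  # builds one record around data (constructed sample helper)
    return HEADER_GUID + struct.pack("<QIQ", len(data), 0, 0) + data + FOOTER_GUID

# Constructed stand-in for a .one file: one PE, one VBScript, one harmless PNG.
SAMPLE_ONE = (b"\x00" * 32 + _record(b"MZ\x90\x00\x03not a real exe")
              + _record(b'WScript.Echo "constructed sample"')
              + _record(b"\x89PNG\r\n\x1a\n"))
```

To triage a real attachment, pass its bytes to `extract_embedded` and alert on any record whose verdict starts with "risky".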

3CX Supply Chain Attack

Summary: Threat actors have successfully performed a supply chain attack on the 3CX desktop app to target the company’s customers. 3CX is the company behind the “3CX Phone System” desktop app, which is used by over 600,000 companies. The attack, attributed to the suspected North Korean group Labyrinth Chollima, affects both Windows and macOS systems and uses digitally signed malicious applications, including signed .msi files, to convince users that they are safe to download.

The attack begins when a victim downloads the program or updates an existing installation. During that process, malicious DLL files are downloaded onto the victim’s machine, where they can harvest system and browser credentials. The most common post-exploitation activity observed was the spawning of an interactive command shell. Connections and activity traced to these attacks show that infected devices attempt to reach a large adversary infrastructure that has been active since February 2022.

Why it matters: Digitally signing applications is normally a way to help users verify that downloaded applications and programs are legitimate and safe. A supply chain attack such as the one on 3CX undermines the trust that digital signatures are meant to provide. Although the desktop application has no fix as of the time of this writing, users can uninstall the program and use the Progressive Web Application for the time being. A fix is planned, but following this advice in the meantime protects the safety and security of customers and their data.


Exynos Modem Vulnerabilities

Summary: Google’s Project Zero announced on March 16, 2023 that it had discovered eighteen 0-day vulnerabilities in Samsung Exynos modems. Four of them allow an attacker to compromise a user’s phone knowing only the victim’s phone number. Project Zero believes that the vulnerable devices are:

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
  • The Pixel 6 and Pixel 7 series of devices from Google; and
  • Any vehicles that use the Exynos Auto T5123 chipset.

Google normally follows a 90-day policy before publicly disclosing vulnerabilities, to give the affected companies time to remediate the issues. The blog states: “Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for internet-to-baseband remote code execution.” Patch timelines will vary by manufacturer. In the meantime, Project Zero recommends that affected users turn off Wi-Fi calling and Voice-over-LTE and update their devices as soon as possible.

Why it matters: Because the vulnerabilities lie in the modem hardware, they affect phones from multiple manufacturers. More importantly, Samsung and Google are the 2nd and 4th largest phone manufacturers in the USA respectively, and the affected devices span a wide price range, so these vulnerabilities likely affect a significant share of the population. Given that phones hold personal data for many people, a remote compromise can have a great effect on user privacy and security. Although patches for the Pixel 6 and 7 have been rolled out, the other devices have not yet been patched at the time of writing. These vulnerabilities are a reminder for users to update their phones and to follow Project Zero’s suggestions while waiting for patches to be released.

BlackLotus bootkit bypasses UEFI Secure Boot on patched Windows 11

Summary: BlackLotus is the first malware seen actively bypassing Windows’ UEFI Secure Boot mechanism, which allows it to disable security protections built into the operating system. The Unified Extensible Firmware Interface (UEFI) is the firmware layer that connects the operating system with the hardware it runs on. The malware can impair BitLocker’s data protection features, disable Microsoft Defender, and turn off Hypervisor-protected Code Integrity (HVCI), also known as the Memory Integrity feature, which protects against attempts to exploit the Windows kernel.

The malware needs only 80 KB of storage space to run, and a license from its developers costs just $5,000 USD. It works by leveraging a vulnerability identified in June 2022 as CVE-2022-21894. Security researchers from ESET confirmed that the malware performs exactly as its publisher claims: it bypasses Secure Boot, which lets it persist on a system indefinitely because it is installed in a location that antivirus software cannot scan.

Why it matters: On machines with UEFI Secure Boot enabled, persistence is achieved after an initial reboot by exploiting CVE-2022-21894 and enrolling the attacker’s Machine Owner Key (MOK). After a further reboot the self-signed UEFI bootkit is launched, and the malicious kernel driver and HTTP downloader are deployed to complete the malware installation. The proof of concept has been publicly available since August 2022, with no details from Microsoft on when this vulnerability will be patched.


Security Defects in TPM 2.0 Spec Raise Alarm

Summary: The vulnerabilities, tracked as CVE-2023-1017 and CVE-2023-1018, give an authenticated, local attacker a way to overwrite protected data in the Trusted Platform Module (TPM) firmware and launch code-execution attacks. The first, as identified by CERT, is an out-of-bounds write in the TPM 2.0 Module Library that allows 2 bytes of data to be written past the end of a TPM 2.0 command in the CryptParameterDecryption routine. Successful exploitation can lead to denial of service (crashing the TPM chip or process, or rendering it unusable) and/or arbitrary code execution in the TPM context.

Both vulnerabilities stem from out-of-bounds memory access in the TPM 2.0 Module Library. CVE-2023-1017 is an out-of-bounds write (which can cause a denial of service or execute arbitrary code), while CVE-2023-1018 is an out-of-bounds read (which can expose sensitive data stored in the TPM).

Why it matters: TPM is a hardware-based solution (i.e., a crypto-processor) designed to provide secure cryptographic functions and physical mechanisms that resist tampering. “The most common TPM functions are used for system integrity measurements and for key creation and use,” Microsoft says in its documentation. “During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM.” Users should apply the current TPM 2.0 patches to all affected systems.

Security Tip of the Month – Avoid Useless Downloads

Summary: Downloads are among the top ways that malicious actors gain access to computers, phones, and networks. It’s always a good idea to ask yourself “Do I really need this?” before clicking the download button. It’s also important to read each screen when installing new software, as attackers try to hide their malicious code in free downloads or as part of a bundle. Obtain software from a reputable source, such as the software owner’s site or a company repository, and never click links in suspicious emails. If necessary, type the URL of a trusted site directly into your browser to avoid deceptive links.

Web browsers typically come with built-in checks for some malicious pages, and it’s important to heed those warnings. Be wary of pop-up ads as well, since malicious actors use fake “warnings” about system performance to entice users into downloading malicious applications. Be cautious about plugging unknown USB devices into computers, too: they are an easy way for adversaries to deliver malware, and that malware can often slip past antivirus because removable media is typically only scanned when the user requests it.

Why it matters: Useless downloads do more than take up storage space on devices; they are also one of the biggest ways that malicious actors gain access to them. Good cyber security means being skeptical of anything being downloaded and cautious about where those downloads come from. Users are one layer of the onion that makes up defense in depth, and each layer is just as important as the others. Users who understand what they are doing and how their actions affect the security of their systems, combined with up-to-date AV and firewall protections, are good defenses against adversaries trying to steal data and resources from computing devices and networks.
