Threat Actors Adapt to New Changes

Summary: Microsoft has begun to block XL4 (Excel 4.0) macros and VBA macros for Office users. Threat actors routinely use macros to infect the systems of users they target. Microsoft’s decision to disable the macros was initially made to keep users from falling prey to phishing attempts. According to Proofpoint, the change has since been shown to have effectively dropped the use of macros as a method of attack by 66%.

The change by Microsoft has also changed what threat actors deliver. An increase in “.iso”, “.rar”, “.zip”, and “.img” file types has been observed in phishing attempts that bypass the macro block. Normally, Windows marks files that come from the web with a Mark-of-the-Web “Zone.Identifier” stream, and Office checks that mark before allowing macros to run. Attackers bypass the check by using container files: the container carries the identifier, but the macro-enabled files extracted from it do not.
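The following Python snippet is an added example, not code from the original article. It parses the Zone.Identifier stream format and emulates the defensive rule of propagating a container’s mark to every file extracted from it, so that an unmarked macro file inside a marked archive is still treated as coming from the Internet zone. The archive contents and stream text are constructed sample data; the zone numbers follow the Windows security zone numbering (3 = Internet, 4 = Restricted).

```python
"""Parse Mark-of-the-Web (Zone.Identifier) streams and propagate a
container's mark to the files extracted from it (defensive emulation)."""
import configparser
import io
import zipfile

# Windows URL security zone numbering used in the ZoneId field.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample: the stream body Windows writes for a web download.
SAMPLE_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"


def parse_zone_identifier(stream_text):
    """Return the ZoneId from a Zone.Identifier stream body, or None if absent or malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream_text)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def is_untrusted_zone(zone_id):
    """Office's macro block applies to files marked as Internet (3) or Restricted (4)."""
    return zone_id in (3, 4)


def effective_zone(member_motw, container_motw):
    """A member with no mark of its own inherits the zone of the container it came from."""
    zone = parse_zone_identifier(member_motw) if member_motw else None
    return zone if zone is not None else parse_zone_identifier(container_motw)


def propagate_motw(container_motw, archive_bytes):
    """Map each archive member to the Zone.Identifier body it should carry after extraction."""
    marks = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entries carry no mark
            zone = effective_zone(None, container_motw)  # zip members have no ADS of their own
            marks[name] = None if zone is None else f"[ZoneTransfer]\r\nZoneId={zone}\r\n"
    return marks


def build_sample_archive():
    """Constructed in-memory .zip standing in for a downloaded container file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xlsm", b"not a real workbook")
        zf.writestr("notes/readme.txt", b"plain text")
    return buf.getvalue()
```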

Why it matters: Phishing is one of the most common attacks used by malicious actors. Similarly, Microsoft Office documents are file formats that are commonly transmitted through email. The proliferation of macro-based attacks through email has been a regular form of attack by malicious actors. These attacks are commonly involved in breaches, which can cost companies plenty of money. Blocking macro scripts from running has removed the most common delivery method for malicious attacks. However, it has only delayed threat actors as they find new ways to circumvent the newly added protections, as they have with container files. It is important to note that since macros no longer run automatically by default, a user would have to actively enable the file or change host settings to run the malicious macro.

Popular Phishing Sites Favorite Brand

Summary: An increase in phishing attacks has been detected within the past year, according to researchers at Vade. The research shows that attackers have preferred brands to impersonate for credential harvesting. These attacks are normally delivered through fake messages, which are commonly used to convince the targeted users to click on malicious links that lead to phishing sites.

The study by Vade shows that attackers prefer Microsoft and Facebook as the two most impersonated brands. These two companies are commonly chosen because of the size of their user bases, which gives phishers a large set of data and targets; however, the number one industry for phishers is banking, which can provide attackers direct access to finances.

Why it matters: Phishing is one of the most common forms of social engineering and one of the most important because of its target. Rather than targeting systems, phishing targets the users. The leakage of personal credentials to malicious actors can give those actors access to the users’ accounts, whether personal or business. It is further evidence of the importance of training users to detect phishing attacks, to avoid clicking on links, and to identify phishing websites.

Windows 11 New Ransomware Countermeasures

Summary: Windows 11 is the new version of Windows that is intended to replace the current Windows 10 system. This replacement follows Windows’ history of major versions, each coming with major improvements and changes to the user experience and system performance. More importantly, each version addresses security concerns that previous versions had.

Ransomware has been a growing concern over recent years given the extortion capabilities it possesses. To combat this, Windows 11 has improved its built-in Windows Defender by strengthening the program’s ability to identify and intercept ransomware and other advanced attacks.

Why it matters: Windows is the dominant operating system in the world, accounting for over 70% of all computers. It is used for both personal and business purposes. Due to the sheer volume of users, Windows users are more likely to be affected by attacks. The danger ransomware produces is that it separates the file owner(s) from their files. Doing so can come at great personal cost to the user or the affected company: it can affect the daily lives of users and disrupt the business operations of a company. Unlike most malware attacks, ransomware extorts money from its targets and is thus a direct financial threat to a company. Microsoft’s announcement did not provide any more information on how the update works; however, the announcement is a strong indicator of the company’s security strategy and a strong incentive for users to upgrade their systems to the new version of Windows.

Slack Exposes Hashed Passwords

Summary: The popular messaging service Slack has been exposing hashed passwords of Slack users. Hashed passwords are not the cleartext passwords that people type daily. Instead, they are the output of a mathematical function applied to the password, which is recomputed and compared during login. This means that although the passwords themselves are not exposed, attackers could attempt to recover the passwords from the hashes by computing candidate hashes offline.

The exposure occurred when users created or revoked a shared invite link. During the link creation event, the link creator’s hashed password was also transmitted to members of the workspace. This exposure had been active since April 17, 2017 and lasted until its discovery on July 17, 2022. Slack issued a password reset to all affected users, approximately 0.5% of Slack users. Slack also recommends that all users, including those who were not affected, turn on two-factor authentication to further secure their accounts.

Why it matters: Slack is a widely used messaging app across many companies. Shared Invite Links are commonly used to invite users to join workspaces. The use of Slack in work environments has been growing since its public launch in 2014. Slack’s integration into business communications has put at risk the security of the accounts in charge of creating the links. Although no exploitation of this vulnerability has been reported, it nevertheless highlights the importance of turning on multifactor authentication to further secure user accounts.

Critical Realtek Vulnerability Affecting Millions of Devices

Summary: During the DEF CON 2022 conference, two researchers from Faraday Security disclosed and demonstrated a proof-of-concept exploit for a vulnerability found in Realtek’s RTL819x chip family. This Realtek chip is used in millions of networking devices; therefore, devices like routers, switches, repeaters, and access points are all left vulnerable to potential exploitation. The vulnerability can be exploited silently without any user interaction, making it difficult to detect.

The vulnerability, tracked as CVE-2022-27255, lies within Realtek’s software development kit (SDK) for the eCos operating system. The proof-of-concept, demonstrated by the researchers on a Nexxt Nebula 300 Plus router, shows how a remote attacker could exploit the vulnerability to execute code, crash devices, establish backdoors, and reroute and intercept network traffic.

On March 25th, 2022, the vulnerability was first disclosed by Realtek in a vulnerability report that listed the SDK versions rtl819x-eCos-v0.x Series and rtl819x-eCos-v1.x Series as affected. Realtek also released the patch “20220314_ecos_fix_crash_caused_by_vulnerability_of_sip_alg.rar” in response to the vulnerability. Despite the patch, researchers such as Johannes Ullrich, Dean of Research at SANS, say the vulnerability may still affect millions of devices because vendors are still shipping the vulnerable SDK.

Why it matters: The Realtek vulnerability potentially affects millions of devices, since the Realtek SDK is used by several different network device manufacturers. Tracking CVE-2022-27255 and installing the patch provided by Realtek may help better secure these devices; however, as mentioned, some vendors are still using the vulnerable SDK and have not released a firmware update for their devices. Until all vendors release the appropriate firmware updates with the patched SDK, it is important to monitor the vulnerable devices.

Security Tip of the Month

Summary: When it comes to security, human error is one of the weakest links in the chain. Attackers use all sorts of deceptive tactics to trick users into allowing them to perform malicious actions. This is often referred to as social engineering, which attackers carry out through methods such as phishing and watering hole attacks.

A watering hole attack is an attack in which the attacker sets up or compromises a website that attracts a specific group of users in order to gain access to their credentials. This attack is carried out in one of two ways:

  1. A website is created on a topic that attracts the attention of certain users. The website prompts the user to create an account with a username and password, in the hope that the user reuses credentials.
  2. An existing website is compromised; users visiting the website are then redirected to a malicious web page and prompted to log in, or malware is downloaded.

Attackers carrying out such attacks may use similar tactics in phishing emails, online advertisements, and social media websites. The following red flags can help in identifying a watering hole attack:

  • Emails from senders impersonating a trusted site
  • Frequent pop-up advertisements
  • Requests to download applications when visiting a website
  • Changes to browser settings

A recent example of a watering hole attack happened in 2021, when the Johns Hopkins Center for Systems Science and Engineering’s “Live Coronavirus Data Map” was used to infect users visiting the site with malware.

Why it matters: Understanding what a watering hole attack is constitutes an important step in protecting against credential compromise and malware infection. By being wary of which credentials are shared with which website, and by following safe web browsing and password practices, watering hole attacks can be prevented.