Empower Your Security Operations Team to Combat Emerging Threats

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent in other malware prevention solutions is imperative.

DARKReading

The implementation of defense-in-depth architectures and operating system hardening technologies has altered the threat landscape. Historically, zero-click, singular vulnerabilities were commonly discovered and exploited. The modern-day defensive posture requires attackers to successfully chain together multiple exploit techniques to gain control of a target system. The increased utilization of dynamic analysis systems has driven attackers to evade detection by requiring input or action from the user. Sometimes, the victim must perform several manual steps before the underlying payload is activated. Otherwise, it remains dormant and undetectable through behavioral analysis.

It is well known that client-side attacks are the predominant vector for initial access. Web browser and email-based malware campaigns target users through phishing, social engineering, and exploitation. Productivity and business tools from vendors like Adobe and Microsoft are widespread and provide attackers with many options. The combination of a lack of security awareness training and well-developed social engineering tactics frequently results in users permitting the execution of malicious embedded logic like weaponized macros or other scripts. Analysis of these common malware carriers is time-consuming and tedious, and it requires expert skills. To adequately prevent, detect, and respond to these threats, an organization must throw everything at the problem and augment this previously human-intensive process.

Deep File Inspection (DFI) is one approach to ease the burden associated with continuous security monitoring. DFI is a static-analysis engine that inspects beyond Layer 7 of the OSI model, essentially automating the work of your typical SOC analyst or security researcher. Regardless of the complexity of evasive techniques a threat actor utilizes, DFI dissects malicious carriers to expose embedded logic, semantic context, and metadata. Coercive graphical lures are extracted and processed through a machine vision layer, adding to the semantic context of the original file. Commonly used obfuscation methods and encoding mechanisms are automatically discovered and deciphered.

A public concern that SOC analysts, IR teams, and security researchers encounter is the limited availability of context for detection analytics. In the case of intrusion prevention systems, resources are limited to microseconds of time and kilobytes of analyzable data. Intrusion detection systems can typically dig deeper, taking additional milliseconds to expose further data.

Regarding the time-analysis trade-off, the next step up is behavioral monitoring or sandboxed execution. This class of solutions detonates samples in a virtualized environment and annotates the system’s behavior for threat detection; this process is both compute- and time-intensive, taking minutes to analyze each file. There is a middle ground where a few additional seconds can provide previously unseen detection opportunities.

Use Case: Qbot Malware Delivered via Follina and Malspam

An example of an evasive threat is the recent TA570 campaigns that delivered Qbot malware with thread-hijacked emails. This wave of malspam utilized two different methods to deliver the payload. The first method used a shortcut LNK to run a DLL with the hidden attribute. The second method used a Word document with the Follina (CVE-2022-30190) exploit.

Figure 2. Recent Qbot threat sequence. Source: InQuest

The attached HTML file contains an antiquated JS function to convert the embedded base64 string into a zip archive and prompt the victim to download it. When extracted, the zip file contains a disk image that, once mounted, shows either a shortcut or the shortcut and a Word document. The shortcut will execute the Qbot DLL within the directory with the hidden attribute set. At the same time, the Word file will attempt to exploit the MSDT vulnerability and download the payload from a remote server.

It is challenging for many solutions to carve the zip archive from the encoded HTML, extract the IMG file, and identify the weaponized contents. In this example, multiple threat signatures are seen, ranging from ambiguities within the SMTP headers down to the hidden DLL or Follina document.

Figure 3. Variety of signature alerts. Source: InQuest
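
The carving step described above can be sketched as follows. This is an added example, not InQuest's DFI engine or code from the article: it finds long base64 runs in an HTML attachment, decodes them, checks for the zip magic, and flags archives that contain a mountable disk image. The function names, the 200-character threshold, the extension list, and the sample attachment are all assumptions made for illustration, and the sketch assumes the blob sits in the HTML as one contiguous string.

```python
import base64
import io
import re
import zipfile

# Extensions of mountable disk images; the article's chain uses an IMG file.
DISK_IMAGE_EXTS = (".img", ".iso", ".vhd", ".vhdx")
# Long base64 runs; the 200-character floor is an assumed tuning value.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def carve_zips(html: str):
    """Yield a ZipFile for every base64 run in html that decodes to a zip."""
    for match in B64_RUN.finditer(html):
        blob = match.group(0)
        blob = blob[: len(blob) - len(blob) % 4]  # trim to a decodable length
        try:
            raw = base64.b64decode(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw[:4] != b"PK\x03\x04":  # zip local file header magic
            continue
        try:
            yield zipfile.ZipFile(io.BytesIO(raw))
        except zipfile.BadZipFile:
            continue


def inspect_html(html: str):
    """Return one finding per carved archive: entry names and disk-image hits."""
    findings = []
    for archive in carve_zips(html):
        names = archive.namelist()
        images = [n for n in names if n.lower().endswith(DISK_IMAGE_EXTS)]
        findings.append({"entries": names, "disk_images": images,
                         "suspicious": bool(images)})
    return findings


def build_sample_html() -> str:
    """Constructed, harmless sample: a zip holding a dummy 'invoice.img'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.img", b"\x00" * 256)  # placeholder bytes only
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f'<html><body><script>var data = "{b64}";</script></body></html>'


if __name__ == "__main__":
    for finding in inspect_html(build_sample_html()):
        print(finding)
```

A production pipeline would go on to parse the carved disk image itself and inspect the LNK and document inside it; this sketch stops at the archive listing.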

Another interesting approach for detection is the concept of retrospective analysis or RetroHunting. While DFI creates a new dimension of data, RetroHunting provides a new dimension of time for analyzing historical events. The appearance of Follina and other zero-day vulnerabilities illustrates the usefulness of this capability by facilitating the detection of previously unseen alerts with emerging threat intelligence and detection logic.

In addition to a library of predeveloped signatures, analysts can develop user-defined YARA rules to combine strings, byte patterns, and regular expressions via flexible conditional logic.

When novel attack techniques are encountered in the wild, security leaders must empower their detection operations and overcome the limitations inherent in other malware prevention solutions. A free resource to test the efficacy of a mail provider’s security controls is the Email Security Assessment.

About the Author

Josiah Smith has almost a decade of experience in the realm of security. Before becoming a threat engineer, Josiah worked as a cyber operator, overseeing signature management and host-based detection programs. He spent several years in a room without windows, focusing on network detection, threat hunting, and IR investigations. He began his career as a member of the US Air Force, and most of his experience is with the DoD.
