The "ProxyNotShell" security vulnerabilities can be chained for remote code execution and total takeover of corporate email platforms.

Microsoft is fast-tracking patches for two Exchange Server zero-day vulnerabilities reported overnight, but in the meantime, businesses should be on the lookout for attacks. The computing giant said in a Friday update that it's already seeing "limited targeted attacks" chaining the bugs together for initial access and takeover of the email system.

The flaws specifically affect on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 that face the Internet, according to Microsoft. However, it's worth noting that security researcher Kevin Beaumont says that Microsoft Exchange Online Customers running Exchange hybrid servers with Outlook Web Access (OWA) are also at risk, despite the official advisory stating that Online instances aren't impacted. The team at Rapid7 echoed that assessment.

The bugs are tracked as follows:

*   CVE-2022-41040 (CVSS 8.8), a server-side request forgery (SSRF) vulnerability giving access to any mailbox in Exchange;
*   CVE-2022-41082 (CVSS 6.3), which allows authenticated remote code execution (RCE) when PowerShell is accessible to the attacker.

Importantly, authenticated access to the Exchange Server is necessary for exploitation, Microsoft's alert pointed out. Beaumont added, "Please note exploitation needs valid non-admin credentials for any email user."

**Patches & Mitigations for CVE-2022-41040, CVE-2022-41082**

So far, there's no patch available, but Microsoft has triaged the bugs and is fast-tracking a fix.

"We are working on an accelerated timeline to release a fix," according to Microsoft's Friday advisory. "Until then, we're providing the mitigations and detections guidance."

The mitigations include adding a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns; and the company included URL rewrite instructions in the advisory, which it said it "confirmed are successful in breaking current attack chains."

Also, the alert noted that "since authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082, blocking the ports used for Remote PowerShell can limit the attacks."

**Blindsiding-Bug Disclosure**

The flaws were disclosed in a blog post from Vietnamese security company GTSC, which noted that it submitted bug reports to Trend Micro's Zero Day Initiative last month. While typically this would have resulted in a responsible vulnerability disclosure process in which Microsoft would have 120 days to patch before the findings were made public, GTSC decided to publish after seeing in-the-wild attacks, it said.

"After careful testing, we confirmed that those systems were being attacked using this 0-day vulnerability," GTSC researchers noted in its Thursday blog post. "To help the community temporarily stop the attack before an official patch from Microsoft is available, we publish this article aiming to those organizations who are using Microsoft Exchange email system."

It also offered detail analysis of the bug chain, which is similar under the hood to the ProxyShell group of Exchange Server vulnerabilities. This prompted Beaumont (@gossithedog) to dub the chain "ProxyNotShell," complete with its own logo.

He said in his analysis on Friday that while many attributes of the bugs are exactly like ProxyShell, the ProxyShell patches don't fix the issue. He also noted that in terms of attack surface, "near a quarter of a million vulnerable Exchange servers face the internet, give or take."

He characterized the situation as "pretty risky" in a Twitter feed, noting that exploitation seems to have been going on for at least a month, and that now that the flaws are public, things could "go south pretty quickly." He also called into question Microsoft's mitigation guidance.

"My guidance would be to stop representing OWA to the internet until there is a patch, unless you want to go down the mitigation route ... but that has been known about for a year, and, eh — there's other ways to exploit Exchange for RCE without PowerShell," Beaumont tweeted. "For example, if you have SSRF (CVE-2022-41040) you are god in Exchange, and can access any mailbox via EWS — see the prior activity. So, I'm not sure that mitigation will hold."

Microsoft did not immediately respond to a request for comment by Dark Reading.

Microsoft Confirms Pair of Blindsiding Exchange Zero-Days, No Patch Yet

The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way.

_The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way._

FROM THE EDITOR

**Securing your edge infrastructure**

Edge security is becoming increasingly important as more organizations turn to edge computing to benefit from the flexibility of hybrid cloud computing and deliver faster, more reliable services at a lower cost.

When we surveyed IT decision makers in 2021 for our 2022 Global Tech Outlook report about what emerging technologies they were most likely to consider using in the next year, or are currently using, 28% said edge computing (up from 25% in 2020). Furthermore, a July 2022 report from 451 Research reveals that "large organizations will significantly expand edge computing infrastructure in two years."1

In edge computing, an increase in data and processing outside the traditional datacenter creates potential risk to organizations. Reduced physical security, a limited compute footprint, lower cost expectations and remote management are often compounded by a lack of IT personnel. These issues combine to create relaxed standards for security and policy and expand the attack surface.

However, there are ways edge resources can improve security. For example, IDC says "63% of organizations report using edge resources to enhance cybersecurity through monitoring networks." IDC also says "replicating data \[using edge resources\] across multiple locations" can "reduce \[the\] impact of ransomware attacks."2

Red Hat provides trusted open source software that helps organizations implement a layered security approach across infrastructure, the application stack and the life cycle for better security on site, in cloud environments or at edge sites.

In this issue of Red Hat Shares, learn about security considerations for edge implementations, key edge security issues for CIOs, how Red Hat helped a customer reduce its edge deployment time while enhancing its infrastructure security and more. Plus, just for fun, we threw in a video from our "In the Clouds" series about how edge computing is being used to solve problems on the International Space Station.

1.  451 Research. "Security tops the priorities for edge computing infrastructure – Highlights from VotE: Edge Infrastructure & Services," 25 July 2022. 
2.  Huang, Cathy, and Jennifer Cooke. "Securing the Edge: How Edge Is Architected Will Determine How Security Is Designed." IDC, Feb. 2022.

**5 security considerations for edge implementations**

Learn about some of the primary security threats edge deployments face and how Red Hat technologies can help mitigate them.

**Edge computing: 4 key security issues for CIOs to prioritize**

The Enterprisers Project suggests considering the expert advice in this article to address security concerns before implementing an edge computing strategy.

_You may also be interested in "Beat these common edge computing challenges."_

**A deep dive on edge and security**

Global analyst firm Futurum Research addresses common edge computing security challenges, Red Hat’s approach to security at the edge and more.

**Boost security, flexibility, and scale at the edge with Red Hat Enterprise Linux**

Find out how Red Hat Enterprise Linux can help you extend your datacenter capabilities to the edge with confidence.

_You may also be interested in "What’s new in Red Hat Enterprise Linux 9 for edge computing."_

CUSTOMER SPOTLIGHT

**Edge computing flexibility enables critical defense and security advantages**

See how Red Hat helped Mamram―the Israel Defense Forces’ central computing system unit―reduce its edge deployment time from weeks to hours while enhancing its infrastructure security and compliance.

**In the Clouds: Edge Computing in Space**

In this episode of our video series, IBM Distinguished Engineer and CTO Space Tech Naeem Altaf explains how, together with NASA, cloud and edge computing services and technologies are being used to solve problems on the International Space Station.

_You may also be interested in "Edge computing in action: Space."_

**AnsibleFest: Shape the present and future of automation**

Oct. 18-19, 2022

Chicago, Illinois

Get discounted pricing through Oct. 17.

_Did you miss our special July edition recapping Red Hat Summit 2022? Check it out. Or browse all past issues of Red Hat Shares._

_Questions or comments about Red Hat Shares? It’s your turn to share. Email us._

Red Hat Shares ― Edge computing: Security

Plus: Mozilla patches more than a dozen vulnerabilities in Firefox, and enterprise companies Ivanti, Cisco, and SAP roll out a slew of updates to get rid of some high-severity bugs.

August has ended the summer in style with multiple patches issued by Microsoft, Google Chrome, and its competitor Firefox to fix serious issues, some of which are being used in attacks.

While there was no Apple iPhone update at the time of writing, some major enterprise fixes were released during the month. These include patches for exploited flaws in Ivanti products, as well as fixes for vulnerabilities in SAP and Cisco software.

Read on for everything you need to know about the patches issued in August.

Microsoft

Microsoft’s August Patch Tuesday saw the software giant fixing dozens of vulnerabilities, including two already being used in real-world attacks. The first is a Defense in Depth update to CVE-2023-36884, a remote code execution (RCE) flaw in Windows Search that could allow attackers to bypass Microsoft’s Mark of the Web security feature. If it sounds familiar, that’s because Microsoft already fixed the vulnerability in July. But installing the latest update “stops the attack chain” leading to the issue, Microsoft said.

The second flaw, CVE-2023-38180 is an issue in .NET and Visual Studio that could allow an adversary to perform denial of service.

Six of the issues fixed in August’s Patch Tuesday are rated as critical, including CVE-2023-36895—an RCE flaw in the Outlook email client. Meanwhile, CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 are RCE issues in the Microsoft Message Queuing service, according to the Security Update Guide.

The fifth and sixth critical issues fixed by Microsoft in August are CVE-2023-29328 and CVE-2023-29330, both of which are RCE flaws in Teams.

Google Chrome

August kicked off with a slew of updates for Chrome 115 including nine rated as having a high impact. The 17 patches include three type-confusion flaws in V8: CVE-2023-4068, CVE-2023-4069, and CVE-2023-4070. And CVE-2023-4071 is a heap buffer overflow issue in Visuals and CVE-2023-4076 is a use-after-free flaw in WebRTC.

A couple of weeks later, Google issued Chrome 116 to patch 26 vulnerabilities, eight of which are rated as having a high impact. The most serious issues include CVE-2023-2312—a use-after-free bug in Offline—and CVE-2023-4349, a use-after-free flaw in Device Trust Connectors. A third, CVE-2023-4350, is an inappropriate implementation bug in Fullscreen.

Then, on August 23, Google released the first of its more regular weekly security updates, patching five flaws. The four vulnerabilities rated as having a high impact include two use-after-free bugs and two out-of-bounds memory access issues.

Firefox

Google Chrome’s privacy-focused competitor Firefox also had a hectic August, fixing more than a dozen vulnerabilities in Firefox 116. The issues patched by Firefox owner Mozilla include CVE-2023-4045, an issue in Offscreen Canvas rated as high, and CVE-2023-4047, a bug in popup notifications delay calculation that could allow an attacker to trick a user into granting permissions.

The update also patches memory safety bugs tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058. The flaws fixed in the latest update “showed evidence of memory corruption,” Mozilla said. “We presume that with enough effort, some of these could have been exploited to run arbitrary code.”

Google Android

Google has issued 40 updates for its Android operating system including patches for serious flaws in the Framework, System, and Kernel. Tracked as CVE-2023-21273, the most severe bug fixed in August is a critical security vulnerability in the System component that could lead to RCE with no additional execution privileges needed. User interaction is not required for exploitation, Google said in its Android Security Bulletin.

Meanwhile, CVE-2023-21282 is an RCE flaw in the Media Framework also marked as having a critical impact. Another critical issue in the Kernel, tracked as CVE-2023-21264, could lead to local escalation of privilege, although System execution privileges are needed.

Google Fixes Serious Security Flaws in Chrome and Android

Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

Source: Kenishirotie via Alamy Stock Photo

Arguably, no advanced persistent threat (APT) enjoys as much notoriety as Sandworm, otherwise known as Military Unit 74455 within Russia's military intelligence (GRU). Its highlight reel includes NotPetya, an attack against the 2018 Winter Olympics, and two effective assaults on Ukraine's power grid. More recent activities include a campaign against Denmark's energy sector and an unsuccessful attempt to down Ukraine's grid for a third time, followed by a successful attempt.

In a sign of the times, Sandworm has subtly been shifting toward quieter, more widespread intrusions. Microsoft, which tracks the group as "Seashell Blizzard," has identified a subgroup within 74455 focused solely on gaining initial access to high-value organizations across major industries and geographic regions. It calls this subgroup "BadPilot."

**Sandworm's IAB, BadPilot**

Since at least late 2021, BadPilot has been performing opportunistic attacks against Internet-facing infrastructure, taking advantage of known vulnerabilities in popular email and collaboration platforms. Notable examples include Zimbra's CVE-2022-41352, the Microsoft Exchange bug CVE-2021-34473, and CVE-2023-23397 in Microsoft Outlook. All three of these vulnerabilities received "critical" 9.8 out of 10 scores in the Common Vulnerability Scoring System (CVSS).

BadPilot uses these critical vulnerabilities to gain useful initial access to traditionally high-value organizations: telecommunications companies, oil and gas companies, shipping companies, arms manufacturers, and entities of foreign governments. Targets have ranged from Ukraine and broader Europe to Central and South Asia and the Middle East.

Since early 2024, BadPilot has expanded to access targets in the US and UK as well. For this, it has made particular use of bugs in remote monitoring and management software: CVE-2023-48788, for example, a remote injection opportunity in the Fortinet Forticlient Enterprise Management Server (EMS), and the rare 10 out of 10 CVSS-rated CVE-2024-1709, allowing for authentication bypass in ScreenConnect by ConnectWise.

After gaining its foothold on a targeted system, BadPilot follows all the usual steps of any average hacking operation. It promptly establishes persistence using its custom "LocalOlive" Web shell, as well as copies of legitimate remote management and monitoring (RMM) tools, or "ShadowLink," which configures compromised systems as Tor hidden services. It collects credentials, performs lateral movement, exfiltrates data as necessary, and sometimes performs further post-compromise activities.

"There is not a lack of sophistication here, but a focus on agility and obtaining goals," says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. "These TTPs work because this threat actor is persistent and continues pursuing its objectives."

**The Impact in Ukraine**

Ultimately, BadPilot's job is to lubricate more significant attacks by its parent group, and, by extension, empower its controlling government. While a lot of its activity seems opportunistic, Microsoft wrote, "its compromises cumulatively offer Seashell Blizzard options when responding to Russia's evolving strategic objectives."

It may or may not be a coincidence, for example, that the group came into being just months before Russia's invasion of Ukraine. As that war began, and Russia peppered its neighbor with more cyberattacks than ever before, BadPilot was right in the mix, helping gain access to organizations perceived to be providing political or military support to its adversary. Additionally, Microsoft says, the group has enabled at least three destructive attacks in Ukraine since 2023.

Sandworm has targeted critical infrastructure across Ukraine since the war started, including telecommunications infrastructure, manufacturing plants, transportation and logistics, energy, water, military and government organizations, and other infrastructure meant to support the civilian population. It has also targeted military communities for the purpose of intelligence gathering.

"These threat actors are persistent, creative, organized, and well-resourced," DeGrippo emphasizes. For this reason, "Critical sectors need to ensure that they sustain above-average security practices, patch their software, monitor Internet-facing assets, and enhance their overall security posture."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

SmokeLoader malware has resurfaced with enhanced capabilities and functionalities, targeting your personal data.

****SUMMARY****

*   **Targeted Campaign**: SmokeLoader malware attacks Taiwanese industries, including manufacturing, healthcare, and IT.

*   **Phishing Emails**: The campaign uses phishing emails exploiting MS Office vulnerabilities (CVE-2017-0199, CVE-2017-11882).

*   **Credential Theft**: Plugins target browsers, email clients, and FTP software to steal credentials and sensitive data.

*   **Advanced Techniques**: SmokeLoader employs evasion tactics like code obfuscation, anti-debugging, and sandbox evasion.

*   **Preventative Measures**: FortiGuard Labs blocked the malware, offering antivirus signatures and IPS rules for protection.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a series of new malware attacks targeting companies in Taiwan. The attacks, which have been linked to the **SmokeLoader malware**, have impacted industries ranging from manufacturing and healthcare to IT and beyond.

SmokeLoader, known for its ability to deliver other malicious payloads, is taking a more direct role in this campaign, using its own plugins to execute attacks and steal sensitive data.

According to research by FortiGuard Labs, the attacks began with phishing emails containing malicious attachments, which were designed to exploit vulnerabilities in Microsoft Office. These included **CVE-2017-0199**, enabling malicious documents to automatically download and execute harmful payloads, and **CVE-2017-11882**, exploiting a vulnerability in Microsoft Office’s equation editor for remote code execution.

The emails, as per FortiGuard Labs’ **blog post** shared with Hackread.com heard of this publishing on Monday, written in native Taiwanese, were convincing but contained inconsistencies, such as different font and colour schemes, that suggested the text had been copied from elsewhere.

Once the malicious attachment was opened, the SmokeLoader malware was downloaded and executed, allowing it to communicate with its command and control (C2) server. From there, the malware downloaded various plugins, each designed to target specific applications and extract sensitive information.

The plugins used by SmokeLoader were found to target popular web browsers, email clients, and file transfer protocol (FTP) software, including Internet Explorer, Firefox, Chrome, Opera, Outlook, Thunderbird, and FileZilla. The malware was able to extract login credentials, auto-fill data, and even email addresses from these applications.

One of the plugins, known as Plugin 4, was designed to clear cookies from targeted browsers, forcing victims to re-enter their login credentials. Another plugin, Plugin 8, was used to inject keylogging code into explorer.exe, allowing the malware to capture keyboard inputs and clipboard content.

The SmokeLoader malware was also found to use advanced techniques to evade detection, including code obfuscation, anti-debugging, and sandbox evasion. Its modular design allows it to adapt to different attack scenarios, making it a formidable threat to organizations.

The attack flow and phishing emails used in the attack (Via: Fortinet’s FortiGuard Labs)

FortiGuard Labs has detected and blocked the malware, assigning it a severity level of “High.” The company has also provided protections for its customers, including antivirus signatures and IPS rules to detect and prevent malware.

In a comment to Hackread.com, **Casey Ellis**, Founder and Advisor at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity suggests the use of SmokeLoader aligns with a broader global pattern of cyber actors preparing for future attacks by infiltrating systems in advance.

_“_Given the geo-political environment, Taiwan is no stranger to thinking about Advanced Persistent Threats (APTs) and the use of SmokeLoader does seem to follow suit with the general trend of pre-positioning that we have seen in other parts of the world._“_

****What can you do to protect yourself?****

To avoid falling victim to the SmokeLoader malware, it’s important to stay cautious with emails from unknown or suspicious sources. Don’t click on links or download attachments, especially if they prompt you to enable macros or run files.

If you’re unsure about an email, even from a familiar source, check its content carefully. Scan links, files, and attachments using tools like VirusTotal or your system’s security software to ensure they’re safe.

1.  **Fickle Stealer Exploits Software Flaws, Steals Browser Data**
2.  **Malware Exploits Avast Anti-Rootkit Driver to Disable Security**
3.  **Malware Bypasses Microsoft Defender, Steals $24,000 in Crypto**
4.  **SteelFox Malware Posing as Popular Software, Steal Browser Data**
5.  **Facebook Malvertising Attack Spreads Malware via Fake Bitwarden**

SmokeLoader Malware Exploits MS Office Flaws to Steal Browser Credentials

Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script.
"This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis.
The cybersecurity

Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script.

"This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis.

The cybersecurity company is tracking the "crafty" phishing and downloader campaign under the name OneDrive Pastejacking.

The attack unfolds via an email containing an HTML file that, when opened, displays an image simulating a OneDrive page and displays an error message that says: "Failed to connect to the 'OneDrive' cloud service. To fix the error, you need to update the DNS cache manually."

The message also comes with two options, namely "How to fix" and "Details," with the latter directing the email recipient to a legitimate Microsoft Learn page on Troubleshooting DNS.

However, clicking "How to fix" prompts the user to follow a series of steps, which includes pressing "Windows Key + X" to open the Quick Link menu, launching the PowerShell terminal, and pasting a Base64-encoded command to supposedly fix the issue.

"The command \[...\] first runs ipconfig /flushdns, then creates a folder on the C: drive named 'downloads,'" Pena explained. "Subsequently, it downloads an archive file into this location, renames it, extracts its contents ('script.a3x' and 'AutoIt3.exe'), and executes script.a3x using AutoIt3.exe."

The campaign has been observed targeting users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.

The disclosure builds upon similar findings from ReliaQuest, Proofpoint, and McAfee Labs, indicating that phishing attacks employing this technique – also tracked as ClickFix – are becoming increasingly prevalent.

The development comes amid the discovery of a new email-based social engineering campaign distributing bogus Windows shortcut files that lead to the execution of malicious payloads hosted on Discord's Content Delivery Network (CDN) infrastructure.

Phishing campaigns have also been increasingly observed, such as sending Microsoft Office Forms from previously compromised legitimate email accounts to entice targets into divulging their Microsoft 365 login credentials by clicking on a seemingly innocuous link.

"Attackers create legitimate-looking forms on Microsoft Office Forms, embedding malicious links within the forms," Perception Point said. "These forms are then sent to targets en-masse via email under the guise of legitimate requests such as changing passwords or accessing important documents, mimicking trusted platforms and brands like Adobe or Microsoft SharePoint document viewer."

What's more, other attack waves have utilized invoice-themed lures to trick victims to sharing their credentials on phishing pages hosted on Cloudflare R2 that are then exfiltrated to the threat actor via a Telegram bot.

It's no surprise that adversaries are constantly on the lookout for different ways to stealthily smuggle malware past Secure Email Gateways (SEGs) so as to increase the likelihood of success of their attacks.

According to a recent report from Cofense, bad actors are abusing how SEGs scan ZIP archive attachments to deliver the Formbook information stealer by means of DBatLoader (aka ModiLoader and NatsoLoader).

Specifically, this involves passing off the HTML payload as an MPEG file to evade detection by taking advantage of the fact that many common archive extractors and SEGs parse the file header information but ignore the file footer that may contain more accurate information about the file format.

"The threat actors utilized a .ZIP archive attachment and when the SEG scanned the file contents, the archive was detected as containing a .MPEG video file and was not blocked or filtered," the company noted.

"When this attachment was opened with common/popular archive extraction tools such as 7-Zip or Power ISO, it also appeared to contain a .MPEG video file, but it would not play. However, when the archive was opened in an Outlook client or via the Windows Explorer archive manager, the .MPEG file is (correctly) detected as being a .HTML \[file\]."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script

MediaTek microchips, as used in NETGEAR devices through 2021-12-13 and other devices, mishandle attempts at Wi-Fi authentication flooding.

Was this article helpful?   Yes     No | 11 people found this helpful in last 30 days

Associated CVE ID: CVE-2021-41788

First published: 2021-12-13

NETGEAR is aware of industry-wide WiFi authentication flooding security vulnerabilities on products containing MediaTek microchips.

NETGEAR is working with MediaTek and plans to release firmware updates that fix these authentication flooding vulnerabilities for all products that are within the security support period, which we will release as they become available.

**Workarounds**

No workarounds are available for this vulnerability.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. NETGEAR reserves the right to change or update this document at any time. NETGEAR expects to update this document as new information becomes available.

The WiFi authentication flooding vulnerabilities remain if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

**Acknowledgements**

MediaTek

**Common Vulnerability Scoring System**

Rating: Medium

Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

**Best Practices for Updating Firmware**

We recommend that you keep your NETGEAR devices up to date with the latest firmware. Firmware updates contain security fixes, bug fixes, and new features for your NETGEAR products.

If your product is supported by one of our apps, using the app is the easiest way to update your firmware:

*   Orbi products: NETGEAR Orbi app
*   NETGEAR WiFi routers: NETGEAR Nighthawk app
*   Some NETGEAR Business products: NETGEAR Insight app (firmware updates through the app are available only for Insight subscribers)

If your product is not supported by one of our apps, you can always update your firmware manually by following the instructions in your product’s user manual, firmware release notes, or product support page. For more information, see Where can I find information about my NETGEAR product?.

**Contact**

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit https://bugcrowd.com/netgear. 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com. 

For all other issues, visit http://www.netgear.com/about/security/. 

**Revision History**

2021-12-13: Published advisory

Last Updated:12/13/2021 | Article ID: 000064369

**Was this article helpful?**Yes No

**This article applies to:**

How to Find Your Model Number

**Looking for more about your product?**

Get information, documentation, videos and more for your specific product.

**Need to Contact Support?**

With NETGEAR’s round-the-clock premium support, help is just a phone call away.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home Users**

GearHead Support is a technical support service for NETGEAR devices and all other connected devices in your home. Advanced remote support tools are used to fix issues on any of your devices. The service includes support for the following:

*   Desktop and Notebook PCs, Wired and Wireless Routers, Modems, Printers, Scanners, Fax Machines, USB devices and Sound Cards
*   Windows Operating Systems (2000, XP or Vista), MS Word, Excel, PowerPoint, Outlook and Adobe Acrobat
*   Anti-virus and Anti-Spyware: McAfee, Norton, AVG, eTrust and BitDefender

Learn More

**ProSUPPORT Services for Business Users**

NETGEAR ProSUPPORT services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSUPPORT services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2021-41788: Security Advisory for WiFi Authentication Flooding Vulnerabilities on Multiple Products, PSV-2021-0299 & PSV-2021-0301 | Answer

With 80% of companies using cloud collaboration tools, cybercriminals are using multichannel phishing attacks to exploit security gaps in the hybrid work model.

The modern workforce is hybrid, and remote work is here to stay. With 80% of companies using cloud or hybrid cloud collaboration tools, it's fertile ground for a cybercriminal to expand the threat surface. Multichannel phishing is becoming the preferred way to deliver these attacks as threat actors exploit security gaps in the hybrid work model. While organizations focus on protecting email from phishing and malware, there are gaps in defenses for other channels. In a recent report on how to respond to the cyberthreat landscape, Gartner warns of the use of multichannel phishing approaches that combine social engineering, vishing, smishing, email, and Web phishing attacks in a single campaign.

Today, 91% of all cyber breaches include a phishing attack because these types of attacks often succeed. Cybercriminals are so successful because these attacks are increasingly sophisticated, zero-hour spear-phishing threats designed specifically to slip past traditional security controls Threats to the mobile channel continue to grow with malicious apps, as well as malicious SMS messages with and without malicious links, spear-phishing, and malicious Web content. Mobile devices are an excellent opportunity because they are less protected, URL inspection is harder on mobile devices, phones have smaller screens than computers, and content is often truncated. Cybercriminals take advantage of distracted users who conduct quick work tasks and transactions, which offers the perfect environment for launching multichannel attacks.

Cybercriminals are capitalizing on digital channels that aid the productivity of remote workers like SMS/text, Slack, LinkedIn, Zoom, Microsoft Teams, Google Meet, and WhatsApp. These channels are less protected and provide an easy way to trick users, steal credentials, and ultimately exfiltrate data from an organization. A growing trend for cybercriminals is to use WhatsApp and SMS to send malicious URLs that appear identical to a Microsoft Teams meeting invite, which they use to harvest Microsoft 365 credentials. This benign invite contains a malicious URL that takes the user to a landing page asking them to enter their Microsoft 365 credentials, and, just like that, a user has given up their login credentials. These credentials now enable the cybercriminal to take over an account and continue to deliver phishing attacks from legitimate services like AWS, Azure, Outlook, and SharePoint.

In most cases, these attacks will bypass most phishing detection tools. SlashNext Threat Labs saw a 57% increase in phishing attacks from trusted services from the fourth quarter of 2021 to the first months of 2022. The trusted reputation of these domains enables cybercriminals to easily evade current detection technologies using domain reputation and blocklists like SEG, proxy, SASE, and endpoint security tools. Attackers use shared services to get around domain reputation technologies with increased frequency. Using mainstream, legitimate commercial infrastructure sites to avoid detection has been a successful tactic, and the growth in these threats continues in 2022.

It's long been known that phishing attacks are getting through gaps in current defenses like secure email gateways, advanced threat protection, and identity graph technology. In addition, some users are accessing corporate tools outside of all security defenses. It should be on every cybersecurity leader's list to address multichannel phishing in 2022. So, how do you know if multichannel phishing is a problem in your organization? Start by assessing the phishing attack surface in your organization. Here are a few questions to get started: Where are your employees protected from phishing? Are they protected when accessing URLs on their browser or their mobile device? Are your users protected from zero-hour threats in real time? Answering no to these questions can indicate that your users and the organization are at risk.

A cyber readiness plan to protect against multichannel phishing should include people, processes, and tools. Ensure the plan includes educating users about the risk of multichannel phishing. Communicate about preventative strategies for how to identify social engineering tactics and suspected compromises. Implement an abuse inbox, and enable alerts for suspicious activity, such as foreign logins. Install security tools that leverage AI and computer vision to detect and block malicious zero-hour threats across email, Web, and mobile.

**About the Author**

    

Patrick Harr is CEO of SlashNext, the authority in multichannel phishing and human hacking protection across email, Web, and mobile.

Multichannel Phishing Concerns Cybersecurity Leaders in 2022

Researchers around the world are working to understand a new remote code vulnerability in Microsoft Office dubbed Follina.
The post Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug) appeared first on Malwarebytes Labs.

Several researchers have come across a novel attack that circumvents Microsoft’s Protected View and anti-malware detection.

The attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the ms-msdt protocol URI scheme to load some code, and then execute some PowerShell.

All of the above methods are features, but if we tell you that put together this allows an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing doesn’t it?

Well, you’d be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems.

Jerome Segura, Malwarebytes’ Senior Director, Threat Intelligence:

> This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office’s remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.

The most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office **Follina**, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.

**Affected versions**

Under normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document via the preview tab in Explorer.

While the research is ongoing and the info security community is testing and probing, we are receiving some mixed signals whether the latest, fully patched, version of Office 365 is vulnerable to this type of attack or not. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.

Researcher Kevin Beaumont provides the example where an attacker can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn’t attached to the email, and the URI doesn’t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.

As we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. While its first reaction was that there was no security issue, it seems this needs to be fixed.

**Mitigation**

There are a few things you can do to stop some or all of the “features” used in this type of attack.

**Unregister the ms-msdt protocol**

Will Dormann, a vulnerability analyst at the CERT/CC has published a registry fix that will unregister the ms-msdt protocol.

Copy and paste the text into a notepad document:

*   Click on **File**, then **Save As…**
*   Save it to your Desktop, then name the file disable_ms-msdt.reg in the file name box.
*   Click **Save**, and close the notepad document.
*   Double-click the file disable_ms-msdt.reg on your desktop.

Note, if you are prompted by User Account Control, select **Yes** or **Allow** so the fix can continue.

*   A message will appear about adding information into the registry, click **Yes** when prompted
*   A prompt should appear that the information was added successfully

**Disable preview in Windows Explorer**

If you have the preview pane enabled, you can:

*   Open File Explorer.
*   Click on **View** Tab.
*   Click on **Preview Pane** to hide it.

**Enable Malwarebytes’ Block penetration testing attacks**

The Malwarebytes’ **Block penetration testing attacks** setting is an aggressive detection setting that will block this attack. It is not enabled by default because while enabling it provides additional blocking capabilities for Exploit Protection it can increase false positives, or result in other application conflicts.

To enable it:

*   Open **Settings**
*   Click **Security**
*   Choose **Advanced settings**
*   Tick **Block penetration testing attacks**

Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug)

Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023.
The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run

Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023.

The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run unauthorized ads from hijacked business accounts.

"Threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools," Meta said. "They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware."

The social media giant said it has blocked several iterations of a multi-pronged malware campaign dubbed Ducktail over the years, adding it issued a cease and desist letter to individuals behind the operation who are located in Vietnam.

Trend Micro, in a series of tweets last week, detailed an information stealer that's disguised as a Windows desktop client for ChatGPT to extract passwords, session cookies, and history from Chromium-powered browsers. The company said the malware shares similarities with Ducktail.

Besides ChatGPT, threat actors have also been observed shifting to other "hot-button issues and popular topics" like Google Bard, TikTok marketing tools, pirated software and movies, and Windows utilities to dupe people into clicking on bogus links.

"These changes are likely an attempt by threat actors to ensure that any one service has only limited visibility into the entire operation," Guy Rosen, chief information security officer at Meta, said.

The attack chains are primarily engineered to target the personal accounts of users who manage or are connected to business pages and advertising accounts on Facebook.

Besides using social media for propagating the ChatGPT-themed malicious URLs, the malware is hosted on a variety of legitimate services such as Buy Me a Coffee, Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, and Trello.

Ducktail isn't the only stealer malware detected in the wild, for Meta disclosed that it uncovered another novel strain dubbed NodeStealer that's capable of plundering cookies and passwords from web browsers to ultimately compromise Facebook, Gmail, and Outlook accounts.

The malware is assessed to be of Vietnamese origin, with Meta noting that it "took action to disrupt it and help people who may have been targeted to recover their accounts" within two weeks of it being deployed in late January 2023.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Samples analyzed by the company show that NodeStealer binary is distributed via Windows executables disguised as PDF and XLSX files with filenames relating to marketing and monthly budgets. The files, when opened, deliver JavaScript code that's designed to exfiltrate sensitive data from Chromium-based browsers.

NodeStealer gets its name from the use of the Node.js cross-platform JavaScript runtime environment, which is bundled along with the main payload, to set up persistence and execute the malware. No new artifacts have been identified as of February 27, 2023.

"After retrieving the Facebook credentials from the target's browser data, the malware uses it to make several unauthorized requests to Facebook URLs to enumerate account information related to advertising," Meta said. "The stolen information then enables the threat actor to assess and then use users' advertising accounts to run unauthorized ads."

In an attempt to slip under the radar of the company's anti-abuse systems, the rogue requests are made from the targeted user's device to the Facebook APIs, lending a veneer of legitimacy to the activity.

To counter such threats, Meta said it's launching a new support tool that guides users to identify and remove malware, enable businesses to verify connected Business Manager accounts, and require additional authentication when accessing a credit line or changing business administrators.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Search

outlook iniciare sesión