CVE-2024-30080 is the only critical issue in Microsoft's June 2024 Patch Tuesday update, but many others require prompt attention as well.

Source: SuPatMaN via Shutterstock

Microsoft has issued fixes for a total of 49 vulnerabilities in its Patch Tuesday security update for June, including a critical bug in Microsoft Message Queuing (MSMQ) technology that could open vast swathes of companies to remote code execution (RCE) and server takeover.

The issue (CVE-2024-30080, CVSS score of 9.8 out of 10) is remotely exploitable, with low attack complexity, requires no privileges, and takes no user interaction; and it carries high impacts on confidentiality, integrity, and availability, according to Microsoft. Attackers can use it to completely take over an affected server by sending a specially crafted malicious MSMQ packet. To check vulnerability, confirm users should whether the 'Message Queuing' service is running and if TCP port 1801 is open on the system. The bug affects all versions of Windows starting from Windows Server 2008 and Windows 10.

Its impact could be felt in the threat landscape sooner rather than later, so patching quickly is a must: "A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for 'msmq'," said Tyler Reguly, associate director security R&D at Fortra, in an emailed statement. "Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future."

This is the only bug that Microsoft has rated as critical this month, but there are several others in the update that merit prompt attention as well, according to security analysts.

**High-Priority Microsoft Bugs for June 2024**

Among the high-priority bugs to put at the top of the patching list are: CVE-2024-30103, a remote code execution (RCE) vulnerability in Microsoft Outlook in which the Preview Pane is an attack vector; CVE-2024-30089, a vulnerability in Microsoft Streaming Services that gives attackers a way to gain system level access; CVE-2024-30085, a privilege escalation bug in Windows Cloud Files Mini Filter Driver that Microsoft has identified as more likely to be exploited; and CVE-2024-30099, an elevation-of-privilege (EoP) vulnerability in Windows Kernel Driver that attackers can abuse to take over an affected system.

In all, Microsoft categorized 11 of the 49 vulnerabilities in this month's update as flaws that threat actors were more likely to exploit because of factors like low attack complexity and the fact that adversaries need no special privileges or user interaction to take advantage of them.

**RCE Bugs to Prioritize**

This month's collection of noteworthy RCE bugs include CVE-2024-30101, a use-after-free bug in Microsoft Office that requires active user interaction for an attack to succeed; CVE-2024-30104 in Microsoft Office; and the previously mentioned CVE-2024-30103 in Microsoft Outlook, which an attacker can trigger via the Preview Pane in an email.

The latter is potentially especially dangerous because an attacker can use it to bypass Outlook registry block lists and enable the creation of malicious DLL files.

"This Microsoft Outlook vulnerability can be circulated from user to user, and doesn't require a click to execute," Morphisec researchers said in a blog. "Rather, execution initiates when an affected email is opened. This is notably dangerous for accounts using Microsoft Outlook’s auto-open email feature."

Microsoft itself has assessed the flaw as something that attackers are less likely to exploit.

**High Number of Elevation-of-Privilege Bugs**

Somewhat unusually, there were more EoP flaws this time around than there were RCE bugs, accounting for nearly half of the CVEs patched.

Satnam Narang, senior staff research engineer at Tenable, pointed to CVE-2024-30089, the bug in Microsoft Streaming Services, as one of the privilege escalation flaws that organizations need to prioritize the most.

"These types of flaws are notoriously useful for cybercriminals seeking to elevate privileges on a compromised system," Narang said. "When exploited in the wild as a zero-day, they are typically associated with more advanced persistent threat (APT) actors or as part of targeted attacks."

CVE-2024-30089 is one of two EoP vulnerabilities in Streaming Service that Microsoft disclosed this month. The other is CVE-2024-30090, which also gives attackers a way to gain system-level privileges but is harder to exploit.

In prepared comments, Kev Breen, senior director threat research at Immersive Lab, identified CVE-2024-30085 as another EoP flaw that will likely draw attacker interest. The bug in Windows Cloud Mini Files Driver allows for system level privileges on a local machine.

"This type of privilege-escalation step is frequently seen by threat actors in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like Mimikatz," for lateral movement and further compromise, he said. Microsoft's description of the flaw suggests it is identical to CVE-2023-36036, a zero-day bug in Cloud Files Mini Filter that attackers actively exploited last year, Breen said.

CVE-2024-30099 is another EoP vulnerability that Microsoft has listed in its more category of more exploitable bugs. What makes the bug especially noteworthy is that it exists in the NT OS kernel. The vulnerability allows an attacker that can trigger — and win — a race condition within the kernel to take over an affected system. However, the Windows Message Queuing Service must be enabled for an attacker to be successful.

"This vulnerability should be on everyone's patch list due to it being so central to the operating system," said Ben McCarthy, lead cyber security engineer at Immersive Labs, in emailed comments.

There are several other kernel-related EoP vulnerabilities that organizations would do well to prioritize, McCarthy noted. These include CVE-2024-35250, CVE-2024-30084, CVE-2024-30064, CVE-2024-30068, and CVE-2024-35250.

"These sorts of vulnerabilities are often what attackers will try to weaponize after the patch day," he said. "So, it is always wise to patch kernel-related vulnerabilities because successful exploitation of these vulnerabilities mean they get complete access to a computer's resources and run as SYSTEM privileges."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Critical MSMQ RCE Bug Opens Microsoft Servers to Complete Takeover

Microsoft today released updates to fix more than 50 security vulnerabilities in Windows and related software, a relatively light Patch Tuesday this month for Windows administrators. The software giant also responded to a torrent of negative feedback on a new feature of Redmond's flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

**Microsoft** today released updates to fix more than 50 security vulnerabilities in **Windows** and related software, a relatively light Patch Tuesday this month for Windows users. The software giant also responded to a torrent of negative feedback on a new feature of Redmond’s flagship operating system that constantly takes screenshots of whatever users are doing on their computers, saying the feature would no longer be enabled by default.

Last month, Microsoft debuted **Copilot+ PCs**, an AI-enabled version of Windows. Copilot+ ships with a feature nobody asked for that Redmond has aptly dubbed **Recall**, which constantly takes screenshots of what the user is doing on their PC. Security experts roundly trashed Recall as a fancy keylogger, noting that it would be a gold mine of information for attackers if the user’s PC was compromised with malware.

Microsoft countered that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data. But that claim rang hollow after former Microsoft threat analyst **Kevin Beaumont** detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

“I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade,” Beaumont said on Mastodon.

In a recent Risky Business podcast, host **Patrick Gray** noted that the screenshots created and indexed by Recall would be a boon to any attacker who suddenly finds himself in an unfamiliar environment.

“The first thing you want to do when you get on a machine if you’re up to no good is to figure out how someone did their job,” Gray said. “We saw that in the case of the SWIFT attacks against central banks years ago. Attackers had to do screen recordings to figure out how transfers work. And this could speed up that sort of discovery process.”

Responding to the withering criticism of Recall, Microsoft said last week that it will no longer be enabled by default on Copilot+ PCs.

Only one of the patches released today — CVE-2004-30080 — earned Microsoft’s most urgent “critical” rating, meaning malware or malcontents could exploit the vulnerability to remotely seize control over a user’s system, without any user interaction.

CVE-2024-30080 is a flaw in the **Microsoft Message Queuing** (MSMQ) service that can allow attackers to execute code of their choosing. Microsoft says exploitation of this weakness is likely, enough to encourage users to disable the vulnerable component if updating isn’t possible in the short run. CVE-2024-30080 has been assigned a CVSS vulnerability score of 9.8 (10 is the worst).

**Kevin Breen**, senior director of threat research at **Immersive Labs**, said a saving grace is that MSMQ is not a default service on Windows.

“A Shodan search for MSMQ reveals there are a few thousand potentially internet-facing MSSQ servers that could be vulnerable to zero-day attacks if not patched quickly,” Breen said.

CVE-2024-30078 is a remote code execution weakness in the **Windows WiFi Driver**, which also has a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit this bug by sending a malicious data packet to anyone else on the same network — meaning this flaw assumes the attacker has access to the local network.

Microsoft also fixed a number of serious security issues with its **Office** applications, including at least two remote-code execution flaws, said **Adam Barnett**, lead software engineer at **Rapid7**.

“CVE-2024-30101 is a vulnerability in **Outlook**; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition,” Barnett said. “CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.”

Separately, Adobe released security updates for **Acrobat**, **ColdFusion**, and **Photoshop**, among others.

As usual, the SANS Internet Storm Center has the skinny on the individual patches released today, indexed by severity, exploitability and urgency. Windows admins should also keep an eye on AskWoody.com, which often publishes early reports of any Windows patches gone awry.

Patch Tuesday, June 2024 “Recall” Edition

Lacework has been looking for a buyer for some time. The deal gives Fortinet a boost in the cloud security space.

Fortinet announced Monday its plans to acquire cloud security firm Lacework to enhance its secure access service edge (SASE) offerings with cloud-native security services.

Lacework integrates cloud-native application protection platform services to safeguard what's happening inside the cloud infrastructure. The data-powered cloud security platform collects and analyzes data from across cloud environments so that customers can manage and secure their cloud workflows. The platform identifies and shares details about abnormal or unexpected activities that could indicate a security problem. Lacework offers artificial intelligence and machine-learning technology, data collection capabilities, a data lake, and code security tools, wrote John Maddison, chief marketing officer at Fortinet, in a blog post announcing the acquisition.

Fortinet plans to integrate capabilities from Lacework's cloud-native application protection platform into its SASE portfolio. According to Maddison, combining Lacework with Fortinet's firewall and Web application and API protection (WAAP) capabilities will allow customers to protect what's happening inside the cloud application, as well as what's happening between the application and outside the network.

Back in 2021, Lacework was valued at $8.3 billion. Earlier this year, there were reports that Wiz was in talks with Lacework for a small fraction of the company's valuation. The terms of Fortinet's deal, expected to be completed in the second half of the year, were not disclosed.

**About the Author(s)**

Fortinet Plans to Acquire Lacework

PRESS RELEASE

TEL AVIV, Israel, June 06, 2024 (GLOBE NEWSWIRE) -- Backslash Security, today unveiled expansive new platform capabilities. With a broad roster of new on-premises integrations, security team workflow integrations and automation features, CI/CD integrations, and bolstered language support, Backslash now serves the full software development lifecycle and further supports the application security needs of large enterprises.

“There are two core elements that make AppSec teams successful – one is cutting through the noise to prioritize truly reachable and exploitable vulnerabilities; the other is building confidence with our developers to trust that the risks we flag are real, and worth their effort to investigate and fix,” said Shane Garoutte, Head of Security & Compliance at Capital Rx. “Backslash’s focus on reachability analysis enables us to achieve both, and with the platform’s expanded capabilities, we can also work seamlessly with DevOps to integrate security throughout the software development lifecycle.”

Backslash combines SCA, SAST, SBOM, VEX, and secrets detection to replace outdated legacy SAST and SCA tools with a single, enterprise-ready platform that uncovers the most critical risks through reachability analysis. Newly released enhancements to the Backslash platform include:

Extended support for large enterprise use cases: 

*   Integrations with Github Enterprise On-Premise, Github Enterprise Server, Gitlab On-Premise and Bitbucket On-Premise enable seamless connection to enterprise on-premises codebases.
    
*   Extended language support adds C, C++, Ruby, Rust and Scala to Backslash’s existing language portfolio to serve diverse technology stacks and secure the entire codebase, including third party libraries and dependencies.
    
*   Role-based access controls enable enterprises to easily manage access to the Backslash platform for large and varied user bases across the organization.
    

Security team workflow enhancements: New automation policies and actions features enable Backslash users to specify security workflows and automatically create tickets and notifications with the following collaboration platforms: Jira, Monday.com, ServiceNow, Slack and Microsoft Teams.

CI/CD integrations for DevSecOps support: Integrations with Gitlab Pipelines, Github Actions and Azure Pipelines enable DevOps teams to implement DevSecOps processes and prevent new issues from being introduced in the pull request and CI/CD stages.

Reachability analysis enhancements:

*   Phantom packages are packages not defined or controlled by the app developer but introduced by a transitive one, escaping the developer's control and potentially introducing vulnerable versions into the application. Backslash detects these phantom packages in OSS code, even if they are not declared in manifest files.
    
*   Backslash Security’s reachability analysis identifies vulnerable transitive packages, helping developers understand which vulnerabilities are actually in use and therefore exploitable within their codebase, allowing them to prioritize what to fix.
    
*   New UI features bolster reachability evidence by showing code references for each reachable path.
    

"Backslash enables enterprises to prioritize truly critical code risks and facilitate trust among the many teams and stakeholders within the software development lifecycle," said Yossi Pik, co-founder and CTO of Backslash Security. "These latest enhancements automate key AppSec tasks, ensure issues are handled according to the correct priorities, and integrate smoothly into organizational workflows, all while strengthening our reachability analysis to provide enterprise security teams with incomparable results."

Start a free trial with full access to the Backslash platform via a pre-configured demo environment that includes SAST, SCA, phantom packages, VEX, SBOM, secrets, and more, now available at backslash.security/trial.

About Backslash  
Backslash's fusion of SAST and SCA empowers enterprise AppSec teams to focus on fixing only the reachable, exploitable code vulnerabilities. By identifying authentic attack paths pointed at reachable code, Backslash empowers security teams to focus on rectifying only the code and open-source software (OSS) components that are actively in use and accessible to potential attackers. Thanks to this precision, Backslash enables teams to fix only the vulnerable code and OSS that indeed needs addressing – the reachable, exploitable components.

Backed by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co., and a roster of security veterans as angel investors, Backslash has been deployed across leading technology organizations and Fortune 100 companies. Learn more at https://www.backslash.security/.

Backslash Unveils Enterprise-Grade Capabilities to its Reachability-Based AppSec Platform

The two jurisdictions will work together to investigate the credential-stuffing attack that put the personal data of millions at risk.

Source: michelmond via Alamy Stock Photo

Authorities in Canada and the UK have launched a joint investigation into a 23andMe data breach that occurred last October. 

That's when a threat actor posted on the Dark Web claiming possession of 23andMe profile information, ultimately releasing roughly 4 million company records. 23andMe launched an investigation, discovering that the breach was a credential-stuffing attack that affected around 7 million people.

The discovery of the attack led the company to blame the victims of the breach, saying they were negligent in reusing their passwords that had previously been exposed in past data breaches.

The joint investigation now seeks to protect the "fundamental right to privacy of individuals across jurisdictions," as 23andMe is considered to be "a custodian of highly sensitive personal information" such as genetic history, health, ethnic background, and biological relationships. 

The countries will investigate the scope of the breached information, whether 23andMe had safeguards in place to protect that sensitive information, and whether the notifications the company provided to the regulators was adequate.

"People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place," said UK Information Commissioner John Edwards. "This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Edwards and Canadian Privacy Commissioner Philippe Dufresne will be jointly investigating the breach.

Canada &amp; UK Partner in Joint 23andMe Data Breach Investigation

Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

**Acknowledgements:**
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-3656

**Keycloak's admin API allows low privilege users to use administrative functions**

High severity GitHub Reviewed Published Jun 11, 2024 in keycloak/keycloak • Updated Jun 11, 2024

**Package**

maven org.keycloak:keycloak-services (Maven)

**Affected versions**

< 24.0.5

Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

**Acknowledgements:**  
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

**References**

*   GHSA-2cww-fgmg-4jqc
*   keycloak/keycloak@d9f0c84

Published to the GitHub Advisory Database

Jun 11, 2024

Last updated

Jun 11, 2024

GHSA-2cww-fgmg-4jqc: Keycloak's admin API allows low privilege users to use administrative functions

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-35255

**Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability**

Moderate severity GitHub Reviewed Published Jun 11, 2024 to the GitHub Advisory Database • Updated Jun 11, 2024

**Package**

npm @azure/identity (npm)

**Affected versions**

< 4.2.1

npm @azure/msal-node (npm)

nuget Azure.Identity (NuGet)

nuget Microsoft.Identity.Client (NuGet)

maven com.azure:azure-identity (Maven)

maven com.microsoft.azure:msal4j (Maven)

gomod github.com/Azure/azure-sdk-for-go/sdk/azidentity (Go)

**Description**

Published to the GitHub Advisory Database

Jun 11, 2024

Last updated

Jun 11, 2024

GHSA-m5vv-6r4h-3vj9: Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

The lone critical security issue is a remote code execution vulnerability due to a use-after-free issue in the HTTP handling function of Microsoft Message Queuing.

Tuesday, June 11, 2024 13:46

Microsoft released its monthly security update Tuesday, disclosing 49 vulnerabilities across its suite of products and software.  

Of those there is only one critical vulnerability. Every other security issues disclosed this month is considered "important."

The lone critical security issue is CVE-2024-30080, a remote code execution vulnerability due to a use-after-free (UAF) issue in the HTTP handling function of Microsoft Message Queuing (MSMQ) messages.  

An adversary can send a specially crafted malicious MSMQ packet to an MSMQ server, potentially allowing them to perform remote code execution on the server side. Microsoft considers this vulnerability “more likely” to be exploited. 

There is also a remote code execution vulnerability in Microsoft Outlook, CVE-2024-30103. By successfully exploiting this vulnerability, an adversary can bypass Outlook registry block lists and enable the creation of malicious DLL (Dynamic Link Library) files. However, the adversary must be authenticated using valid Microsoft Exchange user credentials. Microsoft has also mentioned that the Outlook application Preview Pane is an attack vector. 

The company also disclosed a high-severity elevation of privilege vulnerability in Azure Monitor agent (CVE-2024-35254). An unauthenticated adversary with read access permissions can exploit this vulnerability by performing arbitrary file and folder deletion on a host where the Azure Monitor Agent is installed. However, this vulnerability does not disclose confidential information, but it could allow the adversary to delete data that could result in a denial of service. 

CVE-2024-30077, a high-severity remote code execution vulnerability in Microsoft OLE (Object Linking and Embedding), could also be triggered if an adversary tricks an authenticated user into attempting to connect to a malicious SQL server database via a connection driver (OLE DB or OLEDB). This could result in the database returning malicious data that could cause arbitrary code execution on the client.  

The Windows Wi-Fi driver also contains a high-severity remote code execution vulnerability, CVE-2024-30078. An adversary can exploit this vulnerability by sending a malicious networking packet to an adjacent system employing a Wi-Fi networking adapter, which could enable remote code execution. However, to exploit this vulnerability, an adversary must be near the target system to send and receive radio transmissions.  

CVE-2024-30063 and CVE-2024-30064 are high-severity elevation of privilege vulnerabilities in the Windows Distributed File System (DFS). An adversary who successfully exploits these vulnerabilities could gain elevated privileges through a vulnerable DFS client, allowing the adversary to locally execute arbitrary code in the kernel. However, an adversary must be locally authenticated to exploit these vulnerabilities by running a specially crafted application.  

Talos would also like to highlight a few more high-severity elevation of privilege vulnerabilities that Microsoft considers are “more likely” to be exploited. 

CVE-2024-30068, an elevation of privilege vulnerabilities in the Windows kernel, exists that could allow an adversary to gain SYSTEM-level privileges. By exploiting this vulnerability from a low-privilege AppContainer, an adversary can elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment. However, the adversary should first login to the system and then run a specially crafted application that could exploit the vulnerability and take control of an affected system.  

There are three high-severity elevation of privilege vulnerabilities — CVE-2024-30082, CVE-2024-30087 and CVE-2024-30091 — in Win32K kernel drivers that exist because of an out-of-bounds (OOB) issue. An adversary who exploits CVE-2024-30082 could gain SYSTEM privileges and exploiting CVE-2024-30087 and CVE-2024-30091, would gain the rights of the user that is running the affected application. Microsoft considers these vulnerabilities “more likely” to be exploited. 

CVE-2024-30088 and CVE-2024-30099 are two high-severity, and more “likely exploitable” elevation of privilege vulnerabilities in NT kernel drivers. Successful exploitation of these vulnerabilities would provide the local user and SYSTEM privileges to an adversary, respectively.  

Mskssrv, a Microsoft Streaming Service kernel driver, also contains two elevation of privilege vulnerabilities: CVE-2024-30089 and CVE-2024-30090. An adversary successfully exploiting these vulnerabilities could gain SYSTEM privileges.   

CVE-2024-30084 and CVE-2024-35250 are two more likely exploitable, high-severity elevation of privilege vulnerabilities in the Windows Kernel-Mode driver. An adversary could gain SYSTEM privileges by successfully exploiting these vulnerabilities. However, they must first win a race condition. 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63581 - 63591, 63596 and 63597. There are also Snort 3 pre-processor rules 300937 - 300940.

Only one critical issue disclosed as part of Microsoft Patch Tuesday

The fresh-baked malware is being widely distributed, but still specifically targets individuals with tailored lures. It's poised to evolve into a bigger threat, researchers warn.

Source: Weyo via Alamy Stock Photo

A purpose-built Windows backdoor appears to be the new flavor of the month for giving attackers entry into targeted systems; after initial access, they pivot to ransomware delivery and system compromise in a wave of recent attacks.

Dubbed WarmCookie by researchers at Elastic Security Labs, the backdoor has been distributed widely in a spate of phishing emails starting in late April by a campaign called REF6127. It uses recruitment and potential jobs as lures, the researchers revealed in a blog post today.

While the malware itself isn't particularly sophisticated — it's mainly an initial backdoor tool for scouting out victim networks and deploying additional payloads — "it shouldn't be taken lightly as it's actively being used and impacting organizations at a global scale," Daniel Stepanic, Elastic Security principal security research engineer, wrote in the post.

The backdoor's code overlaps with a sample that was previously reported by eSentire, suggesting that WarmCookie may be an update to malware that already was in circulation since 2022. However, the latest version of the backdoor represents a different, more pervasive threat, Stepanic noted.

"While some features are similar, such as the implementation of string obfuscation, WarmCookie contains differing functionality," he wrote. "Our team is seeing this threat distributed daily with the use of recruiting and job themes targeting individuals.

**Targeting Specific Appetites**

Phishing lures that use job recruitment are a common theme for attackers, which have found success previously in targeting various professionals with fake promises of new employment positions. North Korean APT Lazarus is among attackers that has been particularly active with this tactic.

The emails in the REF6127 campaign put a twist on this with lures that are specific to the individuals that the attackers are targeting, the researchers said. Indeed, the campaign uses info about targets' current employers attempt to lure them with a type of position that might pique their interest, "enticing victims to pursue new job opportunities by clicking a link to an internal system to view a job description," Stepanic wrote.

In terms of the infection routine, one screenshot included in the post shows a message telling the recipient there is an "exciting opportunity" in the form of a new position open with one of the recruiter's clients. The message includes a "View Position Details" link which eventually leads to the process for deploying WarmCookie.

If a target clicks on the link, it goes to a landing page that looks like a legitimate page specifically targeted for the intended victim using his or her name, and that prompts the user to download a document by solving a CAPTCHA challenge. The landing pages used in the campaign resemble previous campaigns discovered by Google Cloud's security team in a campaign used to spread a new variant of the URSNIF malware, Stepanic noted.

Solving the CAPTCHA challenge downloads an obfuscated JavaScript file that runs PowerShell, kicking off the first task to load WarmCookie. The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download the malware and run the DLL with the Start export.

To keep defenders on their toes, attackers continuously generate new landing pages rapidly on IP address 45.9.74\[.\]135, targeting different recruiting firms in combination with keywords related to the job search industry with their malicious activity. Moreover, before hitting each landing page, "the adversary distances itself by using compromised infrastructure to host the initial phishing URL, which redirects the different landing pages," Stepanic noted.

**How the Cookie Crumbles**

WarmCookie is a two-stage "lightweight backdoor" that ultimately provides "relatively straightforward" functionality — such as retrieving victim info and screenshot recording — for monitoring victims and further deploying more damaging payloads, such as ransomware, according to the post.

In the first stage, which occurs after the PowerShell download of the malware, the backdoor sets itself up to run with System privileges from the Task Scheduler Engine. "A critical part of the infection chain comes from the scheduled task, which is set up at the very beginning of the infection," Stepanic noted. "The task name (RtlUpd) is scheduled to run every 10 minutes every day."

The malware's second stage contains the backdoor's core functionality and is one in which the DLL is combined with the command line (Start /p) to set execution in motion.

Along the way, WarmCookie uses several tactics to avoid detection. One is to protect its strings using a custom string decryption algorithm in which "the first four bytes of each encrypted string in the .rdata section represent the size, the next four-bytes represent the RC4 key, and the remaining bytes represent the string," Stephanic wrote. Developers also made the "interesting" choice not always to rotate the RC4 key between the encrypted strings.

WarmCookie also uses dynamic API loading to prevent static analysis from identifying its core functionality, and includes a few anti-analysis checks commonly used to target sandboxes "based on logic for checking the active number of CPU processors and physical/virtual memory values," he added.

**Evolving Recipes for Malware**

Elastic is urging organizations to be on the lookout for WarmCookie, which will likely evolve over time as its developers enhance it with advanced functionality.

"Our team believes this malware represents a formidable threat that provides the capability to access target environments and push additional types of malware down to victims," Stepanic wrote.

The post includes a screenshot of YARA rules that organizations use to identify the presence of WarmCookie in an environment. Elastic also specifically addresses various behavior of the backdoor — including its Powershell download and execution and Scheduled Task creation — to provide insight on how to detect this activity on an organization's network.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WarmCookie Gives Cyberattackers Tasty New Backdoor for Initial Access

If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.

Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

June 11, 2024

5 Min Read

Source: Michael Burrell via Alamy Stock Photo

COMMENTARY

One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.

When a company gets hacked, the real costs often land on consumers. The company's stock price typically rebounds quickly, but end users are left with their identities stolen, accounts locked, money lost, or children exposed to harm.

The consumers who are harmed from breaches rightfully expect our governments to protect us. The contract between people and their governments is simple: We contribute some of our wealth and you keep us safe. That model has worked pretty well for centuries.

But things have gotten a lot more complicated in the Internet age. Our digital fingerprints are held in the hands of private companies. In the name of personal privacy, we don't want our governments to have that level of access to and control of that information. So, the government can't solely protect us, and companies aren't properly incented to do it either. It's a unique catch-22: No single entity has the power to protect us on the Internet.

Something must give, which is why we're experiencing a movement toward regulation by enforcement. The trend has been developing over the past decade, since the Obama administration developed a policy instructing prosecutors to expand enforcement actions against "responsible corporate officers,” on the theory that the best way to encourage better corporate behavior is to bring actions directly against executives.

The Biden administration has now taken that approach to cyberspace. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. Realizing it cannot stop cyber harm by asking for voluntary cooperation from companies, it is also using the enforcement tools it believes it has under existing law to force changes in behaviors. A current example is the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was sued personally.

**Why the CEO Is Next**

Inside every major company is a security team full of smart, technically savvy professionals dedicated to fighting criminals and despotic governments to protect their customers. Most are understaffed and push hard for more investments to make their jobs easier. Leading those teams are senior security practitioners, many of whom are not given the title of chief information security officer (CISO). And recently, our government has turned its enforcement eye toward those team leaders.

As the government digs into these types of cases more deeply, it's inevitable it will conclude it was a mistake to target the greatest champion for the public inside a company. The current focus on security leaders is flawed because it assumes that rather than delivering security at the highest standards, these leaders have instead chosen to mislead. In response, nearly every CISO I talk to is worried about being held personally accountable for a lack of corporate investment. Some great CISOs are now stepping out of the role because their desire to help others is losing out to their desire for self-preservation.

With very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer.” It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.

The government's attention has already started to shift toward the CEO. At the final hearing in the case in which I was charged with covering up a security incident at Uber, the judge made it a point to challenge the Department of Justice and ask why the CEO was not brought to court. The Federal Trade Commission (FTC) reached the same conclusion and entered into a settlement with the CEO of Drizly for failing to invest adequately in security. The Cybersecurity and Infrastructure Security Agency (CISA) now asks that CEOs, not CISOs, sign its pledge to use secure by design principles when selling software when selling software. And the SEC will see it when it peels back the layers and reviews what happened during budget time at SolarWinds. It will realize it is not enough to look at how a security team responded to an incident or tried to prevent it. To assign culpability, it must look at how the company allocated resources from the top down. Sen. Ron Wyden (D-Ore.), in his recent letter to the FTC and SEC, also asked them to focus on the CEO level when investigating the United Health Group over the Change Healthcare ransomware case.

Security leaders are starting to ask more forcefully for resources. When they fail to receive them, they are documenting those budget decisions clearly. They are also pushing forward policies that bring CEOs and other executives more directly into cyber-incident response processes and deploying new products like those from BreachRx (full disclosure: I've recently joined the company as a senior advisor) that document how security incidents are handled in a cross-functional manner. All these steps will make it easier to show that the security leader wasn't standing alone or, in many cases, even involved in the decisions that led to consumers getting hurt.

Ultimately, the only way the CEO avoids being the target of government enforcement actions is if he or she takes a personal interest in ensuring that the corporation invests properly in cybersecurity.

**About the Author(s)**

CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

Joe Sullivan provides security, AI safety, and leadership advice to executives across various industries and serves as the CEO of Ukraine Friends, a nonprofit providing humanitarian aid to Ukrainian children in a war zone. Joe spent eight years with the US Department of Justice, including as the first federal prosecutor dedicated to prosecuting technology-related crimes. He then spent seven years in senior roles at eBay and PayPal, before joining Facebook in 2008 as its chief security officer, building its safety and security team from a handful of people to hundreds. In 2015, he joined Uber as its first CSO, and in 2018, Cloudflare as its first CSO, helping it blossom from pre-IPO to a thriving public company. Joe has advised many companies, including AirBnB, DoorDash, and Whoop, and currently advises nine pre-IPO companies. He has testified before global government bodies, and served on President Obama’s Commission on Enhancing National Cybersecurity.

Tag

#auth