By Deeba Ahmed
Hackers are dusting off old tricks! A recent attack exploited vulnerabilities in systems running outdates Microsoft Office to deliver Cobalt Strike malware. Learn how to protect yourself!
This is a post from HackRead.com Read the original post: 7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike

Cybersecurity firm Deep Instinct has discovered that attackers are using the Cobalt Strike loader to deploy old zero-day exploits, a relatively new trend. Let’s delve deeper into this.

Deep Instinct Threat Lab has discovered a targeted operation against Ukraine in which hackers are using an old zero-day vulnerability, CVE-2017-8570, as the initial vector and a custom loader for Cobalt Strike Beacon, a professional pen-testing tool designed for evaluating computer security by red teams. However, in this attack, hackers have used a cracked version with no legitimate user. 

They’ve exploited CVE-2017-8570, an old Microsoft Office vulnerability identified in 2017, to launch the Cobalt Strike Beacon, targeting Ukraine’s systems. They used a malicious PPSX (PowerPoint Slideshow) file disguised as an old US Army instruction manual for mine-clearing tank blades, bypassing traditional security measures and allowing them to hide the payload and complicate analysis. The file used a “script:” prefix before the HTTPS URL to hide the payload and complicate analysis. 

> _“The lure contained military-related content, suggesting it was targeting military personnel. But the domain names weavesilk(.)space and petapixel(.)fun are disguised as an obscure generative art site (weavesilk(.)com) and a popular photography site (petapixel(.)com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.”_
> 
> Deep Instinct

The use of the Cobalt Strike loader, a malicious, versatile toolset commonly employed in targeted attacks, suggests a sophisticated approach by the attackers. Cobalt Strike allows adversaries to deploy malware, steal data, and maintain persistence on compromised systems. In the context of Ukraine, it is used as a delivery mechanism for these zero-day exploits, maximizing their impact.

Deep Instinct’s research indicates that attackers are actively leveraging zero-day exploits, which are vulnerabilities unknown to security software vendors. This makes them particularly dangerous as traditional defences may not be able to detect and block them.

Researchers couldn’t attribute the attacks to any known threat actor or rule out the possibility of a red team exercise. Evidence indicates the sample was uploaded from Ukraine, the second stage was hosted under a Russian VPS provider, and the Cobalt beacon C&C was registered in Warsaw, Poland.

_“_Given the n-day exploitation trends against > 12-month-old edge device and email server CVEs we’ve seen over the past 4 years, seeing a threat actor exploit a Wine vulnerability from 2017 is weirdly refreshing,_“_ stated Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd

_“_The use of undocumented low-level WinAPI calls is unusual as well. I can understand why threat analysts are having difficulty with attribution, it’s an esoteric and somewhat nerdy kill chain._“_ Casey explained.

“Aside from the technical pieces, the fact that it’s not Russia is noteworthy, and the TTPs suggest a previously unknown player. Cobalt Strike usage as a C2 is fairly commonplace and the key takeaway here is that old vulnerabilities in easily forgotten software still matter._“_

**How to Stay Safe?**

Deep Instinct’s research suggests that traditional security solutions may not be enough for zero-day exploits. Organizations should adopt advanced threat detection through behavioural analysis and machine learning. Vigilance is also crucial, especially for cyber threats targeting Ukraine, and a proactive defence strategy combining firewalls and antivirus software.

1.  APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
2.  5 year old vulnerability used for Monero mining on Linux servers
3.  Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine
4.  12-Year-Old vulnerability in Windows Defender risked 1 billion devices
5.  17-year-old “wormable” SigRed vulnerability found in Windows servers

7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike

Debian Linux Security Advisory 5674-1 - It was discovered that PDNS Recursor, a resolving name server, was susceptible to denial of service if recursive forwarding is configured.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5674-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 25, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : pdns-recursorCVE ID         : CVE-2024-25583It was discovered that PDNS Recursor, a resolving name server, wassusceptible to denial of service if recursive forwarding is configured.For the stable distribution (bookworm), this problem has been fixed inversion 4.8.8-1.We recommend that you upgrade your pdns-recursor packages.For the detailed security status of pdns-recursor please refer toits security tracker page at:https://security-tracker.debian.org/tracker/pdns-recursorFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYqrogACgkQEMKTtsN8TjbKDg//bFtgtpr7H0WEGL6u5aHSqnIU5HNnKDW3rCy7OdHE6GHrnhADszvImyiH+IkLXb7uEdoL+Hy4A8ymr9KS+w2Ai90NYAjhYexWuTi4Kse0oKGkPYIEfAmeybf6zduxdsKJUU7x92VwnMybQN9E6g+a0b6c+UyFYPZpUAywTqU5aT4ZH1KwjwFeu1Ab1Uj0ySEWdd/qe/ZHS6rWB0SKWTjv15L+lx2IcO6dPDQtZA8B9SpOoTQWtIwroQtxeZrdH/V9O1D796TFFyrrr1afJCBb++nH7f191qDPrkLCaC7/EhVxEqKrbTHaVwqhOmsSR9kxvvC9wSA+FshgBfJEFSyPbX7TGOvBNjMBVGr1R/NpQeDY4L9Ta1fz6z0EUpTCuer+QU9bo5A1LMbC4sEwoGRD2/oSdmgiXSnBfJ7HXsrUUVqTeTmkMDSXwAd7WFI68awRnNuqC4CqOvynbLc19QeH8TDWNpB4dwVevrXjEdVgQANSAJmcOhN/dyynC5WoIDOXPHc9TNtGROxhP84Nj5gKgrkCh3bG5uEHycIT0S+PIWZDJvYAm6YoZKX46jZqgGSrz5/Foa0dvOlriQRFtVPpODsNSkVce8Uwvyonc1SxvytcNMugEjBP4ePGXruQ2wy+RZ4VXJvYNnQImrJ1Vvi0CCygRcK4e/4qaq8o3/fofvk==PwIZ-----END PGP SIGNATURE-----

Debian Security Advisory 5674-1

Red Hat Security Advisory 2024-2066-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2066.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: buildah security updateAdvisory ID:        RHSA-2024:2066-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2066Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for buildah is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Security Fix(es):* buildah: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2265513

Red Hat Security Advisory 2024-2066-03

Red Hat Security Advisory 2024-2064-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2064.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: buildah security updateAdvisory ID:        RHSA-2024:2064-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2064Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for buildah is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The buildah package provides command line tool for creating Open Container Initiative (OCI) Images.Security Fix(es):* buildah: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2265513

Red Hat Security Advisory 2024-2064-03

Red Hat Security Advisory 2024-2063-03 - An update for yajl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2063.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: yajl security updateAdvisory ID:        RHSA-2024:2063-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2063Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2022-24795====================================================================Summary: An update for yajl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Yet Another JSON Library (YAJL) is a small event-driven (SAX-style) JSON parser written in ANSI C, and a small validating JSON generator.Security Fix(es):* yajl: heap-based buffer overflow when handling large inputs due to an integer overflow (CVE-2022-24795)* yajl: Memory leak in yajl_tree_parse function (CVE-2023-33460)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-24795References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2072912https://bugzilla.redhat.com/show_bug.cgi?id=2221249

Red Hat Security Advisory 2024-2063-03

Caliptra 1.0 offers a blueprint for integrating security features directly into microprocessors.

Source: Alexmillos via Alamy Stock Vector

A consortium of top chip makers have finalized the first version of Caliptra, a specification to add zero-trust security features directly inside silicon.

The Caliptra 1.0 specification has hardware and software blocks providing multiple protection layers for encrypted data on chips.

"We believe Caliptra is a foundational aspect to the future of confidential computing and couldn't be more excited to reach our 1.0 milestone," says Andrés Lagar-Cavilla, a distinguished engineer at Google. Caliptra is currently being integrated by companies across the ecosystem into chips that will start to appear in the market in 2026.

Security-focused hardware exists, but usually as separate components on the hardware. At the moment, chips typically access security features that are available as separate hardware components on the motherboard. The Caliptra specification provides a blueprint to embed the security features into the chip instead of accessing those hardware cores.

For example, the Trusted Platform Module (TPM), which is required on all machines running Windows 11, is a secure processor carrying out cryptographic functions, such as Windows Hello authentication and BitLocker drive encryption. Caliptra could make possible an on-silicon version of TPM.

The specification was built around the concept of confidential computing, an emerging technology focused on building walls to protect data and programs during storage, transport, and execution. Users and code are verified before being allowed to enter the secure area, after which they can run programs.

**Caliptra-Spec Chips on the Way?**

The Caliptra specification aims to fend off cyberattacks and protect from vulnerabilities, such as Meltdown and Spectre, which exposed confidential user data to hackers.

Caliptra's protection layers on silicon include a root-of-trust block, in which code, users, and firmware are isolated, verified, and authenticated. The spec extends to protecting firmware and ROMs. The root-of-trust layer also detects and recovers data that may be corrupted.

The specification is now available for tape-in, which means it is also ready for testing for chips that may be going into production. Google's Lagar-Cavilla says the company is actively integrating Caliptra in first-party silicon designs and collaborating with suppliers to ensure their system-on-chips — across CPUs, GPUs, DPUs, BMCs, SSDs, and more — include Caliptra.

Caliptra is an open source technology, so chip makers can adopt and modify it for free.

A company called Antmicro is developing a Caliptra-based security core for an emerging chip architecture called RISC-V. The technology is an alternative to the dominant x86 and ARM instruction set architectures. RISC-V has a modular design that makes it easier to include technologies like Caliptra in production-level silicon.

Google is a lead developer of Caliptra, working alongside Advanced Micro Devices, Microsoft, Marvell, and NVIDIA. The Linux Foundation's CHIPS Alliance is managing the development of the specification.

Intel is one of the big names in chips missing from the group of companies developing Caliptra. Intel is pushing its own on-chip security technology to protect user data and chips from hackers.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Chip Giants Finalize Specs Baking Security Into Silicon

Ubuntu Security Notice 6743-3 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6743-3April 24, 2024linux-azure-6.5 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure-6.5: Linux kernel for Microsoft Azure cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - JFS file system;   - BPF subsystem;   - Netfilter;(CVE-2023-52600, CVE-2024-26589, CVE-2024-26591, CVE-2024-26581,CVE-2023-52603)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.5.0-1019-azure    6.5.0-1019.20~22.04.1   linux-image-6.5.0-1019-azure-fde  6.5.0-1019.20~22.04.1   linux-image-azure               6.5.0.1019.20~22.04.1   linux-image-azure-fde           6.5.0.1019.20~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6743-3   https://ubuntu.com/security/notices/USN-6743-1   CVE-2023-52600, CVE-2023-52603, CVE-2024-26581, CVE-2024-26589,   CVE-2024-26591Package Information:   https://launchpad.net/ubuntu/+source/linux-azure-6.5/6.5.0-1019.20~22.04.1

Ubuntu Security Notice USN-6743-3

Red Hat Security Advisory 2024-2055-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2055.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: buildah security updateAdvisory ID:        RHSA-2024:2055-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2055Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for buildah is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. Security Fix(es):* buildah: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2265513

Red Hat Security Advisory 2024-2055-03

Red Hat Security Advisory 2024-2045-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2045.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: unbound security updateAdvisory ID:        RHSA-2024:2045-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2045Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2022-3204====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.Security Fix(es):* unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack) (CVE-2022-3204)* unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names (CVE-2022-30699)* unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names (CVE-2022-30698)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-3204References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2116725https://bugzilla.redhat.com/show_bug.cgi?id=2116729https://bugzilla.redhat.com/show_bug.cgi?id=2128947

Red Hat Security Advisory 2024-2045-03

Red Hat Security Advisory 2024-2044-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2044.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gnutls security updateAdvisory ID:        RHSA-2024:2044-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2044Issue date:         2024-04-25Revision:           03CVE Names:          CVE-2024-28834====================================================================Summary: An update for gnutls is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library,which implements cryptographic algorithms and protocols such as SSL, TLS, andDTLS.Security Fix(es):* gnutls: vulnerable to Minerva side-channel information leak (CVE-2024-28834)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-28834References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2269228

Tag

#linux