Attackers are harvesting credentials from compromised systems. Here's how some commonly used tools can enable this.

The majority of cyberattacks rely on stolen credentials — obtained by either tricking employees and end-users into sharing them, or by harvesting domain credentials cached on workstations and other systems on the network. These stolen credentials give attackers the ability to move laterally within the environment as they pivot from machine to machine — both on-premises and cloud — until they reach business-critical assets.

In the Uber breach back in September, attackers found the credentials in a specific PowerShell script. But there are plenty of less flashy, yet just as damaging, ways attackers can find credentials that would allow them access to the environment. These include common local credentials, local users with similar passwords, and credentials stored within files on network shares.

In our research, we faced the question of what kind of information can be extracted from a compromised machine — without exploiting any vulnerabilities — in order to move laterally or extract sensitive information. All the tools we used here are available on our GitHub repository.

Organizations rely on several tools to authenticate to servers and databases using SSH, FTP, Telnet, or RDP protocols — and many of these tools save credentials in order to speed up authentication. We look at three such tools — WinSCP, Robomongo, and MobaXterm — to show how an attacker could extract non-cleartext credentials.

**WinSCP: Obfuscated Credentials**

When a domain controller is not available, a user can access system resources using cached credentials that were saved locally after a successful domain logon. Because the user previously was authorized, the user can log into the machine using the domain account via cached credentials even if the domain controller that authenticated the user in the past is not available.

WinSCP offers the option to save the credential details used to connect to remote machines via SSH. While the credentials are obfuscated when saved in the Windows registry (Computer\\HKEY\_CURRENT\_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions), they are not encrypted at all. Anyone who knows the algorithm used to obfuscate can gain access to the credentials.

Since WinSCP's source code is available on GitHub, we were able to find the obfuscation algorithm. We used a tool that implemented the same algorithm to de-obfuscate the credentials, and we gained access to the credentials in cleartext.

Implementing an obfuscation algorithm to secure credentials stored is not best practice, as it can be easily reversed and lead to credentials theft.

**Robomongo: Not a Secret Key**

Robomongo (now Robo 3T) is a MongoDB client used to connect to Mongo database servers. When you save your credentials, they are encrypted and saved in a _robo3t.json_ JSON file. The secret key used to encrypt the credentials is also saved locally, in cleartext, in a _robo3t.key_ file.

That means that an attacker who gains access to a machine can use the key saved in cleartext to decrypt the credentials.

We looked at Robomongo's source code on GitHub to understand how the key is used to encrypt the password and learned that it uses the SimpleCrypt lib from Qt. While Robomongo uses encryption to securely store credentials, the fact that the secret key is saved in cleartext is not best practice. Attackers could potentially read it, because any user with access to the workstation can decrypt the credentials. Even if the information is encoded in a way that humans cannot read, certain techniques could determine which encoding is being used, then decode the information.

**MobaXterm: Decrypting the Password**

MobaXterm is a powerful tool to connect to remote machines using various protocols such as SSH, Telnet, RDP, FTP, and so on. A user who wants to save credentials within MobaXterm will be asked to create a master password to protect their sensitive data. By default, MobaXterm requests the master password only on a new computer.

That means that the master password is saved somewhere, and MobaXterm will retrieve it to access the encrypted credentials. We used Procmon from the Sysinternals Suite to map all the registry keys and files accessed by MobaXterm, and we found the master password saved in the Windows registry (Computer\\HKEY\_CURRENT\_USER\\SOFTWARE\\Mobatek\\MobaXterm\\M). Credentials and passwords are saved in the C and P registry keys, respectively.

Initially, we were unable to decrypt the master password, which was encrypted using DPAPI. We eventually figured out that the first 20 DPAPI bytes, which are always the same when using DPAPI, had been removed. When we added the first 20 bytes, we were able to decrypt the DPAPI cipher to obtain the SHA512 hash of the master password. This hash is used to encrypt and decrypt credentials.

Here, the encryption key used to securely store the credentials is saved using DPAPI. That means that only the user who saved the credentials can access them. However, a user with administrator access, or an attacker who gains access to the victim's session, can also decrypt the credentials stored on the machine.

**Know the Risks**

Developers, DevOps, and IT use various tools to connect to remote machines and manage these access details. Vendors have to store this sensitive information in the most secure way. However, encryption is always on the client side, and an attacker can replicate the tool behavior in order to decrypt the credentials.

As always, there isn't a magic solution that can solve every problem we've discussed here. Organizations might, however, begin by examining the services they are now using. They can construct an accurate risk matrix and be better prepared for data breaches by having a stronger understanding of the types of sensitive data and credentials they are storing.

Extracting Encrypted Credentials From Common Tools

Gentoo Linux Security Advisory 202212-6 - Multiple vulnerabilities have been found in OpenSSH, the worst of which could result in arbitrary code execution. Versions less than 9.1_p1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: OpenSSH: Multiple Vulnerabilities  
     Date: December 28, 2022  
     Bugs: #874876, #733802, #815010  
       ID: 202212-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in OpenSSH, the worst of which  
could result in arbitrary code execution.

Background  
=========  
OpenSSH is a free application suite consisting of server and clients  
that replace tools like telnet, rlogin, rcp and ftp with more secure  
versions offering additional functionality.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-misc/openssh           < 9.1_p1                    >= 9.1_p1

Description  
==========  
Multiple vulnerabilities have been discovered in OpenSSH. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All OpenSSH users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.1_p1"

References  
=========  
[ 1 ] CVE-2020-15778  
      https://nvd.nist.gov/vuln/detail/CVE-2020-15778

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-06

Gentoo Linux Security Advisory 202212-7 - An integer overflow vulnerability has been found in libksba which could result in remote code execution. Versions less than 1.6.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libksba: Remote Code Execution  
     Date: December 28, 2022  
     Bugs: #877453  
       ID: 202212-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
An integer overflow vulnerability has been found in libksba which could  
result in remote code execution.

Background  
=========  
Libksba is a X.509 and CMS (PKCS#7) library.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/libksba           < 1.6.3                      >= 1.6.3

Description  
==========  
An integer overflow in parsing ASN.1 objects could lead to a buffer  
overflow.

Impact  
=====  
Crafted ASN.1 objects could trigger an integer overflow and buffer  
overflow to result in remote code execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libksba users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/libksba-1.6.3"

References  
=========  
[ 1 ] CVE-2022-3515  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3515  
[ 2 ] CVE-2022-47629  
      https://nvd.nist.gov/vuln/detail/CVE-2022-47629

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-07

By Deeba Ahmed
An EarSpy attack is a proof of concept of a new type of attack on Android devices that exposes users to eavesdropping.
This is a post from HackRead.com Read the original post: EarSpy Attack Can Use Motion Sensors Data to Pry on Android Devices

A technical paper titled “EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers” has revealed how snoopers can exploit motion sensors installed inside **Android** cellphones can help adversaries eavesdrop on the user’s conversations.

**Startling Facts About Motion Sensors**

A team of researchers from different universities, including Rutgers University, Texas A&M University, Temple University, New Jersey Institute of Technology, and the University of Dayton, conducted the research.

The research team comprised Ahmed Tanvir Mahdad, Cong Shi, Zhengkun Ye, Tianming Zhao, Yan Wang, Yingying Chen, and Nitesh Saxena.

Dubbing this side-channel attack EarSpy, researchers noted that motion sensors could be used for registering ear speaker reverberations so that the attacker can determine caller identity and gender and listen to their private conversations.

This research has substantiated the assumption that eavesdropping through capturing motion sensor data is possible.

**How does EarSpy Attack help in Snooping?**

Researchers wrote that the **study** (PDF) was based on the belief that smartphones’ built-in motion sensors can let attackers collect data on indoor locations and touchscreen inputs along with listening to audio conversations without needing explicit permissions before collecting raw data.

Initially, they thought generating powerful vibrations through ear speakers to eavesdrop on user conversations wasn’t possible. But during their research, the team realized that modern smartphones have high-quality stereo speakers and highly sensitive sensors that can detect finer vibrations.

Hence, they finally determined the ideal environment for successful eavesdropping using various devices and techniques. They used multiple pre-recorded audio files, a 3rd party application for capturing sensor data as they simulated calls, and a machine learning algorithm for results interpretation.

**Research Findings**

The team found that gender detection was 98.6%, and speaker detection was up to 92.6% accurate. Moreover, they found speech detection up to 56.42% accurate. This proved the existence of differentiating between speech features in the accelerometer data that attackers can exploit for spying. EarSpy focused on gender recognition using data collected at 20 Hz, which indicates a lower sampling rate can allow attackers to determine the user’s gender.

Overview of ear speaker eavesdropping

**How to Prevent Eavesdropping?**

Researchers recommended limiting permissions to counter eavesdropping via sensor data so that 3rd party applications cannot record sensor data without the user’s permission. It is worth noting that Android 13 doesn’t allow sensor data collection at 200 Hz without the user’s permission to prevent accidental data leaks.

Furthermore, experts suggested that mobile device manufacturers must be cautious about designing more powerful speakers and instead focus on maintaining a similar sound pressure during audio conversations as was maintained by old-generation phones ear speakers.

Lastly, positioning motion sensors as far from the ear speaker as possible could minimize the phone speaker’s vibrations and diminish spying chances.

1.  **5 Tips for Protecting Your Phone from Malware**
2.  **10 Android Educational Apps That Collect Most User Data**
3.  **SSID Stripping flaw lets hackers mimic real wireless access points**
4.  **Hackers could access photos, videos without unlocking your phone**

EarSpy Attack Can Use Motion Sensors Data to Pry on Android Devices

Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates. Hotpatching was introduced a year ago as a new way to install updates on supported Windows Server Azure Edition virtual machines (VMs) without requiring a reboot after installation.

Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates. Hotpatching was introduced a year ago as a new way to install updates on supported Windows Server Azure Edition virtual machines (VMs) without requiring a reboot after installation. Based on customer feedback, all 2022 and future SUG entries will display hotpatch and security updates as alternative updates for the same impacted product.

Previously, hotpatch updates had different product row than the normal security update package (Figure 1). Following today’s change, hotpatch updates will now be displayed as an alternative update for the same product, similar to the way represent the difference between **Monthly Rollup** and **Security Only** updates for Windows 8.1 and older versions of Windows. (Figure 2)

Figure 1

Figure 2

Thank you to all the SUG users who have shared your input. We value your feedback and continue to incorporate it to make the SUG a better experience for all.

Lisa Olson  
Microsoft Security Response Center

Security Update Guide Improvement – Representing Hotpatch Updates

ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.

**Published Firmwares in 2022**

**V2.01 : 11.11.2022**

2304

Bug fix

Moxa Real TTY driver update

2397

Security

OpenSSL: fix CVE-2020-1971

2406

Security

PAM: fix 'Empty Password improper authentication' (CWE-287)

2424

Bug fix

DA-820 and DA-820C: fix 'empty slot' command

2438

Bug fix

DA-820C: fix network error messages at bootup

2442

Security

sudo: fix CVE-2021-3156

2455

Security

OpenLDAP: fix multiple CVE

2464

Bug fix

Cellular modems: fix USB disconnect/connect problem

2470

Security

OpenSSL: fix multiple CVE (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

2482

Bug fix

Postgres: fix the running state view

2491

Bug fix

Firmware update: improved the management of the postgresql service

2556

Add-on

Virtual: VirtIO NIC driver added for some KVM based hypervisors

2560

Add-on

DA-820C: support for I350-T4 and CP102U cards added

2561

Bug fix

DA-820C: fix comment update on slot 2

2590

Bug fix

Mono: moved "ApplicationData" and "CommonApplicationData" folders to /opt partition

2620

Bug fix

DA-820C: improvement of the firmware update (TPM related)

2743

Add-on

APU2: support for additional serial ports from P3

2812

Bug fix

IG2: fix EtherCAT driver for ARM64.

2857

Security

DA-820C: SysRq commands disabled

2858

Bug fix

Boot process, automatically fix potential mount errors

2873

Bug fix

NTP Server, fix the 'jump backwards in time

2878

Security

rsyslog: fix CVE-2022-24903

2897

Security

Force password change during the first login (CVE-2022-4780)

2940

Security

Virtual, open-vm-tools: fix CVE-2022-31676

2951

Bug fix

OpenLDAP: files integrated into the backup

2970

Bug fix

RADIUS: files integrated into the backup

 

Add-on

IG2: support for digital inputs/outputs

 

Security

RADIUS Integration

 

Security

Firmware Integrity Check integration

 

Security

Manage rate limiting (avoid DoS)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup 6.05.00 (StreamConfig: version 35 of the parameters)

**V2.00d - 22.04.2022 (only for CX9020)**

2825

Add-on

Staging: images for 2GB and 4GB SD cards.

 

Bug fix

StreamX Setup v6.04.25 of 07.04.2022 (StreamConfig: version 34 of the parameters)

**V2.00c - 24.02.2022 (only for CX9020)**

 

Add-on

earlyoom: memory watchdog to protect EtherLAB from an 'out of memory'.

 

Bug fix

StreamX Setup v6.04.17 of 18.02.2022 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2021**

**V2.00 : 24.02.2021**

1279

Bug fix

Fix StreamView HTML serialization errors

1715

Bug fix

Fix StreamDaemon is no more responding on ARM architectures

1867

Bug fix

Fix general Mono memory leaks

1980

Bug fix

Mono: major upgrade to version 6.10.0.104

2135

Security

Sudo: fix potential vulnerability (CVE-2019-18684)

2157

Security

Fix CVE-2019-14899 : Inferring and hijacking VPN-tunneled TCP connections

2175

Bug fix

EtherCAT: etherlab stack update

2189

Bug fix

CX9020: fix speed of second LAN which was sometimes fixed at 10 Mbit/s

2283

Bug fix

Virtual: open-vm-Tools produces no more messages continuously.

2297

Add-on

Support of stunnel for all hardwares

2298

Add-on

CX9020: support of the LEDs TC, FB1, FB2

2327

Add-on

Backup of Postgresql configuration files

2332

Add-on

Postgresql: log file rotate mechanism

2340

Bug fix

Network: fix manual lan won't goes up at boot

2343

Bug fix

APC910: fix lan1 detection on TS17.04

2362

Security

OpenLDAP: fix CVE-2020-25709 and CVE-2020-25710

2382

Add-on

APC910: support for USB1 to USB4 ports added for model TS17

2429

Bug fix

Cellular modems: fix the enable/disable NMEA feature

 

Add-on

First integration of the hardware Elvexys IG2

 

Add-on

CX9020: bootloader version 5 for kernel compatibility

 

Security

CX9020: StreamBridge is no more executed with root account (least privilege)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup v6.02.90 of 10.02.2021 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2020**

**V1.99 : 17.06.2020**

1827

Add-on

Cellular: PPP as default gateway is now listed into the network section in StreamConsole

1880

Add-on

Virtual hardware: OVF file compatibility for ESX 5.5

1893

Security

PostgreSQL: fixed multiple vulnerabilities

1897

Add-on

Virtual hardware: changed from generic to Intel network adapter

1906

Security

StrongSwan: upgrades to fix CVE-2018-16151 / CVE-2018-16152

1908

Security

Kernel: upgrades to fix CVE-2018-14634

1931

Bug fix

Cellular: fix for the configuration migration

1939

Bug fix

Cellular: fix USAN management when receiveing a SMS

1940

Bug fix

Fix to no more generate duplicate paths after a firmware migration

1954

Security

OpenSSL: fix multiple vulnerabilities

1984

Bug fix

LEDs: swapped the management of Storage and SNMP Agent

1985

Bug fix

Firmwares files with special chars are now possibles

2002

Bug fix

LEDs: no more turned off after a long period of time

2023

Bug fix

Bonds on B&R APC910 are now working as expected

2060

Add-on

CX9020: compatibility with HW rev. 3

2088

Security

Kernel: upgrades to fix CVE-2019-11477 (SACK Panic)

2095

Add-on

Virtual hardware: drivers for VMXNET3 added

2106

Bug fix

Cellular: fix infinite loop in ppp restart Under certain conditions

2112

Security

SysRq commands over serial ports is now disable for all hardware

2127

Security

Sudo: fix CVE-2019-14287 Potential bypass of Runas user restrictions

2138

Security

Unable to use SCP anymore

2142

Bug fix

APC910: fix the use of lan2 without the additional 4 lans board

2150

Add-on

Firmware update: error codes 24 and 25 added

2151

Bug fix

Default Gateway no more lost after changing the IP on the interface binded to the default gateway

2165

Security

OpenSSL : fix CVE-2019-1551

2167

Bug fix

SSL Certificates for StreamX applications are now backuped

2180

Add-on

Beckhoff CX9020: support of the new HW revision of TOSIBOX 4G modem (based on Quectel EC25 chip)

2199

Add-on

Firewall: extend ports range for StreamX services.

2218

Add-on

Fsck package added (File System Consistency Check)

2269

Bug fix

Moxa DA-820, fix the receive mechanism on serial ports P1 and P2 when used in RS485 2 wires mode.

 

Bug fix

PFC100/PFC200: use Wago BSP v. 2.8.35

 

Add-on

First integration of the hardware B&R APC910

 

Add-on

First integration of the hardware APU4

 

Add-on

First integration of the hardware Moxa DA-820C

 

Add-on

APU2 and APU4: support for the LEDs and the dual power boards

 

Add-on

APU2: support for two dual LAN mPCIe boards

 

Add-on

APU4: support for one dual mPCIe board

 

Add-on

UC-8112: first LEDs management

 

Add-on

Support of PRP for Moxa DA-820 and Moxa DA-820C from StreamConsole

 

Add-on

Support of stunnel for Virtual hardware

 

Add-on

Firewall: added UDP port 123 for NTP server

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup of 08.05.2020 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2018**

**V1.98 : 05.07.2018**

1738

Security

Kernel: upgrades to fix Meltdown and Spectre vulnerabilities

1826

Security

Moxa DA-820, fix the process to disable physical USB ports

 

Add-on

PostgreSQL, migration process updated for future major upgrades

 

Add-on

First integration of virtual hardware (VMWare) with the configinit tool

 

Bug fix

Moxa DA-681A, fix the RS485

 

Bug fix

Moxa DA-720, fix the RS485 2 wires mode on P2

 

Add-on

Moxa UC-8100, new bootloader for Linux kernel 4.1

 

Bug fix

All libraries: update to the latest stable version

 

Security

Improving hardening like using ASLR and Stack Smaching Protection

 

Bug fix

Cellular: fix the use of CTS and DTS signals

 

Bug fix

StreamX Setup of 22.06.2018 (StreamConfig: version 32 of the parameters)

**V1.97 : 05.03.2018 (only for DA-681A, DA-720, UC-81xx and APU2)**

1743

Security

Moxa Nport: the owner of the remote serial ports is now the group streamx\_apps instead of root

1729

Bug fix

WD Cellular: prevent rebooting the system if a firmware upgrade is in progress

1782

Bug fix

WD Cellular: don't block anymore in case of huge system time changes

 

Add-on

WD Cellular: the RSSI and the cellular antenna ID are now published in memory files for other programs

1748

Add-on

DHCP Client: new default settings for interoperability with slow DHCP servers

 

Add-on

First integration of the hardware Moxa DA-720

 

Bug fix

StreamX Setup of 27.02.2018 (StreamConfig: version 32 of the parameters)

CVE-2022-4780: ISOS release notes - Elvexys SA

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme. StreamX applications using StreamView HTML component with the public web server feature activated are affected.

CVE-2022-4779: StreamX release notes - Elvexys SA

Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.
Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.

Malware / Windows Security

Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.

Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.

Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code.

These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background.

To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector.

While this blockade only applies to new versions of Access, Excel, PowerPoint, Visio, and Word, bad actors have been experimenting with alternative infection routes to deploy malware.

One such method turns out to be XLL files, which is described by Microsoft as a "type of dynamic link library (DLL) file that can only be opened by Excel."

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Cisco Talos researcher Vanja Svajcer said in an analysis published last week.

The cybersecurity firm said threat actors are employing a mix of native add-ins written in C++ as well as those developed using a free tool called Excel-DNA, a phenomenon that has witnessed a significant spike since mid-2021 and continued to this year.

That said, the first publicly documented malicious use of XLL is said to have occurred in 2017 when the China-linked APT10 (aka Stone Panda) actor utilized the technique to inject its backdoor payload into memory via process hollowing.

Other known adversarial collectives include TA410 (an actor with links to APT10), DoNot Team, FIN7, as well as commodity malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.

The abuse of the XLL file format to distribute Agent Tesla and Dridex was previously highlighted by Palo Alto Networks Unit 42, noting that it "may indicate a new trend in the threat landscape."

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," Svajcer said.

**Malicious Microsoft Publisher macros push Ekipa RAT**

Ekipa RAT, besides incorporating XLL Excel add-ins, has also received an update in November 2022 that allows it to take advantage of Microsoft Publisher macros to drop the remote access trojan and steal sensitive information.

"Just as with other Microsoft office products, like Excel or Word, Publisher files can contain macros that will execute upon the opening or closing \[of\] the file, which makes them interesting initial attack vectors from the threat actor's point of view," Trustwave noted.

It's worth noting that Microsoft's restrictions to impede macros from executing in files downloaded from the internet does not extend to Publisher files, making them a potential avenue for attacks.

"The Ekipa RAT is a great example of how threat actors are continuously changing their techniques to stay ahead of the defenders," Trustwave researcher Wojciech Cieslak said. "The creators of this malware are tracking changes in the security industry, like blocking macros from the internet by Microsoft, and shifting their tactics accordingly."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Tag

#mac