Threat actors behind web skimming campaigns are leveraging malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in an attempt to sidestep detection.
"It's a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to

Threat actors behind web skimming campaigns are leveraging malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in an attempt to sidestep detection.

"It's a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions," Microsoft 365 Defender Research Team said in a new report.

Skimming attacks, such as those by Magecart, are carried out with the goal of harvesting and exporting users' payment information, such as credit card details, entered into online payment forms in e-commerce platforms, typically during the checkout process.

This is achieved by taking advantage of security vulnerabilities in third-party plugins and other tools to inject rogue JavaScript code into the online portals without the owners' knowledge.

As skimming attacks have increased in number over the years, so have the methods employed to hide the skimming scripts. Last year, Malwarebytes disclosed a campaign wherein malicious actors were observed delivering PHP-based web shells embedded within website favicons to load the skimmer code.

Then in July 2021, Sucuri uncovered yet another tactic that involved inserting the JavaScript code within comment blocks and concealing stolen credit card data into images and other files hosted on the breached servers.

The latest obfuscation techniques observed by Microsoft overlap is a variant of the aforementioned method of using malicious image files, including regular images, to incorporate a PHP script with a Base64-encoded JavaScript.

A second approach relies on four lines of JavaScript code added to a compromised webpage to retrieve the skimmer script from a remote server that's "encoded in Base64 and concatenated from several strings."

Also detected is the use of encoded skimmer script domains within spoofed Google Analytics and Meta Pixel code in an attempt to stay under the radar and avoid raising suspicion.

Unfortunately, there's not a lot online shoppers can do to protect themselves from web skimming other than ensuring that their browser sessions are secure during checkout. Alternatively, users can also create virtual credit cards to secure their payment details.

"Given the increasingly evasive tactics employed in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources," Microsoft said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Web Skimmers Mimicking Google Analytics and Meta Pixel Code

An in-depth look at the attack chain used by an unknown APT group that has launched four campaigns against Russian targets since February.
The post Unknown APT group has targeted Russia repeatedly since Ukraine invasion appeared first on Malwarebytes Labs.

An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.

The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely. The malware uses a number of advanced tricks to hide what it does and how it works, but our analysts have been able to reverse engineer the malware, reveal its inner workings, and uncover some clues about its possible origins.

Attribution is always difficult, and there is no shortage of countries or agencies with an interest in getting covert access to Russian government computers—and the recent invasion of Ukraine has simply increased the stakes. Although our analysis and attribution efforts are ongoing, we have discovered some indicators that suggest the threat actor may be a Chinese group.

**The campaigns**

The APT group has launched at least four campaigns since late February, using a variety of lures, detailed below.

**1\. Interactive map of Ukraine**

The threat actor started this campaign around February 26, 2022, and distributed its custom malware with the name interactive_map_UA.exe, trying to disguise it as an interactive map of Ukraine. This campaign began a few days after Russia invaded Ukraine, which shows the threat actor was monitoring the situation between Ukraine and Russia and took advantage of it to lure targets in Russia.

**2\. Log4j patch**

In this campaign the threat actor packaged its custom malware in a tar file called Patch_Log4j.tar.gz, a fake fix for December’s high-profile Log4j vulnerability.

This campaign ran in early March and was primarily aimed at RT TV (formerly Russia Today or Rossiya Segodnya, a Russian state-controlled international television network funded by the Russian government). The APT group had access to almost 100 RT TV employees’ email address.

The emails were sent with the subject “Ростех. ФСБ РФ. Роскомнадзор. Срочные сиправления уязвимостей”, which translates into “Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes”. (Rostec is a Russian state-owned defense conglomerate founded by Putin.)

The emails also come with a number of image files and a PDF attached, perhaps to make the email less suspicious, and to bypass any systems that flag emails by number of attachments.

A spear phishing email from an unknown APT group claims to have “urgent vulnerability fixes”

The PDF attachment—О кибербезопасности 3.1.2022.pdf—pretends to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation”. It contains instructions about how to execute the fake patch, as well as a bulleted list of security advice such as “Use two-factor authentication”, “Issue separate credit cards for purchases”, and “Use Kaspersky antivirus”.

A PDF attachment tries to build trust with security advice and instructions on how to run the fake Log4j patch

In a confident demonstration of just how little attention people pay to such lists it ends “Do not open or reply to suspicious emails.”

The list even includes a link to a page on VirusTotal that proclaims in bright green letters that “No security vendors and no sandboxes flagged this file as malicious”. This is just another effort to convince the victims that the attachment is not malicious—the file on VirusTotal has nothing to do with the attachment and appears to be a legitimate OpenVPN file.

The PDF attachment links to a VirusTotal entry for an unrelated file

In another effort to build trust, the spear phishing email links to the website rostec.digital, a domain registered by the threat actor, hosting a site made look like the official Rostec website.

This email also contains links to fake Instagram and Facebook accounts. Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign. This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine.

The rostec.digital website  

The rostec.digital facebook account

The rostec.digital Instagram account

**3\. Build Rostec**

The Rostec defense conglomerate also appears in the third campaign. This time the threat actor used the file name build_rosteh4.exe for its malware—an apparent attempt to make it look like software from Rostec.

**4\. Saudi Aramco job**

The most recent campaign occured in mid April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at Saudi Aramco as a lure.

(We also discovered a self-extracting archive file that belonged to this campaign—the archive file used a Jitsi video conferencing software icon as decoy, and created a directory named Aramco under C:\ProgramData.)

Although the job advert is written in English, it also contains a message in Russian, asking users to enable macros.

A malicious job advert urges Russian readers to enable macros

The document uses remote template injection to download a macro-embedded template, which executes a macro that drops a VBS script called HelpCenterUpdater.vbs in the %USER%\Documents\AdobeHelpCenter directory.

The template also seems to do a redundant check for the existence of %USER%\Documents\D5yrqBxW.txt and only if it doesn’t exist, will it drop the script and execute it.

Macros embedded in the remote template

The obfuscated HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the main payload—a DLL named GE40BRmRLP.dll—from its command and control (C2) server. (Interestingly, some anti-analysis code, and code responsible for persistence, seems to be commented out in UpdateRunner.vbs and isn’t executed.)

In another payload related to this campaign, the script seems to drop an EXE instead of a DLL, but after analyzing both it seems they share the same code.

Deobfuscated HelpCenterUpdater.vbs

The job of the UpdateRunner.vbs script is to execute the DLL through rundll32.exe.

Deobfuscated UpdateRunner.vbs

The malicious DLL contains the code that communicates with the C2 server and executes the commands it receives from it.

The attack chain for the Saudi Aramco-themed APT campaign

The malware, which is common to all four campaigns, is explained in detail in the next section.

**Payload analysis**

This analysis focuses on the GE40BRmRLP.dll payload from the Saudi Aramco campaign, but the malware used in all four campaigns is essentially the same, with small differences in the code.

The DLL is heavily obfuscated and most of the library functions are statically linked. IDA is barely able to recognize any functions, though it was able to recognize a few that indicate the DLL was most likely compiled with LLVM. The DLL’s original name is supposed to be simpleloader.dll, as we can see after analyzing it a bit.

The DLLMain function from GE40BRmRLP.dll

Before we dive into the functionality and capabilities of this malware, let’s look at various methods it uses to make the analysis difficult for us.

**Anti-analysis techniques****Control Flow Flattening**

All of the samples used in these campaigns use control flow flattening heavily, a technique that flattens the nested structure of a program, making analysis very difficult. We used the D810 plugin for IDA which has the capability to deobfuscate flattened code and make the decompilation more readable.

Although there are many tools that can perform control flow flattening, in this case we suspect OLLVM—an obfuscator for LLVM—was used. The different samples had different levels of flattening and OLLVM allows users to specify this. Additionally we also saw what looks like the Bogus Control Flow LLVM pass being used.

Control Flow Flattening used by the malware

**String obfuscation**

The payload’s strings are obfuscated with simple XOR encoding. The decode_string function which is used to decode a string takes 3 arguments: The encoded string, the destination of the decoded string, and the byte that is used while decoding the string.

Each string is decoded every time it’s required by the malware.

The decode_string function from GE40BRmRLP.dll

**Command and control**

Before contacting its C2 server the malware derives an ID which is unique to every machine, which could be used to differentiate infections. It uses the data from the following APIs to construct the ID:

*   GetFileAttributesA on the C:\Windows directory
*   GetComputerNameA
*   GetVolumeInformationA on the C:\ drive

It then calculates a hash of this data using the Blake2b-256 algorithm and sends it when it makes the first contact with its C2.

Deriving the ID

The C2 address is decoded every time the malware sends a request. To communicate with the C2 the malware uses GET requests in the form url/?wSR=_data_, where _data_ contains the encoded information.

Interestingly Any.run and Fiddler fail to capture the HTTPS requests made by the malware. To make them, the malware doesn’t use any library functions but instead implements everything over raw sockets, and it uses the WolfSSL library to implement SSL itself. Our analysis also uncovered traces of http-parser from ZephyrOS. The certificate used for the SSL communication is stored inside the binary as chunks of encoded strings. Initially the malware decodes this data and stores it. Later, while making the HTTPS request, it loads this data using WolfSSL’s loadX509orX509REQFromBuffer.

After making every request the malware sleeps for a random amount of time.

HTTPS GET request

Based on the response to the above request, the malware decides which of command to execute:

1.  **getcomputername**. This retrieves the computer name using GetComputerNameA and sends a response to the C2 containing the unique id and the computer name.
2.  **upload**. This receives a file name and file contents from the C2 which it writes to the local file system.
3.  **execute**. This receives a command line instruction from the C2 and executes it using CreateProcessA. If the command is successful then the malware sends the UID with the “OK” string to the C2, or the output of GetLastError if it fails.
4.  **exit**. This is used to terminate the malware process.
5.  **ls**. This command uses a directory name from the C2, or the name of the current directory if one isn’t provided. It uses the FindFirstFile and FindNextFile function to retrieve a list of all the files under the directory and sends it back to the C2.

The upload command

The List Files command

**Attribution**

Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.

All of the C2s are from BL Networks, which has been used by Chinese APTs in the past. Also, we discovered infrastructure overlap between the malware we analyzed and the Sakula Rat malware used by the Deep Panda APT.

Infrastructure overlap between Sakula RAT and the malware analzed in this article

Another interesting indicator we found was that the macro used in the Aramco campaign is almost identical to some macros used by TrickBot and BazarLoader in the past. We think the actor may have used the same macro builder to generate its macro, and they may have used it as a false flag. There are some other weak indicators, such as WolfSSL, which has been used by Lazarus and Tropic Troopers, but they are not enough to help attribute the attack to any specific actor.

Malwarebytes customers were proactively protected against these campaigns thanks to our heuristic detection engines.

**IOCs****C2 Domains**

windowsipdate\[.\]com  
microsoftupdetes\[.\]com  
mirror-exchange\[.\]com

**C2 IPs**

168.100.11.142  
192.153.57.83  
45.61.137.211  
206.188.197.35

**Download Domain**

fatobara\[.\]com

**Download IP**

91.210.104.54

****Hashes****

Name

Hash

Final payload

cbde42990e53f5af37e6f6a9fd14714333b45498978a7971610acb640ddd5541  
86ecd536c84cec6fc07c4cb3db63faa84f966a95763d855c7f6d7207d672911e  
917820338751b08cefc635090fc23b4556fa77b9007a8f5d72c11e0453bfec95  
22bdc42a86d3c70a01c51f20f5b7cfb353319691a8102f0fe3ea02af9079653e  
12c20f9dbdb8955f3f88e28dc10241f35659dbcd74dadc9a10ca1b508722d69a  
3f16055dc0f79f34f7644cae21dfe92ffc80f2c3839340a7beebd9436da5d0eb  
f5658588c36871421f287f12e7e9ba5afba783a7003da1043a9c52d10354b909  
ca95e8a8b6fb11b5129821f034b337b06cdf407fa9516619f3baed450ac1cf2d  
bac1790efe7618c5b2b9e34e6e1d36ec51592869bcc5fb304dd7554c32731093  
5d039f4368f88a2299be91303c03143e340f700f1fc8aa0a8cdbfbc5a193c6be

patch\_Log4j.tar.gz

4b622d63e6886b1430f6ca9cba519cbefde60cd8b6dbcade7c3a152c3930e7c7

PDF attachment

f4db6fa3a83052152b5d16dc6a4e9749afafc026612ff5c3ad735743736ac488

Emails

0625566ec55f0a083d1c1a548a2631502f17e455066b29731e29d372918e6541 0925b3c05cef6d3476a97b7d4975e9e3ceefedf62f42663b9c02070e587b3f2d 111fef44ba63f11279572f1e7e4d6ce5613ef8fe3b76808355cdcbed47b49fec 1c886a9138f3b0e0b18f1c0da83719a9b5351db7ce24baa13c0e56ef65d96d02 1fb0cd76ec5ae70f08a87f9e81cb5e9b07f9b3306772ae723fa63ff5abfa0d07 27d19efedb6a7c8d3c65fe06fd5be9c3e236600e797e5058705db1e2335ec2ad 310fa9c65aa182a59e001e8f61c079e27d73b8eb5f8f8965509cb781d97ba811 3627b37b341efa0b36352d76480dce994f481e672ebf9fa2da114a1339cf6c01 3655420f72d0c14cfb113ccb53e9ac85b87883913c3844b3e0bfb7bd7230a9bd 3b2ef76ec2eb3b4db4b7efe14d88c5338f1dc4eb9a9cf309989362d193c25403 3e9254d8cb25b2abf4fb755feaaf41c0059c68067e64de01a9242e5d9e47ab33 3ff96e73aeb0419df67bc5fec786a4dc82e4a9051274b4fc3cbc3ae3af7fdf94 44118322165be32de86569972e9f599a3c79a2336ca6f76c29861b40905cd067 4b6b0c29ece1c4719ec4d5186fb6247603fa1f03bd473bf6ef6367995e8c1121 4f28db1131ace2fce96e84172e0a861eb471ea054799e1132eb4945e4dca550b 4f8c2079ac98a3e8e085be8e88ff7b53ea70cb131cba4bfd2784e391d24c27e9 5a662050df51863575700a8e21efe605f4e789404d4bb53b4299f32b93e8d20f 5aa0a15e052fea2a2d445940ef751ddf3d3ae7c43c095a738b9bd603efc7df8b 5b9c7fe8ee5756dbd8563b3efe8dbc0966ad9044ff223b8797940f9e4e47333e 5ccf98699b96c811f4dab768cf486dc0f31b098dba30e031ba4ab2a5a5a3aba8 7ee7b2193b1e53f93dc2ed573d8f927cfa0916ccf111ff35faef9c4b153456f2 80a3de79f6c859d6c4667f705588c7c254d24fca2f44704123a2ba38e7c285a9 810d6566d9879c10a6a8581bb6ea6bed83a14a869383ad7e1ee16eadfd5bbb54 811827026414bdd400257cd3f048a1c75a2b211d02ac790510b800baa0702de4 81f24d1c310214b8f66345f250a6d5493e5e1cdf06d39d18a96cd9f93a1e7655 ac328efa54b6dd4497ba5dc6195474b8b9e5a7bcd32d5733e5006be9bbd0dc22 b63ef28fc1b0b1180fe9f476fe2ef3970b9928b009354e996bb2bf4ece223031 b99580152dde60622c1a962cd7cee1834d0ee86490785ac02d8ee51b73be008f c9623e83d875d6b9ca1a80087151b59a4037159c605ee92c6c795252ccf89596 cd277299ed849de71e88f698c1c06b0cfa65f166b0e90fc620aa50f6efe70161 d4062c6fd3813299ac721309fe0385a5337cea8b8e3605b05458467aeb23d8c0 e19b7dfe0e693c468c73f0a9e4c751216787daeff7d933cedcc10c932bd2835e e444303f1888b1ee5eeb69a0c4c3372b0cd2276b6987b0b18ea2267ff7ba19ad f15d90da5e253aaf570d29ffb9bf87ce7d8292b953d13e5a0f86b8671a4c57e7 fa800e6e16444894455b2a8f9e245efbe8b298fc8af9d7f8e155bb313ca9e7bb fc4af16fed48bd3a029ce8bfc4158712f9ab0cd8b82ca48cb701923d0a792015

Unknown APT group has targeted Russia repeatedly since Ukraine invasion

In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated account pre-hijacking – a new class of …
  New Research Paper: Pre-hijacking Attacks on Web User Accounts Read More »

In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated _account pre-hijacking_ – a new class of attacks affecting websites and other online services.

Similarly to classic account hijacking attacks, the attacker’s goal is to gain access to the victim’s account. However, if the attacker can create an account at a target service using the victim’s email address _before_ the victim creates an account, the attacker could then use various techniques to put the account into a _pre-hijacked_ state. After the victim has recovered access and started using the account, the attacker could regain access and takeover the account.

The full details of this work are available in our research paper, which will be presented at the 31st USENIX Security Symposium in August. In this paper, we describe five types of account pre-hijacking attacks, and we show that a significant number of websites and online services may be vulnerable to these attacks. Our primary motivation for publishing this research is therefore to raise awareness of these attacks and to help organizations defend against them.

**Challenges in User Account Creation**

User accounts are a ubiquitous feature of websites and other online services, and have therefore become a valuable target for attackers. Account hijacking is a well-known threat in which the attacker attempts to gain unauthorized access to the victim’s user account.

Organizations rightly invest significant resources to defend against account hijacking. However, one aspect that has received less attention is the process of _user account creation_, and the corresponding security implications. With the move towards federated identity and Single Sign-On (SSO), many services now support (at least) two different routes for users to create accounts: the classic route of providing a username and password and the federated route using an Identity Provider (IdP) e.g. Sign in with Microsoft. Once the account has been created, some services also offer the possibility to link an IdP account, so that the user can either sign in directly or authenticate via the IdP.

Previous academic research has discussed a “preemptive account hijacking attack“, where an attacker gains control of a victim’s IdP account and uses it to create user accounts at services for which the victim has not yet signed up. Inspired by this attack, we demonstrate that there exists an entire class of such attacks, which we call account pre-hijacking attacks. In contrast to prior work, none of our attacks require the attacker to compromise the victim’s IdP account.

The distinguishing feature of an account pre-hijacking attack is that the attacker performs some action _before_ the victim creates an account at the target service. The unsuspecting victim might subsequently regain access to this account and start using it, potentially adding personal information, payment details, or any other type of private information. After some time, the attacker completes the attack by gaining access to the victim’s account – essentially achieving the same objective as an account hijacking attack.

In the research paper, we describe five types of pre-hijacking attacks:

**1\. Classic-Federated Merge Attack:** This exploits a potential weakness in the interaction between the classic and federated routes for account creation. The attacker uses the victim’s email address to create an account via the classic route, and the victim subsequently creates an account via the federated route, using the same email address. If the service merges these two accounts insecurely, this could result in both the victim and the attacker having access to the same account.

**2\. Unexpired Session Identifier Attack:** This exploits a vulnerability in which authenticated users are not signed out of an account when the user resets the password. The attacker creates an account using the victim’s email address and then maintains a long-running active session. When the victim recovers the account, the attacker might still have access if the password reset did not invalidate the attacker’s session.

**3\. Trojan Identifier Attack:** This exploits the possibility for the attacker to link an additional identifier to an account created using the classic username and password route. The attacker creates an account using the victim’s email address and then adds a trojan identifier (e.g. the attacker’s federated identity or another attacker-controlled email address or phone number) to the account. When the victim resets the password, the attacker can use the trojan identifier to gain access the account (e.g. by resetting the password or requesting a one-time sign in link).

**4\. Unexpired Email Change Attack:** This exploits a potential vulnerability where the service fails to invalidate email-change capability URLs when the user resets their password. The attacker creates an account using the victim’s email address and begins the process of changing the account’s email address to be the attacker’s own email address. As part of this process, the service will typically send a verification URL to the attacker’s email address, but the attacker does not yet confirm the change. After the victim has recovered the account and started using it, the attacker completes the change-of-email process to take control of the account.

**5\. Non-Verifying IdP Attack:** This attack is the mirror image of the Classic-Federated Merge Attack. The attacker leverages an IdP that does not verify ownership of an email address when creating a federated identity. Using this non-verifying IdP, the attacker creates an account with the target service and waits for the victim to create an account using the classic route. If the service incorrectly combines these two accounts based on the email address, the attacker will be able to access the victim’s account.

For all these attacks, the attacker needs to identify services at which the victim does not yet have an account but is likely to create one in future. Although success is not guaranteed, there are several ways an attacker might go about this. For example, at an individual level, the attacker might already know which services a specific victim uses, and opportunistically pre-hijack accounts at other similar or related services. More broadly, the attacker might learn that a whole organization (e.g., a university department) plans to use a particular service and could pre-hijack accounts for any publicly known email addresses from that organization. Alternatively, the attacker might observe a general increase in popularity of a service (e.g., a video conferencing service when people are required to work from home) and pre-hijack accounts for that service using email addresses found through website scraping or credential dumps. There is usually no risk to the attacker if the victim has already created an account at the service.

**Empirical Evaluation**

To ascertain the prevalence of vulnerable services, we analyzed 75 of the most popular websites and online services, and found that at least 35 of these were vulnerable to one or more pre-hijacking attacks, including widely-used cloud storage, social and professional networking, blogging, and video conferencing services. Following the principle of Coordinated Vulnerability Disclosure (CVD), we reported these vulnerabilities to the affected organizations between March and September 2021. However, it is highly likely that other websites and online services, beyond the 75 we analyzed, will also be vulnerable to these attacks. We are therefore publishing this research to shed light on this class of vulnerabilities, so that any organization operating a website or other service can take action to protect their user accounts.

Concurrently with our work, other researchers have demonstrated similar attacks (sometimes called “Pre-Account Takeover” attacks). Some examples include: reverse-engineering insecure email confirmation URL parameters \[e.g. craighayes\] or finding services that insecurely merge accounts created via the classic and federated routes, if they use the same (potentially unverified) email address \[e.g. hackerone, hbothra22\]. These examples illustrate how widespread these vulnerabilities are likely to be.

**Root Cause and Mitigation**

Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account. Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.

All the attacks described above could be mitigated if the service sent a verification email to the user-provided email address and required the verification to be completed before allowing any further actions on the account. A similar approach could be used to verify ownership of other types of identifiers, such as using text messages or automated voice calls to confirm ownership of phone numbers. If the service uses an IdP, it should check whether the IdP performs this verification or perform its own additional verification.

**Defense in Depth**

Recognizing that it might take time to implement strict identifier verification in all services, we also identified a set of defense-in-depth security measures for account creation, which would also have mitigated the above attacks.

**Password resets:** When the account password is reset, the service must perform the following actions:  
1) Sign out all other sessions and invalidate all other authentication tokens for that account to mitigate the Unexpired Session attack.  
2) Cancel all pending email change actions for that account to mitigate the Unexpired Email Change attack.  
3) Notify the user of which federated identities, email addresses, and phone numbers are linked to the account, and ask the user to select any identifiers they do not recognize (i.e., retain by default), or more preferably, to select which ones to retain (i.e., unlink by default).

**Merging accounts:** When a service merges an account created via the classic route with one created via the federated route (or vice-versa), the service must ensure that the user currently controls both accounts. For example, when the user attempts to create an account via the federated route but a classic account already exists for the same email address, the user should be required to provide or reset the password for the classic account. This would mitigate the Classic-Federated Merge and Non-verifying IdP attacks.

**Email change confirmations:** When the service sends a capability to confirm a change of email address (e.g., a code or a URL with an embedded authentication token), the validity period of this capability should be as low as possible, within the constraints of usability, to minimize the window of vulnerability for the Unexpired Email Change attack. However, this will not prevent the attacker from continuously requesting new capabilities, so the service should limit the number of times a new capability can be requested for an unverified identifier.

**Unverified account pruning:** Regularly deleting unverified accounts would reduce the window of vulnerability for most pre-hijacking attacks (except the Non-verifying IdP Attack). However, this will not prevent an attacker from creating new accounts with the same identifiers. The service should therefore monitor and potentially limit the number of times a new account can be created for the same unverified identifier. However, this could be used to mount a Denial-of-Service (DoS) attack by exhausting the account creation quota of legitimate users’ identifiers. Therefore, the service could instead reduce the pruning threshold for unverified accounts and leverage bot-detection frameworks to limit the rate at which the attacker can automatically create new accounts.

**Multi-factor authentication (MFA):** Users can protect themselves from pre-hijacking attacks by activating MFA on their accounts as soon as possible. Correctly implemented MFA will prevent the attacker from authenticating to a pre-hijacked account after the victim starts using this account. The service must also invalidate any sessions created prior to the activation of MFA to prevent the Unexpired Session attack.

**Conclusion**

In conclusion, we hope that this research will help to shed light on this potentially widespread class of vulnerabilities and assist organizations in implementing effective mitigation strategies.

– Avinash Sudhodanan (Independent Researcher) & Andrew Paverd (MSRC)

New Research Paper: Pre-hijacking Attacks on Web User Accounts

By ghostadmin
SQL (structured query language) is a unique programming language for storing, manipulating, and retrieving data from a database.…
This is a post from HackRead.com Read the original post: How to Optimize Your Database Storage in MySQL

SQL (structured query language) is a unique programming language for storing, manipulating, and retrieving data from a database. The language is applied in multiple relational database systems, including Postgres, Oracle, MySQL, and SQL Server, among others. Using SQL statements, developers can handle functional database operations like updating, creating, and deleting data.

With increasing data and technology becoming complex, it is crucial now to optimize MySQL databases to lower your infrastructure costs and deliver the best end-user experience. By optimizing your database storage, professionals will quickly identify bottlenecks, eliminate guessing games, and target insufficient operations by reviewing query execution plans.

Below are a few ways of optimizing your database storage in MySQL.

**Profile the server workload**

To fully understand how your server works, you should first review its workload. This will reveal the most expensive and slowest queries so you can optimize them. Remember that your most important metric in MySQL is time because you want the completion of a query to be almost instant when issued against your server.

**Understand your crucial resources**

All databases rely on four crucial resources; CPU, memory, network, and disk. Overwhelming any of these resources will create an inconsistent and weak server that leads to performance lags and issues. It is crucial to choose high-performing resources from the get-go because no amount of optimization of MySQL will make up for bad hardware. When checking the performance of your four resources, distinguish whether they are performing slowly or simply overloaded. This allows you to rectify performance issues quickly.

**Use the STaaS model**

STaaS (storage as a service) denotes a business model where a service provider will rent you storage resources through a subscription. With this alternative, you only pay for the storage you need when needed. This is an inexpensive option because it negates the capital expenses for new storage equipment and allows upgrading your storage according to your needs. Some of the major cloud storage providers using the STaaS model are Microsoft Azure, Oracle Cloud, Google Cloud, and Amazon Web Services.

**Do not use MySQL as your queue**

Your applications can be infiltrated by queues and access patterns looking like queues without you noticing. For instance, when you establish a status during web development, you might have accidentally created a queue.

A common instance of creating queues is when you mark emails as unsent, then send them and mark them as sent. Queues will keep tasks from running in parallel since workloads are serialized, and they generate tables detailing work in progress. Both issues will slow down your MySQL.

**Index all columns in ‘group by,’ ‘where,’ and ‘order by’ clauses**

Other than guaranteeing distinct, identifiable records, an index on MySQL allows the server to get faster results from a database. It is crucial when you want to sort your records. In some cases, an index on MySQL takes up a lot of space and might reduce performance on updates, deletes, and inserts. Nonetheless, when you have tables with more than ten rows, an index can reduce the execution time of your query.

When you know what dictates the performance of your database, you can reduce your costs and avoid overprovisioning. Hopefully, you have gathered a few facts on how MySQL works and how best to optimize it from the above article. Though it can be challenging, you can use phpMyAdmin to ease your database’s optimization. This is a free software tool that handles the web-based administration of MySQL.

Remember that optimization is iterative. With data growth and changes in workloads, new optimization opportunities will arise, so it is best to always be prepared for database optimization.

**More SQL and Database Topics**

1.  How to repair suspect database in SQL Server
2.  Whitehat hacker bypasses SQL injection filter for Cloudflare
3.  Hackers mining Monero on Microsoft SQL databases for the last 2 years
4.  US and China Exposed Most Databases Among 308,000 Discovered in 2021
5.  SQL Injection Allowed Hacker to Steal Data of 237,000 Users from Adult Site

How to Optimize Your Database Storage in MySQL

Hello everyone! In this episode, I want to talk about the latest updates to my open source vulnerability prioritization project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239088 CVSS redefinitions A fairly common problem: we have a CVE without an available CVSS vector and score. For example, this was the case with CVE-2022-1364 Type Confusion in […]

Hello everyone! In this episode, I want to talk about the latest updates to my open source vulnerability prioritization project Vulristics.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239088

A fairly common problem: we have a CVE without an available CVSS vector and score. For example, this was the case with CVE-2022-1364 Type Confusion in V8 (Chromium). This vulnerability does not exist in NVD.

The CVSS for this vulnerability is not available on the Microsoft website. Although this vulnerability itself exists for the Edge browser.

But on the other hand, CVSS can be found on other sites, such as White Source.

Therefore, I decided to add the ability to manually set the CVSS value for some vulnerabilities in data\_redefinitions.py. And this value will be used in the report.

This allows you to correctly assess vulnerabilities even if there are some problems in the main data sources.

**Bulk adding Microsoft products from MS CVE data**

The second problem is that I still edit the product description file **data/classification/products.json** manually. This file is used to detect the names of vulnerable products based on the description of the vulnerabilities.

When I do the Microsoft Patch Tuesday reports every month, there are new products that are not covered in the file. They appear in the report as Unknown Products. I have to manually add them to the file.

It’s annoying. In addition, there may be products containing the word “Windows” in their name. If there is no separate detection for them, they will be detected as Windows Kernel. And this is not right.

Therefore, I added functions to automatically edit **products.json**. I download all Microsoft CVEs from Vulners.com, extract software names from titles, and add new softwares to products.json.

Those products that have the word Windows in their name are added with the comment “Windows component” and a criticality of 0.8. The remaining products are added with an average criticality of 0.5 and without comment.

It is expected that they will be edited manually if necessary. For all products, the vendor “Microsoft” is set.

I had 358 manually added products, I received 821 candidates for addition. As a result, I got 861 products in the **products.json** file. Big progress without much effort. Now it will be enough to run **update\_products\_file\_from\_vulners\_ms\_cves()** function periodically and this will eliminate problems with manually adding products for MS Patch Tuesday.

In case of duplication, simply add an additional name to **additional\_detection\_strings**. Also, of course, you can freely change the prevalence and detection\_priority and they will not be overwritten.

New improvements can be evaluated in the next episode about Microsoft Patch Tuesday.

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

Vulristics May 2022 Update: CVSS redefinitions and bulk adding Microsoft products from MS CVE data

Analysts have seen a massive spike in malicious activity by the XorDdos trojan in the last six months, against Linux cloud and IoT infrastructures .

Cybercriminal use of the Linux Trojan known as XorDdos is on the rise, according to a new report, which found a 254% increase in malicious activity against Linux endpoints using the malware over the last six months. 

It was first discovered in 2014, and the Microsoft 365 Defender Research Team explained in a recent blog post that the XorDdos Trojan targets Linux cloud and Internet of Things (IoT) endpoints, and deploys botnets to carry out distributed denial-of-service (DDoS) attacks. 

The team added that the attacks fit a wider trend of attacks targeting Linux-based systems. 

"By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out DDoS attacks," the team wrote in describing the rise of the XorDdos Trojan. "DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux Trojan XorDdos Attacks Surge, Targeting Cloud, IoT

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

  

Pwn2Own Vancouver closed its doors on Friday (May 20), with more than $1 million being awarded to celebrate 15 years of the annual hacking event.

Held by Trend Micro’s Zero Day Initiative (ZDI), the contest saw hackers from across the world compete both in person and virtually to find bugs in products from a wide range of vendors, including Microsoft, Mozilla, and Apple’s Safari browser.

Participants were offered the opportunity to earn both money and points, which would go towards being crowned ‘Master of Pwn’.

A team from Star Labs in Singapore, who were taking part virtually, were crowned this year’s champions with a total of 27 points.

Read more of the latest hacking news

Overall, prize payouts amounting to $1.2 million were awarded for the 27 vulnerabilities that were discovered during the event, which was celebrating its 15th year.

Sponsors including Tesla and VMWare also provided targets for the competition, with David Berard and Vincent Dehors from Synacktiv discovering two unique bugs leading to a sandbox escape on the Telsa Model 3 Infotainment System.

“The Synacktiv team was able to remotely take over the infotainment system, and they showed how they could stand outside the car and turn on the wipers, open the trunk, and flash the lights,” Dustin Childs, senior communications manager at Trend Micro’s ZDI, told The Daily Swig.

He added: “The attempt that failed still demonstrated some interesting research, and we were pleased to acquire through a standard program submission.”

DON’T MISS Pwn2Own Miami: Hackers earn $400,000 by cracking ICS platforms

Other notable discoveries include the zero-click exploit of two bugs, injection and arbitrary file write, on Microsoft Teams found by Daniel Lim Wee Soong, Poh Jia Hao, Li Jiantao, and Ngo Wei Lin of Star Labs, which earned the team $150,000, and an improper configuration against Microsoft Teams found by Hector “p3rr0” Peralta, also worth $150,000.

Childs said: “We’ve had an exciting event with more than $1,000,000 awarded to the contestants. With so many attempts in the category, we expected several bug collisions, but that hasn’t been the case. Almost everything demonstrated was unique and qualified for the maximum payout.

“It was interesting the see the variety of Microsoft Teams exploits demonstrated. We had three successful entries, and they were all different.

“The most interested – and most dangerous – was a zero-click entry that could be used to take over an entire organization. That’s one of the reasons we have this contest – to see the latest in exploit techniques and help get the patched before they are exploited in the wild.

“It’s been great to see the evolution of the program over the years. We’ve gone from a small, browser-focused event to awarded more than $1,000,000 two years in a row. We celebrated or 15th anniversary this year and can’t wait to see where the contest grows from here.”

Read about all of the entries and subsequent payouts via a blog post from ZDI.

YOU MAY ALSO LIKE Cybersecurity conferences 2022: A rundown of online, in person, and ‘hybrid’ events

Pwn2Own Vancouver: 15th annual hacking event pays out $1.2m for high-impact security bugs

Next I.T. is the sixth and largest acquisition to date for Valeo Networks.

ROCKLEDGE, Fla. and MUSKEGON, Mich., May 23, 2022 /PRNewswire/ -- Valeo Networks, a leading Managed Security Service Provider (MSSP), today announced the acquisition of Next I.T., a Michigan-based Managed Service Provider (MSP). Financial terms are not being released.

A recognized and highly respected MSP, Next I.T. is the sixth and largest acquisition to date for Valeo Networks and further supports its goal of building a national network of IT and cybersecurity experts to comprehensively support and protect its client base.

The company will continue to operate as DBA Next I.T. (A Valeo Networks Company), and maintain its current Michigan office locations in Muskegon, Kalamazoo, and Traverse City. The Next I.T. team consists of Microsoft Certified Engineers, Cisco Certified Engineers, and certified technicians in both HP and Dell. They specialize in providing IT solutions for clients across a wide range of industries, including manufacturing, non-profits, and healthcare.

"We are thrilled to welcome Next I.T. to the Valeo Networks family," said Travis Mack, CEO, Valeo Networks. "Their deep skill set and broad expertise will be an excellent fit within our organization, as we continue to advance our nationwide growth strategy. As with each of our divisions, we will partner with Next I.T. to strengthen resources and capabilities in cybersecurity, managed services, cloud solutions, and compliance."

"I am excited for Next I.T. to join Valeo Networks and be part of a larger organization," said Eric Ringelberg, CEO, Next I.T. "With as much as we have grown over the past twenty-one years and having robust IT services in place, this was the natural next step for our continued growth. The Valeo leadership team really stood out to me in offering a true partnership, holding the same values, and having a track record of keeping its acquired companies intact. I look forward to accelerating Next I.T.'s growth throughout the Midwest region with the resources, capital backing, and collaboration that Valeo Networks provides."

**About Next I.T.  
**Next I.T., an award-winning Managed Service Provider (MSP), specializes in industry-specific solutions that leverage technology, increase productivity, and reduce risk for small and medium-sized businesses. It offers a full line of computer hardware, telecommunication equipment, and the professional expertise with remote capabilities to install and service systems. Next I.T. is headquartered in Muskegon, MI, with additional branches in Kalamazoo and Traverse City. For more information, visit www.next-it.net.

**About Valeo Networks  
**Valeo Networks is a full-service, award-winning Managed Security Service Provider (MSSP) that serves State, County, Municipal markets; small-to-medium businesses (SMBs); and non-profit organizations. Firmly seated in the top 5% of revenue generating MSSPs nationwide—making it one of the largest MSSPs nationally—Valeo Networks provides solutions in the areas of cybersecurity, compliance, cloud, network infrastructure, and managed IT services. With over 20 years of industry experience, Valeo Networks is headquartered in Rockledge, FL, with additional locations nationwide. Learn more at www.valeonetworks.com.

Valeo Networks Acquires Next I.T.

IronKey Vault Privacy 80 External SSD safeguards against brute-force attacks and BadUSB with digitally-signed firmware.

_**Fountain Valley, CA – May 23, 2022 –**_ Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., a world leader in memory products and technology solutions, today announced the release of the newest addition to its encrypted lineup, **IronKey Vault Privacy 80 External SSD** (VP80ES). This marks Kingston’s first innovative OS-independent external SSD with **touch-screen** and **hardware-encryption** for data protection.

Using IronKey VP80ES is as innate as unlocking a smartphone and simple drag & drop file transfers. Featuring an intuitive color touch-screen and FIPS 197 certified with XTS-AES 256-bit encryption, VP80ES is designed to protect data while also being user-friendly. The drive is ideal to safeguard against Brute Force attacks and BadUSB with digitally-signed firmware for users from small-to-medium businesses (SMB) to content creators. Its military-grade security measures make it greatly superior over using the internet and Cloud services for securing important company information, documents, or high-res images and videos.

Along with its ease of use and hardware encryption, VP80ES offers additional features for data protection, like **Multi-Password (Admin/User) Option** with **PIN/Passphrase modes** and **Configurable Password Rules**. With Admin option, choose between numeric PIN or Passphrase modes, set Configurable Password Rules, or enable extended security options like maximum number of shared password attempts, minimum password length of 6-64 characters, alphanumeric password rules, auto-timeout to lock drive, randomize touch-screen layout and Secure-Erase to ensure maximum protection of your important files. The Admin password can be used to restore data and access should the User password be forgotten. For additional peace of mind, VP80ES’ Brute Force attack protection crypto-erases the drive if the Admin and User passwords are entered incorrectly 15 times1 in a row by default.

Don’t fear forgetting your password, though: with the use of the ‘space’ character it can be easier to remember a passphrase as a list of words, a memorable quote, or lyrics from a favorite song. Otherwise, the PIN pad can be used to unlock VP80ES, just as you would on a mobile device. To reduce failed login attempts and frustration, tap the “eye” button to view the password as entered. VP80ES is bundled with a neoprene travel case and two USB 3.2 Gen 1 adapter cables to easily connect to USB Type-C®2 or Type-A supporting computers and other devices, making it the perfect companion that enables portable productivity and convenience when you need secured data and content on-the-go.

“As more and more people continue to work from home and outside of company firewalls, we want to provide higher capacity options of user-friendly military-grade security for small and medium businesses to complement our existing encrypted USB drives,” said Richard Kanadjian, encrypted business manager, Kingston. “IronKey Vault Privacy 80ES does just that. Between the color touch-screen, the myriad security features, and its small form factor, users can truly control their data in their own hands.”

Kingston IronKey Vault Privacy 80 External SSD is available in 480GB, 960GB, and 1920GB capacities and is backed by a limited three-year warranty, free technical support and legendary Kingston reliability.

For more information visit kingston.com.

**IronKey Vault Privacy 80 External SSD**

**Part Number**

**Capacity**

IKVP80ES/480G

480GB IronKey VP80ES

IKVP80ES/960G

960GB IronKey VP80ES

IKVP80ES/1920G

1920GB IronKey VP80ES

**Kingston IronKey Vault Privacy 80 External SSD Features and Specifications****:**

*   **Safeguard Important Data with FIPS 197 Certified XTS-AES 256-bit Encryption:** Built-in protections against BadUSB, Brute Force attacks and Common Criteria EAL5+ certified secure microprocessor.3
*   **Unique Intuitive Touch-screen:** Protecting your data is easy with the intuitive, user-friendly color touch-screen.
*   **Enable Multi-Password (Admin/User) Option with PIN/Passphrase modes:** Multi-Password Option for Data Recovery with Admin access.
*   **Configurable Password Rules:** Manage the number of password attempts, minimum password length of 6-64 characters, and numeric or alphabet password rules.
*   **Extended Security Options:** Adjustable auto-timeout to lock drive, randomize touch-screen layout and Secure-Erase the drive to wipe out all passwords and encryption key.
*   Dual Read-Only (Write-Protect) Mode Settings: Defend against cybersecurity threats from compromised systems using two levels of Read-only protection
*   **Interface:** USB 3.2 Gen 1
*   **Connector:** Type-C
*   **Package Includes:** Neoprene travel case, USB 3.2 Gen 1 C-to-C cable,

USB 3.2 Gen 1 C-to-A cable

*   **Capacities4:** 480GB, 960GB, 1920GB
*   **Speed:** Up to 250MB/s read, 250MB/s write
*   **Dimensions:** 122.5 mm x 84.2 mm x 18.5 mm
*   **Operating Temperature:** 0°C to 45°C
*   **Storage Temperature:** \-20°C to 60°C
*   **Compatibility:** USB 3.0/USB 3.1/USB 3.2 Gen 1
*   **Warrant/Support5:** Limited 3-year warranty
*   **Compatible with:** OS-independent:

Microsoft Windows®, macOS®, Linux®, Chrome OS™ or any system that supports a USB mass storage device.

1 Brute Force attack protection crypto-erase adjustable from 10-30 password attempts

2 USB Type-C® and USB-C® are registered trademarks of USB Implementers Forum.

3 Hardware Certified with built-in protection mechanisms designed to defend against external tampering and physical attacks.

4 Some of the listed capacity on a flash storage device is used for formatting and other functions and thus is not available for data storage. As such, the actual available capacity for data storage is less than what is listed on the products. For more information, go to Kingston's Flash Memory Guide.

5 Limited 3-year warranty. See kingston.com/wa for details.

**Kingston can be found on**:

YouTube Instagram

Facebook LinkedIn

Twitter Kingston Is With You

**About Kingston Technology Company, Inc.**

From big data, to laptops and PCs, to IoT-based devices like smart and wearable technology, to design-in and contract manufacturing, Kingston helps deliver the solutions used to live, work and play. The world’s largest PC makers and cloud-hosting companies depend on Kingston for their manufacturing needs, and our passion fuels the technology the world uses every day. We strive beyond our products to see the bigger picture, to meet the needs of our customers and offer solutions that make a difference. To learn more about how Kingston Is With You, visit Kingston.com.

Kingston Digital Releases Touch-Screen Hardware-Encrypted External SSD for Data Protection

Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.

Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.

While most malicious e-mail campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.

The campaign—discovered by researchers at HP Wolf Security—aims to dupe victims with an attached PDF file purporting to have information about a remittance payment, according to a blog post published Friday. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection.

“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.”  
Indeed, attackers using malicious email campaigns have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats, according to researchers.

“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.

Still, while the new campaign does use PDF in the file lure, it later employs Microsoft Word to deliver the ultimate payload—the Snake Keylogger, researchers found. Snake Keylogger is a malware developed using .NET that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.

****‘Unusual’ Campaign****

The HPW Wolf Security team noticed a new PDF-based threat campaign on March 23 with an “unusual infection chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.

Attackers target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf”—misspelling intended–as attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers found.

“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt,” according to the post.

The.docx file is stored as an EmbeddedFile object within the PDF, which opens Microsoft Word if clicked on, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which then is run in the context of the open document.

Researchers unzipped the contents of the .rtf—which is an Office Open XML file—finding a URL hidden in the “_document.xml.rels__”_ file that is not a legitimate domain found in Office documents, they said.

****17-Year-Old Bug Exploited****

Connecting to this URL leads to a redirect and then downloads an RTF document called “_f\_document\_shp.do__c._ This document contained two “not well-formed” OLE objects that revealed shellcode exploiting  CVE-2017-11882, which researchers said is an “over four-years-old” remote code execution vulnerability (RCE) in Equation Editor.

Equation Editor is app installed by default with the Office suite that’s used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.

It turns out, however, that the bug that attackers leverage in the campaign is actually one that Microsoft patched more than four years ago–in 2017, to be exact—but actually had existed some 17 years before that, making it 22 years old now.

As the final act of the attack, researchers found shellcode stored in the “_OLENativeStream__”_ structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed after to lead to an executable called _fresh.exe_ that loads the Snake Keylogger, researchers found.

Tag

#microsoft