A novel form of phishing takes advantage of a disparity between how browsers and email inboxes read web domains.

A novel form of phishing takes advantage of a disparity between how browsers and email inboxes read web domains.

Researchers have identified a never-before-seen method for sneaking malicious links into email inboxes.

The clever trick takes advantage of a key difference in how email inboxes and browsers read URLs, according a Monday report by Perception Point.

The attacker crafted an unusual link using an “@” symbol in the middle. Ordinary email security filters interpreted it as a comment, but browsers interpreted it as a legitimate web domain. Thus the phishing emails successfully bypassed security, but when targets clicked on the link inside, they were directed to a fake landing page nonetheless.

**A Lame Phishing Attempt**

On May 2, Perception Point’s incident response (IR) team flagged a hasily-designed phishing email trying to pass itself off as a Microsoft notice. “You have new 5 held messages,” it read, directing the recipient to follow a “Personal Portal” hyperlink.

The link directed to a website masquerading as an Outlook login page. Again the hacker’s design choices were poor, and the domain name for this supposed Outlook page was, in fact, “storageapi.fleek.co,” followed by a long series of random characters.

In theory, if a user had overlooked all of these red flags, and submitted their Microsoft credentials, those credentials would’ve gone to the attacker.

So here’s the mystery: how did such a low-effort phishing attempt make it past email security filters, which are trained to spot much more sophisticated frauds than this?

The key was in the email link.

**Some Background on Links**

Pause here for a moment, and open up another webpage in your browser.

Type “https://” into your address bar, then any string of characters you want. Next, type an @ symbol, followed by any web domain. For example:

https\[://\]abc123@www\[.\]threatpost.com

Depending on what browser you’re using, that text before the @ will either return an error message, or disappear without a trace. Why?

Well, some browsers enable you to automatically send authentication information to the website you want to visit. The syntax is as follows:

http(s)://username\[:\]password\[@\]server/resource\[.\]ext

Browsers that support this feature will interpret the string before the @ sign as login credentials. Browsers that don’t will simply ignore the string and execute whatever follows the @. Either way, the domain following @ is where you’ll be going.

In January, Microsoft removed this feature from Internet Explorer because of how easily hackers can use it to mask malicious websites as legitimate ones. They explained how:

For example, the following URL appears to open http://www\[.\]wingtiptoys\[.\]com but actually opens http://example\[.\]com:

http://www\[.\]wingtiptoys\[.\]com@example\[.\]com

Which brings us to the crux of today’s news…

The Hacker’s Trick

The URL embedded in the phishing emails from our story was:

As we’ve established, browsers will read this as a URL. But email services read the @ symbol in the middle very differently.

“It is common knowledge that an @ sign will be ignored by email security systems when used within the text of an email, and there are many instances of this being used legitimately,” Motti Elloul, vice president of customer success and incident response at Perception Point, told Threatpost via email, “For example, it can be used to refer to user information within the body of the message.” For this reason, the IR team wrote in their report, “most email detection platforms cannot recognize this address as a URL, and instead see it as a comment.”

The @ symbol is a cover: to an email security filter it’s a comment, but underneath it’s a regular old malicious link.

**The Impact**

Our hacker – unknown but for an IP address 202\[.\]172.25\[.\]42, coming from Japan – went after “a wide range of targets, including telecom, web services and financial organizations,” said Elloul. None of their emails managed to trick any targets before they were discovered.

Despite the failure of this particular campaign, Elloul told Threatpost, “the technique has the potential to catch on quickly, because it’s very easy to execute.” As a proof of concept, at least, it proved rather effective.

“In order to identify the technique and avoid the fallout from it slipping past security systems, security teams need to update their detection engines in order to double check the URL structure whenever @ is included.”

Novel Phishing Trick Uses Weird Links to Bypass Spam Filters

Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

  

*   Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
*   As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
*   Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.

**Executive Summary**

Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government entities.

This campaign targets an elite unit of the Bangladesh's government with a themed lure document alleging to relate to the regular operational tasks in the victim's organization. The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it on the victim's machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.

Such surveillance campaigns could allow the threat actors to access the organization's confidential information and give their handlers an advantage over their competitors, regardless of whether they're state-sponsored.

**Bitter threat actor**

Bitter, also known as T-APT-17, is a suspected South Asian threat actor. They have been active since 2013, targeting energy, engineering and government sectors in China, Pakistan and Saudi Arabia. In their latest campaign, they have extended their targeting to Bangladeshi government entities.

Bitter is mainly motivated by espionage. The adversary typically downloads malware onto compromised endpoints from their hosting server via HTTP and uses DNS to establish contact with the command and control. Bitter is known for exploiting known vulnerabilities in victims' environments. For example, in 2021, security researchers discovered that the adversary was exploiting the zero-day vulnerability CVE-2021-28310, a security flaw in Microsoft's Desktop Manager. Bitter is known to target both mobile and desktop platforms. Their arsenal mainly contains Bitter RAT, Artra downloader, SlideRAT and AndroRAT.

**Infrastructure**

The actor's infrastructure consists of the C2 server (helpdesk\[.\]autodefragapp\[.\]com) and several domains that host the adversary's malware, which is outlined below.

 _Domains hosting Bitter APT malware._

The SSL thumbprints are unique for each domain's certificate. We compiled a list of these SSL thumbprints in the IOCs section of the report. The timeline below shows the various domains based on their certificate creation date.

The C2 host is helpdesk\[.\]autodefragapp\[.\]com. Its WhoIs record indicates that the domain autodefragapp\[.\]com registered it in November 2020, and later updated it on Nov. 3, 2021. We have seen the actor use this C2 in previous campaigns.

The C2 domain resolved to 99\[.\]83\[.\]154\[.\]118 during the period of the campaign. This is a legitimate IP address for the AWS Global Accelerator networking service. Usually, the AWS Global Accelerator provides static IPs to the registrant, which allows the user to redirect traffic to their application or host for improved performance. In this case, we believe that the actor is using the AWS Global Accelerator to redirect traffic to their actual C2 host, which is parked behind the legitimate AWS service. We believe that the actor has employed this technique to conceal their identity.

**Attribution**

We assess with moderate confidence that this campaign is operated by Bitter based on the use of the same C2 IP address from previous campaigns and similarities in the decrypted strings of the payload, such as module names, payload executable name, paths and the constants.

The 99\[.\]83\[.\]154\[.\]118 IP also hosts mswsceventlog\[.\]net, according to Cisco Umbrella, a domain that was previously reported as Bitter's C2 server in a campaign against Pakistani government organizations.

**The campaign**

Cisco Talos observed an ongoing campaign operated by the Bitter APT group since August 2021 targeting Bangladeshi government personnel with spear-phishing emails. The email contains a maldoc attachment and masquerades as a legitimate email. The sender asks the target to review or verify the attached maldoc, which is either a call data record (CDR), a list of phone numbers, or a list of registered cases. We have seen the actor use these themes in phishing emails in the past.

The maldocs are an RTF document and Microsoft Excel spreadsheets. Examples of the specific subjects of the phishing emails are below.

*   Subject: CDR
*   Subject: Application for CDR
*   Subject: List of Numbers to be verified
*   Subject: List of registered cases

The maldocs' file names are consistent with the phishing emails' themes, as seen in the list of file names below:

*   Passport Fee Dues.xlsx
*   List of Numbers to be verified.xlsx
*   ASP AVIJIT DAS.doc
*   Addl SP Hafizur Rahman.doc
*   Addl SP Hafizur Rahman.xlsx
*   Registered Cases List.xlsx

Below are two spear-phishing email samples of this campaign.

  
_Phishing email sample 1_

  
_Phishing email sample 2_

The actor is using JavaMail with the Zimbra web client version 8.8.15\_GA\_4101 to send the emails. Zimbra is a collaborative software suite that includes an email server and a web client for messaging.

  
_Phishing email header information._

The originating IP address and header information indicates the emails were sent from mail servers based in Pakistan and the actor spoofed the sender details to make the email appear as though it was sent from Pakistani government organizations. The actor exploited a possible vulnerability in the Zimbra mail server. By modifying the Zimbra mail server configuration file, a user can send emails from a non-existing email account/domain. We have compiled a list of fake sender email addresses from this campaign:

*   cdrrab13bd@gmail\[.\]com
*   arc@desto\[.\]gov\[.\]pk
*   so.dc@pc\[.\]gov\[.\]pk
*   mem\_psd@pc\[.\]gov\[.\]pk
*   chief\_pia@pc\[.\]gov\[.\]pk
*   rab3tikatuly@gmail\[.\]com
*   ddscm2@pof\[.\]gov\[.\]pk

**The infection chain**

The infection chain begins with the spear-phishing email and either a malicious RTF document or an Excel spreadsheet attachment. When the victim opens the attachment, it launches the Microsoft Equation Editor application to execute the equations in the form of OLE objects and connects to the hosting server to download and run the payload.

 _Malicious RTF infection chain summary._

In the case of a malicious Excel spreadsheet, when the victim opens the file, it launches the Microsoft Equation Editor application to execute the embedded equation object and launches the task scheduler to configure two scheduled tasks. One of the scheduled tasks downloads the trojan "ZxxZ" into the public user's account space, while the other task runs the "ZxxZ".

 _Malicious Excel infection chain summary._

The payload runs as a Windows security update service on the victim's machine and establishes communication with the C2 to remotely download and execute files in the victim's environment.

**RTF document**

The Malicious RTF document is weaponized to exploit the stack overflow vulnerability CVE-2017-11882, which enables arbitrary code execution on victims' machines running vulnerable versions of Microsoft Office. Our previous blog outlines how this particular exploit works in the victim's environment.

 _Malicious RTF document sample._

The RTF document is embedded with an OLE object with the class name "Equation 3.0." It contains the shellcode as an equation formula created using Microsoft Equation Editor.

 _Embedded Microsoft Equation object._

When the victim opens the RTF file with Microsoft Word, it invokes the Equation Editor application and executes the equation formula containing the Return-Oriented Programming (ROP) gadgets. The ROP loads and executes the shell code located at the end of the maldocs in an encrypted format that connects to the malicious host olmajhnservice\[.\]com and downloads the payload from the URL hxxp\[:\]//olmajhnservice\[.\]/nxl/nx. The payload is downloaded in the folder "C:\\$Utf" created by the shellcode and runs as a process on the victim's machine.

 _Download URL captured during runtime of the maldoc._

**Excel spreadsheet**

The malicious Excel spreadsheet is weaponized to exploit the Microsoft Office memory corruption vulnerabilities CVE-2018-0798 and CVE-2018-0802.

When the victim opens the Excel spreadsheet, it launches the Microsoft Equation Editor application to execute the embedded Microsoft Equation 3.0 objects.

 _Malicious Excel spreadsheet._

Once the Microsoft Equation Editor service executes the embedded objects, it invokes the scheduled task service to configure the task scheduler with the commands shown below:

Task 1: Rdx

Task 2: RdxFac

The actor creates the folder "RdxFact '' in the Windows tasks folder and schedules two tasks with the task names "Rdx '' and "RdxFac '' to run every five minutes. When the first task runs, the victim's machine attempts to connect to the hosting server through the URL and, using the cURL utility, downloads the "RdxFactory.exe" into the public user profile's music folder. RdxFactory.exe is the trojan downloader.

After five minutes of execution of the first task, "Rdx,", the second task, "RdxFac,"runs to start the payload.

Based on other related samples we discovered, the actor also uses different folder names, tasks names and dropper file names in their campaigns.

We noticed that the actor is using the cURL command-line utility to download the payload in the Windows environment. Systems running Windows 10 and later have the cURL utility, which the actor abuses in this campaign.

**The payload**

The payload is a 32-bit Windows executable compiled in Visual C++ with a timestamp of Sept. 10, 2021. We named the trojan "ZxxZ" based on the name of a separator that the payload uses while sending information to the C2. This trojan is a downloader that downloads and executes the remote file. The executables were seen with the filenames "Update.exe", "ntfsc.exe" or "nx" in this campaign. They are either downloaded or dropped into the victim's "local application data" folder and run as a Windows Security update with medium integrity to elevate the privileges of a standard user.

The actor uses common encoding techniques to obfuscate strings in the WinMain function to hide its behavior from static analysis tools.

 _WinMain function snippet._

The decryption function receives the encrypted strings and decrypts each character with the XOR operation and stores the result in an array that will be returned to the caller function.

 _Decryption function._

The malware searches for the Windows Defender and Kaspersky antivirus processes in the victim's machine by creating the snapshot of running processes using CreateToolhelp32Snapshot and iterates through each process using API Process32First and Process32Next.

  
_WinMain() snippet showing antivirus process detection._

The information-gathering function gathers the victim's hostname, operating system product name, and the victim's username and writes them into a memory buffer.

  
_Information-gathering function._

The C2 communicating function at offset 401C50 is called from the two other requests making functions to send the victim's information with the decrypted strings "xnb/dxagt5avbb2.php?txt=" and "data1.php?id=" to C2 and receive the response.

The received response is a remote file saved into the "debug" folder and executed with the API "ShellExecuteA". In our research debugging environment, the remote file is similar to the trojan.

 _Requests making function 1 at offset 00401E00._

 _Requests making function 2 at offset 00402130._

**C2 communication**

For C2 communication, first, the trojan sends the victim's computer name, user name, a separator "ZxxZ" and the Windows version pulled from the registry. The server responds back with data in the format <id><user>:"<Program name">.

Next, the malware requests the program data. The server sends back the data of the Portable Executable effectively matching the pattern:<zero or more bytes>ZxxZ<PE data minus the MZ>. It then saves the file to %LOCALAPPDATA%\\Debug\\<program name>.exe and tries to execute it.

 _Request sent to C2._

If the download is successful, the server sends back the request with the opcode DN-S and, in case of a failure, the opcode RN\_E in their response. Based on our analysis, the opdoce DN-S means "download successful" and RN\_E stands for run error. If failed, the malware attempts to download the program data 225 times, and after that, it will launch itself and exit.

**Conclusion**

Organizations should be vigilant about the highly motivated threat actors who are known to conduct targeted attacks in their region. Threat actors usually emerge with smart techniques to accomplish their adversarial objectives and we have seen such an attempt in this campaign with the addition of a new variant to their arsenal.

In this current campaign, upon compromising the victim's machine and implanting the trojan ZxxZ - which has remote file execution capability - the adversary can deploy and run other tools from their arsenal to achieve their malicious objective.

Organizations should have a layered defense strategy with the implementation of the latest detection rules and behavioral protections in their endpoint defense solutions - not only with technical controls, but the organizations should have matured incident response plans and have the organization's security posture streamlined to protect their environment against the latest threats.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

  
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

The following ClamAV signatures have been released to detect this threat:

Ole2.Exploit.ZxxZDownloader-9944376-0  
Win.Downloader.ZxxZ-9944378-0

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  
Snort SIDs for this threat are 59736 and 300132.

**IOC****Domains**

olmajhnservice\[.\]com  
levarisnetqlsvc\[.\]net  
urocakpmpanel\[.\]com  
tomcruefrshsvc\[.\]com  
autodefragapp\[.\]com  
helpdesk\[.\]autodefragapp\[.\]com

**URLs**

http\[://\]autodefragapp\[.\]com/  
hxxp\[://\]olmajhnservice\[.\]com/updateReqServ10893x\[.\]php?x=035347  
hxxp\[://\]olmajhnservice\[.\]com/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-BKP&ct=BKP  
hxxp\[://\]olmajhnservice\[.\]com/nxl/nx  
hxxp\[://\]olmajhnservice\[.\]com/nxl/nx/  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-2&ct=2  
hxxps\[://\]olmajhnservice\[.\]com/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&amp  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php?dt=%25computername%25-ex-1&amp  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&amp;ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-3&ct=3  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3&ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3&amp;ct=1  
hxxp\[://\]levarisnetqlsvc\[.\]net/drw/drw  
hxxp\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php  
hxxp\[://\]levarisnetqlsvc\[.\]net/  
hxxps\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php  
hxxp\[://\]levarisnetqlsvc\[.\]net/jig/gij  
hxxps\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php/?dt=%25computername%25-LT-2&ct=LT  
hxxp\[://\]urocakpmpanel\[.\]com/axl/ax  
hxxp\[://\]urocakpmpanel\[.\]com/nt\[.\]php?dt=%25computername%25-\*\*\*\*  
hxxps\[://\]urocakpmpanel\[.\]com/  
hxxp\[://\]urocakpmpanel\[.\]com/nt\[.\]php/?dt=%25computername%25-\*\*\*\*  
hxxps\[://\]urocakpmpanel\[.\]com/nt\[.\]php/?dt=%25computername  
hxxp\[://\]urocakpmpanel\[.\]com/  
hxxp\[://\]urocakpmpanel\[.\]com:33324/  
hxxps\[://\]urocakpmpanel\[.\]com/nt\[.\]php

**SSL Certificates Thumbprints**

0cbf8c7ff9faf01a9b5c3874e9a9d49cbbf5037b  
25092b60d972e574ed593a468564de2394fa008b  
4fbde39a0735d1ad757038072cf541dfdc65faa3  
5a972665b590cc77dcdfb4500c04acda5dc1cc4e  
530f597666afc147886f5ad651b5071d0cc894ba  
04a75df9b60290efb1a2d934570ad203a23f4e9c  
aeb02ac0c0f0793651f32a3c0f594ce79ba99e82

**Documents**

b0b687977eee41ee7c3ed0d9d179e8c00181f0c0db64eebc0005a5c6325e8a82  
f7ed5eec6d1869498f2fca8f989125326b2d8cee8dcacf3bc9315ae7566963db  
490e9582b00e2622e56447f76de4c038ae0b658a022e6bc44f9eb0ddf0720de6  
b7765ff16309baacff3b19d1a1a5dd7850a1640392f64f19353e8a608b5a28c5  
ce922a20a73182c18101dae7e5acfc240deb43c1007709c20ea74c1dd35d2b12  
e4545764e0c54ed1e1321a038fa2c1921b5b70a591c95b24127f1b9de7212af8

**Payload**

fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92  
3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3  
69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61  
90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787

Bitter APT adds Bangladesh to their targets

In an effort to combat phishing, Google will allow Android phones and iPhones to be used as security keys.

Security is a continuous game of cat and mouse, with defenders improving their defenses against new attack methods and techniques. At Google I/O this week, the company announced anti-phishing efforts that will make it possible to use Android and iOS devices in the same way as physical security keys.

Security keys such as Google’s Titan Security Key work well to block phishing attempts and are easy to use. Users are prompted to plug the security key into the USB port (although some are NFC-capable) and tap it to authorize a login attempt. Google is bundling this capability into mobile devices, where Android and iOS devices use Bluetooth to verify they are in physical proximity to the device the user is trying to log into.

“Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on _their_ browser, giving us an added layer of security against the kind of ‘person in the middle’ attacks that can still work against SMS or Google Prompt,” wrote Google engineer Daniel Margolis in a blog post.

Google is also expanding the types of Google Prompt challenges that users may experience if their login attempts look potentially fraudulent. “If we think an account is at a higher risk, or if we see abnormal behavior, we're more likely to use these additional security measures,” Margolis said. 

A new Google Prompt challenge will require users to connect their mobile devices to the same Wi-Fi network as the device they are attempting to log into. Similar to the security key functionality, this allows the user to prove that both mobile and computing devices are in the same location.

Google made several other security announcements at Google I/O, including plans to continue auto-enrolling Google account users into two-step verification, scaling phishing protections for Google Docs, Sheets, and Slides, as well as new security and privacy features in Android. These announcements are in addition to the recent pledge with the FIDO Alliance, Apple, and Microsoft to expand support for the FIDO Sign-in standards for passwordless authentication.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Will Use Mobile Devices to Thwart Phishing Attacks

Microsoft's May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft’s May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft has revealed 73 new patches for May’s monthly update of security fixes, including a patch for one flaw–a zero-day Windows LSA Spoofing Vulnerability rated as “important”—that is currently being exploited with man-in-the-middle attacks.

The software giant’s monthly update of patches that comes out every second Tuesday of the month–known as Patch Tuesday—also included fixes for seven “critical” flaws, 65 others rated as “important,” and one rated as “low.”

Given that Microsoft released a record number of patches in April, May’s patch tally is relatively low, but still includes a number of notable flaws that deserve attention, researchers said.  

“Although this isn’t a large number, this month makes up for it in severity and infrastructure headaches,” observed Chris Hass, director of security at security firm Automox, in an email to Threatpost. “The big news is the critical vulnerabilities that need to be highlighted for immediate action.”

Of the seven critical flaws, five allow for remote code execution (RCE) and two give attackers elevation of privilege (EoP). The remainder of the flaws also include a high percentage of RCE and EoP bugs, with the former accounting for 32.9 percent of the flaws patched this month, while the latter accounted for 28.8 percent of fixes, according to a blog post by researchers at Tenable.

The Windows LSA Spoofing Vulnerability, tracked as CVE-2022-26925, in and of itself was not rated as critical. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8, noted Allan Liska, a senior security architect at Recorded Future, in an e-mail to Threatpost.

Moreover, the flaw—which allows an unauthenticated attacker to coerce domain controllers to authenticate to an attacker-controller server using NTLM–is being exploited in the wild as a zero-day, he said. This makes it a priority to patch, Liska added, echoing guidance from Microsoft.

****Critical Infrastructure Vulnerabilities****

Of the other critical RCE flaws patched by Microsoft, four are worth noting because of their presence in infrastructure that’s fairly ubiquitous in many enterprise and/or cloud environments.

One is tracked as CVE-2022-29972 and is found in Insight Software’s Magnitude Simba Amazon Redshift ODBC Driver, and would need to be patched by a cloud provider—something organizations should follow up on, Liska said.

CVE-2022-22012 and CVE-2022-29130 are RCE vulnerabilities found in Microsoft’s LDAP service that are rated as critical. However, a caveat by Microsoft in its security bulletin noted that they are only exploitable “if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.” That means that systems with the default value of this policy would not be vulnerable, the company said.

While “having the MaxReceiveBuffer set to a higher value than the default” seems an “uncommon configuration,” if an organization has this setting, it should prioritize patching these vulnerabilities, Liska observed.

Another critical RCE, CVE-2022-26937, is found in the Network File System (NFS) and has broad impact for Windows Server versions 2008 through 2022. However, this vulnerability only affects NFSV2 and NFSV3, and Microsoft has included instructions for disabling these versions of the NFS in the bulletin.

At the same time, Microsoft characterized the ease of exploitation of these vulnerabilities as “Exploitation More Likely,” as was the case with a similar vulnerability, CVE-2021-26432, an actively exploited zero day in the TCP/IP protocol stack in Windows server that was patched in August 2021.

“Given the similarities between these vulnerabilities and those of August of 2021, we could all be in store for a rough May,” Liska noted.

****Another Important Flaw Fixed****

Of the other flaws, another “important” one to note is CVE-2022-22019, a companion vulnerability to three previously disclosed and patched flaws found in Microsoft’s Remote Procedure Call (RPC) runtime library.

The vulnerability, discovered by Akamai researcher Ben Barnea, takes advantage of three RPC runtime library flaws that Microsoft had patched in April–CVE-2022-26809, CVE-2022-24492 and CVE-2022-24528, he revealed in a blog post Tuesday. The flaws affected Windows 7, 8, 10 and 11, and Windows Servers 2008, 2012, 2019 and 2022, and could allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service.

Akamai researchers discovered that the previous patch only partially addressed the problem, allowing the new vulnerability to create the same integer overflow that was supposed to be fixed, he explained.

“During our research, we found that right before allocating memory for the new coalesced buffer, the code adds another 24 bytes to the allocation size,” Barnea wrote in the post. “These 24 bytes are the size of a struct called ‘rpcconn\_request\_hdr\_t,’ which serves as the buffer header.”

The previous patch performs the check for integer overflow before adding the header size, so it does not take into account this header–which can lead to the same integer overflow that the patch was attempting to mitigate, he explained.

“The new patch adds another call to validate that the addition of 24 bytes does not overflow,” mitigating the problem, Barnea wrote.

Actively Exploited Zero-Day Bug Patched by Microsoft

A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.
Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022.
"The newly

A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.

Called **Nerbian RAT** by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022.

"The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries," Proofpoint researchers said in a report shared with The Hacker News.

"It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis."

The messages, amounting to less than 100 in number, purport to be from the World Health Organization about safety measures related to COVID-19, urging potential victims to open a macro-laced Microsoft Word document to access the "latest health advice."

Enabling the macros displays COVID-19 guidance, including steps for self-isolation, while in the background, the embedded macro triggers an infection chain that delivers a payload called "UpdateUAV.exe", which acts as dropper for Nerbian RAT ("MoUsoCore.exe") from a remote server.

The dropper also makes use of the open-source Chacal "anti-VM framework" to make reverse engineering difficult, using it to carry out anti-reversing checks and terminating itself should it encounter any debuggers or memory analysis programs.

The remote access trojan, for its part, is equipped to log keystrokes, capture screenshots, and execute arbitrary commands, before exfiltrating the results back to the server.

While both the dropper and the RAT are said to have been developed by the same author, the identity of the threat actor remains unknown as yet.

Furthermore, Proofpoint cautioned that the dropper could be customized to deliver different payloads in future attacks, although in its current form, it can only retrieve the Nerbian RAT.

"Malware authors continue to operate at the intersection of open-source capability and criminal opportunity," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.
Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.
These encompass 24 remote code execution (RCE), 21 elevation of

Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.

Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.

These encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to 36 flaws patched in the Chromium-based Microsoft Edge browser on April 28, 2022.

Chief among the resolved bugs is CVE-2022-26925 (CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority (LSA), which Microsoft describes as a "protected subsystem that authenticates and logs users onto the local system."

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," the company said. "This security update detects anonymous connection attempts in LSARPC and disallows it."

It's also worth noting that the CVSS severity rating of the flaw would be elevated to 9.8 should it be combined with NTLM relay attacks like PetitPotam, making it a critical issue.

"Being actively exploited in the wild, this exploit allows an attacker to authenticate as approved users as part of an NTLM relay attack - letting threat actors gain access to the hashes of authentication protocols," Kev Breen, director of cyber threat research at Immersive Labs, said.

The two other publicly-known vulnerabilities are as follows -

*   CVE-2022-29972 (CVSS score: 8.2) - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver (aka SynLapse)
*   CVE-2022-22713 (CVSS score: 5.6) - Windows Hyper-V Denial-of-Service Vulnerability

Microsoft, which remediated CVE-2022-29972 on April 15, tagged it as "Exploitation More Likely" on the Exploitability Index, making it imperative affected users apply the updates as soon as possible.

Also patched by Redmond are several RCE bugs in Windows Network File System (CVE-2022-26937), Windows LDAP (CVE-2022-22012, CVE-2022-29130), Windows Graphics (CVE-2022-26927), Windows Kernel (CVE-2022-29133), Remote Procedure Call Runtime (CVE-2022-22019), and Visual Studio Code (CVE-2022-30129).

Cyber-Kunlun, a Beijing-based cybersecurity company, has been credited with reporting 30 of the 74 flaws, counting CVE-2022-26937, CVE-2022-22012, and CVE-2022-29130.

What's more, CVE-2022-22019 followed an incomplete patch for three RCE issues in the Remote Procedure Call (RPC) runtime library last month — CVE-2022-26809, CVE-2022-24492, and CVE-2022-24528 — that were addressed by Microsoft in April 2022.

Exploiting the flaw would allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service, Akamai said.

The Patch Tuesday update is also notable for resolving two privilege escalation (CVE-2022-29104 and CVE-2022-29132) and two information disclosure (CVE-2022-29114 and CVE-2022-29140) vulnerabilities in the Print Spooler component, which has long posed an attractive target for attackers.

**Software Patches from Other Vendors**

Besides Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Google Chrome
*   HP
*   Intel
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   SAP
*   Schneider Electric, and
*   Siemens

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates

Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month's patch batch includes fixes for seven "critical" flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

**Microsoft** today released updates to fix at least 74 separate security problems in its **Windows** operating systems and related software. This month’s patch batch includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

By all accounts, the most urgent bug Microsoft addressed this month is CVE-2022-26925, a weakness in a central component of Windows security (the “**Local Security Authority**” process within Windows). CVE-2022-26925 was publicly disclosed prior to today, and Microsoft says it is now actively being exploited in the wild. The flaw affects Windows 7 through 10 and Windows Server 2008 through 2022.

**Greg Wiseman**, product manager for **Rapid7**, said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10 being the worst), although Microsoft notes that the CVSS score can be as high as 9.8 in certain situations.

“This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said. “This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution. This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.”

Wiseman said the most recent time Microsoft patched a similar vulnerability — last August in CVE-2021-36942 — it was also being exploited in the wild under the name “PetitPotam.”

“CVE-2021-36942 was so bad it made CISA’s catalog of Known Exploited Vulnerabilities,” Wiseman said.

Seven of the flaws fixed today earned Microsoft’s most-dire “critical” label, which it assigns to vulnerabilities that can be exploited by malware or miscreants to remotely compromise a vulnerable Windows system without any help from the user.

Among those is CVE-2022-26937, which carries a CVSS score of 9.8, and affects services using the **Windows Network File System** (NFS). **Trend Micro’s Zero Day Initiative** notes that this bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems.

“NFS isn’t on by default, but it’s prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix,” ZDI’s **Dustin Childs** wrote. “If this describes your environment, you should definitely test and deploy this patch quickly.”

Once again, this month’s Patch Tuesday is sponsored by **Windows Print Spooler**, a core Windows service that keeps spooling out the security hits. May’s patches include four fixes for Print Spooler, including two information disclosure and two elevation of privilege flaws.

“All of the flaws are rated as important, and two of the three are considered more likely to be exploited,” said **Satnam Narang**, staff research engineer at **Tenable**. “Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation of Privilege flaws in particular should be carefully prioritized, as we’ve seen ransomware groups like Conti favor them as part of its playbook.”

Other Windows components that received patches this month include **.NET** and **Visual Studio**, **Microsoft Edge** (Chromium-based), **Microsoft Exchange Server**, **Office,** **Windows Hyper-V**, **Windows Authentication Methods**, **BitLocker**, **Remote Desktop Client**, and **Windows Point-to-Point Tunneling Protocol**.

Also today, Adobe issued five security bulletins to address at least 18 flaws in **Adobe CloudFusion**, **Framemaker**, **InCopy**, **InDesign**, and **Adobe Character Animator**. Adobe said it is not aware of any exploits in the wild for any of the issues addressed in today’s updates.

For a more granular look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the skinny on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

Microsoft Patch Tuesday, May 2022 Edition

Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

Microsoft squashed 74 security vulnerabilities with its May 2022 Patch Tuesday update, including an important-rated zero-day bug that's being actively exploited in the wild and several that are likely widely present across enterprises.

It also patched seven critical flaws, 65 other important-rated bugs, and one low-severity issue. The fixes run the gamut of the computing giant's portfolio, including: Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

**3 Zero-Days, 1 Actively Exploited**  
The actively exploited bug (CVE-2022-26925) is a Windows LSA-spoofing vulnerability that rates 8.1 out of 10 on the CVSS vulnerability-severity scale – however, Microsoft notes in its advisory that it should be bumped up to critical (CVSS 9.8) if used in Windows NT LAN Manager (NTLM) relay attacks.

"\[A\]n unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," Microsoft warns in its advisory – a concerning situation considering that domain controllers provide high-level access to privileges.

Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server – which they can then use to authenticate to the remote server with the compromised user's privileges.

That said, the bug is tougher to exploit than most, explains Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs in a Tuesday blog. "The threat actor would need to be in the logical network path between the target and the resource requested (e.g., man-in-the-middle), but since this is listed as under active attack, someone must have figured out how to make that happen."

Tyler Reguly, manager of security R&D at Tripwire, tells Dark Reading that the bug could be related to a previously seen threat known as PetitPotam, which emerged in July to allow attackers to force remote Windows systems to reveal easily crackable password hashes.

"Based on Microsoft’s provided links, this looks to be related to the previous PetitPotam patch," he notes, adding that researchers will be guessing about that. "This is a prime example of where detailed executive summaries that explain what is happening were useful in the past. It would be great if Microsoft could return to providing those on a regular basis," he says.

Microsoft also patched two other zero-days, including a critical bug (CVE-2022-29972, CVSS not available) in Insight Software's Magnitude Simba Amazon Redshift ODBC Driver – "a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory," as ZDI's Childs explains.

He adds, "This update is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services."

The final zero-day (CVE-2022-22713, CVSS 5.6) is an important-rated bug in Windows Hyper-V that could allow denial-of-service (DoS).

**Leading Lights: Critical Microsoft Security Bugs to Patch Now**  
As far as other patches for admins to prioritize this month, some of the critical-rated issues are far-reaching across organizational infrastructure and could affect millions of companies, researchers warn.

"The big news is the critical vulnerabilities that need to be highlighted for immediate action," Chris Hass, director of security at Automox, tells Dark Reading. "This month features vulnerabilities in a number of applications that are prevalent in most enterprise organizations, including NSF, Remote Desktop Client, and Active Directory."

For instance, the critical bug affecting Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8) could allow unauthenticated remote code-execution (RCE) in the context of the highly privileged NFS service, according to Microsoft's advisory. To boot, its ubiquity is Log4j-like: It "is present in every Windows Server version from 2008 forward," Hass says, "which puts most organizations at risk if action isn't taken quickly."

Further, "these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data, often part of a ransom attempt," Kevin Breen, director of cyber threat research at Immersive Labs, tells Dark Reading.

In terms of who should especially prioritize the patch, "NFS isn't on by default, but it's prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly," Childs warns.

As for other critical bugs to consider, Breen flags CVE-2022-22017 (CVSS 8.8), an RCE issue in the also-ubiquitous Remote Desktop (RDP) Client.

"With more remote workers than ever, enterprises need to put anything affecting RDP on the radar — especially given its popularity with ransomware actors and access brokers," he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is found in Domain Services and could allow elevation of privilege thanks to an issue with the issuance of certificates. ZDI, which reported the bug, says that an attacker can gain access to a certificate to authenticate to a DC with a high level of privilege, allowing any domain-authenticated user to become a domain admin if Active Directory Certificate Services are running.

"This is a very common deployment," Childs says. "Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later."

Of less concern, Breen says, are a group of 10 RCE bugs in LDAP (the most severe, CVE-2022-22012, has a CVSS score of 9.8). These "appear particularly threatening; however, they have been marked by Microsoft as 'exploitation less likely' as they require a default configuration unlikely to exist in most environments," he notes. "It's not to say there is no need to patch these, rather a reminder that context is important when prioritizing patches."

**The Worst of the Rest**  
A handful of other vulnerabilities that also stood out to researchers are worth noting here, starting with Windows Print Spooler, which has long presented an attractive bull's-eye for cyberattackers.

"There were several Windows Print Spooler vulnerabilities patched this month, including two information disclosure flaws (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege flaws (CVE-2022-29104, CVE-2022-29132)," Satnam Narang, staff research engineer at Tenable, tells Dark Reading. "All of the flaws are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation-of-privilege flaws in particular should be carefully prioritized, as we've seen ransomware groups like Conti favor them as part of its playbook."

Breen also highlighted two other important-rated bugs as patching priorities:

*   CVE-2022-29108, a remotely executable flaw in Sharepoint that could likely be abused by an attacker seeking to move laterally across an organization. "Requiring authenticated access to exploit, it could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a wider attack chain," Breen warns.
*   A bug in Azure Data Factory (no CVE assigned) is remotely exploitable and can expose an enterprise’s confidential data, according to Breen.

Virsec CTO and co-founder Satya Gupta says that overall, the broader context of Microsoft's patching trends is important to consider for defenders. Specifically, in the last year, more than a third of the patches (1,330, or 36%) are for RCE issues.

"This of course represents a massive opportunity for malicious actors to compromise nearly any customer," he says. "In total, several of May's vulnerabilities represent a Log4j level of exposure, particularly if you consider what it would take to patch millions of servers."

What to Patch Now: Actively Exploited Windows Zero-Day Threatens Domain Controllers

Microsoft Windows Media Foundation Remote Code Execution Vulnerability.

CVE-2022-29105

Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-29110.

Tag

#microsoft