exploit

TWiC | Phishing Kits, FBI Shuts Down Credential Site, WordPress Critical Vulnerability, and Cobalt Strike

In this edition of This Week in Cybersecurity, we will discuss how phishers are using Telegram to sell phishing kits and lure in inexperienced phishers. We will also cover the recent seizure of Genesis Market, a major marketplace for stolen credentials, by the FBI and international law enforcement. Additionally, we will discuss the critical vulnerability in the Elementor Pro website builder plugin for WordPress that has been exploited by unknown attackers. Finally, we will take a look at Microsoft’s legal action to seize domains related to criminal activity involving Cobalt Strike, a popular security testing application that is often abused by cybercriminals. Continue reading to learn more about these important topics and how they may impact your organization’s security posture.

Telegram Used to Sell Phishing Kits

There has been a continued growth of the use of Telegram by phishers to offer a variety of phishing services in the past few years. Phishers use Telegram channels to promote their services to anyone willing to pay. These services can range from creating automated phishing bots, generating phishing pages, collecting data and distributing phishing links. Within this black market, free content for aspiring phishers is also offered, along with free phishing kits and users’ personal data. The reason behind these free offers is to recruit an unpaid workforce or bait inexperienced phishers to bite.

In addition, paid offers for phishers on Telegram include access to phishing tools, guides for creating customized phishing pages, and phishing-as-a-service (PhaaS) subscriptions. nGuard’s wide range of security assessments include Social Engineering. It is important for an organization to test their employees with social engineering techniques to identify potential vulnerabilities and educate them on how to recognize and respond to real-world attacks, ultimately improving the overall security posture of the organization.

FBI and International Law Enforcement Shut Down Stolen Credential Site

Genesis Market, a major marketplace for stolen credentials of all types, was seized by law enforcement as part of Operation Cookie Monster. The marketplace was offering both consumer and corporate account identities, and the admins have not been identified or caught yet. Genesis Market was one of the most popular online shops for account credentials, device fingerprints, and cookies, and it provided access to a wide list of services with user accounts from all over the world. The seizure was possible due to international law enforcement and private sector coordination. Although some of the infrastructure has been taken offline, the platform’s site on the dark web is still reachable. The bot deployed would reside on the compromised computer and send the harvested information in real-time to its buyer. The platform provided access to a wide list of services with user accounts from all over the world and the customers of the market turned a pretty penny from using the stolen digital identities.

Users can check if their accounts were compromised and sold on Genesis Market through a portal from the Dutch Police specifically built for this purpose. During nGuard’s external and internal penetration testing we always check databases for known, leaked credentials and attempt to access user’s accounts and infrastructure should we discover any.

WordPress Site Builder Elementor Pro Has Critical Vulnerability Exploited

Unknown attackers are exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. Versions 3.11.6 and earlier are affected, with the flaw described as a case of broken access control. The issue was addressed in version 3.11.7, which was released on March 22. Successful exploitation of the high-severity flaw enables an authenticated attacker to take over a WordPress site with WooCommerce enabled. After doing so, a malicious user can set the default user role to administrator, creating an account that has administrator privileges. The attackers are also likely to redirect the site to a malicious domain or upload a malicious plugin or backdoor to further exploit the site. Users are urged to update to 3.11.7 or 3.12.0.

WordPress is one of the most popular Content Management Systems (CMS) used by millions of websites worldwide. However, it is also one of the most targeted platforms for cyber-attacks. While WordPress is a powerful and flexible platform, it requires careful maintenance and attention to security best practices to keep it secure. nGuard commonly tests WordPress sites during external penetration testing, continuously monitors them with ongoing vulnerability management scans, and collecting logs through our managed event collection and correlation service. Regular penetration testing and vulnerability scanning, and log analysis can help ensure the ongoing security and integrity of a WordPress site, protecting against data breaches, financial losses, and reputational damage.

Microsoft Taking Down Illegal Versions of Cobalt Strike

Microsoft’s Digital Crimes Unit and the Health Information Sharing & Analysis Center have taken legal action to seize domains related to criminal activity involving cracked copies of the security testing application, Cobalt Strike. In January of 2021, nGuard wrote a detailed advisory on what Cobalt Strike is and what it is capable of. The tool is often abused by cybercriminals to carry out attacks ranging from financially motivated cybercrime to high-end state-aligned attacks. The court order names a range of entities and groups the companies allege misuse their technologies, including the LockBit and Conti ransomware groups, as well as a series of cybercrime operations. The legal order targets 16 anonymous “John Doe” actors engaged in a range of criminal behavior, from ransomware activity to malware distribution and development. This action builds on Microsoft’s pioneering use of domain seizure to disrupt the technical infrastructure malicious hackers rely on. It is likely only a first step to challenge illicit use of the hacking tool, as malicious actors will likely be able to retool their infrastructure. To simulate the same attacks executed by these malicious groups, nGuard’s Red Team Testing also uses tools like Cobalt Strike on network and system defenses. Having a Red Team assessment conducted will help enable better security by allowing your security teams to identify vulnerabilities and improve their defenses against potential attacks.

Beware: New Zero-Touch Exploit Targeting Microsoft Outlook Users

Microsoft Outlook users should be aware of a new critical vulnerability that has been discovered by Microsoft Threat Intelligence analysts. CVE-2023-23397 is a privilege elevation/authentication bypass vulnerability that affects all versions of Outlook for Windows. The vulnerability has a 9.8 CVSS rating and is considered a zero-touch exploit, meaning that it requires low complexity to abuse and does not require any user interaction.

According to security researchers, threat actors are exploiting this vulnerability by sending malicious emails, which do not even need to be opened. The vulnerability is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB share on a threat actor-controlled server on an untrusted network.

The attacker remotely sends a malicious calendar invite represented by .msg — the message format that supports reminders in Outlook — to trigger the vulnerable API endpoint PlayReminderSound using “PidLidReminderFileParameter” (the custom alert sound option for reminders).

Once the victim connects to the attacker’s SMB server, the connection to the remote server sends the user’s NTLM negotiation message automatically, which the attacker can use for authentication against other systems that support NTLM authentication. This could result in a NTLM relay attack to gain access to other services or even a full compromise of domains if the compromised users are admins.

It is important to note that all supported versions of Microsoft Outlook for Windows are affected by this vulnerability. Other versions of Microsoft Outlook, such as Android, iOS, Mac, as well as Outlook on the web and other M365 services, are not affected as they do not support NTLM authentication.

Security experts are warning that this vulnerability is trivial to deploy and “will likely be leveraged imminently by actors for espionage purposes or financial gain.” The earliest evidence of exploitation, attributed to Russian military intelligence, dates back to April 2022 against government, logistics, oil/gas, defense, and transportation industries located in Poland, Ukraine, Romania, and Turkey.

To mitigate the risk of exploitation, Microsoft has released a patch as part of their March 2023 Monthly Security Update, and users are advised to apply the patch immediately. Additionally, security administrators can reduce the risk of exploitation by blocking TCP 445/SMB outbound from their network, disabling the WebClient service, adding users to the Protected Users Security Group, and enforcing SMB signing on clients and servers to prevent a relay attack.

If you are concerned about your organization’s security, we recommend running the Microsoft-provided PowerShell script to scan emails, calendar entries, and task items for the “PidLidReminderFileParameter” property. This will help you locate problematic items that have this property and subsequently remove or delete them permanently.

In light of this critical vulnerability, it is important for organizations to take proactive measures to safeguard their systems and data. nGuard offers a range of cybersecurity services that can help organizations stay ahead of emerging threats like CVE-2023-23397. Our Penetration Testing services can help identify vulnerabilities in your systems and provide recommendations for patching and securing them. Our Strategic Assessment services can assist with patch management, ensuring that your systems are up to date with the latest security patches and updates. Don’t wait until it’s too late to protect your organization from cyber threats. Contact nGuard today to learn how we can help you secure your systems and data.

Vulnerability Exploits Overtake Phishing as Initial Attack Vector

Most security professionals will advise the number one way attackers gain an initial foothold on a network is, and continues to be, phishing and social engineering attacks. Palo Alto recently released their 2022 Incident Response Report which confirmed what most would say is true. At a combined 42%, phishing and social engineering make up almost half of all means of initial access.

The second most common way according to the above chart from Palo Alto is software vulnerabilities. However, in the first week of September, Kaspersky released its 2021 Incident Response Overview and it told a different story. 53.6% of the initial attack vectors they responded to were exploits of public-facing applications.

2021 had no shortage of time sensitive critical vulnerabilities including Log4j, Microsoft Exchange ProxyLogon, and three other CVEs related to the ProxyLogon vulnerabilities that were released in March of 2021. When these vulnerabilities are made publicly available it is only a matter of minutes before publicly facing systems are being scanned for vulnerable targets. Within hours, proof of concept exploits become available leading to an extremely high rate of organizations falling for such attacks.

In recent years, organizations have prioritized security awareness training and conducted social engineering and phishing training. But have those same organizations made it a priority to have a vulnerability management program in place?

How can organizations stay ahead of these attack trends? Start by building out a mature security program that includes annual penetration testing, ongoing vulnerability scanning, and a properly configured SIEM to alert on network anomalies. If you suspect a breach, identify a firm capable of responding to security incidents and secure an incident response retainer. Lastly, have an expert conduct a strategic security assessment to compare your organization’s security program to a known security standard like the Center for Internet Security Critical Security Controls.

Microsoft Zero-Day with No Patch!

Overview
CVE-2022-30190, known as Follina, was released by Microsoft on Monday, May 30th, 2022. The vulnerability resides within the Microsoft Support Diagnostics Tool (MSDT), which may allow an attacker to run arbitrary code with the privileges of the calling application. Microsoft Office applications use MSDT to troubleshoot and collect diagnostic information when something goes wrong.

This vulnerability was discovered by the independent cybersecurity researchers at nao_sec after they noticed a strange word document posted to VirusTotal. Using the Remote Template feature in Microsoft Word, an HTML file was pulled from a remote web server. It then made use of the “ms-msdt://” URI scheme to run a malicious payload. Experts are now saying this vulnerability is being exploited by attackers in the wild. Some security researchers have demonstrated execution of the malicious code merely by previewing the document in Windows File Explorer or Outlook.

Exploit
The video below demonstrates how easily this vulnerability can be exploited. Exploit code is now publicly available, making this process trivial. We will outline the steps taken in this video below:

An attacker downloads exploit code from GitHub.
This exploit code is then utilized to create the malicious Word document and stand up a web server to serve up the HTML file. In the video below, this Word document is called “sploit.docx.”
Once the user opens the Word document, you see the MSDT tool also fire off. MSDT is also commonly referred to as “Program Compatibility Troubleshooter.”
The producer of this video then shows you that both a cmd.exe process and powershell.exe process have been launched on the system. At this point, the document can be closed, but the malicious process is still running.
The demo then shows a Cobalt Strike window. Cobalt Strike is a command-and-control framework used for maintaining persistent access on compromised systems. You can see in the video that a “beacon” has been launched on the system. A beacon is an agent on the system that allows an attacker to maintain persistent access and run arbitrary code.
At this point the producer of this video runs “whoami” on the system itself to show you which user account launched the Word document. They then flip back to Cobalt Strike and run “whoami” from the interactive beacon. This displays the same user account. Persistent remote code execution achieved.

What To Do?
At this point in time, Microsoft has not released an official fix for this vulnerability. They are recommending that the MSDT URL protocol be disabled in order to protect systems from this vulnerability. That guidance can be found here. nGuard offers a bevy of services that can help prevent and identify these types of attacks. Both Social Engineering simulations and Social Engineering Awareness Training can assist your organizations employees in identifying these types of attacks. Internal Penetration Testing can boost the overall security posture of your internal network. If a machine on your network does become compromised, you have assurance that the adversary won’t make it very far. Lastly, Managed Event Collection & Correlation gives you 24×7 monitoring from advanced log analysis tools and nGuard professionals who are trained to detect suspicious activity.