Plus: The US admits to cyber operations supporting Ukraine, SCOTUS investigates its own, and a Michael Flynn surveillance mystery is solved.

Not to freak out anyone, but there's a serious flaw in all supported versions of Microsoft Windows that allows attackers to take over your machine. The so-called Follina vulnerability can be exploited using a weaponized Word document, and security researchers say they've already spotted government-backed hackers using this attack in the wild. Fingers crossed that Microsoft, which has downplayed the severity of the flaw, issues a patch soon.

Speaking of patches, everything from Apple's iOS and Google Android to Chrome, Firefox, and Zoom received major security updates in May. Check out our complete list of available updates to see which apps you need to attend to as soon as possible.

We also explored the race to protect your voice from hackers and corporate greed. And we tried to unravel the mystery of China's sudden warnings about US state-sponsored hackers going after Chinese systems, despite the fact that these hacks are well known and happened ages ago.

Meanwhile, in India, the country's telecom regulator is preparing to crack down on robocall spam and scammers by requiring callers' names to appear on caller ID. The idea sounds good—until you realize the privacy implications and the fact that such a plan might not even work.

Finally, because nothing's sacred, Canada's privacy commissioner this week announced that a mobile app for Tim Hortons, the beloved coffee chain, illegally spied on its users' locations. The app, which used location-tracking tech from US-based firm Radar, collected a constant stream of users' location data—checking as frequently as every 2.5 minutes—and would create an “event” anytime a user “entered or left” their home, office, major sports complex, or rival coffee shop, according to the commissioner's office.

But that's not all, folks. Each week, we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there. 

If you lived in Illinois between May 1, 2015, and April 25, 2022, Google may owe you some cash. The company recently settled a class-action lawsuit over a feature in the Google Photos app that categorized photos of people based on their faces. The problem? According to the lawsuit, Google failed to receive consent to do so from millions of users, a violation of the state's Biometric Information Privacy Act. Google did not admit fault as part of the settlement, but it has agreed to pay $100 million and put in place measures to avoid further privacy violations. If you were an Illinois resident during that seven-year period and appeared in a photo uploaded to the Google Photos app, you can file a claim for your piece of the $100 million pie.

The blurry line between “at war” and “not at war” grew even fuzzier this week. General Paul Nakasone, the head of US Cyber Command and the NSA, told Sky News that the US military has conducted “a series of operations across the full spectrum," including “offensive, defensive, and information operations” in support of Ukraine's defense against Russia's invasion. Nakasone declined to detail what these operations entailed but assured that they were perfectly legal. The general's admission coincides with the US agreeing to provide Ukraine with advanced missile systems with a range of 50 miles. The Kremlin responded to this news by saying the US was “pouring fuel on the fire.”

As part of the US Supreme Court's investigation into the leak of a draft opinion overturning guaranteed abortion rights in the United States, the Court's clerks have been asked to turn over their private phone records and sign an affidavit, according to CNN. The “unprecedented” move is jarring for civil liberties advocates. As Albert Fox Cahn, found of the Surveillance Technology Oversight Project, writes for WIRED: “The intrusive probe reveals a disturbing about-face from the Supreme Court, and particularly Chief Justice John Roberts, on surveillance powers.” The clerks, meanwhile, are reportedly hesitant to refuse the demand for phone records or seek legal counsel for fear of being wrongly suspected of leaking the draft opinion to _Politico_ reporters.

A Trump-era conspiracy theory can finally be put to rest—theoretically, at least. A 52-page classified report into the “unmasking” of Michael Flynn, a former US national security adviser to Donald Trump, has now been made public thanks to a Freedom of Information Act request filed by Jason Leopold of Buzzfeed News. Republicans have long accused Obama administration operatives of revealing Flynn's name in classified material for political purposes in the lead-up to the 2016 election. But the Justice Department report, prepared by former US Attorney John Brash, found “no evidence that unmasking requests were made for political purposes or other inappropriate reasons during the 2016 election period or the ensuing transition period." Flynn ultimately resigned in 2017 for misleading vice president Mike Pence about Flynn’s calls with Russia's ambassador to the US.

Google May Owe You a Chunk of $100 Million

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 27 and June 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 27 to June 3

The latest iteration of CMD-based ransomware is sophisticated and tricky to detect – and integrates token theft and worming capabilities into its feature set.

A new CMD-based ransomware variant is still under development, but researchers warn that its poisonous combination of multiple layers of obfuscation and the sneaky integration of legitimate service links into its attack make it a potentially formidable threat. 

YourCyanide traces its roots back to the GonnaCope ransomware family first discovered in April, a new report from the Trend Micro threat hunting team explains. It doesn't actually encrypt anything yet (researchers say that's likely coming soon), but it does rename all targeted files, steal information, and pilfer access tokens from popular applications like Chrome, Discord, and Microsoft Edge. It also self-propagates.

YourCyanide includes a few new tactics, including using PasteBin, Discord, and Microsoft links to download its payload in stages, and hiding behind Enable Delayed Expansion functionality, the analysts note. 

"While YourCyanide and its other variants are currently not as impactful as other families, it represents an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework," the the ransomware variant report says. "It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links

The attack on Israeli organizations is the latest in a long line of attempts to compromise supply chains, as the APT looks to leverage that access to target a multitude of potential victims.

After detecting a Lebanese hacking group it calls Polonium abusing its OneDrive personal storage service, Microsoft says it was able to disable the group, which could have links to the Iranian government.

In its latest effort, the advanced persistent threat (APT) targeted more than 20 Israeli organizations and one intergovernmental organization. The Microsoft Threat Intelligence Center (MSTIC) says it suspended more than 20 malicious OneDrive applications created by Polonium actors in the campaign.

Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says – all of which offer an avenue to carry out downstream supply chain attacks.

"In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply-chain attack that relied on service provider credentials to gain access to the targeted networks," according to MSTIC. "Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a Polonium tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access."

**Polonium's Infection Routine**

In 80% of the observed cases, the group exploited a flaw in Fortinet VPN appliances (likely via CVE-2018-13379 vulnerability) to gain initial access. Then they installed a custom PowerShell implant called CreepySnail on the target networks, according to Microsoft. From there, the actors deployed a set of tools named CreepyDrive and CreepyBox to abuse legitimate cloud services for command-and-control (C2) across most of their victims. 

MSTIC says with “moderate confidence” that the attacks were likely carried out with help from Iran’s Ministry of Intelligence and Security (MOIS).

"The observed activity was coordinated with other actors affiliated with Iran's \[MOIS\], based primarily on victim overlap and commonality of tools and techniques," the MSTIC assessment states. “The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.”

**Cyber Operations in Support of State Objectives**

Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, explains that Iran, specifically MOIS, uses a variety of organizations and affiliates to conduct cyber operations in support of Iranian government interests.

“This activity, which spans the spectrum of state responsibility, mirrors Iran’s material support to various organizations,” she says.

From DeGrippo’s perspective, this report demonstrates another example of how Iran and Israel are engaged in cyber conflict and comes amid rising gray zone tensions between Iran and its adversaries.

In March 2021, for example, Proofpoint reported on how the Iran-aligned threat actor TA453 had targeted Israeli and American medical researchers in late 2020. TA453 has historically aligned with Islamic Revolutionary Guard Corps (IRGC) priorities, targeting dissidents, academics, diplomats, and journalists.

“While this campaign may have been a one-off requirement, TA453 targeting Israeli organizations and individuals is consistent with these ever-increasing geopolitical tensions between the two countries,” she noted.

**Defense Should Focus on Authentication Activity**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says that while knowing Polonium’s exact motivation is impossible, given the known animosity between the states involved, it’s a “reasonably safe bet” they are trying to do as much damage to their targets as possible as part of a larger agenda.

“State and state-sponsored threat actors compound the problems presented by common cybercriminal groups,” he explains to Dark Reading. “Where criminals are typically after information for sale, data to hold for ransom, or resources to use for further attacks, state-level actors often have additional, much deeper motivations,” such as cyber-espionage or destructive attacks.

Because of the overlap in techniques and tools, it can be difficult to tell the two apart, which can complicate the matter for targeted organizations, he adds.

**Fending Off State-Sponsored Cyberattacks**

To thwart attacks like these, Microsoft advises that organizations should review all authentication activity throughout their remote access infrastructure and VPNs. A particular focus should be fixed on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.

Parkin points out that access and authentication logs can easily reveal suspicious activity and keep an attempted breach from turning into a newsworthy incident.

“There is an old saying from system administration about the uselessness of keeping logs that are never reviewed,” he says. “With access logs, regular reviews for suspicious activity should be happening regularly. If not, why keep them?”

In addition to patching known vulnerabilities, Proofpoint’s DeGrippo also notes that a basic best practice for defense is ensuring that all remote-access accounts are required to enable multifactor authentication (MFA).

“Those accounts that require only single-factor authentication do not have the protection MFA provides, allowing an attacker to successfully phish or social engineer a user’s password without encountering a secondary authentication,” she adds.

**VPNs: Taking a Page From Fancy Bear**

Phil Neray, vice president of cyber-defense strategy at CardinalOps, a threat coverage optimization company, tells Dark Reading that Russian threat actor Fancy Bear (aka APT28 and Strontium) also targeted VPNs on a large scale in 2018 with the VPNFilter campaign, which similarly targeted critical infrastructure.

MITRE ATT&CK categorizes this approach as T1133 External Remote Services, with recommended mitigations including creating security information and event management (SIEM) detection queries that examine authentication logs for unusual access patterns, windows of activity, and access outside of normal business hours.

“Exploiting vulnerable VPNs as the initial access point, as in this campaign, is also attractive since VPNs are Internet-exposed on one side and provide direct access to the victim network on the other,” Neray says. “We recommend ensuring your SIEM has specific detections for it, such as monitoring for suspicious logins.”

Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium

By Owais Sultan
In this digital era, online threats are booming as much as the internet user base. Sometimes, malware infects…
This is a post from HackRead.com Read the original post: Fake Updates Continue To Be A Digital Risk: What To Do?

In this digital era, online threats are booming as much as the internet user base. Sometimes, malware infects devices due to vulnerabilities unknown to people. However, it frequently comes as a direct consequence of users’ actions. For instance, entering that suspicious website promising exclusive content or software for free. Speaking of human error, one of the most popular techniques used by hackers is fake updates.

But what are fake updates? These are malicious software downloads masquerading as legitimate updates. This type of malware is often used to infect devices with ransomware. The recent development in this is Vidar Malware. What are its risks, and how to contain them?

**What is Vidar malware? **

The recent fake update was discovered impersonating a Windows 11 download portal. These portals ultimately caused a Vidar malware infection. The same malware was found to be spreading through the fake InterVPN website.

Vidar is a kind of info-stealing malware that may be utilized to monitor users. This malicious software can steal login credentials, take screenshots, bank details, etc. Besides general info stealing, Vidar was also discovered downloading and executing additional malware payloads. Moreover, the malware deletes itself from the system after completing its work.

Fake Windows 11 download website delivering Vidar malware

**How does Vidar work? **

It is being spread across the internet using phishing, fallout exploit kit, and pay-per-install PrivateLoader dropper. The email contains an attachment as a .iso disk image, which is misleadingly called “request.doc.” This ISO is mainly composed of two files:  an executable (app.exe) and a Microsoft Compiled HTML Help (CHM) file (pss10r.chm).

Here’s how it enters the systems: When a notorious CHM file is loaded, a JavaScript snippet executes the app.exe. The second stage downloads and decodes the Vidar malware, which is then performed on the system.

Then, the Vidar samples communicate with their C2 server via Mastodon and Telegram. After successful communication, user profile bio sections are examined, and C2 addresses are extracted from the profiles. The malware is then copied to the target system, where it sets up its configuration and begins collecting user data.

So, this is how it hides its presence in your system. But how to save our devices from such attacks?

**How to protect yourself?**

Now that you know how to identify fake updates, it’s time to take measures to protect yourself. Here are some tips:

**Use a firewall**

This security system helps screen out incoming and outgoing network traffic. Good firewalls can often prevent malware from contacting the Command & Control server. It is how ransomware works – it needs to contact the C&C server to get a key that can encrypt your files. If it can’t reach the C&C server, it can’t get the key and thus can’t do any harm.

**Protect internet connection**

Your computer is only a part of the defense strategy you must employ. Malware can exploit many vulnerabilities, including unsecured networks. Luckily, you can guarantee that each network you connect to is safe. 

All it takes is setting up a VPN for Windows on your laptop and enabling it whenever you use it outside the home. Public Wi-Fi can be extremely dangerous: outsiders can snoop on your activities or use security loopholes to infect your device. Therefore, remember never to connect your devices, be it a Windows laptop or an Android smartphone, to free Wi-Fi without a VPN. 

**Change your update settings**

We often have our update settings on auto-update. It will install itself as soon as an update is available. This option should be preferred as it ensures you can have a PC running the latest operating system. If you do not schedule automatic updates, you may delay updates indefinitely. 

**Say no to piracy**

Free software and games can be tempting but can be a source of cyberattacks. Therefore, use only licensed software. This way, you will be sure that your updates are from a trusted source. Additionally, stay away from alleged exclusive offers for programs on random websites. 

**Install an antivirus**

An antivirus program will scan all incoming and outgoing files for a malicious activity like ransomware or adware. If it detects anything suspicious, it will alert users and recommend removal. Of course, it is essential to get a trusted antivirus program. Many fake antivirus programs could warn you about fake threats because they wish you to buy premium versions. 

So, even if you accidentally click on a fake update, the antivirus will take care of it. Install updates only from official websites. It is the safest way to ensure that the update is legitimate. If you ever come across any pop-ups that look legitimate, don’t click on them. It is best to counter-check the update on the official website and then download it from there.

**Always keep your system updated**

The best way to know whether any update is fake is to keep your system up to date. Any unexpected update now will be quite suspicious. Moreover, updates often contain security patches that fix vulnerabilities in your system. So, it’s always a good idea to keep your system updated.

**Backup your data**

This is more of a precautionary measure than anything else. By backing up your data, you ensure that you won’t lose any important files even if your device gets infected with ransomware. Many cloud storage options are available these days that offer good security and are affordable.

**Conclusion**

Apart from these precautions, it is essential to practice safe surfing to avoid these threats from detecting your device.

Fake Updates Continue To Be A Digital Risk: What To Do?

It was discovered that a race condition existed in the network scheduling subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oem - Linux kernel for OEM systems

Details

It was discovered that a race condition existed in the network  
scheduling subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2021-39713)

Yiqi Sun and Kevin Wang discovered that the cgroups implementation in  
the Linux kernel did not properly restrict access to the cgroups v1  
release_agent feature. A local attacker could use this to gain  
administrative privileges. (CVE-2022-0492)

It was discovered that the network traffic control implementation in the  
Linux kernel contained a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-1055)

Bing-Jhong Billy Jheng discovered that the io_uring subsystem in the  
Linux kernel contained in integer overflow. A local attacker could use  
this to cause a denial of service (system crash) or execute arbitrary  
code. (CVE-2022-1116)

It was discovered that the Linux kernel did not properly restrict access  
to the kernel debugger when booted in secure boot environments. A  
privileged attacker could use this to bypass UEFI Secure Boot  
restrictions. (CVE-2022-21499)

Kyle Zeng discovered that the Network Queuing and Scheduling subsystem  
of the Linux kernel did not properly perform reference counting in some  
situations, leading to a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-29581)

Jann Horn discovered that the Linux kernel did not properly enforce  
seccomp restrictions in some situations. A local attacker could use this  
to bypass intended seccomp sandbox restrictions. (CVE-2022-30594)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 86.3  
    azure - 86.3  
    gcp - 86.3  
    generic - 86.3  
    gke - 86.3  
    gkeop - 86.3  
    ibm - 86.3  
    lowlatency - 86.3

Ubuntu 18.04 LTS  
    aws - 86.3  
    azure - 86.3  
    gcp - 86.3  
    generic - 86.3  
    gke - 86.3  
    gkeop - 86.3  
    ibm - 86.3  
    lowlatency - 86.3  
    oem - 86.3

Ubuntu 16.04 ESM  
    aws - 86.3  
    azure - 86.3  
    gcp - 86.3  
    generic - 86.3  
    lowlatency - 86.3

Ubuntu 22.04 LTS  
    gcp - 86.4  
    generic - 86.4  
    gke - 86.4  
    ibm - 86.4  
    lowlatency - 86.4

Ubuntu 14.04 ESM  
    generic - 86.3  
    lowlatency - 86.3

Support Information

Kernels older than the levels listed below do not receive livepatch  
updates. If you are running a kernel version earlier than the one listed  
below, please upgrade your kernel as soon as possible.

Ubuntu 20.04 LTS  
    linux-aws - 5.4.0-1009  
    linux-aws - 5.4.0-1061  
    linux-azure - 5.4.0-1010  
    linux-gcp - 5.4.0-1009  
    linux-gke - 5.4.0-1033  
    linux-gkeop - 5.4.0-1009  
    linux-hwe - 5.15.0-0  
    linux-ibm - 5.4.0-1009  
    linux-oem - 5.4.0-26  
    linux - 5.4.0-26

Ubuntu 18.04 LTS  
    linux-aws-5.4 - 5.4.0-1069  
    linux-aws - 4.15.0-1054  
    linux-azure-4.15 - 4.15.0-1115  
    linux-azure-5.4 - 5.4.0-1069  
    linux-gcp-4.15 - 4.15.0-1121  
    linux-gcp-5.4 - 5.4.0-1069  
    linux-gke-4.15 - 4.15.0-1076  
    linux-gke-5.4 - 5.4.0-1009  
    linux-gkeop-5.4 - 5.4.0-1007  
    linux-hwe-5.4 - 5.4.0-26  
    linux-ibm-5.4 - 5.4.0-1009  
    linux-oem - 4.15.0-1063  
    linux - 4.15.0-69

Ubuntu 16.04 ESM  
    linux-aws-hwe - 4.15.0-1126  
    linux-aws - 4.4.0-1098  
    linux-aws - 4.4.0-1129  
    linux-azure - 4.15.0-1063  
    linux-azure - 4.15.0-1078  
    linux-azure - 4.15.0-1114  
    linux-gcp - 4.15.0-1118  
    linux-hwe - 4.15.0-143  
    linux-hwe - 4.15.0-69  
    linux - 4.4.0-168  
    linux - 4.4.0-211

Ubuntu 22.04 LTS  
    linux-aws - 5.15.0-1000  
    linux-azure - 5.15.0-1000  
    linux-gcp - 5.15.0-1000  
    linux-gke - 5.15.0-1000  
    linux-ibm - 5.15.0-1000  
    linux - 5.15.0-24  
    linux - 5.15.0-25

Ubuntu 14.04 ESM  
    linux-lts-xenial - 4.4.0-168

References

-   CVE-2021-39713  
-   CVE-2022-0492  
-   CVE-2022-1055  
-   CVE-2022-1116  
-   CVE-2022-21499  
-   CVE-2022-29581  
-   CVE-2022-30594

Kernel Live Patch Security Notice LSN-0086-1

Microweber CMS versions 1.2.15 and below suffer from an account takeover vulnerability.

    # Exploit Title: Microweber CMS 1.2.15 - Account Takeover# Date: 2022-05-09# Exploit Author: Manojkumar J# Vendor Homepage: https://github.com/microweber/microweber# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15# Version: <=1.2.15# Tested on: Windows10# CVE : CVE-2022-1631# Description:Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 OauthMisconfiguration Leads To Account Takeover.# Steps to exploit:1. Create an account with the victim's email address.Register endpoint: https://target-website.com/register#2. When the victim tries to login with default Oauth providers like Google,Github, Microsoft, Twitter, Linkedin, Telegram or Facebook etc(auth login)with that same e-mail id that we created account before, via this way wecan take over the victim's account with the recently created logincredentials.

Microweber CMS 1.2.15 Account Takeover

An remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

UPDATE

A critical security vulnerability in Atlassian Confluence is under active attack, opening servers to full system takeover, security researchers warned.

The bug (CVE-2022-26134) is a command-injection issue that allows unauthenticated remote code execution (RCE), affecting all supported versions of Confluence Server and Confluence Data Center. According to a forensic investigation of two zero-day attacks by Volexity, it can be exploited without needing credentials or user interaction, simply by sending a specially crafted Web request to the Confluence system.

No Atlassian Cloud sites have been impacted.

Confluence is a remote working and corporate workspace suite used for project management and collaboration among teams. As such, it houses sensitive data on projects, specific users, and potentially partners and customers; also, it tends to be integrated with other corporate resources, servers, and systems. A successful exploit would allow attackers to vacuum up data from the platform as well as pivot to burrowing deeper into an organization's network as a prelude to, say, a ransomware attack.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity researchers noted.

Researchers have advised administrators to remove external access to their Confluence servers immediately until patches have been applied. In the meantime, Atlassian confirmed in its advisory that has rushed a fix, with patches rolling out towards the close of business ET on June 3.

A spokesperson told Dark Reading that the company has "contacted all potentially vulnerable customers directly to notify them of the fix."

**Zero-Day Atlassian Confluence Attacks**

During its investigation, Volexity followed the path of attackers in two instances, which was the same in both. To start, the culprits exploited the vulnerability to create an interactive webshell (by writing a malicious class file in memory), which gave them persistent backdoor access to the server without having to write anything to disk.

After that, the firm observed that the threat actors dropped the Behinder implant on the server, which is an open source tool for creating flexible memory-only webshells. It also allows integration with Meterpreter and Cobalt Strike, two tools that are most often used for lateral movement. Meterpreter allows users to fetch various Metasploit modules (i.e., working exploits for known bugs), while Cobalt Strike is a pen-testing tool that's often used by the bad guys to probe for and compromise new targets on the network.

Once Behinder was in place, Volexity found that the adversaries went on to install two additional webshells to disk: China Chopper and a custom file upload shell. China Chopper is a tool that's been around for a decade, which allows attackers to retain access to an infected Web server using a client-side application. The client contains all the logic required to control the target, which makes it very easy to use.

Once this basic infection setup was in place, the attackers ran several commands, including those aimed at reconnaissance (checking the operating system, looking for password repositories); stealing information and user tables from the local Confluence database; and altering Web access logs to remove evidence of exploitation, Volexity said.

While the firm detected two zero-day attacks, it's likely that the activity is more widespread. "Volexity has reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China," researchers said.

**How to Prevent Confluence Compromise**

The best option beyond patching to prevent compromise is simply to disable Confluence Server and Confluence Data Center instances, remove all external access, or use IP address safelisting rules to restrict access to only trusted endpoints, researchers noted. Organizations can also add Java deserialization rules that defend against RCE injection vulnerabilities to their Web application firewalls (WAFs).

It's also important to uncover signs of any compromise, given that an infection can persist beyond patching.

"The presence of a webshell provides an attacker with the ability to maintain access to a compromised system even after a vulnerability like this one has been patched," notes Satnam Narang, senior staff research engineer at Tenable. "We observed the same following exploitation of the ProxyShell vulnerability last year, where attackers implanted webshells onto vulnerable Microsoft Exchange Server instances."

However, "these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities," Volexity pointed out.

Volexity researchers offered the following advice:

*   Ensure Internet-facing Web services have robust monitoring capabilities and log retention policies to assist in the event of an incident
*   Send relevant log files from Internet-facing web servers to a SIEM or Syslog server
*   Monitor child processes of Web application processes for suspicious processes (in this case, the Python shell is a good example of this)

If past is prologue, it's good to be vigilant on this one: Attackers see Confluence as a popular target, as shown by the mass exploitation of another RCE flaw last fall, in volumes that were large enough to trigger a CISA alert.

"While there are currently no exploitation details or proof-of-concept for this vulnerability, we know from history that attackers relish the opportunity to target Atlassian products like Confluence," Narang tells Dark Reading. "We strongly encourage organizations to review their mitigation options until patches are available."

Greg Fitzgerald, co-founder at Sevco Security, also cautions organizations to take proactive steps to generally prevent zero-day attacks.

“Organizations vulnerable to this exploit cannot simply sit back and assume that this will be resolved through their typical patch management process," he tells Dark Reading. "When Atlassian releases a patch, that will be the first step for most organizations. But while patching vulnerabilities works great for the systems that you know about, the vast majority of enterprises simply don’t know the entirety of their attack surface. This is because maintaining an accurate IT asset inventory in a dynamic environment is exceptionally difficult. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”

**_This post was updated at 4:45 ET to reflect that the bug is no longer unpatched._**

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

By Deeba Ahmed
The takedown resulted from a global law enforcement operation involving eleven countries, headed by Europol’s European Cybercrime Center.…
This is a post from HackRead.com Read the original post: Authorities Take Down SMS-based FluBot Android Spyware

The takedown resulted from a global law enforcement operation involving eleven countries, headed by Europol’s European Cybercrime Center.

The European Cybercrime Center/EC3 of Europol and law enforcement agencies from eleven countries launched a joint operation to take down FluBot spyware. The investigation involved Australia, Finland, Belgium, Spain, Ireland, Hungary, Sweden, the Netherlands, Switzerland, and the USA law enforcement authorities while EC3 coordinated the operation.

Ireland’s Garda National Cyber Crime Bureau (GNCCB) was part of the investigation team. GNCCB Detective Superintendent Pat Ryan stated that “the investigation is ongoing to identify the individuals behind this global malware campaign.”

**Details of the Operation**

In a blog post, Europol explained that the FluBot Android malware was distributed through SMS and was capable of stealing online banking credentials, passwords, and other sensitive data. Hence, an extensive investigation was launched since FluBot spyware targeted Android smartphones across Australia, Europe, and other parts of the world.

Authorities noted that its distribution scope was widening quickly. Now the spyware is under the control of Dutch Police/Politie, which carried out the operation in May, rendering the malware strain inactive.

A Flubot alert received by one of the victims as a text message

**About FluBot**

FluBot malware is distributed as an application, making it difficult to detect it. The malware gets installed on the Android smartphone through text messages. The user is asked to click on a link and install an app for tracking a package delivery or access a fake voice mail message.

After the app is installed, it asks for accessibility permissions. The malware operators use the access to steal sensitive data from the smartphone, including banking app login details and cryptocurrency wallet credentials. It can also effectively disable the mobile phone’s built-in security mechanisms.

Furthermore, it doesn’t open when the user taps on the app icon, and an error message appears when the user tries to uninstall it. The notorious malware was detected in 2021 when it infected many devices in Spain and Finland.

According to Interpol, FluBot was excessively virulent. It could be multiplicated automatically by forwarding the SMS message to the infected smartphone’s contact list. To avoid infection, smartphone users should immediately reset their phones on factory settings if they believe a malicious app was downloaded on the device.

1.  Microsoft takes down largest botnet network “Necurs”
2.  World’s Most ‘Resilient Malware’ Botnet Emotet Taken Down
3.  Authorities take down scam campaign impersonating the WHO
4.  Dutch Police takes down 15 DDoS-for-hire services in one week
5.  Europol takes down VPN service VPNLab used by ransomware operators

Authorities Take Down SMS-based FluBot Android Spyware

The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows.

Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED yesterday.

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.

“After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,” says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.

 “While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.” 

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation. 

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected. 

“We are seeing a variety of APT actors incorporate this technique into longer infection chains that utilize the Follina vulnerability," says Michael Raggi, a staff threat researcher at the security firm Proofpoint who focuses on Chinese government-backed hackers. "For instance, on May 30, 2022, we observed Chinese APT actor TA413 send a malicious URL in an email which impersonated the Central Tibetan Administration. Different actors are slotting in the Follina-related files at different stages of their infection chain, depending on their preexisting toolkit and deployed tactics.”

Researchers have also seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

“Proofpoint has identified a variety of actors incorporating the Follina vulnerability within phishing campaigns," says Sherrod DeGrippo, Proofpoint's vice president of threat research.

With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk. 

“Security teams could view Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability,’ which it most certainly is not,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it’s being actively exploited in the wild.”

Tag

#microsoft