
Mac Users Targeted by Hackers Through Microsoft App Security Flaw


During the past couple of weeks, Cisco Talos, a widely respected cybersecurity research group, has discovered at least eight security vulnerabilities in Microsoft applications for macOS. An attacker who exploits these bugs can gain access to the cameras and microphones of users of those applications. A vulnerability of this kind could also be exploited to steal other types of sensitive information, further undermining the security of the system.

Many widely used Microsoft apps, including Word, Outlook, Excel, OneNote, Teams, and others, are reported to be affected. The attack works by injecting malicious libraries into the Microsoft apps so that the injected code inherits the entitlements and permissions already granted to the user's copy of the app. The root cause lies in how Microsoft's apps interact with macOS's Transparency, Consent, and Control (TCC) framework, which governs the permissions applications are granted on the system.

The security vulnerability found in Microsoft's Mac apps made it possible for hackers to spy on Mac users without their knowledge. A security researcher from Cisco Talos published a blog post explaining how attackers could exploit the vulnerability and what Microsoft has been doing to fix the problem. According to Cisco Talos, Microsoft's macOS apps, such as Outlook, Word, Teams, OneNote, and Excel, contain a major flaw. By taking advantage of it, attackers can inject malicious libraries into these apps, giving them access to the permissions and entitlements the user has granted.

On macOS, permission-based data collection relies on the Transparency, Consent, and Control framework, which is composed of three components. macOS requests permission from the user before running new apps and displays a prompt whenever an app asks for sensitive resources such as contacts, photos, or webcam data, so that the user decides whether to grant access. It is important to understand that the severity of these vulnerabilities varies depending on the app and the permissions it holds.

There are several ways in which Microsoft Teams, a popular tool for professional communication, could be exploited to capture conversations or access sensitive information, for instance. As another example, the report notes that Microsoft Outlook could be used to send unauthorized emails and, ultimately, cause data breaches. Under TCC, apps must request specific entitlements to access features such as the camera, microphone, and location services on the device.

Without these entitlements, an app cannot reach those features at all, which keeps unauthorized software out. Cisco Talos' discovery, however, shows that malicious actors are capable of injecting malicious code into Microsoft apps, which then hijacks the permissions previously granted to those apps. This means that an attacker with the right skills can inject code into an application such as Microsoft Teams or Outlook and gain access to a Mac computer's camera or microphone, allowing them to record audio or take photos without the user's knowledge.

Cisco Talos reports that Microsoft has acknowledged these security flaws in its applications and has classified them as low risk. Some of Microsoft's applications, including Teams and OneNote, have been updated to address the library validation problem. For the other vulnerable apps from Microsoft, such as Excel, PowerPoint, Word, and Outlook, the company has not yet taken action to fix them.

Security Concerns Raised Over Vulnerabilities in Microsoft Apps for macOS

Recent findings by cybersecurity experts at Cisco Talos have brought to light significant vulnerabilities in popular Microsoft applications for macOS.

These flaws, discovered in apps such as Outlook, Teams, Word, and Excel, have alarmed users and security professionals alike, as they allow hackers to potentially spy on Mac users by bypassing Apple's stringent security measures. The issue revolves around macOS's Transparency, Consent, and Control (TCC) framework, which is designed to protect users by requiring explicit consent before apps can access sensitive data, such as cameras, microphones, or contacts. However, Cisco Talos researchers uncovered that eight widely used Microsoft apps contained vulnerabilities that could be exploited by attackers to bypass the TCC system. 

This means that hackers could potentially leverage the permissions already granted to these apps to spy on users, send unauthorized emails, or even record videos—all without the user’s knowledge or consent. The researchers expressed concerns about Microsoft’s decision to disable certain security features, such as library validation. This safeguard was originally intended to prevent unauthorized code from being loaded onto an app. 

However, Microsoft’s actions have effectively circumvented the protections offered by the hardened runtime, potentially exposing users to unnecessary security risks. Despite addressing some vulnerabilities, Microsoft has not yet fully resolved the issues across all its macOS applications, leaving apps like Excel, PowerPoint, Word, and Outlook still susceptible to attacks. This partial response has led to further concerns among security experts, who question the rationale behind disabling security measures like library validation when there’s no clear need for additional libraries to be loaded. 
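As an added illustration (not code from the Talos report or this article), the following Python helper shows what a defender can check for: an app that both holds sensitive TCC entitlements and has library validation disabled, since an injected library would inherit those permissions. The Hardened Runtime entitlement keys are real macOS identifiers that the article does not name; the two entitlement plists and the `codesign` wrapper's app path are constructed samples.

```python
import plistlib
import shutil
import subprocess

# Hardened Runtime entitlement keys. These are real macOS identifiers, but the
# article never names them; the mapping to TCC resources is ours.
DISABLE_LIBVAL = "com.apple.security.cs.disable-library-validation"
SENSITIVE_TCC = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
}

def _plist(entries: str) -> bytes:
    """Wrap <key>/<true/> entries in a minimal XML plist (constructed sample)."""
    return (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            + entries.encode() + b"</dict></plist>")

# Constructed samples: one app that disables library validation while holding
# camera and microphone entitlements, and one hardened app that does not.
WEAK_APP = _plist(f"<key>{DISABLE_LIBVAL}</key><true/>"
                  "<key>com.apple.security.device.camera</key><true/>"
                  "<key>com.apple.security.device.audio-input</key><true/>")
HARDENED_APP = _plist("<key>com.apple.security.device.camera</key><true/>")

def assess_entitlements(plist_bytes: bytes) -> dict:
    """Flag the combination the Talos report describes: sensitive TCC
    entitlements held by an app whose library validation is switched off,
    so any injected library would inherit those permissions."""
    ents = plistlib.loads(plist_bytes)
    lib_val_off = bool(ents.get(DISABLE_LIBVAL, False))
    exposed = sorted(n for k, n in SENSITIVE_TCC.items() if ents.get(k))
    return {"library_validation_disabled": lib_val_off,
            "sensitive_entitlements": exposed,
            "risky": lib_val_off and bool(exposed)}

def entitlements_from_codesign(app_path: str):
    """On macOS, dump an app bundle's signed entitlements as an XML plist via
    `codesign -d --entitlements :-`; returns None where codesign is absent."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                          capture_output=True, check=False)
    return proc.stdout or None

if __name__ == "__main__":
    for label, blob in (("weak", WEAK_APP), ("hardened", HARDENED_APP)):
        print(label, assess_entitlements(blob))
```

On a Mac, feed the output of `entitlements_from_codesign("/Applications/SomeApp.app")` into `assess_entitlements` to audit installed bundles; elsewhere only the constructed samples run.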

The Cisco Talos team also pointed out that Apple could enhance the security of the TCC framework. One suggestion is to introduce prompts for users whenever third-party plugins are loaded into apps that have already been granted sensitive permissions. This added layer of security would help ensure that users are fully aware of any unusual or unauthorized activities within their applications. Given the current state of these vulnerabilities, both Microsoft and Apple may need to take more proactive steps to protect their users from potential threats. 

As digital communication tools continue to play a critical role in our daily lives, the importance of robust security measures cannot be overstated. In the meantime, Mac users who rely on Microsoft applications are advised to remain vigilant. Keeping their software up to date and monitoring for any unusual activities can help minimize the risk of exploitation. While these companies work on strengthening their defenses, user awareness and caution remain key to navigating the ever-evolving landscape of cybersecurity threats.

Qakbot Distributes Malware Through OneNote


There have been reports of a new wave of Qakbot campaigns that use a novel method of delivering their malware. The malware, known as Qakbot, also goes by several other names, such as Pinkslipbot and QuakBot.

Research has found that Qakbot campaigns have been operating since 2007, and they are now using OneNote documents to reach victims. Once a system is infected, the malware targets sensitive data such as login credentials, financial data, and personal information.

In recent years, Qakbot has been used to distribute ransomware, and it has itself been dropped as a secondary payload by other botnets, such as Emotet.

In-Depth Discussion of the Subject

  • These campaigns deliver the malware through two attack vectors: one embeds a URL in the email that downloads the malicious file, and the other attaches the malicious file directly to the email.
  • The OneNote documents feature a call-to-action button that runs the payload associated with the document when clicked.
  • Qakbot uses various evasion methods, such as anti-debugging techniques, anti-dynamic analysis techniques, anti-AV techniques, and encrypted communication between clients and servers.

What Are The Key Players?

  • Banks, financial institutions, wealth management companies, and public sector organizations are the most impacted, followed by organizations in the government and outsourcing sectors.
  • Organizations in the United States, Thailand, India, and Turkey were targeted by the campaigns.

A OneNote-Qakbot Campaign is Not New

According to researchers at Sophos, two parallel spam campaigns, nicknamed Qaknote, were disseminating malicious OneNote attachments by embedding a malicious HTML application within the attachment.

  • The first campaign started with the dissemination of impersonal malspam that contained a link to the malicious OneNote document embedded in the email.
  • In the second case, a malicious OneNote notebook was sent to all recipients of existing email threads via a reply-to-all message, hijacking those threads through thread injection.
  • Once opened, these attachments download and install Qbot.

Here are the Main Points

Recent Qakbot campaigns have been focused on specifically targeted sectors, in contrast to earlier campaigns that appeared indiscriminate, and researchers predict that this targeted approach will likely persist in future campaigns as well. 

Researchers have shared TTPs to help detect and mitigate this threat. Recommended measures include blocking emails whose attachments carry unusual extensions, avoiding malicious websites, and blocking rarely used top-level domains.