Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Windows Vulnerability. Show all posts
Windows Vulnerability
corporate network breach CRON#TRAP cybersecurity threat Linux VM backdoor malware Phishing Attack QEMU ransomware tactics stealth malware virtual machine attacks Windows Vulnerability

New Phishing Attacks Use Backdoored Linux VMs to Infect Windows Systems

 

A recent phishing campaign, named 'CRON#TRAP,' is targeting Windows systems by deploying a Linux virtual machine with an embedded backdoor, allowing covert access to corporate networks.

While attackers have previously used virtual machines in malicious activities like ransomware and cryptomining, these installations were often done manually after gaining initial access. However, Securonix researchers identified that this new campaign automates the installation of a Linux VM through phishing emails, giving attackers a persistent foothold in corporate environments.

The phishing emails mimic a "OneAmerica survey," including a 285MB ZIP file that sets up a Linux virtual machine with a backdoor once opened. The ZIP archive contains a Windows shortcut labeled "OneAmerica Survey.lnk" and a folder named "data," which houses the QEMU application disguised as "fontdiag.exe."

When executed, the shortcut triggers a PowerShell command, extracting files to the "%UserProfile%\datax" directory and launching "start.bat" to set up a QEMU Linux VM. During installation, a fake server error message in a PNG format is displayed as a decoy, suggesting a broken survey link. This custom VM, called 'PivotBox,' includes a preconfigured backdoor for continuous command-and-control (C2) communication, enabling covert background operations.

The use of QEMU—a legitimate, digitally signed virtualization tool—means Windows security systems often fail to detect these malicious processes within the virtual environment.

The campaign’s backdoor mechanism uses a tool called Chisel for secure tunneling over HTTP and SSH, allowing attackers to maintain contact with the compromised system, even if firewalls are in place. To ensure persistence, the QEMU VM is set to restart on reboot, while SSH keys are uploaded to eliminate re-authentication requirements.

Securonix researchers noted two critical commands: 'get-host-shell,' which opens an interactive shell on the host for command execution, and 'get-host-user,' which checks user privileges. These commands facilitate activities like surveillance, network management, payload deployment, file control, and data exfiltration, enabling attackers to adapt and maximize their impact on target systems.

The CRON#TRAP campaign is not the first instance of QEMU misuse in stealthy attacks. In March 2024, Kaspersky observed a similar tactic, where a lightweight backdoor within a 1MB Kali Linux VM used QEMU to create hidden network interfaces and connect to a remote server.

To mitigate these types of attacks, experts recommend monitoring for processes like 'qemu.exe' in user-accessible folders, blocking QEMU and similar virtualization tools, and disabling virtualization in critical systems’ BIOS configurations.
Read more »
Windows Vulnerability
AI technology APT28 Backdoors CVE-2022-38028 Fancy Bear Forest Blizzard GooseEgg Microsoft Network Security Russian Hackers Threat Intelligence Windows Vulnerability

Microsoft Alerts Users as Russian Hackers Target Windows Systems

 

As advancements in AI technology continue to unfold, the specter of cybercrime looms larger each day. Among the chorus of cautionary voices, Microsoft, the eminent IT behemoth, adds its warning to the fray.

Microsoft's Threat Intelligence researchers have issued a stark advisory to Windows users regarding the targeted assaults orchestrated by Russian state-sponsored hackers wielding a sophisticated tool.

These hackers, known in some circles as APT28 or Fancy Bear, but tracked by Microsoft under the moniker Forest Blizzard, have close ties to Russia's GRU military intelligence agency.

GooseEgg, a tool wielded with the aim of siphoning data and surreptitiously establishing backdoors within computer systems. Forest Blizzard, alias APT28, has deployed GooseEgg in a series of calculated strikes targeting governmental entities, educational institutions, and transportation firms across the United States, Western Europe, and Ukraine.

Their modus operandi centers predominantly on the strategic acquisition of intelligence. Evidence suggests that the utilization of GooseEgg may have commenced as early as June 2020, with the possibility of earlier incursions dating back to April 2019.

In response to the threat landscape, a patch addressing a vulnerability identified as CVE-2022-38028 was released by Microsoft in October 2022. GooseEgg, the nefarious tool in the hackers' arsenal, exploits this particular weakness within the Windows Print Spooler service.

Despite its deceptively simple appearance, the GooseEgg program poses an outsized threat, granting attackers elevated permissions and enabling a litany of malicious activities. From the remote execution of malware to the surreptitious installation of backdoors and the seamless traversal of compromised networks, the ramifications are profound and far-reaching.
Read more »
Windows Vulnerability
Cybersecurity Threats Enterprise security PoC Technology Windows Windows Vulnerability

Critical Windows Event Log Vulnerability Uncovered: Enterprise Security at Risk

 

In a recent discovery, cybersecurity researchers have identified a critical zero-day vulnerability posing a significant threat to the Windows Event Log service. This flaw, when exploited, has the potential to crash the service on all supported versions of Windows, including some legacy systems, raising concerns among enterprise defenders. 

Discovered by security researcher Florian and reported to Microsoft, the zero-day vulnerability is currently without a patch. The Windows Event Log service plays a pivotal role in monitoring and recording system events, providing essential information for system administrators and security professionals. The exploitation of this vulnerability could result in widespread disruption of critical logging functions, hindering the ability to track and analyze system activities. 

In PoC testing, the team discovered that the Windows Event Log service restarts after two crashes, but if it experiences a third crash, it remains inactive for a period of 24 hours. This extended downtime poses a considerable risk, as many security controls rely on the consistent functioning of the Event Log service. The fallout includes compromised security controls and non-operational security control products. This vulnerability allows attackers to exploit known vulnerabilities or launch attacks without triggering alerts, granting them the ability to act undetected, as outlined in the blog. 

During the period when the service is down, detection mechanisms dependent on Windows logs will be incapacitated. This grants the attacker the freedom to conduct additional attacks, including activities like password brute-forcing, exploiting remote services with potentially destabilizing exploits, or executing common attacker tactics such as running the "whoami" command, all without attracting attention. 

While the vulnerability is easily exploitable locally, a remote attacker aiming to utilize the PoC must establish an SMB connection and authenticate to the target computer. Configuring Windows to prevent this attack without completely disabling SMB poses a challenge, given its role in various network functionalities like shares and printers, according to Kolsek. Internet-facing Windows systems are unlikely to have open SMB connectivity, reducing the likelihood of remote exploitation. 

The vulnerability proves advantageous for an attacker already present in the local network, especially if they have gained access to a low-privileged user's workstation. As a temporary solution until Microsoft issues a patch, users can apply a micro patch provided by Acros through the 0patch agent, tailored for multiple Windows releases and server versions. This helps mitigate potential real-time detection issues linked to the Event Log service's disablement.
Read more »
Windows Vulnerability
CryptoAPI Spoofing Proof of concept Security Patch Vulnerabilities and Exploits Windows Vulnerability

Critical CryptoAPI Spoofing Flaw in Windows PoC Exploit Released

 

Proof-of-concept (Poc) code has been made available for a high-severity security vulnerability in the Windows CryptoAPI that Microsoft was notified of by the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) last year. 

The CVE-2022-34689 spoofing vulnerability, with a CVSS score of 7.5, was fixed by the tech giant as part of Patch Tuesday updates delivered in August 2022, although it wasn't made public until October 11, 2022. 

In a then-released advisory, Microsoft warned that "an attacker might alter an existing public x.509 certificate to impersonate their identity and conduct actions such as authentication or code signing as the targeted certificate." 

The Windows CryptoAPI provides an interface for programmers to integrate cryptographic services, including as data encryption and decryption and digital certificate authentication, into their programmes.

CVE-2022-34689, according to web security firm Akamai, which published the proof-of-concept, was caused by a vulnerable piece of code that was intended to accept an x.509 certificate and conducted a check that only considered the certificate's MD5 fingerprint. 

As of December 2008, birthday attacks, a cryptanalytic technique used to identify collisions in a hash function, made it possible for MD5, a message-digest algorithm used for hashing, to be practically cryptographically broken. 

A bad actor might use this flaw to provide a modified version of a genuine certificate to a victim app, then construct a new certificate whose MD5 hash collides with the compromised certificate and use it to pose as the original entity. 

In other words, the vulnerability could be exploited by a malicious third party to launch a mallory-in-the-middle (MitM) attack and reroute users using an outdated version of Google Chrome (version 48 and earlier) to any website of the attacker's choosing simply because the vulnerable web browser trusts the malicious certificate. 

"Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers," Akamai stated.

The Massachusetts-based company noted that despite the flaw's limited reach, "there is still a lot of code that utilises this API and might be susceptible to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7."
Read more »
Subscribe to: Posts (Atom)