Search This Blog

Showing posts with label Microsoft. Show all posts

How Threat Actors Try and Bypass Microsoft's Antimalware Scan Interface (AMSI)?

 

With Windows 10 and recent Windows Server platforms gaining importance, the purpose of malware developers and other cybercriminals is progressively targeted to prevent detection, by removing the anti-malware traffic cop from these platforms: Microsoft's Antimalware Scan Interface. 

AMSI, launched in 2015, offers software for communicating to security devices for file scanning, memory scanning or streaming in a supplier-agnostics manner for dangerous payloads. AMSI allows permeability of anti-malware software on Microsoft components and apps, including Windows' PowerShell engine/script hosts (wscript.exe and cscript.exe), Office document macros, the existing.NET Framework (version 4.8), and Windows Management Instrumentation (WMI) — frequently used by adversaries in “living off the land” (LOL) strategies. 

AMSI has recently been improved to integrate Excel 4.0 (XLM) macro scanning in the integration of Office 365 in an attempt to address the surge in malicious macros in an infection vector. 

Sophos experts investigated the methods used to circumvent or deactivate AMSI and stated on Wednesday that threat actors will try everything from living-off-the-ground strategies to file free attacks. 

In a 2016 tweet by the security expert Matt Graeber, the possibility of AMSI-button circumvention was emphasized, Sophos said that a single line of code has swapped the PowerShell feature for AMSI integration and may have theoretically halted PowerShell-based processes from requesting scans. 

Most post-exploitation operations, especially lateral moving, seemed concentrated on detections made between 2020 and 2021. 

The very same bypass was identified back to a specific occurrence, tied to attacks using the Proxy Logon that connected to a remote server to capture a malware downloader based on PowerShell. 

The usage of a Seatbelt, an aggressive security mechanism, is another approach used to overcome AMSI. To build a delegate process using reflecting to access the .NET interface for AmsiUtils, the PowerShell script was utilized. 

Sophos notes, nevertheless, that more than 98% of AMSI circumvention efforts are carried just via manipulating the AMSI library. A variety of malware variants are present that will try to discover the pre-loaded Memory AmsiScanBuffer and then rewrite over instructions to ensure that scanning requests fail. 

The memory element that stores the code to return the buffer scans results may be modified by other versions, leading to a failure. 

Additional tactics include Cobalt Strike – This memory patch approach comes with a PowerShell invoked remote scripts in a PowerShell pre-patch in the Agent Tesla Trojan family, amongst others. One way is to fabricate DLLs to load a false AMSI version from PowerShell. Also, DLL has been an old method and now it's impossible to load unapproved engines, or in most cases virtual machines, because of better Microsoft security (VMs). 

"Given how prevalent those tactics have become, particularly in ransomware operator intrusions, AMSI can play a particularly important role in keeping Windows 10 and Windows Server systems from being compromised," Sophos says. "But AMSI is not a panacea. And while Microsoft's Windows Defender provides some protection against AMSI bypasses, attackers are continuously finding ways to obfuscate and conceal malicious content from anti-malware signature detections."

Russian Hacking Group Nobelium Attacks 150 Organizations, Hacks Mails

Nobelium, a Russian hacking group that was responsible for the 2020 SolarWinds cyberattacks, is back in the game, however, now, they've used Constant Contact, a cloud marketing service in a phishing attack that resulted in a hack of 3,000 email accounts throughout 150 organizations. Microsoft disclosed the latest attack in a blog post titled "Another Nobelium Cyberattack" which alarmed that the group aims to hack into trusted technology providers and attack their customers. 

This time, Nobelium didn't use the SolarWinds network monitoring tool for the attack but gained access to the Constant Contact Account of USAID (United States Agency for International Development). Tom Burt, Microsoft’s corporate vice president of customer security and trust, “using the legitimate mass mailing service Constant Contact, Nobelium attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.” 

After hacking the Constant Contact Account email service via a USAID account, Nobelium distributed authentic-looking phishing emails containing a link, which upon opening, attached a malicious file "NativeZone" which is used to distribute backdoor. The backdoor could allow multiple activities like data stealing and corrupting other computer networks. Constant Contact Account said that it was aware of an account breach of one of its customers. It was an isolated incident, and the agency has deactivated all the affected accounts while working with law enforcement agencies. It says that most of the attacks targetting the customers were blocked automatically by Windows Defender, which also blocked the malware used in the attack. 

"We detected this attack and identified victims through the ongoing work of the Microsoft Threat Intelligence Center (MSTIC). team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work," said Burt.

Cyber Attackers Hijacked Google and Microsoft Services for Malicious Phishing Emails

 

Over recent months, the cybersecurity industry has seen a huge increase in malicious attackers exploiting the networks of Microsoft and Google to host and deliver threats through Office 365 and Azure. 

The actors who are at risk are quickly moving towards cloud-based business services during the pandemic by concealing themselves behind omnipresent, trustworthy services from Microsoft and Google to make their email phishing scams appear legitimate; and it works. 

In particular, during the first three months of the year 2021, researchers discovered that 7 million malicious e-mails were sent from Microsoft's 365, and also that 45 million were transported from Google's network. The Proofpoint team said that cyber-criminals had been able to send phishing e-mails and host attacks with Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase. 

“The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders,” the report, issued on Wednesday, explained. “This authenticity perception is essential, as email recently regained its status as the top vector for ransomware; and threat actors increasingly leverage the supply chain and partner ecosystem to compromise accounts, steal credentials and siphon funds.” 

Proofpoint estimated that 95% of cloud account organizations had been attacked, and more than half of them succeeded. Additionally, more than 30% of those organizations were compromised. 

Once attackers have access to passwords, they can easily enter or exit several services and send out more, persuasive phishing emails. 

Proofpoint offered many examples of projects behind Microsoft and Google that tried to scam users to give up or deliver their details. 

Attackers exploited Gmail to host another operation throughout March, that provided them with the message of the fake benefits together with a Microsoft Excel attachment, that delivered The Trick Bank Trojan to steal credentials whenever macros were activated. 

Another Gmail-hosted February attack seeks to persuade users to use their passwords for accessing zip-on MS Word documents. Upon opening, Xorist ransomware has been delivered. 

The use of Gmail and Microsoft by attackers to give their emails a patina of credibility is part of a broader trend: threats are developing increasingly persuasive appeals. 

“Our research demonstrates that attackers are using both Microsoft and Google infrastructure to disseminate malicious messages and target people, as they leverage popular cloud-collaboration tools,” the Proofpoint report added. “When coupled with heightened ransomware, supply chain, and cloud account compromise, advanced people-centric email protection must remain a top priority for security leaders.”

RevengeRAT is Targeting the Aerospace and Travel Sectors with Spear-Phishing Emails

 

Microsoft has released a warning about a remote access tool (RAT) called RevengeRAT, which it claims has been used to send spear-phishing emails to the aerospace and travel industries.

RevengeRAT is a remote access trojan (RAT) that is classified as a high-risk computer infection. This malware aims to give cybercriminals remote access to infected computers so they can manipulate them. According to research, cybercriminals spread this infection through spam email campaigns (malicious MS Office attachments). Having a trojan-type infection on your device, such as RevengeRAT, can cause a slew of problems. 

They can use RevengeRAT to monitor system services/processes/files, edit the Windows Registry and hosts file, log keystrokes, steal account passwords, access hardware (such as a webcam), run shell commands, and so on. As a result, these individuals have the potential to cause serious harm. 

RevengeRAT, also known as AsyncRAT, is spread by carefully designed email messages that instruct recipients to open a file that appears to be an Adobe PDF attachment but actually installs a malicious visual basic (VB) file. 

The two RATs were recently identified by security company Morphisec as part of a sophisticated Crypter-as-a-Service that delivers multiple RAT families. The phishing emails, according to Microsoft, transmit a loader, which then delivers RevengeRAT or AsyncRAT. Morphisec claims it is also able to supply the RAT Agent Tesla. 

"The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads," Microsoft said. 

Morphisec called the cryptor service "Snip3" after a username it discovered in earlier malware variants. If Snip3 detects that a RAT is being executed inside the Windows Sandbox – a virtual machine security feature Microsoft launched in 2018 – it will not load it. Advanced users can use the Windows Sandbox to run potentially malicious executables in a secure sandbox that won't harm the host operating system.

"If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments," Morphisec notes. "If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload."

Microsoft Detected a BEC Campaign Targeted at More than 120 Organizations

 

Microsoft discovered a large-scale business email compromise (BEC) program that attacked over 120 organizations and used typo-squatted domains that were registered only days before the attacks began. Cybercriminals continue to harass companies in order to deceive recipients into accepting fees, exchanging money, or, in this case, buying gift cards. This kind of email attack is known as business email compromise (BEC), which is a dangerous type of phishing aimed at gaining access to sensitive business data or extorting money via email-based fraud.

In this operation, Microsoft discovered that attackers used typo-squatted domains to make emails appear to come from legitimate senders in the consumer products, process manufacturing, and agriculture, real estate, distinct manufacturing, and professional services industries. 

BEC emails are purposefully crafted to look like regular emails as if they were sent from someone the intended client already knows, but these campaigns are much more complicated than they seem. They necessitate planning, staging, and behind-the-scenes activities. 

"We observed patterns in using the correct domain name but an incorrect TLD, or slightly spelling the company name wrong. These domains were registered just days before this email campaign began," the Microsoft 365 Defender Threat Intelligence Team said. 

Despite the scammers' best efforts, Microsoft found that "the registered domains did not always comply with the company being impersonated in the email." The attackers' surveillance capabilities are evident when they called the targeted workers by their first names, despite their methodology being faulty at times.  

To give authenticity to the phishing emails, scammers used common phishing tactics including bogus responses (improved by also spoofing In-Reply-To and References headers), according to Microsoft.

 
"Filling these headers in made the email appear legitimate and that the attacker was simply replying to the existing email thread between the Yahoo and Outlook user," Microsoft added. "This characteristic sets this campaign apart from most BEC campaigns, where attackers simply include a real or specially crafted fake email, adding the sender, recipient, and subject, in the new email body, making appear as though the new email was a reply to the previous email." 

Though the tactics used by these BEC scammers seem crude, and their phishing messages seem to be clearly malicious, BEC attacks have resulted in record-breaking financial losses per year since 2018. The FBI formed a Recovery Asset Team in 2018 intending to retrieve money that can still be traced and freezing accounts used by fraudsters for illegal BEC transactions.

Unidentified Cyberattackers Has Put Alaska Court System Offline

 

A recent cyberattack has forced The Alaska Court System (ACS) to temporarily discontinue its online services to the public including electronic court filings, online payments, and also prevented hearings that take place via videoconference till the cybersecurity unit removes malware from its network including its working website. Due to the ongoing world pandemic, court matters were being dealt with by an online service. However, now services will be given through phone calls. 

On Saturday, a statement has been put out by the court in which the court said that its website will be inactive and people will not be able to search cases while its research unit fixes the malware that has been executed on its network, in order to prevent a further cyber attack. 

"Today, we were advised that there did appear to be some attempts to infiltrate the court system's computer system. And so we figured out a way to disconnect from the internet to stop the problem to prevent anyone from continuing to try to tinker with our network”, Alaska Supreme Court Chief Justice Joel Bolger. 

Additionally, the court told that all currently scheduled cases and other emergency hearings on critical matters will be heard on their time. 

“I think for a few days, there may be some inconveniences, there may be some hearings that are canceled or some judges who decide to shift from videoconference to teleconference proceedings or the like. We don’t have all of that figured out yet,” Alaska Supreme Court Chief Justice Joel Bolger, the court system’s top administrative officer, told the press. 

This cyberattack is just another example of cyber threats against governmental organizations. There is no doubt that because of the pandemic, cyberattacks against government organizations have been increased. Along with Government organizations, the state and local level governments, with private firms and schools, hospitals, are also being targeted massively. 

In the light of the cyber threat, the newly formed Ransomware Task Force, which works under Microsoft and Amazon experts: aims at fixing ransomware and finding solutions to combat these cyberattacks. 

In the latest report, the task force has provided some haunting statistics of ransomware attacks: 

The average downtime due to ransomware attacks is 21 days, the average number of days it takes an organization to fully recover is 287, victims paid $350 million in ransom in 2020, a 311% increase from 2019, and the average ransom payment was $312,493, a 171% increase from 2019.

Microsoft Finds Critical Code Execution Bugs In IoT, OT Devices

 

Recently, world-leading giant Microsoft security unit has reported that around 24 critical remote code execution (RCE) vulnerabilities have been found in Operational Technology (OT) industrial systems and Internet of Things (IoT) appliances. The research unit said that this security flaw in the system is collectively known as BadAlloc and because of the memory allocation Integer Overflow or Wraparound bugs, the attack occurred. 

The unit reported that the cybercriminal could utilize this access into the system to crash and execute malicious code remotely into the system. The vulnerabilities have been discovered by Microsoft's researchers into standard memory allocation systems that come into use in multiple real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. 

"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations…”, the research team noted. 

"…Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device, the Microsoft security research team has reported”, they further added.

There is a long list of appliance that get affected by the BadAlloc vulnerabilities: 

• Amazon FreeRTOS, Version 10.4.1 
• ARM Mbed OS, Version 6.3.0 
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 
• ARM mbed-uallaoc, Version 1.3.0 
• Cesanta Software Mongoose OS, v2.17.0 
• ARM CMSIS-RTOS2, versions prior to 2.1.3 
• Apache Nuttx OS, Version 9.1.0 
• Media Tek LinkIt SDK, versions prior to 4.6.1 
• Google Cloud IoT Device SDK, Version 1.0.2 
• Micrium OS, Versions 5.10.1 and prior 
• Micrium uCOS II/uCOS III Versions 1.39.0 and prior 
• Linux Zephyr RTOS, versions prior to 2.4.0 
• NXP MCUXpresso SDK, versions prior to 2.8.2 
• NXP MQX, Versions 5.1 and prior 
• RIOT OS, Version 2020.01.1 
• Samsung Tizen RT RTOS, versions prior 3.0.GBB 
• Redhat newlib, versions prior to 4.0.0 
• Texas Instruments SimpleLink MSP432E4XX 
• Texas Instruments CC32XX, versions prior to 4.40.00.07 
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 
• Windriver VxWorks, prior to 7.0 
• Uclibc-NG, versions prior to 1.0.36 
• TencentOS-tiny, Version 3.1.0 

Reportedly, as soon as the security flaw was found out into the system the research unit reported it to the CISA and the vendors.

Microsoft Discovered Several Security Flaws in IoT Operating Systems

 

Security researchers at Microsoft recently uncovered a series of critical memory allocation vulnerabilities in the Internet of Things (IoT). Microsoft researchers said that they have discovered about 25 undocumented critical memory-allocation vulnerabilities across a number of vendors’ IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash. 

‘BadAlloc,’ is the name assigned by the company's Section 52 —which is the Azure Defender for IoT security research group. BadAlloc has the potential to affect a wide range of domains, from consumer and medical IoT devices to industry IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center (MSRC). 

“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds," says the company. "To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible.”

“Our findings show that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in the execution of malicious code on a target device," Microsoft researchers stated.

Memory allocation is exactly what it sounds like–the basic set of instructions device makers give a device for how to allocate memory. The vulnerabilities stem from the usage of vulnerable memory functions across all the devices, such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more, according to the report. 

From what researchers have discovered, the problem is systemic, so it can exist in various aspects of devices, including real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations, they said. And as IoT and OT devices are highly pervasive, “these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,” researchers observed. 

In 2019, a security researcher discovered a similar flaw impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices. The vulnerability affected the Sirep/WPCon communications protocol included with Windows IoT operating system.

Fake Microsoft DirectX 12 Distributes Malware

 

Cybercriminals have built a bogus Microsoft DirectX 12 download page in order to spread ransomware that steals cryptocurrency wallets and passwords. Despite the fact that the website has a contact form, a privacy policy, a disclaimer, and a DMCA infringement page, the website and the services it distributes are not valid.

Users will be routed to an external website when they press the Download buttons, which will prompt them to download a file. You'll be sent a file called '6080b4 DirectX-12-Down.zip' [VirusTotal] or '6083040a Disclaimer.zip' [VirusTotal] depending on whether you want the 32-bit or 64-bit edition. All of these files contribute to malware that attempts to steal files, passwords, and cryptocurrency wallets from their victims.

When the bogus DirectX 12 installers are launched, they silently download and execute malware from a remote site, as discovered by security researcher Oliver Hough. This malware is a data-stealing Trojan that tries to snatch a victim's cookies, directories, device records, installed programs, and even a snapshot of the current desktop. The malware authors are attempting to steal a number of cryptocurrency wallets for Windows applications, including Ledge er Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Aomtic, and Monero. 

All of the information is gathered in a %Temp% folder, which the malware will zip up and give back to the attacker. The data will then be analysed and used for other nefarious purposes by the attack. To spread malware, threat actors are rapidly building fake websites, some of which are much more persuasive than others.

Ficker ransomware is already spreading across websites impersonating Microsoft Store and Spotify, according to ESET. Details and user accounts stored in web browsers, email applications, and FTP clients are stolen by the malware. It can even rob from your bitcoin wallet, exfiltrate documents, and take screenshots of your running applications. 

As part of a larger ransomware campaign targeting cybersecurity experts, the Lazarus Group has set up a bogus protection firm and social media accounts. For a fictitious Turkish business called SecuriElite, the attackers built a website, as well as a Twitter and LinkedIn account. When the Google security team was focusing on tracking down the state-backed hackers, the firm was allegedly providing offensive security services.

Microsoft Fixes LPE Vulnerability Impacting Windows 7 and Server 2008

 

Microsoft quietly patched a local privilege escalation (LPE) flaw that affects both Windows 7 and Server 2008 R2 computers. This LPE flaw (which has yet to be assigned a CVE ID) is caused by a misconfiguration of two service registry keys, and it enables local attackers to escalate privileges on fully patched devices. 

On Windows 7 and Windows Server 2008R2, security researcher Clément Labro discovered that insecure permissions on the registry keys of the RpcEptMapper and DnsCache services enable attackers to trick the RPC Endpoint Mapper service into loading malicious DLLs. Attackers can execute arbitrary code in the sense of the Windows Management Instrumentation (WMI) service, which runs with LOCAL SYSTEM permissions, by leveraging this flaw. 

“In short, a local non-admin user on the computer just creates a Performance subkey in one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading attacker's DLL and executing code from it,” 0patch co-founder Mitja Kolsek explained when the flaw was first announced as a zero-day in November. 

Labro said he discovered the zero-day after releasing an update to PrivescCheck, a method for checking basic Windows protection misconfigurations that can be used by malware for privilege escalation. Labro said he didn't realize the latest tests were highlighting an unpatched privilege escalation process until he started looking at a series of warnings that appeared days after the update on older systems like Windows 7. 

Both Windows 7 and Windows Server 2008 R2 had passed their end-of-life (EOL) deadlines, and Microsoft had stopped offering free software patches for them. While the company's ESU (Extended Support Updates) paid support service included some security updates for Windows 7 users, no patch for this problem was announced at the time. 

Although Microsoft quietly solved the RpcEptMapper registry key vulnerability (as discovered by 0patch) in the April 2021 Windows Updates (ESU) release by modifying permissions for groups Authenticated Users and Users to no longer require 'Create Subkey,' the organization has yet to resolve the DnsCache vulnerability. Since February, an open-source exploit tool for the Windows 7 / 2008R2 RpcEptMapper registry key vulnerability has been available. 

However, "at this point, if you are still using Windows 7 / Server 2008 R2 without isolating these machines properly in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries," as Labro said.

Fake Microsoft Store, Spotify Distribute Malware to Steal User Data

 

Attackers are promoting sites that imitate the Microsoft Store, Spotify, and an online document converter to spread malware that steals credit cards and passwords stored in web browsers. ESET, a cybersecurity company, detected the attack and posted an alert on Twitter to be on the lookout for the malicious campaign. 

On both desktops and mobile devices, Windows remains vulnerable to a significant number of malware threats, at least more than its peers and competitors. Despite having an official app store, it is almost too easy to infect a Windows PC by merely installing an app. Microsoft advises users to only download applications from the company's official networks, however, some hackers are taking advantage of this by posing as legitimate companies. Microsoft Store is an online store that sells Microsoft products. 

According to Jiri Kropac, ESET's Head of Threat Detection Labs learned that the attack is carried out by deceptive ads that promote what appear to be legitimate applications. One of the commercials used in this attack, for example, promotes an online Chess game. Users are taken to a fake Microsoft Store page for a fake 'xChess 3' online chess application, which is automatically downloaded from an Amazon AWS server when they click on the ad. 

According to this Any.Run report created by BleepingComputer, the downloaded zip file is called 'xChess v.709.zip' [VirusTotal], which is actually the 'Ficker', or 'FickerStealer,' information-stealing malware in disguise. Other ads from this malware campaign imitate Spotify or an online document converter. Their landing pages can also download a zip file containing the Ficker malware when you visit them. Instead of being greeted by a new online Chess program or the Spotify software when a user unzips the file and runs the executable, the Ficker malware would run and begin stealing the data stored on their device. 

Ficker is a data-stealing Trojan that was first posted on Russian-language hacker forums in January before the developer started renting it out to other threat actors. Threat actors will use this malware to steal passwords from web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients. The malware can also steal over fifteen cryptocurrency wallets, steal documents, and take screenshots of active applications running on victims' computers, according to the developer.

Cybercriminals Are Using Google URLs as a Weapon to Spread Malware

 

Security researchers at Microsoft warned the organizations of a new phishing campaign, they have been tracking activity where contact forms published on websites are exploited to send malicious links to organizations via emails containing fake legal threats. The emails direct recipients to click on a link to review supposed evidence behind their allegations, but are instead led to downloading IcedID, an info-stealing malware. Microsoft Defender for Office 365 identifies and blocks these emails while shielding enterprises from this threat.

As a precautionary measure, Microsoft reported the threat to Google's security teams to warn them that threat actors are using legitimate Google URLs to deliver malware. The Google URLs are useful to the attackers because they will bypass email security filters. Seemingly, the attackers have also bypassed CAPTCHA challenges that are used to test whether the contact submission is from a human.

"Attackers are abusing legitimate infrastructure, such as websites' contact forms, to bypass protections, making this threat highly evasive. Besides, attackers use legitimate URLs, in this case, Google URLs that require targets to sign in with their Google credentials," the Microsoft 365 Defender Threat Intelligence Team stated. 

Microsoft is bothered by the methodology used by threat actors to steal information and has currently detected the criminals using the URLs in an email to deliver IcedID malware. However, it could just as easily be used to deliver other malware.

IcedID is an info-stealing malware that connects to a command-and-control server to download modules that conduct functions like stealing banking credentials and other data. It achieves persistence and downloads additional tools that let remote attackers pursue other malicious actions on a target system, including credential theft, lateral movement, and delivery of additional payloads.

"We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs. We observed an influx of contact form emails targeted at enterprises by means of abusing companies' contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections. As the emails are originating from the recipient's own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry," Microsoft further notes.

Hackers Exploit Windows BITS Feature To Launch Malware Attack

Microsoft released the BITS (Background Intelligent Transfer Service) in Windows XP to coordinate and ease uploading and downloading files with large size. Systems and applications component, specifically update in Windows, use this BITS feature to provide application updates and OS so that they can work in minimal user disruption. BITS interact with applications to make jobs with one or more application to download or upload. The BITS feature operates in service and it can make transfers happen at any time. A local database stores file, state and job info.  

How the hackers exploit BITS?

The BITS, like every other technology, is used by applications and exploited by hackers. When harmful apps make BITS jobs, the files are uploaded and downloaded in the service host process context. This helps hackers to avoid firewall detection that may stop suspicious or unusual activities, allowing the attacker to hide the application that requests the transfer. Besides this, the transfers in BITS can be scheduled for later, which allows them to happen at given times, saving the hacker from depending on task-scheduler or long-running processes. 

Transfers in BITS are asynchronous, resulting in a situation where the apps that made jobs may not be working after the transfers that are requested are complete. Addressing this situation, these jobs in BITS can be made through a notification command that is user-specific. The command can be used in case of errors or after a job is complete. The BITS jobs linked with this notification command may authorize any command or executable to run. The hackers have exploited this feature and used it as a technique for continuously launching harmful applications.  

For BITS jobs, the command data is stored in a database rather than the traditional directory register, this helps hackers as the tools that are used to identify persistent executables or commands by unknown actors may overlook it. The jobs in BITS can be made using the BITS-admin command lines tool or via API functions.  Cybersecurity firm FireEye reports, "the Background Intelligent Transfer Service continues to provide utility to applications and attackers alike. The BITS QMGR database can present a useful source of data in an investigation or hunting operation. BitsParser may be utilized with other forensic tools to develop a detailed view of attacker activity." 

Everthing You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA) in unison with the Federal Bureau of Investigation (FBI) published an advisory on Wednesday to warn organizations of ongoing TrickBot attacks despite in October multiple security firms dismantled their C2 infrastructure in a joint operation.

In their joint advisory, two agencies disclosed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into installing the Trickbot malware.

TrickBot was initially observed in 2016, it is believed to be designed by the threat actors behind the Dyre Trojan. TrickBot has become one of the most prevalent families out there, entrapping machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates that protected against similar attempts. The recent attacks come as a confirmation to the same, that TrickBot’s operators were able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 

EU Banking Regulator Suffers Cyberattack in a Microsoft Email Breach

A significant EU financial regulator, the EU Banking Authority said that it suffered a cyberattack where its Microsoft email systems were hacked. The US company is putting the blame on a Chinese threat actor. Recently, Microsoft said that a Chinese state-sponsored hacking group was exploiting earlier unknown security vulnerabilities in Microsoft's exchange email services to hijack government and user data. The list of victims counts to as many as tens of thousands. Microsoft earlier this week said that "Hafnium attacks were in no way connected to the separate SolarWinds-related attacks." 

Threat actor "Hafnium" is highly skilled and sophisticated, says Microsoft. Hafnium has earlier attacked companies based in the US that include cybersecurity firms, law firms, defense contractors, think tanks, defense agencies, NGOs, and universities. The EBA (EU Banking Authority) said in a statement that the inquiries have not revealed any data theft as of now. Presently, the EBA e-mail infrastructure is safe and the investigation concludes that there has been no data breach, says the statement. 

There's no evidence to suggest that the breach affected anything more than email servers.  The company says that the investigation is still in process and security measures have been set up to restore the functionality of e-mails. EBA in a statement issued on Sunday said that it had shut down its systems as a preventive measure, observing that hackers may have got access to personal data in the emails. The company has issued updates to fix the security issues. It is very much likely that the hackers may want to take the advantage of the unpatched systems, says Tom Burt, Microsoft executive. 

In this regard, Security Week reported, "Beijing typically rejects US hacking charges out of hand and last year berated Washington following allegations that Chinese hackers were attempting to steal coronavirus research. In January, the US said Russia was probably behind the massive SolarWinds hack that hit large swathes of the government and private sectors, and which experts say may constitute an ongoing threat."  

Researcher Laxman Muthiyah Awarded with $50,000 for Detecting a Flaw in Microsoft Account

 

A bug bounty hunter was awarded $50,000 by Microsoft for revealing a security vulnerability leading to account deprivation. The expert says that only ‘user accounts’ have an effect on vulnerabilities. The vulnerability has to do with launching a brute force attack to estimate that the seven-digit security code is sent via email or SMS in a reset password checking process. 

Microsoft has granted $50,000 to the Security Researcher Laxman Muthiyah for revealing a vulnerability that could allow anyone to hijack the accounts of users without permission. Researcher Laxman Muthiyah informed in a blog post on Tuesday 2nd March, about the possibility of the particular security flaw. 

“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that, we will be asked to select the email or mobile number that can be used to receive security code,” researcher Laxman Muthiyah wrote in the blog. “Once we receive the 7-digit security code, we will have to enter it to reset the password. Here, if we can brute force all the combination of 7-digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.” 

In the past, Muthiyah found an Instagram-rate flaw that might contribute to take-up and then use the same tests to secure Microsoft's account. The researcher found out that the rates are set to reduce the number of tries and safeguard the accounts. Examination of an HTTP POST application sent to verify the code showed that the code was encrypted before it was sent, which suggests that the authentication was broken in order to optimize brutal force attacks. 

The analyst sent 1000 code requests, but only 122 were accepted, the remaining (1211 error code), resulted in an error, and all other requests prevented establishing the limit rate used for account protection. The analyst bypassed the blocking and encryption process by submitting simultaneous requests. It was found that, if all requests sent don't really arrive at the server simultaneously, the mechanism blacklists the IP address.

That being said, in an actual scenario, the attacker must submit security codes possible, about 11 million request attempts, simultaneously required to modify a Microsoft account password (including those with 2FA enabled). In order to successfully complete the attack, such an attack would need several computer resources and 1000s of IP address. 

Muthiyah has reported the problem to Microsoft that was immediately discovered and solved in November 2020. 

“I received the bounty of USD 50,000 on Feb 9th, 2021 through hacker one and got approval to publish this article on March 1st. I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue. I also like to thank Microsoft for the bounty.” concluded Muthiyah

Active Email Threat from Microsoft Hack, Warns White House

 

The administration of Biden is highly alarming about a series of recently found cyber intrusions that were associated with China as stated by Microsoft this week. The White House has cautioned that the use of newly disclosed vulnerabilities in Microsoft applications that has affected "a significant number of victims" in the US.

"This is an active threat," White House press secretary Jen Psaki said on Friday. "Everyone running these servers - government, private sector, academia - needs to act now to patch them." 

Microsoft said hackers were attacking their targets using its mail server. Tens of thousands of American organizations have indeed been confirmed to be affected. For a long time, the US has suspected the Chinese administration of cyber-espionage. 

On Saturday, the U.S. National Security Council stated, "essential that any organization with a vulnerable server take immediate measures". Later on Friday, the Cybersecurity and Infrastructure Security Agency underlined the danger in an unusually straightforward tweet saying that maltreatment could "enable an attacker to gain control of an entire enterprise network." 

White House officials encouraged private sector companies running Microsoft Exchange Server software to install several crucial upgrades, which were reported as an emergency patch. This week Microsoft announced that it was aware of many vulnerabilities that Chinese hijackers have exploited in its server program. The hacker party, which Microsoft calls Hafnium, has gone after, "infectious disease researchers," law firms, higher education institutions, defense contractors, policy think-tanks, and NGOs, Microsoft stated previously. According to Microsoft, the party concerned had not recently been identified by the public. 

In the US, over 20,000 organizations, with many more impacted globally, have been hacked, Reuters said. In recent days, an unusually active Chinese cyber spying unit has infiltrated at least 30,000 organizations in the USA — including a large number of small companies, towns, cities, and local governments — aiming at robbing e-mail from victim organizations. 

Microsoft did not confirm the figures but said that it was working closely with the US government agencies in a further statement on Friday. They advised clients that "the best protection" was "to apply updates as soon as possible across all impacted systems." However, it said that it had implemented such mitigation strategies to support those who are not able to rapidly update but cautioned that they are not "a remediation if your Exchange servers have already been compromised, nor are they full protection against attack."

Backdoor Affects 20,000 U.S Agencies Via Microsoft Vulnerability

A backdoor breached more than 20,000 US enterprises, it was installed through Microsoft Corp's recently patched flaws in the email software, said an individual aware of the U.S government's response. The hacks have already reached beyond areas than the malicious downloaded codes of Solarwinds Corp, an organization that suffered the most from the recent cyberattack in December. The recent cyberattack has left channels open that can be remotely accessed. These are spread across small businesses, city governments, and credit unions say reports from U.S investigations. 

Besides this, the records also reveal that tens of thousands of enterprises in Europe and Asia were also affected by the hack. The hacks are still present even though Microsoft issued security patches earlier this week. Earlier, Microsoft said that the hacks had "limited and targeted attacks," but now denies to comment on the current state of the problems. However, it said the company is currently working with the government authorities and security firms to deal with the issue. Reuters says, "more attacks are expected from other hackers as the code used to take control of the mail servers spreads." 

A scan revealed that, out of the connected vulnerable devices, a mere 10% of users have installed the security patches, but the numbers are going up. As the patch is not helpful to fix the backdoors, the US government is currently trying to figure out how to assist the victims and help them with the issue. The devices compromised seem to run the web version of the email client Outlook, hosting them on their devices, not using cloud providers. Experts say this might've saved many big agencies and government authorities from the attack.  

White House press secretary Jen Psaki earlier this week informed media that the vulnerabilities revealed in Microsoft's popular exchange servers are big and can have a deep impact, there is a concern that the victims may be more. "Microsoft and the person working with the U.S. response blamed the initial wave of attacks on a Chinese government-backed actor. A Chinese government spokesman said the country was not behind the intrusions," reports Reuters. 

Microsoft Lures Populate Half of Credential-Swiping Phishing Emails

 



According to the sources nearly half of the emails, phishing attacks in the year 2020 aimed to swipe credentials using Microsoft-related lures – from the Office 365 enterprise service lineup to its Teams collaboration platform. 

As per the Tuesday report by Cofense, which has studied the numbers of emails related attacks including 57 percent of attacks which were phishing emails targeting victims’ sensitive credential information such as usernames and passwords. Additionally, 45 percent of those phishing emails were Microsoft-themed, according to the researchers: threat actors are using both methods for their targets including Microsoft-themed lures for their emails, along with, ensuing phishing landing pages that will either leverage or spoof legitimate Microsoft domains or services. 

“With the number of organizations migrating to Office 365, targeting these credentials allows the threat actor to gain access to the organization as a legitimate user to go undetected,” researchers with Cofense told the press. They added that they “highly recommend organizations enable [multi-factor authentication] along with their [Office 365] migration/ implementation.” 

Malicious actors email trap can vary; sometimes it could display straightforward “‘Joe wants to share a document with you’ SharePoint alert you would normally see from Microsoft,” researchers explained — or it could attach a file with documents that will include a link to a website asking users to login with Microsoft credentials. 

In October, a phishing campaign was reported which appeared to be an automated message from the team of Microsoft telling users that they had a missed Teams chat but in reality, it was a trap, attacking Office 365 recipients’ login credentials. 

Another attack with a different patter had occurred in December which employed embedded URLs that redirect to the fake, never-seen-before Microsoft Office 365 phishing pages. For instance, the attack displayed emails that were impersonating businesses like eFax (which allows consumers to receive faxes via email or online with help of internet service.) 

“We also see [cybercriminals] giving the user options to choose from the most commonly used email platforms. The phishing emails often contain URLs hosted on legitimate domains that maintain a broad consumer base to avoid being blocked by content rules and filters.” said, researchers. 

“Other popular brands we observed asking for credentials were other various cloud hosting services such as Adobe, Dropbox, Box, DocuSign or WeTransfer,” researchers told the press. “Threat actors have been able to scour the internet looking for file-sharing websites that are deemed ‘business related’ in order to make it past the secure email gateway controls, as well as the web proxy filters.”

Microsoft made CodeQL Queries Public for SolarWinds Attack Detection

 


Microsoft has won acclaim from security researchers by making its CodeQL queries public so any association could utilize the open-source tools to analyze if they encountered any vulnerabilities from the SolarWinds hack or similar supply chain attacks. "There is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant," Microsoft says. "These should be considered as just a part in a mosaic of techniques to audit for compromise." 

CodeQL queries code as though it were information, which allows developers to compose a query that discovers all the variations of a vulnerability, and afterward share it with others. CodeQL is an open-source semantic code analysis engine that works in two stages. First, as a feature of the compilation of source code into binaries, CodeQL fabricates a database that catches the model of the compiling code.

"For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database," Microsoft notes. 

In a blog post that details how it utilized the CodeQL technique, Microsoft alluded to the SolarWinds assault as Solorigate. For this situation, the attacker got into the remote management software servers of numerous organizations and infused a backdoor into the SolarWinds Orion software update. The attacker modified the binaries in Orion and dispersed them via previously legitimate update channels. This let the assailant remotely perform vindictive activities, such as credential theft, privilege escalation, and lateral movement to steal sensitive information. 

Microsoft said the SolarWinds incident has reminded associations to reflect not just on their readiness to respond to sophisticated attacks, but also the strength of their own codebases. In the blog, Microsoft clarifies its utilization of CodeQL queries to examine its source code at scale and preclude the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.