Neu Cyber Threats – 15th April 2021
Website contact forms and Google URLs are being exploited to spread the IcedID trojan, according to Microsoft.
‘Contact us’ forms on websites are being targeted by cyber criminals to send emails targeting organisations with legal threats. The phishing messages mention a copyright infringement by a photographer, illustrator or designer, and contain a link to purported ‘evidence’ for these legal infractions. The link leads to a Google page that downloads IcedID (a.k.a. BokBot), an information-stealer and loader for other malware.
The message uses strong and urgent language, akin to the HMRC phishing campaigns mentioned above, with lines such as ‘Download it right now and check this out for yourself’, pressuring recipients to act immediately and tempting them to open the links in order to avoid legal action.
The links sent victims to a sites.google.com page, which asks them to sign in. Once signed in, the page downloads a malicious .ZIP file, which when unpacked contains a .JS file. Microsoft explained that the .JS file is executed via WScript, and it creates a shell object that launches PowerShell and downloads the IcedID payload in the form of a .DAT file.
The file gives attackers remote control of the victim’s machine and analysis shows that the downloaded .DAT file loads via the rundll32 executable, which launches various information-gathering commands. This includes: obtaining antivirus info, getting IP, domain and system information, and swiping banking and other credentials stored in browser databases.
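The delivery chain above (WScript running the extracted .JS, a shell object launching PowerShell, and rundll32 loading the .DAT payload) maps onto three process-creation patterns a detection engineer can watch for. The following is an added example, not code from Microsoft or the original article: it runs three such rules over constructed Sysmon-style process events. The field names, paths and command lines are assumptions made for the sample, not captured telemetry from the campaign.

```python
"""Flag the IcedID delivery chain described above in process-creation telemetry:
a script host executing a .js from a user-writable path, that script's shell
object launching PowerShell, and rundll32 loading a .dat payload.
Added example; the events below are constructed, not captured from the campaign."""
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1-like fields).
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3000,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4102, "ppid": 4101,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\evidence\evidence.js"'},
    {"pid": 4103, "ppid": 4102,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c <constructed download command>"},
    {"pid": 4104, "ppid": 4103,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\evidence\payload.dat,Start"},
    # Benign noise: an admin shell whose parent is not logged, and a normal rundll32 use.
    {"pid": 5201, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Service"},
    {"pid": 5202, "ppid": 5200,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a phishing-delivered archive is typically unpacked into.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
# rundll32 normally takes a .dll; a .dat argument is the campaign's tell.
DAT_ARG = re.compile(r"\S+\.dat\b", re.IGNORECASE)


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def detect(events):
    """Return (rule_id, pid) pairs for events matching the chain's stages."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        cmd = e["cmd"]
        # Stage 1: script host running a .js out of a user-writable directory.
        if img in SCRIPT_HOSTS and ".js" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append(("script_host_js_from_user_dir", e["pid"]))
        # Stage 2: PowerShell whose parent is a script host (the WScript shell object).
        if img == "powershell.exe" and parent_img in SCRIPT_HOSTS:
            hits.append(("powershell_child_of_script_host", e["pid"]))
        # Stage 3: rundll32 handed a .dat file instead of a DLL.
        if img == "rundll32.exe" and DAT_ARG.search(cmd):
            hits.append(("rundll32_loads_dat", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each stage on its own has a benign false-positive rate (administrators do launch PowerShell, and rundll32 is used by the shell constantly), so in practice the three rules are worth correlating on the parent/child chain rather than alerting on individually.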
The use of website contact forms allows the campaign to evade email spam filters: the contact-form query appears trustworthy because it is delivered by trusted email marketing systems. As the emails originate from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or enquiry.
Further, the use of a Google page and sign-in request aids in detection-evasion – this added authentication layer means detection technologies may fail in identifying the email as malicious altogether.
It is advisable to treat contact-form emails with an attitude of ‘safety-first’. If, as in this situation, the emails contain links to websites for no strong, apparent reason, do not click them. Until email filters can crack down on some of the common language and links used in this particular attack, businesses should be wary of communications received through their contact-form enquiries.
A privilege-escalation vulnerability in Microsoft’s Azure Functions cloud container feature could ultimately allow a user to escape the container.
The firm found that Azure Functions containers run with the --privileged Docker flag, which means that device files in the /dev directory are shared between the Docker host and the container guest – the vulnerability stems from the fact that these device files have read-write permissions for ‘others’.
The issue becomes a problem given that the Azure Functions environment contains 52 different partitions with file systems, which can be visible across users. This becomes dangerous where attackers already have access to the victim’s environment as a low-privileged user: they can take advantage of the vulnerability to escalate privileges and do things they should not be able to do, such as reading files from the file system.
To probe for attack paths that could arise from this setup, researchers created a local test container and found that by using the debugfs utility, an unprivileged user can easily traverse the Azure Functions file system. It turns out that an unprivileged user cannot directly edit any files found within; however, researchers were able to find a way around this limitation on making direct changes to files.
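The root cause above is a permissions problem on shared device nodes, which is something a platform or container-security team can audit directly. The following is an added example, not code from the researchers or from Microsoft: it checks device nodes for permissions granted to ‘others’, both from an `ls -l /dev`-style listing and from a live directory via `os.stat`. The sample listing is constructed, and the set of character devices treated as benign (null, zero, random and similar, which are world-writable by design) is an assumption of this example.

```python
"""Audit device nodes for permissions granted to 'others', the condition
described above (device files under /dev shared into a --privileged container
and writable by any user).  Added example; the listing below is constructed,
not taken from an Azure Functions host."""
import os
import stat
from dataclasses import dataclass

# Constructed `ls -l /dev`-style lines.  sda1 and sda2 are deliberately exposed.
SAMPLE_LISTING = """\
brw-rw----  1 root disk   8, 0 Apr 15 09:00 sda
brw-rw-rw-  1 root disk   8, 1 Apr 15 09:00 sda1
brw-rw-r--  1 root disk   8, 2 Apr 15 09:00 sda2
crw-rw-rw-  1 root root   1, 3 Apr 15 09:00 null
crw-rw-rw-  1 root kmem   1, 1 Apr 15 09:00 mem
-rw-r--r--  1 root root     1234 Apr 15 09:00 notes.txt
"""

# Character devices that are world-writable by design (assumed benign here).
BENIGN_CHAR = {"null", "zero", "full", "random", "urandom", "tty", "ptmx"}


@dataclass
class Finding:
    name: str
    kind: str   # "block" or "char"
    mode: str   # ls-style mode string, e.g. "brw-rw-rw-"


def is_exposed(kind, name, others_read, others_write):
    """A raw block device (a disk or partition) should grant 'others' nothing at all,
    since reading it leaks a whole file system; a char device is flagged only when
    writable and not on the benign list."""
    if kind == "block":
        return others_read or others_write
    return others_write and name not in BENIGN_CHAR


def audit_listing(listing):
    """Parse ls -l style output and return the exposed device nodes."""
    findings = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        mode, name = parts[0][:10], parts[-1]   # [:10] drops a trailing '+' or '.'
        kind = {"b": "block", "c": "char"}.get(mode[0])
        if kind is None:
            continue  # regular files, directories and symlinks are not device nodes
        # Mode string layout: type, then rwx for user, group, others (indices 7-9).
        if is_exposed(kind, name, mode[7] == "r", mode[8] == "w"):
            findings.append(Finding(name, kind, mode))
    return findings


def audit_directory(path="/dev"):
    """Same check against a live directory using lstat (symlinks are skipped)."""
    findings = []
    for name in sorted(os.listdir(path)):
        try:
            st = os.lstat(os.path.join(path, name))
        except OSError:
            continue
        if stat.S_ISBLK(st.st_mode):
            kind = "block"
        elif stat.S_ISCHR(st.st_mode):
            kind = "char"
        else:
            continue
        others_read = bool(st.st_mode & stat.S_IROTH)
        others_write = bool(st.st_mode & stat.S_IWOTH)
        if is_exposed(kind, name, others_read, others_write):
            findings.append(Finding(name, kind, stat.filemode(st.st_mode)))
    return findings


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f.kind:5} {f.mode} {f.name}")
```

A clean result from this audit does not by itself make a `--privileged` container safe: the flag also hands the container the full capability set and disables several other isolation controls, so the permission fix is the minimum, and not running workloads privileged at all is the stronger control.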
Microsoft have been made aware of the vulnerability, but an incoming patch hasn’t been announced at the time of writing. Cases such as this underscore that vulnerabilities are sometimes unknown or out of the cloud security consumer’s control. Neuways advise a two-pronged approach to cloud security, with fixing known vulnerabilities and toughening up systems to decrease the likelihood of getting attacked, as well as implementing runtime protection to detect and respond to post-vulnerability exploitation and other in-memory attacks as they occur.