Neu Cyber Threats – 15th July 2021
Kaseya issue patch to counteract ransomware attack
After a huge cyber attack that its perpetrators claimed had infected over 1 million systems, Kaseya, vendor of the Virtual System/Server Administrator (VSA) platform, have issued a patch to close the hole. With thousands of businesses thought to have been affected, it is believed to be the largest cyber attack on record. The VSA 9.5.7a update was issued last Saturday to fix the three zero-day vulnerabilities (CVE-2021-30116, CVE-2021-30119, CVE-2021-30120) used in the ransomware attacks. All software-as-a-service (SaaS) customers were back up and running, while Kaseya continue to help on-premises customers restore their systems.
The patch draws a line under a devastating incident that has caused serious problems for customers. The REvil gang exploited the three VSA flaws in more than 5,000 separate cyber attacks, with businesses across 22 countries affected. Kaseya’s customers typically use VSA to remotely monitor and manage software and network infrastructure, hosted either as a cloud service or on on-premises servers. As news of the attack spread, other cyber criminal gangs saw an opportunity: backdoor malware was planted in a fake Microsoft update, alongside a malicious “SecurityUpdates” executable, aimed at customers searching for the Kaseya fix for their VSA. These fake updates would give cyber criminals remote access to a network, compounding the damage.
Since the attack, several ex-employees have claimed they raised a wide range of cyber security concerns while working for Kaseya, citing outdated code and the use of weak encryption and passwords in Kaseya’s products and servers. Neuways always advises businesses to download and apply software and hardware patches as soon as they are issued. This helps keep systems airtight and less prone to cyber attacks, as cyber criminals look to exploit known vulnerabilities and take control of corporate networks.
Microsoft solve ‘PrintNightmare’ flaw – or have they?
After issuing a patch, Microsoft thought it had solved a dangerous code execution flaw (CVE-2021-1675) in the Print Spooler service, dubbed ‘PrintNightmare’. However, it is now being claimed that the patch has not properly fixed the underlying issue.
The issue has been a source of embarrassment for Microsoft over the last fortnight, as security researchers highlighted major problems with the effectiveness of the update on social media. In a statement, Microsoft said:
“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses. We have seen claims of bypass where an administrator has changed default registry settings to an unsecure configuration. See CVE-2021-34527 guidance for more information on settings required to secure your system.”
The tech giant followed up with a blog post last Thursday insisting the emergency patch was ‘working as designed’ and ‘effective against the known print spooling exploits’. Every report Microsoft has investigated has relied on the default registry settings for Point and Print having been changed to an insecure configuration. This follows hot on the heels of claims by multiple researchers that the vulnerability still offers a code execution path in certain circumstances, with demonstrations against fully patched systems going viral. One demonstration worked on Windows machines with the Point and Print capability enabled and the “NoWarningNoElevationOnInstall” option selected.
‘PrintNightmare’ has been a running problem for Microsoft since a patch in June misdiagnosed the severity of a Print Spooler flaw, only for Microsoft to update its guidance a few weeks later and confirm remote code execution vectors. Print Spooler, enabled by default on Microsoft Windows, is the executable responsible for managing all print jobs sent to a printer or print server.
Microsoft is strongly recommending that Windows users follow these steps immediately:
- In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
- After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
- If the registry keys documented do not exist, no further action is required
- If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
Another option is for Windows admins to disable the Print Spooler service on domain controllers and on systems that do not print. This ensures that systems which do not need the service cannot be compromised through it.
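The four steps above and the spooler mitigation can be checked from an elevated PowerShell session. The script below is an added example written for this newsletter, not Microsoft’s code or anything from the advisory. It assumes the policy key path and the second value name, UpdatePromptSettings, as documented in the CVE-2021-34527 advisory (only NoWarningNoElevationOnInstall is named in the text above), so verify both against the advisory before relying on it.

```powershell
# Added example (not from the article or from Microsoft): audit the Point and Print
# policy values that must be 0 or absent after applying the CVE-2021-34527 update, and
# optionally disable the Print Spooler on hosts that never print. Run elevated.
# Assumption: the key path and the UpdatePromptSettings value name come from the
# CVE-2021-34527 advisory, not from the article text.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValuesToCheck    = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Test-PointAndPrintHardening {
    # One object per value. Absent or 0 is compliant; anything else re-opens the flaw.
    foreach ($name in $ValuesToCheck) {
        $current = $null
        if (Test-Path $PointAndPrintKey) {
            $current = (Get-ItemProperty -Path $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Value     = $name
            Present   = ($null -ne $current)
            Data      = $current
            Compliant = ($null -eq $current) -or ($current -eq 0)
        }
    }
}

function Disable-SpoolerIfUnused {
    # Stops and disables the Print Spooler service. Only call this on domain controllers
    # and hosts that do not print; with -WhatIf it just reports the current state.
    param([switch]$WhatIf)
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning 'Spooler service not found'; return }
    if ($WhatIf) {
        "Would stop and disable Spooler (currently $($svc.Status), start type $($svc.StartType))"
        return
    }
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}

# Usage: report the registry posture first, then decide about the spooler.
$report = Test-PointAndPrintHardening
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'A Point and Print value is non-zero; set it to 0 or remove it as the advisory describes.'
}
Disable-SpoolerIfUnused -WhatIf
```

The check deliberately treats a missing key as compliant, which matches the third step in the list: if the keys do not exist, no further action is required. Because the security update does not touch existing registry settings, this audit is worth repeating after patching rather than assuming the patch alone closed the gap.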
Microsoft Office users warned of malware protection bypass
A malware campaign that uses a novel macro-obfuscation technique to disable Office defences and deliver the Zloader trojan is causing trouble for Microsoft Office users. Word and Excel documents are used because they can avoid Office macro warnings and bypass security tools. Zloader is a banking trojan that steals credentials and other private information; it is usually distributed via phishing emails carrying Word attachments that themselves contain no malicious code.
The macro-obfuscation technique is key. It leverages both Excel’s dynamic data exchange (DDE) fields and Windows-based Visual Basic for Applications (VBA) to attack systems that support the legacy XLS format, which is why an email security solution may not flag the malicious document. When the document is opened and macros are enabled, the Word document downloads and opens a second, password-protected Microsoft Excel document.
An instruction embedded in the Word document then reads a specially crafted cell in the Excel spreadsheet to create a macro. That macro populates another cell in the same XLS document with a further VBA macro, which disables Office defences. Once the macros are written, the Word document sets the policy to ‘Disable Excel Macro Warning’ and invokes the malicious macro function in the Excel file, which downloads the Zloader payload and then executes it.
Normally, Microsoft Office disables macros automatically, so the cyber criminals trick email recipients into enabling them with a message displayed inside the Word document. The malware authors leverage DDE and VBA, both standard Microsoft tools that ship with Windows, to take control. DDE is a method for transferring data between applications such as Excel and Word: here it updates the contents of a spreadsheet cell with information from Word, which can then read specific cell content from the downloaded .XLS file.
VBA is Microsoft’s programming language for Excel, Word and other Office programs. It lets users record sequences of commands with a tool called Macro Recorder. Here, as in other abuses of VBA, the malware authors write malicious macro scripts. They achieve the warning bypass by embedding instructions in the Word document to extract the contents of the Excel cells.
Once the Excel macro is created and ready to execute, the script modifies a Windows registry key controlling trust access for VBA on the victim’s machine. This allows the script to run its function seamlessly without any Microsoft Office warnings. The final step of the plan then follows: the download of Zloader begins.
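The chain above works because a macro can flip the user-level Office settings that govern macro warnings and programmatic access to the VBA project. The script below is an added example for this newsletter, not code from the article or from the researchers who analysed Zloader. It assumes the per-application Security subkey under HKCU:\Software\Microsoft\Office\<version>\ and the value names VBAWarnings and AccessVBOM, which are Office’s documented user-level settings rather than values quoted in the text, and it assumes Office 2016/2019/365 under the 16.0 hive.

```powershell
# Added example (not from the article or the Zloader research): audit the Office macro
# settings this attack chain tampers with, and optionally set the hardened values.
# Assumptions: key path, VBAWarnings and AccessVBOM are Office's documented user-level
# settings (not taken from the article); '16.0' assumes Office 2016/2019/365.

$OfficeVersion = '16.0'
$OfficeApps    = @('Word', 'Excel')
$Hives = @{
    User   = 'HKCU:\Software\Microsoft\Office'            # changeable by the user, or by a macro running as the user
    Policy = 'HKCU:\Software\Policies\Microsoft\Office'   # enforced by Group Policy; overrides the user value
}

function Get-OfficeMacroPosture {
    # One row per app and hive. AccessVBOM=1 is the setting that lets a macro write further
    # macros into a workbook without a warning; VBAWarnings=1 means all macros run silently.
    foreach ($app in $OfficeApps) {
        foreach ($hiveName in $Hives.Keys) {
            $key   = Join-Path $Hives[$hiveName] "$OfficeVersion\$app\Security"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            $warn  = $props.VBAWarnings   # 1=enable all, 2=disable with notification (default), 3=signed only, 4=disable all
            $vbom  = $props.AccessVBOM    # 1=programmatic access to the VBA project allowed
            $findings = @()
            if ($warn -eq 1)      { $findings += 'all macros enabled' }
            if ($vbom -eq 1)      { $findings += 'trust access to VBA project enabled' }
            if ($null -eq $props) { $findings += 'no explicit setting (Office default applies)' }
            [pscustomobject]@{
                App = $app; Hive = $hiveName; Key = $key
                VBAWarnings = $warn; AccessVBOM = $vbom
                Finding = ($findings -join '; ')
            }
        }
    }
}

function Set-OfficeMacroHardening {
    # Writes the user-hive values a defender wants: signed macros only, no programmatic
    # VBA access. In a domain, push the same values through Group Policy instead.
    param([switch]$WhatIf)
    foreach ($app in $OfficeApps) {
        $key = Join-Path $Hives.User "$OfficeVersion\$app\Security"
        if ($WhatIf) { "Would set $key : VBAWarnings=3, AccessVBOM=0"; continue }
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
        Set-ItemProperty -Path $key -Name AccessVBOM  -Value 0 -Type DWord
    }
}

# Usage: review the posture for the current user, then apply the hardening for real by
# dropping -WhatIf.
Get-OfficeMacroPosture | Format-Table -AutoSize
Set-OfficeMacroHardening -WhatIf
```

The Policy hive rows matter more than the User rows: a macro running as the user can rewrite the User hive, which is exactly what the article describes, but it cannot override a value set by Group Policy. If the Policy rows show no explicit setting, the user-level value is the only thing standing between an enabled macro and the Zloader download.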
Malicious documents have been an entry point for most cyber criminal gangs, and these attacks are becoming more sophisticated, no longer limited to direct downloads of a payload from VBA. This is yet another example of why it is essential that businesses ensure their employees are trained to identify phishing threats when they land in an inbox. As soon as employees engage with phishing emails, they are effectively opening the door for cyber criminals to enter the network and cause chaos. Neuways runs Phishing Awareness Training for employers who want their employees to know how to spot a serious cyber threat.
Jobseekers targeted by cyber criminals
The notorious Lazarus cyber criminal group has been identified as being behind a phishing campaign that spreads malicious documents to job-seeking engineers. The ploy involves impersonating contractors seeking job candidates. Attached to the emails are Windows documents containing macro-based malware, “which has been developed and improved during the course of this campaign and from one target to another”, researchers said.
The core techniques of the malicious documents are the same, but the attackers have tried to reduce detections and extend the capabilities of the macros. In February, researchers linked a 2020 spear phishing campaign to the group that aimed to steal critical data from companies using an advanced malware called ThreatNeedle.
Previously, researchers had observed Lazarus trying to lure victims with fake job opportunities at Boeing and BAE Systems. They were alerted to the new campaign when Twitter users identified several documents from May to June of this year linked to the Lazarus group, using Rheinmetall, GM and Airbus as lures. Specifically, the malicious documents were: “Rheinmetall_job_requirements.doc”, “General_motors_cars.doc” and “Airbus_job_opportunity_confidential.doc”.
The campaigns using the three new documents share similarities in command and control (C&C) communication but differ in how they execute malicious activity. Lazarus distributed two malicious documents related to Rheinmetall, a German engineering company; the second included “more elaborate content” and so likely went unnoticed by victims. One unusual aspect of the macro in the initial malicious document is that it renames Certutil, a command-line program documented by Microsoft as installed as part of Certificate Services, in an attempt to obscure its activity.
The ultimate payload of the Rheinmetall document uses Mavinject.exe, a legitimate Windows component that has been abused before in malware activity, to perform arbitrary code injection into any running process, researchers wrote. The attackers use a compromised domain as the C&C server in this case. The GM document carried an attack vector similar to the Rheinmetall one, with minor updates to the C&C communication process, researchers found; however, the C&C domain used for it, allgraphicart[.]com, no longer appears to be compromised.
The Airbus document macro, like the Rheinmetall one, renamed Certutil as an evasion manoeuvre and shared similar C&C communication tactics. However, it also showed a progression in its injection and execution process, abandoning the earlier use of Mavinject.
Once the payload has executed, the macro in the Airbus document waits three seconds before creating an .inf file in the same folder. Then, whether or not execution succeeded, the macro sends a beacon to the C&C with the execution status and deletes all temporary files, attempting to remove any evidence of malicious activity. Lazarus was one of the most active threat groups of 2020, and this dangerous attack doesn’t look like it will be the last the group orchestrates this year.
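Renaming Certutil defeats a detection that matches on the file name, but not one that reads the version resource compiled into the binary, and the .inf file the Airbus macro drops is a short-lived artefact worth sweeping for. The script below is an added example for this newsletter, not code from the article or from the researchers’ report. The scan roots and the 24-hour window are assumptions; the watch list contains only the two binaries named above.

```powershell
# Added example (not from the article or the Lazarus research): find executables whose
# on-disk name differs from the OriginalFilename in their version resource (what a renamed
# certutil.exe looks like), and list recently created .inf files in the same locations.
# Assumptions: $ScanRoots and the 24-hour window are illustrative choices, not from the article.

$ScanRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC)
$WatchList = @('certutil.exe', 'mavinject.exe')   # binaries named in the article

function Find-RenamedExecutables {
    # Emits one object per executable whose name does not match its OriginalFilename.
    # A valid Microsoft signature on such a file is not reassuring: Authenticode does not
    # cover the file name, so a renamed certutil.exe still verifies as Microsoft-signed.
    param([string[]]$Roots = $ScanRoots, [string[]]$Watch = $WatchList)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.com, *.scr -ErrorAction SilentlyContinue |
            ForEach-Object {
                $orig = $_.VersionInfo.OriginalFilename
                if ([string]::IsNullOrWhiteSpace($orig)) { return }   # no version resource: nothing to compare
                if ($orig -ine $_.Name) {
                    [pscustomobject]@{
                        Path             = $_.FullName
                        OriginalFilename = $orig
                        KnownLolBin      = ($Watch -contains $orig.ToLower())
                        Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                        Created          = $_.CreationTime
                    }
                }
            }
    }
}

function Find-RecentInfFiles {
    # The Airbus macro writes an .inf beside the document, then deletes its temp files,
    # so this is a narrow window; process-creation logging is the more durable record.
    param([string[]]$Roots = $ScanRoots, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Filter *.inf -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $since } |
            Select-Object FullName, CreationTime, Length
    }
}

# Usage: run both sweeps and look first at anything flagged KnownLolBin.
Find-RenamedExecutables | Sort-Object KnownLolBin -Descending | Format-Table -AutoSize
Find-RecentInfFiles     | Format-Table -AutoSize
```

The same OriginalFilename comparison is available at process-creation time in Sysmon event 1, which records both the image path and the original file name; a rule that alerts when the two disagree catches the renamed copy the moment it runs, rather than relying on finding it on disk before the macro’s clean-up deletes it.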
To protect your business from cyber attacks from the likes of Lazarus, why not take Neuways’ Cyber Security Rating report? It’ll tell you whether or not your business’ existing cyber security provisions are appropriate for your business needs. Most businesses think they have everything they need in place already, however, it is important to be doubly sure. Not only does our report tell you where your business is succeeding in its cyber security measures, but where you need to improve. Take the test today to find out!