Neu Cyber Threats – 22nd July 2021
Fresh flaw found in Windows Print Spooler
Microsoft has warned of a new vulnerability in its Windows Print Spooler that can allow an attacker to elevate privileges and gain full control of a system. The advisory follows patches for two other Print Spooler bugs, remote code-execution (RCE) flaws that became known as 'PrintNightmare'.
The latest bug, a Windows Print Spooler elevation-of-privilege vulnerability, is tracked as CVE-2021-34481. The vulnerability "exists when the Windows Print Spooler service improperly performs privileged file operations", according to Microsoft. An attacker who successfully exploits it can run arbitrary code with SYSTEM privileges and from there install programs; view, change or delete data; or create new accounts with full user rights. Because it is an elevation-of-privilege bug rather than an RCE, the attacker must already be able to run code on the machine as a low-privileged user: it is the second stage of an intrusion, not the entry point. At the time of writing there is no patch, and the only workaround Microsoft offers is to stop and disable the Print Spooler service.
While Microsoft works on a patch for this bug, Neuways advises Windows users to install the most recent updates issued and to disable the Print Spooler on every machine that does not need to print (servers in particular), so as to avoid falling victim to the exploit.
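The following is an added example, not code from the Neuways advisory or from Microsoft: a PowerShell script that audits a host's Print Spooler state and applies Microsoft's published workaround (stop the service, then set its startup type to Disabled). The shared-printer check, the function names and the -Force guard are assumptions of this example; run it in an elevated session.

```powershell
# Added example (not from the Neuways advisory or Microsoft): audit and apply the interim
# workaround for CVE-2021-34481 on a single Windows host. Needs an elevated PowerShell session.

function Get-SpoolerExposure {
    # Report the service state and whether this host shares printers, which is the case
    # where disabling the Spooler would break something people rely on (a print server).
    $svc = Get-Service -Name Spooler
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        # Get-Printer comes from the PrintManagement module (Windows 8 / Server 2012 and later).
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerStatus     = $svc.Status
        StartupType       = $svc.StartType
        SharedPrinters    = $shared.Count
        # Stopped and Disabled is the state the workaround asks for.
        WorkaroundApplied = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
}

function Disable-PrintSpooler {
    # Apply the workaround. Refuses to run on a host that shares printers unless -Force is
    # given (assumed safety guard of this example: such a host is probably a print server).
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Force)

    $state = Get-SpoolerExposure
    if ($state.SharedPrinters -gt 0 -and -not $Force) {
        Write-Warning "$($state.ComputerName) shares $($state.SharedPrinters) printer(s); re-run with -Force to disable the Spooler anyway."
        return $state
    }
    if ($PSCmdlet.ShouldProcess('Print Spooler service', 'Stop and disable')) {
        # These two commands are the workaround Microsoft published for the Print Spooler bugs.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Get-SpoolerExposure
}

# Show the most recently installed updates so the July 2021 cumulative update can be checked
# against the KB number in Microsoft's advisory (not hard-coded here, it differs per Windows build).
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object HotFixID, InstalledOn -First 5

# Audit first, preview the change with -WhatIf, then run it for real.
Get-SpoolerExposure
Disable-PrintSpooler -WhatIf
```

Once a patch ships, re-enable the service with `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service -Name Spooler` only on the machines that actually need to print; on servers it can usually stay off.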
Vulnerability in Windows 10 login system opens users up to hacks
A vulnerability in Microsoft’s Windows 10 password-free authentication system has been discovered that could allow an attacker to spoof an image of a person’s face to trick the facial-recognition system and take control of a device.
Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password, instead using a PIN code or biometric identity—either a fingerprint or facial recognition—to access a device/machine. According to Microsoft, about 85% of Windows 10 users utilise Windows Hello.
The bypass vulnerability, tracked as CVE-2021-34466, requires the attacker to have physical access to the device. From there, they can go on "to manipulate the authentication process by capturing or re-creating a photo of the target's face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host," the researchers said. The bypass is not specific to Windows Hello: any authentication system that lets a pluggable third-party USB camera act as its biometric sensor is exposed in the same way.
While researchers have no evidence that anyone has tried or used the attack in the wild at the time of writing, someone with a motive could potentially use it on a targeted espionage victim. Thankfully, Microsoft addressed the vulnerability — which affects both consumer and business versions of the feature — in its July Patch Tuesday update. Also, Windows users with Windows Hello Enhanced Sign-in Security — a new security feature in Windows that requires specialised and pre-installed hardware, drivers and firmware — are protected against any attacks “which tamper with the biometrics pipeline,” according to Microsoft.
However, the researchers are unsure whether the fix fully mitigates the issue. Based on their preliminary testing of the mitigation, using Enhanced Sign-in Security with compatible hardware limits the attack surface, but this depends on users having specific cameras. For facial recognition, the biometric sensor is either a camera embedded in the device, such as a laptop's webcam, or one connected over USB. The entire process therefore trusts that camera as the proof of identity, which is where the weakness lies, particularly when a USB camera is used for authentication.
Neuways advises users to set up multi-factor authentication (MFA) wherever they can, to limit the damage from bypasses like this. A secondary device, such as a mobile phone, then has to confirm the user's identity before business accounts and services can be reached, so a spoofed device login on its own does not open them.
Mobile trojan found in Google Play applications
The Joker mobile trojan is back on Google Play, with a rise in malicious Android applications that hide the billing-fraud malware. The new variants also use fresh approaches to evade Google's app-vetting process.
The Joker trojan has been around since 2017, disguising itself within common, legitimate apps like photography apps, games, messengers, photo editors, translators and wallpapers. Once installed, Joker silently simulates clicks and intercepts SMS messages to subscribe victims to unwanted, paid premium services controlled by attackers – a type of billing fraud that researchers file under “fleeceware.” The apps also steal SMS messages, contact lists and device information.
Malicious Joker apps are commonly found outside of the official Google Play store, too, but they’ve continued to avoid Google Play’s filter since 2019. That’s mostly because the cyber criminals running the malware keep making small changes to their attack methodology. As a result, there have been waves of Joker infestations inside the store, including an incident that saw over 1,800 Android applications infected with Joker.
In the latest wave, at least 1,000 new samples have been detected in just under a year. This persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced constantly, meaning users and businesses must stay on the ball to avoid any further problems.
The apps are cropping up not only in Google Play and unofficial third-party markets, but also in other sanctioned outlets: AppGallery, the official app store for Huawei's Android devices, was recently found to be hosting apps that contained the Joker trojan.
These malicious applications can find their way into the enterprise when an infected personal device is enrolled under a company's bring-your-own-device (BYOD) policy; suddenly there is a new threat vector inside the corporate network. Neuways advises users to be wary of downloading unknown or disreputable applications, which may well be hiding malware.
Cyber criminals attempting to steal Microsoft 365 and credit card details
A new phishing email campaign has been detected that is targeting many users worldwide. The cyber criminals are aiming to steal not only their Microsoft 365 credentials but also their credit card details. This campaign is managing to bypass several email security solutions, too, so it reaches more inboxes than most.
Traditionally, phishing campaigns that steal Microsoft user credentials make excuses such as “XXX shared a document with you” or “a new voicemail is waiting for you”, which lure users into clicking a malicious link and entering their Microsoft 365 credentials into a fake login page. In this case, planning to steal credit card details on top of the basic Microsoft 365 credential theft, the cyber criminals surpassed themselves and built an entirely new process to fool victims. This is how it works:
- The email subject used is either ‘Check Your Microsoft 365 Business Premium!’ or ‘Buy a subscription to keep using your product’. Both use a sense of urgency that encourages the user to open and click the email.
- The sending address is firstname.lastname@example.org, but the display name reads either "Microsoft.com" or "Support", which makes users believe the email is safe and from a legitimate sender; many mail clients show only the display name. It is also in keeping with an email about renewing a Microsoft 365 Premium subscription, so nothing looks out of place.
- Clicking the ‘sign in’ link takes the user to a fake Microsoft login page.
- After entering their Microsoft credentials, the user sees a message explaining that they need to confirm their "billing informations" (the spelling is the attacker's) and enter their credit card details.
- Only after clicking the 'Confirm' button is the user asked to enter the credit card details.
- To reduce suspicion even more, after entering the credit card details, a payment confirmation message pops up and the user is directed to a real Microsoft webpage.
- At this stage, the attacker now holds the user’s Microsoft credentials, as well as their credit card details.
The threat actor in this case combined social-engineering techniques, an approach that keeps users trusting the email and its sender along the journey, with tricks that allowed the email to bypass security measures. In addition, the attack was planned so that information is collected at every step: even a partial set of information is valuable to cyber criminals.
As mentioned, this particular phishing campaign is dangerous because it can evade email spam filters. Neuways recommends always verifying the sender of any unexpected email, by checking the actual address behind the display name, before engaging with it, whether that means opening a hyperlink or an attached document. It is also advisable never to enter anything as sensitive as your login details or credit card information when an unsolicited email asks you to; go to the vendor's site directly instead.
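The following is an added example, not code from the Neuways page or from the researchers who reported the campaign: a PowerShell triage rule for the tells described above, a display name that claims to be Microsoft over an unrelated address, a subscription-renewal subject line, and "sign in" links that lead away from Microsoft's own domains. The trusted-domain list, the two-signal threshold and the sample messages are assumptions constructed for this example; adapt the list to your tenant.

```powershell
# Added example (not from the Neuways page): flag the display-name spoofing and off-domain
# links seen in the Microsoft 365 renewal phish. Sample messages below are constructed.

function Get-SenderDomain {
    param([Parameter(Mandatory)][string] $FromHeader)
    # .NET parses an RFC 5322 mailbox ("Display Name" <local@domain>) into its parts.
    $addr = New-Object System.Net.Mail.MailAddress($FromHeader)
    [pscustomobject]@{
        DisplayName = $addr.DisplayName
        Address     = $addr.Address
        Domain      = $addr.Host.ToLowerInvariant()
    }
}

function Test-TrustedDomain {
    param([string] $Domain, [string[]] $Trusted)
    foreach ($t in $Trusted) {
        if ($Domain -eq $t -or $Domain.EndsWith(".$t")) { return $true }
    }
    return $false
}

function Test-SubscriptionPhish {
    param(
        [Parameter(Mandatory)][string] $FromHeader,
        [Parameter(Mandatory)][string] $Subject,
        [string] $Body = '',
        # Assumed trusted domains for this example; extend for your own tenant.
        [string[]] $TrustedDomains = @('microsoft.com', 'microsoftonline.com', 'office.com'),
        [string[]] $ImpersonatedNames = @('microsoft', 'support')
    )
    $sender  = Get-SenderDomain -FromHeader $FromHeader
    $reasons = @()

    # Tell 1: the display name drops a trusted brand while the real domain is not trusted.
    $claimsBrand = $ImpersonatedNames | Where-Object { $sender.DisplayName -match $_ }
    if ($claimsBrand -and -not (Test-TrustedDomain -Domain $sender.Domain -Trusted $TrustedDomains)) {
        $reasons += "display name '$($sender.DisplayName)' over untrusted domain $($sender.Domain)"
    }

    # Tell 2: subscription/renewal urgency in the subject line.
    if ($Subject -match 'subscription|keep using|premium') {
        $reasons += "urgency subject: $Subject"
    }

    # Tell 3: any http(s) link whose host is not under a trusted domain.
    $linkHosts = [regex]::Matches($Body, 'https?://([^/\s"''<>]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } | Sort-Object -Unique
    foreach ($h in $linkHosts) {
        if (-not (Test-TrustedDomain -Domain $h -Trusted $TrustedDomains)) {
            $reasons += "link to untrusted host $h"
        }
    }

    [pscustomobject]@{
        Sender     = $sender.Address
        Subject    = $Subject
        # One weak signal alone is noise (legitimate renewal notices mention subscriptions);
        # two or more together is worth an analyst's look.
        Suspicious = ($reasons.Count -ge 2)
        Reasons    = $reasons
    }
}

# Constructed samples: the campaign's pattern, and a legitimate notice for contrast.
$phish = Test-SubscriptionPhish `
    -FromHeader '"Microsoft.com" <firstname.lastname@example.org>' `
    -Subject 'Buy a subscription to keep using your product' `
    -Body 'Your Microsoft 365 Business Premium has expired. <a href="https://login.m365-renewal.example/signin">Sign in</a> to renew.'

$legit = Test-SubscriptionPhish `
    -FromHeader 'Microsoft account team <account-security-noreply@accountprotection.microsoft.com>' `
    -Subject 'Your subscription has renewed' `
    -Body 'See https://account.microsoft.com/services for details.'

$phish, $legit | Format-List Sender, Subject, Suspicious, Reasons
```

The first sample trips all three checks and is reported as suspicious; the second, which only matches the subject rule, is not. The same three checks map onto Exchange Online transport rules or a mail-flow report, but keep the threshold: a single rule on the word "subscription" will bury the real hits in legitimate renewal notices.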