F5 SIRT This Week in Security: Microsoft patch issue, Atlassian Criticals and more
Editor's introduction
Hello! Arvin is your editor for this edition.
Microsoft had a patching hiccup for Windows 11 where .NET Framework 3.5 apps encountered issues; workarounds were provided. To prevent malware and RDP abuse, Microsoft has (again) disabled Office macros by default for downloaded Office documents, and an RDP account lockout policy is now enforced by default.
Atlassian disclosed three critical CVEs across various Atlassian products. Two are Servlet Filter vulnerabilities: an authentication bypass and XSS (CVE-2022-26136) and a CORS bypass (CVE-2022-26137); the third is a hard-coded password issue (CVE-2022-26138). If you administer or use these Atlassian products, note that the XSS and CORS bypass cases require an attacker to get you to click a link: access the affected application in an isolated web browser and do not browse untrusted sites from it, to minimize the chance of an administrator's or user's session being abused to exploit the Atlassian product.
An advertised, paid password cracker for the DirectLogic PLC exploits CVE-2022-2003 to retrieve the PLC's plaintext password; however, it also comes packaged with the Sality malware. The tool does have its use, but don't simply install unverified applications on your systems. As with any system, maintain a secure "backup" of credentials and contacts, audit your networks, and ensure secure and proper access is maintained.
Russian-backed threat group Turla spoofed a pro-Ukraine domain to distribute Android malware that sends ineffective DoS traffic to a set of Russian sites, possibly diverting a share of would-be DoS participants away from a genuine pro-Ukraine DoS Android app such as 'StopWar'. In general, avoid installing unknown Android applications from unknown sites; they may well include malware that takes over your device and uses its resources to generate malicious traffic, leaks sensitive personal or financial data, or causes other harm.
Patching hiccup for Windows 11
Microsoft recently released KB5015814 for its July Patch Tuesday, and some Windows 11 users ran into problems after installing it. A variety of errors were reported: .NET Framework 3.5 apps not starting, Edge browser dialog pop-ups, and the Start menu not opening. Suggested resolutions are running the "Troubleshooter" that Windows offers automatically, or re-enabling .NET Framework 3.5 and "Windows Communication Foundation". The Known Issue Rollback (KIR) tool also helps. Affected users shared that temporarily disabling Malwarebytes while installing the update, and relaunching it afterwards, helped.
The KB5015814 security update also includes quality improvements, including one concerning PowerShell logging.
Security updates and anti-malware software are essential for securing assets. However, enterprises and end users should also be prepared to handle the occasional software glitch they introduce.
Microsoft's latest security patch troubles Windows 11 users (The Register)
July 12, 2022—KB5015814 (OS Build 22000.795) (Microsoft Support)
Here is some guidance on applying software updates without (hopefully) breaking things:
Keeping devices and software up to date (The National Cyber Security Centre)
NCSC IT: Installing software updates without breaking things (The National Cyber Security Centre)
Office Macro attacks and improvement
Office documents downloaded from the internet now have VBA macros blocked by default, to prevent abuse of embedded macros to deliver malware, for example in email phishing attacks.
"While we (MS) provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access."
HP's Wolf Security threat intelligence group this month wrote about OpenDocument files being used to distribute Windows malware. These documents were sent to marks via email, and if opened, the user would be asked whether fields with references to other files should be updated and if they click "yes," an Excel file is opened and another prompt asks whether macros should be enabled. If the user enables the macros, their systems are infected with the open-source AsyncRAT backdoor nasty.
See the related Microsoft articles on this announcement:
A potentially dangerous macro has been blocked (Microsoft Support)
Macros from the internet will be blocked by default in Office (Microsoft Documentation)
Here is a demonstration of a simulated Office macro attack. Although the sample systems and Office version are old, the experience would be similar.
MS Office Macro Attack (Cobalt Strike)
RDP brute-forcing lockout policy enforced now by default
An account lockout policy is now enforced by default for Remote Desktop Protocol, to prevent attackers from brute-forcing RDP credentials and gaining a foothold in Windows end-user and enterprise environments.
Snippet:
The default policy for Windows 11 builds – specifically, Insider Preview 22528.1000 and newer – will automatically lock accounts for 10 minutes after 10 attempts to sign in fail. Users can tweak this, changing the number of failed sign-in attempts that trigger a lock and how long the account will be locked.
"While there are lots of ways to break into a computer that's connected to the Internet, one of the most popular targets is the Remote Desktop Protocol (RDP), a feature of Microsoft Windows that allows somebody to use it remotely. It's a front door to your computer that can be opened from the Internet by anyone with the right password."
Malwarebytes Labs outlined a number of ways to protect against RDP brute-force attacks, from permanently turning off RDP to using strong passwords, multi-factor authentication, and a VPN, as well as limiting the number of guesses before an account is locked.
Microsoft clamps down on RDP brute-force attacks in Windows 11 (Malwarebytes)
Crowbar is a tool included in Kali Linux for RDP brute forcing: https://www.kali.org/tools/crowbar/
Here is an earlier Microsoft blog post on statistical detection of RDP brute forcing: Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks.
Microsoft closes off two avenues of attack: Office macros, RDP brute-forcing (The Register)
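As an added example (not from this article, Microsoft or Malwarebytes), the following Python replays constructed failed-logon records through a sliding-window model of the default policy quoted above: 10 failed sign-ins lock an account for 10 minutes. The record format, the sample values and the 10-minute reset window for the failure counter are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security event 4625 (failed logon):
# (timestamp, target account, source IP, logon type). Logon type 10 is RemoteInteractive
# (RDP); with Network Level Authentication a failure may show up as type 3 instead.
# IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    [("2022-07-20T09:00:05", "alice", "192.0.2.10", 10),
     ("2022-07-20T09:00:40", "alice", "192.0.2.10", 10)]
    + [("2022-07-20T09:01:%02d" % (i * 4), "svc-backup", "203.0.113.7", 10)
       for i in range(12)]                              # 12 failures in 44 seconds
    + [("2022-07-20T09:30:00", "svc-backup", "203.0.113.7", 10),
       ("2022-07-20T09:45:00", "bob", "198.51.100.9", 3)]
)

DEFAULT_THRESHOLD = 10                    # failed sign-ins before a lock (Windows 11 default)
DEFAULT_LOCKOUT = timedelta(minutes=10)   # how long the account stays locked (default)
DEFAULT_RESET = timedelta(minutes=10)     # assumed: window after which the failure counter resets


def model_lockouts(events, threshold=DEFAULT_THRESHOLD,
                   lockout=DEFAULT_LOCKOUT, reset=DEFAULT_RESET):
    """Replay failed-logon records in time order and return the lockouts the policy
    would produce, counting the attempts that kept hitting each locked account."""
    recent = defaultdict(deque)   # account -> failure timestamps inside the reset window
    sources = defaultdict(set)    # account -> every source IP seen failing against it
    locked_until = {}             # account -> time the current lock expires
    active = {}                   # account -> lockout record still in force
    lockouts = []
    for ts, account, ip, _logon_type in sorted(events):
        t = datetime.fromisoformat(ts)
        sources[account].add(ip)
        if account in locked_until and t < locked_until[account]:
            # Rejected while locked: a source that keeps going is worth its own alert.
            active[account]["attempts_during_lock"] += 1
            continue
        window = recent[account]
        window.append(t)
        while t - window[0] > reset:          # drop failures older than the reset window
            window.popleft()
        if len(window) >= threshold:
            rec = {"account": account, "locked_at": ts,
                   "lock_expires": (t + lockout).isoformat(),
                   "attempts_during_lock": 0, "sources": sorted(sources[account])}
            lockouts.append(rec)
            active[account] = rec
            locked_until[account] = t + lockout
            window.clear()                    # the counter starts over after a lock
    return lockouts
```

The values a given host actually enforces are shown by `net accounts` (lockout threshold, lockout duration and observation window), which is the quick check before relying on this model against real event logs.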
Recent Atlassian Critical CVEs - Servlet Filter vulnerabilities and Hard Coded Password
Servlet Filter vulnerabilities:
1) CVE-2022-26136 is described as an arbitrary Servlet Filter bypass: an attacker can exploit it by sending a specially crafted HTTP request that bypasses custom Servlet Filters used by third-party apps to enforce authentication. This allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. The CVE can also be exploited in a cross-site scripting attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets, so an attacker who can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user's browser.
2) CVE-2022-26137 is a cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions.
Hard Coded Password:
3) CVE-2022-26138 affects Confluence users: one of its apps (Questions for Confluence) has a hard-coded password in place to help migrations to the cloud. A remote, unauthenticated attacker with knowledge of the hard-coded password could use it to log into Confluence and access all content available to members of the confluence-users group.
Atlassian updated the list of affected products in its FAQ document for the first two CVEs. All three CVEs are rated critical per Atlassian's assessment, and updating to a fixed version is recommended.
Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137 (Atlassian Support)
Questions For Confluence Security Advisory 2022-07-20 (Confluence Support)
Atlassian reveals critical flaws in almost everything it makes and touches (The Register)
July 2022: Atlassian Security Advisories Overview (Confluence Support)
Sality Malware distribution via Industrial Controller Password Cracker
Exploiting CVE-2022-2003 on a DirectLogic 06 PLC from Automation Direct (the vendor) retrieves the PLC's forgotten password in plaintext on command. The password cracker for this industrial controller is packaged with Sality, an approximately 20-year-old malware family which, in this iteration, has crypto-mining and password-cracking features.
Sality employs process injection and file infection to maintain persistence on the host. A specific variant includes clipboard-hijacking malware that watches the clipboard for a cryptocurrency address format and, if one is seen, replaces the address with one owned by the threat actor. For detection evasion, it drops a kernel driver and starts a service that identifies potential security products such as antivirus systems or firewalls and terminates them. Systems infected with Sality are observed to have unusually high CPU usage, failing AV updates (the malware blocks them by IP filtering), and multiple Windows Defender alerts.
The advertised, paid password-cracking tool is installed on a Windows machine with a serial COM port connection to the affected PLC and retrieves the plaintext password, but the operator unknowingly installs the Sality malware along with it.
Botnet malware disguises itself as password cracker for industrial controllers (The Register)
The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators (Dragos)
Spoofed App for ineffective DoS attack
Google's Threat Analysis Group (TAG) tracks Turla, a group publicly attributed to Russia's Federal Security Service (FSB). Turla recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment; this is the first known instance of Turla distributing Android-related malware.
The malware-infested Android app in question is CyberAzov, which promises to "help stop Russian aggression against Ukraine" by performing Denial of Service (DoS) attacks against a set of Russian targets.
"The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services. We believe there was no major impact on Android users and that the number of installs was minuscule.
The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the 'DoS' consists only of a single GET request to the target website, not enough to be effective."
Google: Kremlin-backed goons spread Android malware disguised as pro-Ukraine app (The Register)
Continued cyber activity in Eastern Europe observed by TAG (Google)