F5 SIRT This Week in Security: Follina Zero Day, Karakurt, Agent Tesla RAT and more

DevCentral is very proud to present the new This Week in Security (TWIS) series written by the F5 Security Incident Response Team (SIRT). Each week, TWIS articles will cover the latest in Security news and vulnerabilities from the previous weeks.

This week, covering May 29 - June 4, Arvin Anselmo Peruda Fopalan is your editor covering "Vulnerabilities, Patching and Risk", "Follina Zero Day", "CISA and FBI Advisory on Karakurt" and "Agent Tesla RAT still striking."

Vulnerabilities are constantly being discovered and disclosed and it’s important for organizations to keep up and address them. In general, maintain good patching practices to address vulnerabilities, secure access to systems (network devices, workloads, etc..) - allow only trusted users and networks, harden authentication and authorization to systems. The more hurdles we place will likely deter attempts of exploitation, however, it’s only a matter of time before these bad actors find another gap. Thus, continuous improvement in our security practice is key.  


Vulnerabilities, Patching and Risk

From what I gather on this article, if the vulnerable software is not loaded into memory, it's not exploitable and somehow, less risky. Vulnerabilities that are actually exploitable needs to be addressed - makes sense, but, mostly not satisfactory for secure environments or even enterprise environments where government mandates vulnerabilities are fixed/patched/mitigated, especially the critical ones. Also, different organizations have varying risk appetites and procedures addressing vulnerabilities.

Having a Software Bill of Materials from a vendor and also use of automated tools, some typically used in DevOps , will help organizations assess their risks to vulnerabilities.

That critical vulnerability might not be the first you should patch. 

Additional Resources:


Follina Zero Day

A MS Office zero-day vulnerability dubbed "Follina" uses Office functionality to retrieve a HTML file which in turn makes use of the Microsoft Support Diagnostic Tool (MSDT) to run some code even when macros are disabled. This is now tracked as CVE-2022-30190 as it was initially not considered a vulnerability.

The vulnerability may allow further escalation of privilege when exploited and it manifests when Microsoft Support Diagnostic Tool (MSDT) runs a potentially malicious file thru email phishing attachments.

Zero-day vuln in Microsoft Office: 'Follina' will work even when macros are disabled

Additional Resources:


CISA and FBI Advisory on Karakurt

Ransomware gang Karakurt have been devastating organizations by holding hostage the victim organizations stolen data and raking in ransom, as high as 13M USD worth of bitcoin. Other M.O. of this gang is buying already stolen data and then extorting and harassing victims.

Joint advisory from CISA and FBI details Karakurt's activities and provided these mitigations:

Actions to take today to mitigate cyber threats from ransomware:

  • Prioritize patching known exploited vulnerabilities.
  • Train users to recognize and report phishing attempts.
  • Enforce multifactor authentication.

FBI, CISA: Don't get caught in Karakurt's extortion web

Additional Resources:


Agent Tesla RAT still striking

Suspects arrested 'Killer Bee' operation in Lagos and Nigeria by Interpol used the Agent Tesla RAT (remote access trojan) malware which was delivered thru phishing emails. Once backdoored systems are accessed, the RAT was used to reroute financial transactions and steal corporate credentials. Corporations targeted by these scammers included oil and gas companies in Southeast Asia, the Middle East, and North Africa. 

In the past year, Agent Tesla RAT was being used by scammers during the height of Covid-19 pandemic.  

Cops' Killer Bee stings credential-stealing scammer

Additional Resources:

Cops' Killer Bee stings credential-stealing scammer - The Register

Updated Sep 08, 2022
Version 4.0

Was this article helpful?

No CommentsBe the first to comment