Robin’s Newsletter #207

5 June 2022. Volume 5, Issue 23
Zero-day vulnerabilities in Office/Windows and Confluence. New ransomware tactics. US federal privacy law moves a step closer.

This week

Follina vulnerability in Office works with macros disabled

Malicious documents can use the remote template feature of Word documents to launch the Microsoft Support Diagnostic Tool (MSDT) and execute arbitrary code. MSDT registers a URL protocol handler (the ms-msdt: scheme) so that the operating system and web pages can open help on specific topics, and that handler fires even when macros and other active content are disabled. The user doesn’t need to complete any secondary action, such as clicking on a link or enabling/running a macro: opening the document is enough.

It appears that nation-state actors linked to China may have been using the technique for months.

Microsoft was initially slow to acknowledge the vulnerability, CVE-2022-30190 aka Follina, and now recommends disabling the MSDT URL protocol handler by deleting its registry key (HKEY_CLASSES_ROOT\ms-msdt) after exporting it first. This will break support links baked into the operating system; however, the action is reversible by re-importing the exported key once a fix ships.

For Rich Text Format (RTF) files, even rendering the preview in the Windows Explorer preview pane will trigger the code, so expect a rise in malicious attachments from attackers seeking to make hay before Microsoft fixes the issue.
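Because the lure here is a document rather than a macro, mail-gateway and triage scripts need to look at the package itself. The following is an added example (not code from the newsletter or from Microsoft) of a small Python triage that flags two things described above: a .docx whose settings.xml.rels pulls its template from an external URL, and any document (including RTF) that contains the ms-msdt: scheme string. The relationship type URI and package namespace are the standard OOXML ones; the sample document it builds is constructed inline for the demonstration and carries no payload.

```python
"""Triage Office documents for remote-template and ms-msdt: indicators.

Added example: not the newsletter's own code. The sample .docx built by
build_sample_docx() is constructed here purely to exercise the checks.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Standard OOXML identifiers for "this document's template lives elsewhere".
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# The MSDT protocol handler scheme the lure hands to Windows.
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_templates(docx_bytes):
    """Return (rels_part, target) for every externally-hosted attachedTemplate."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "").lower() == "external"):
                    hits.append((name, rel.get("Target")))
    return hits


def mentions_msdt(data):
    """True if the raw bytes contain the ms-msdt: scheme anywhere."""
    return bool(MSDT_SCHEME.search(data))


def triage(data):
    """Return a list of human-readable findings for one file's bytes.

    OOXML (.docx) is a zip archive starting with the PK signature; anything
    else (RTF starts with '{\\rtf1') is scanned as a flat byte string.
    """
    findings = []
    if data[:4] == b"PK\x03\x04":
        for part, target in external_templates(data):
            findings.append(f"remote template in {part}: {target}")
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            for name in pkg.namelist():
                if mentions_msdt(pkg.read(name)):
                    findings.append(f"ms-msdt: scheme in {name}")
    elif mentions_msdt(data):
        findings.append("ms-msdt: scheme in document body")
    return findings


def build_sample_docx(template_target, external=True):
    """Constructed minimal .docx whose settings part references a template.

    With external=True the template is fetched from a URL at open time; with
    external=False it is an ordinary in-package reference and is benign.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/settings.xml", "<w:settings/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx("http://example.invalid/template.html")
    for line in triage(suspicious):
        print("FLAG:", line)
    print("benign:", triage(build_sample_docx("Normal.dotm", external=False)))
```

A remote template is not malicious on its own (corporate templates are sometimes served from a share or intranet URL), so treat the external-template finding as a reason to detonate or quarantine the file rather than a verdict; the ms-msdt: string is the stronger signal.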

Interesting stats

  • Only 36% of manufacturing groups have given a board member direct responsibility for cyber security, or report on it to the board every year, despite rising cyber-attacks against the sector, according to research from the FT’s Longitude group

  • 92.5 hours was the average time from initial access to ransomware payload deployment during 2021, according to IBM

  • 30% of 1,000 cyber security professionals surveyed by Trellix are planning to leave the profession in the next two years

Other newsy bits

  • An unauthenticated, remote code execution zero-day vulnerability (CVE-2022-26134) in Atlassian’s Confluence Server and Confluence Data Center products led to a ‘feeding frenzy’ amongst cyber-criminals seeking to exploit the issue before the patch is widely deployed.

  • Having declared a state of emergency, Costa Rica is facing more ransomware disruption as the Hive group has attacked the country’s social security agency and affected public health services. AdvIntel has linked the Hive attack to a splinter group of Conti members following Conti’s ‘shutdown’ (vol. 5, iss. 21).

  • US Cyber Command chief, General Paul Nakasone, has confirmed that the US has “conducted a series of operations” to support Ukraine. The confirmation of offensive, defensive and information operations shouldn’t really come as a surprise, though it is a little unusual for them to be publicly acknowledged. The acknowledgement is, presumably, part of wider signalling that the US is not afraid to use offensive capabilities against other states, such as China, where tensions are heightened around Taiwan.

  • The city of Portland in Oregon, USA is investigating the compromise of an email account and fraudulent transaction of $1.4 million.

  • Vodafone is trialling ‘carrier-level’ personal identifiers to bypass cookie and other tracking restrictions and allow advertisers to target ads at users in Germany.

  • The Tim Hortons app tracked users’ location “every few minutes of every day” according to an investigation by Canada’s privacy commissioner. The investigation found that the app misled people into thinking their location would only be accessed while using the app. The practices, which included tracking when customers visited competitors’ store locations, were ceased in 2020, and the company says the data was only ever used on an “aggregated, de-identified basis to study trends in our business.” No financial penalty has been proposed.

  • A federal privacy bill is a step closer for US citizens after compromises were reached on the draft American Data Privacy and Protection Act.

Three ransomware related developments:

  • Mandiant says the Russian cybercrime group Evil Corp is evading sanctions by using ‘off the shelf’ ransomware-as-a-service tooling to continue its business.

  • The Conti ransomware group was investigating Intel’s Management Engine, looking for vulnerabilities in the out-of-band management system that would allow for greater persistence on affected computers, according to Eclypsium.

  • It’s been a while since we’ve seen some website defacement, and I don’t think I’ve come across this as a tactic before: the ‘Industrial Spy’ group defaced the company website of a victim to post the ransom note for an accompanying ransomware attack.

And finally

Congrats James, Alastair and the Digital Shadows team

  • Threat intelligence firm Digital Shadows is to be acquired by detection and response company ReliaQuest for $160 million. The deal will see improved threat intel being surfaced within ReliaQuest’s OpenXDR-based GreyMatter platform. I worked with James and Alastair at Detica/BAE Systems and a few other colleagues have joined them, so massive congratulations to the whole team! 🥳
