This week
Critical vulnerability in Outlook
- Russian-linked threat actors have been exploiting a vulnerability in Microsoft Outlook to access government, energy, transport and military targets. It was reported to Microsoft by Ukraine’s Computer Emergency Response Team (CERT). Mandiant says it believes the issue has been exploited for almost a year to gain access to government and critical infrastructure organisations.
- When triggered, the vulnerability (tracked as CVE-2023-23397) causes Outlook to load a file remotely via SMB, which sends the user’s NTLM hash to the attacker’s server. The attacker can then replay the hash to access other resources (mailboxes, files, etc.) protected by NTLM authentication.
- The user doesn’t need to open or interact with the malicious message; it triggers automatically when Outlook receives it. This type of ‘no interaction’ issue is extremely attractive to intelligence agencies and cybercriminals alike.
- The exploit appears to be linked to an attribute specifying the sound to play when a reminder triggers, which, bafflingly, can be set by the sender.
- Microsoft has released a patch, so you should update Outlook (or the whole Office suite) as soon as possible. I’d expect this to be picked up and used by many actors in the coming weeks. For more info on the risk and mitigation options, check out Cydea’s risk advisory.
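As an added, defensive example (not from the newsletter, Cydea or Microsoft), a small Python checker for the property behind the bug. The reminder sound path is stored in the PidLidReminderFileParameter MAPI property of calendar and task items; the checker extracts the host a given value would make Outlook contact and flags any host that is neither on a trusted-server allowlist nor a private address. The allowlist entry and all sample paths are constructed assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed allowlist of the organisation's own file servers (assumption).
TRUSTED_HOSTS = {"fileserver.corp.example"}

# UNC paths Outlook will follow, incl. WebDAV forms \\host@80\... and \\host@SSL@443\...
_UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@SSL)?(?:@\d+)?\\", re.IGNORECASE)
# file://host/path is another way of naming a remote share.
_FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.IGNORECASE)


def remote_host(reminder_path: str) -> Optional[str]:
    """Return the host a reminder sound path would make Outlook contact, else None."""
    for pattern in (_UNC_RE, _FILE_URL_RE):
        match = pattern.match(reminder_path.strip())
        if match:
            return match.group(1).lower()
    return None  # a local drive path such as C:\Windows\Media\Alarm01.wav


def is_internal(host: str) -> bool:
    """Allowlisted names and private/loopback IP addresses count as internal."""
    if host in TRUSTED_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname, not an IP literal
        return False


def assess(reminder_path: str) -> str:
    """Classify one PidLidReminderFileParameter value: 'ok' (local file),
    'internal' (trusted or private host) or 'suspicious' (outside host that
    would receive the user's NTLM response when the reminder fires)."""
    host = remote_host(reminder_path)
    if host is None:
        return "ok"
    return "internal" if is_internal(host) else "suspicious"


if __name__ == "__main__":
    # Constructed sample values, as they might be pulled from calendar items.
    for path in (r"C:\Windows\Media\Alarm01.wav",
                 r"\\10.0.0.5\sounds\chime.wav",
                 r"\\evil-smb.example@80\dav\reminder.wav"):
        print(f"{assess(path):<10} {path}")
```

In a real sweep the values would come from mailbox items via EWS or Graph; the classification logic is the part worth keeping.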
Interesting stats
$3.31 billion reported losses from investment scams in 2022, including $2.57 billion from cryptocurrency investment scams (including pig butchering scams), exceeding the $2.74 billion of losses from Business Email Compromise (BEC) scams in the same period, according to the FBI’s Internet Crime Complaint Center (IC3) (PDF). By comparison, just $34.35 million was lost to ransomware (though this does not include business disruption or remediation costs).
$7,500 claimable by customers of healthcare group Orlando Family Physicians who had their social security numbers stolen in a 2021 data breach, under the settlement of a class-action lawsuit.
Other newsy bits
- The ALPHV ransomware gang has claimed to have conducted a successful attack against Amazon’s Ring doorbell division. A spokesperson for Ring told Motherboard, “We currently have no indications that Ring has experienced a ransomware event.” The incident may have occurred at a third party that processes data on Ring’s behalf; the vendor reportedly does not have access to customer data.
- New UK security authority: The UK government has announced the creation of the National Protective Security Authority (NPSA). Part of the Security Service, MI5, the new body will be the UK’s technical authority on physical and personnel protective security, replacing and extending the remit previously held by the Centre for the Protection of National Infrastructure (CPNI), with a mandate to combat hostile actors trying to steal intellectual property from UK institutions.
- TikTok: The UK government has banned the use of TikTok on official devices as a ‘precautionary measure’ to prevent spying. Meanwhile, the US Department of Justice is investigating TikTok-owner ByteDance over claims the company tracked journalists to identify who was leaking stories about the social media company.
- Kali: Offensive Security has released an update to the popular Kali Linux distribution, including, for the first time, Kali Purple, an edition specifically aimed at blue and purple team defenders.
- Phishing kits: A good write-up from Dan Goodin on how ‘attacker in the middle’ phishing kits on sale are defeating MFA by intercepting time-based one-time passcodes.
- Adobe Sign abuse: Cybercriminals are abusing Adobe’s e-signature product to distribute malware, according to researchers at Avast. Free trials of the software allow criminals to link to documents that redirect the user to malicious payloads, including the ‘Redline’ info-stealer. The messages often get past phishing controls because they come from a legitimate service and contain no malicious content themselves.
- BianLian: The ransomware group BianLian is moving away from encrypting data to focus on extorting funds by threatening to release sensitive data, according to Redacted.
- Emotet: The powerful Emotet malware is being distributed using Microsoft OneNote attachments to circumvent defences.
- Samsung chip vulnerability: Google’s Project Zero has found a severe vulnerability in Samsung’s Exynos modem chips. The vulnerability allows attackers to silently compromise Android devices that use the chips, without requiring any user interaction. Until a patch is available, Google advises users to disable their phones’ Wi-Fi Calling and VoLTE capabilities. Affected devices include many of Samsung’s S-, M- and A-series handsets, plus devices from other manufacturers, including Google (which has released a patch for its Pixel 6 and Pixel 7 devices). The chips also appear in some automotive applications.
- SAP vulnerabilities: SAP has released patches for nineteen vulnerabilities, including five rated ‘critical’, in its Business Objects and NetWeaver products. The vulnerabilities variously disclose privileged information, allow system files to be overwritten, and allow arbitrary command execution.
- Do loose prompts sink ships? NCSC guidance reminds readers that the inputs you provide to artificial intelligence models like ChatGPT will be visible to the company in question and may be used in line with its terms and privacy policy (though none do so automatically at the time of writing).
- Healthcare data breach: Miami-based healthcare provider Independent Living Systems (ILS) has notified 4.2 million customers that it suffered a data breach in July 2022. Identifying the affected individuals — whose names, social security numbers, taxpayer IDs, health insurance and medical data were accessed — took six months.
- US federal agency compromised: Nation-state-backed attackers used a vulnerability in Telerik — a toolkit for building user interfaces — to gain access to an unnamed US federal agency. The vulnerability went unpatched for four years because the tool was installed in a non-standard directory, which the organisation’s vulnerability management tooling therefore didn’t scan.
- Anker lawsuit: A case has been brought against Anker for misrepresenting the practices of its Eufy doorbell and other camera devices. The devices were sold as local-only but were found (vol. 5, iss. 49) to be transmitting thumbnails and facial recognition identifiers to Anker’s cloud environment. The identifiers were not unique across different users’ accounts.
- SEC cyber regulation: The US Securities and Exchange Commission (SEC) is proposing new rules that would require financial services firms to report cyber intrusions within 48 hours. Some institutions would also have to test their policies and procedures annually to confirm they are effective.
- Doxxing: Two men have been convicted for breaking into a US Drug Enforcement Agency (DEA) portal that provides access to sixteen other federal databases. The men were part of a group called ‘ViLE’ whose tactics include spoofing emergency data requests to social media companies to gain leverage over, and extort, victims.
And finally
- Crypto mixer shutdown: Germany, the United States and Europol have taken down the cryptocurrency mixer ChipMixer, seizing €44 million in cryptocurrency and 7TB of data. The service allegedly laundered €2.73 billion of cryptocurrency for ransomware gangs, scammers, and North Korea’s Lazarus group.