Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Intern).
Top stories – 11 August 2023
- EvilProxy fuels surge in successful cloud account takeovers
- Microsoft releases patches for 74 vulnerabilities in August updates
- Windows Defender vulnerability demonstrated: Threat of malware injection and system disruption
- Intel’s Downfall vulnerability exposes data theft risk across multiple processors
- Threat actors exploit Cloudflare Tunnels for stealthy attacks
EvilProxy fuels surge in successful cloud account takeovers
- EvilProxy, a phishing-as-a-service platform, is being used against MFA-protected Microsoft 365 accounts. Proofpoint observed roughly 120,000 phishing emails and a high rate of successful takeovers of executive accounts, with brand impersonation, bot-detection evasion and open redirects used to get past filters.
- It places a reverse proxy between the victim and the real login page, capturing the credentials and the post-MFA session cookie, so MFA is completed by the victim and then bypassed by the attacker. It is sold for around $400 a month and covers several major identity providers.
- A campaign running since March 2023 impersonated Adobe, DocuSign and Concur and concentrated on C-level executives. Countermeasures: user awareness, tighter email filtering, and phishing-resistant FIDO-based hardware keys.
The phishing-as-a-service platform EvilProxy is rapidly becoming a significant threat to Microsoft 365 accounts protected by multi-factor authentication (MFA). Research by Proofpoint reports a surge in successful cloud account takeovers: over 120,000 phishing emails were sent to hundreds of organisations, aimed primarily at high-ranking executives. The campaigns operate at scale and rely on brand impersonation, bot-detection evasion (so that security scanners never reach the final page) and open redirects on legitimate websites to get links past filters.
EvilProxy works as a reverse proxy. The victim’s browser talks to the phishing site, which relays every request, including the password and the MFA response, to the real Microsoft login page in real time. Because the victim genuinely completes MFA, the identity provider issues a valid session cookie, and the proxy captures it. Replaying that cookie gives the attacker an authenticated session without any further MFA prompt, so MFA is satisfied rather than broken. The platform is sold to cybercriminals for around $400 per month and supports targeting accounts on several major platforms.
Recent activity includes a campaign running since March 2023 that used EvilProxy to send emails posing as trusted brands such as Adobe, DocuSign and Concur. Victims are bounced through several redirects to obscure the trail before landing on a convincing EvilProxy page that mimics the Microsoft 365 login.
A notable feature is the deliberate focus on “VIP” targets: C-level executives, CEOs, vice presidents and CFOs made up a significant share of the breached accounts. Once in, the attackers establish persistence by registering their own MFA methods on the compromised Microsoft 365 account, so they keep access after the stolen session expires.
To counter EvilProxy and similar reverse-proxy phishing kits, organisations are advised to raise security awareness, tighten email filtering rules, and consider FIDO-based hardware security keys. FIDO credentials are bound to the origin of the legitimate login page, so a proxy on a look-alike domain cannot obtain an assertion that the real identity provider will accept.
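One way a SOC can hunt for the session-replay pattern described above, as an added example in Python (this is not Proofpoint’s detection logic): the sign-in and audit records are constructed and only loosely modelled on Entra ID field names and values, the one-hour window is an assumption, and the two rules are (1) a successful sign-in whose MFA was satisfied by a claim already in the token, from an IP that never completed a fresh MFA prompt for that user, and (2) any first-ever sign-in from an IP that is followed within the window by a new MFA method being registered from that same IP.

```python
"""Hunt for replayed post-MFA sessions followed by MFA-method registration.
Added example for this roundup, not Proofpoint's detection logic.  The event
records are constructed and loosely modelled on Entra ID sign-in/audit fields."""
from collections import defaultdict
from datetime import datetime, timedelta

TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"   # no fresh MFA prompt
FRESH_MFA = "MFA completed in Azure AD"
REGISTER_MFA = "User registered security info"
WINDOW = timedelta(minutes=60)                                      # assumed threshold

# Constructed sample events (not real logs). 'kind' is "signin" or "audit".
EVENTS = [
    # Normal baseline: CFO signs in from the office with a fresh MFA prompt.
    {"ts": "2023-08-01T08:02:00Z", "kind": "signin", "user": "cfo@example.com",
     "ip": "203.0.113.10", "result": "success", "mfa": FRESH_MFA},
    {"ts": "2023-08-02T08:05:00Z", "kind": "signin", "user": "cfo@example.com",
     "ip": "203.0.113.10", "result": "success", "mfa": FRESH_MFA},
    # Phish: the reverse proxy relays the CFO's password and MFA code, so the IdP
    # sees a fresh, successful MFA, but from the proxy's IP rather than the user's.
    {"ts": "2023-08-03T09:10:00Z", "kind": "signin", "user": "cfo@example.com",
     "ip": "192.0.2.55", "result": "success", "mfa": FRESH_MFA},
    # Replay: the stolen cookie is used from a third IP; MFA is satisfied by the token.
    {"ts": "2023-08-03T09:12:00Z", "kind": "signin", "user": "cfo@example.com",
     "ip": "198.51.100.77", "result": "success", "mfa": TOKEN_CLAIM},
    # Persistence: the attacker enrols their own authenticator.
    {"ts": "2023-08-03T09:25:00Z", "kind": "audit", "user": "cfo@example.com",
     "ip": "198.51.100.77", "activity": REGISTER_MFA},
    # Benign: CEO's token refresh from an IP that already did fresh MFA must not fire.
    {"ts": "2023-08-03T11:00:00Z", "kind": "signin", "user": "ceo@example.com",
     "ip": "203.0.113.20", "result": "success", "mfa": FRESH_MFA},
    {"ts": "2023-08-04T11:00:00Z", "kind": "signin", "user": "ceo@example.com",
     "ip": "203.0.113.20", "result": "success", "mfa": TOKEN_CLAIM},
    # Ambiguous: first-ever sign-in from an IP, then a new MFA method minutes later.
    {"ts": "2023-08-05T14:00:00Z", "kind": "signin", "user": "vp@example.com",
     "ip": "192.0.2.99", "result": "success", "mfa": FRESH_MFA},
    {"ts": "2023-08-05T14:09:00Z", "kind": "audit", "user": "vp@example.com",
     "ip": "192.0.2.99", "activity": REGISTER_MFA},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_aitm(events, window=WINDOW):
    """Return alerts for sessions consistent with a stolen cookie being replayed."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    registrations = [e for e in events
                     if e["kind"] == "audit" and e.get("activity") == REGISTER_MFA]
    known_ips = defaultdict(set)   # per user: IPs seen in earlier successful sign-ins
    alerts = []
    for e in events:
        if e["kind"] != "signin" or e["result"] != "success":
            continue
        user, ip, t = e["user"], e["ip"], parse_ts(e["ts"])
        new_ip = ip not in known_ips[user]
        # Did the same actor add an MFA method from this IP shortly after signing in?
        enrolled = any(r["user"] == user and r["ip"] == ip
                       and t <= parse_ts(r["ts"]) <= t + window for r in registrations)
        if new_ip and e["mfa"] == TOKEN_CLAIM:
            # A session that never passed a fresh MFA prompt from this IP: cookie replay.
            alerts.append({"user": user, "ip": ip, "ts": e["ts"],
                           "severity": "high" if enrolled else "medium",
                           "reason": "MFA satisfied by token from never-seen IP"
                                     + (", then new MFA method registered" if enrolled else "")})
        elif new_ip and enrolled:
            # Catches replay from the proxy's own IP, where the baseline is poisoned.
            alerts.append({"user": user, "ip": ip, "ts": e["ts"], "severity": "medium",
                           "reason": "first sign-in from IP followed by MFA method registration"})
        known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm(EVENTS):
        print(alert)
```

The second rule exists because the proxied sign-in itself arrives from the proxy’s IP with a genuinely fresh MFA; if the attacker then replays the cookie from that same IP, the first rule is blind and only the correlation with the security-info registration recovers the case. Travelling users will trip the medium-severity path, so it is a triage queue, not an auto-block.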
Microsoft releases patches for 74 vulnerabilities in August updates
- Microsoft’s August 2023 Patch Tuesday tackles 74 vulnerabilities, down from the prior month’s 132, with 6 Critical, 67 Important, and 1 Moderate severity issues.
- The already-exploited Microsoft Office flaw (CVE-2023-36884) used by the RomCom group against targets in Ukraine receives a fix, and two defence-in-depth advisories are published.
- Affected products range across Microsoft services, including Exchange Server, where exploitation needs an adjacent network position and valid credentials. Prompt patching is recommended regardless.
Microsoft’s August 2023 Patch Tuesday addresses 74 vulnerabilities, down from 132 in July: six rated Critical, 67 Important and one Moderate. The already-exploited Microsoft Office remote code execution flaw (CVE-2023-36884), used by the RomCom threat group against targets in Ukraine and previously covered only by mitigation guidance, now receives a fix. Two defence-in-depth updates are also released, for Microsoft Office (ADV230003) and the Memory Integrity System Readiness Scan Tool (ADV230004).
Patched components span Microsoft Message Queuing, Microsoft Teams, the Azure Apache services, Azure DevOps Server and the .NET Framework. Three remote code execution vulnerabilities in Exchange Server (CVE-2023-35388, CVE-2023-38182, CVE-2023-38185) are notable, although exploiting them requires an adjacent network position and valid Exchange credentials.
A .NET and Visual Studio denial-of-service flaw (CVE-2023-38180) that Microsoft lists as already exploited is also fixed. Five privilege escalation flaws in the Windows Kernel (CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, CVE-2023-38154) are patched; each lets a local attacker gain SYSTEM privileges.
Microsoft rates several of the bugs “Exploitation More Likely”, though the need for adjacent access and valid credentials narrows the realistic attack surface for some of them. Prompt patching and the usual hardening measures are recommended.
Windows Defender vulnerability demonstrated: Threat of malware injection and system disruption
- A Windows Defender flaw (CVE-2023-24934), patched by Microsoft in April 2023 and detailed by SafeBreach at Black Hat USA 2023, allowed unprivileged users to manipulate signature updates to inject malware, delete benign files or disrupt the product.
- Inspired by the 2012 Flame campaign’s abuse of Windows Update, SafeBreach demonstrated the attack with an automated tool, wd-pretender.
- The research highlights how fragile signature-update pipelines can be, underlining the need for stronger validation of update contents and ongoing vigilance.
A flaw in Windows Defender’s signature-update process, tracked as CVE-2023-24934, was patched by Microsoft in April 2023; SafeBreach presented the underlying research at Black Hat USA 2023 this month. The vulnerability allowed an unprivileged user to tamper with the update process and thereby smuggle malware past the scanner, have benign files deleted as false positives, or cause denial of service. The researchers built an automated tool, wd-pretender, to demonstrate these attack paths.
The investigation was inspired by the 2012 Flame cyberespionage campaign, which hijacked the Windows Update mechanism using a forged Microsoft certificate. SafeBreach set out to achieve a comparable takeover of Windows Defender without such complex techniques, focusing on what an unprivileged user could do to the signature-update process.
Signature updates ship as the Microsoft Protection Antimalware Front End package (MPAM-FE.exe). Inside are VDM files holding the malware signatures: “Base” files carry the full signature database and “Delta” files carry incremental changes that Defender merges into the base. Attempts to replace files inside the signed MPAM package were blocked, but modifying the contents of the normally Microsoft-signed VDM files was not caught, which allowed the update process to be hijacked.
The research spotlights the signature-update path as an attack surface and prompts closer examination of how such updates are validated. Although Microsoft digitally signs the update files, the flaw showed gaps in the validation applied to what is actually loaded, underlining the need for continued scrutiny of trusted update mechanisms against evolving attack vectors.
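To show the class of weakness at stake, here is an added toy model in Python of a signed definition package with a base/delta merge. It illustrates “verify the package at install time, then trust whatever is on disk at load time”; it is not SafeBreach’s technique and not Defender’s real VDM format. HMAC stands in for the vendor’s code signing, the file names are invented, and the unprivileged write to the staged delta is a hypothetical stand-in for however the real tampering was achieved.

```python
"""Toy model of a signed definition-update pipeline with a base/delta merge.
Added illustration of a weakness class (the artefact loaded is not the one whose
signature was checked).  NOT SafeBreach's technique or Defender's VDM format;
HMAC stands in for the vendor's code signing."""
import hashlib
import hmac
import json

VENDOR_KEY = b"hypothetical-vendor-signing-key"   # stand-in for a code-signing key


def sign(blob: bytes) -> str:
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).hexdigest()


def verify(blob: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(blob), sig)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- vendor side: a signed manifest covers the base DB and the delta -------------
def build_package(base_sigs, delta):
    members = {"base.vdm": json.dumps(base_sigs).encode(),
               "delta.vdm": json.dumps(delta).encode()}
    manifest = json.dumps({n: sha256(b) for n, b in members.items()}, sort_keys=True).encode()
    return {"members": members, "manifest": manifest, "sig": sign(manifest)}


# --- client side -----------------------------------------------------------------
def install(package, disk):
    """Verify the package once, then drop its members onto 'disk' (a dict here)."""
    if not verify(package["manifest"], package["sig"]):
        raise ValueError("package signature invalid")
    manifest = json.loads(package["manifest"])
    for name, blob in package["members"].items():
        if sha256(blob) != manifest[name]:
            raise ValueError(f"{name} does not match signed manifest")
        disk[name] = blob
    disk["manifest.json"], disk["manifest.sig"] = package["manifest"], package["sig"]


def merge(base_sigs, delta):
    """Apply a delta (adds/removes) to the base signature set."""
    merged = dict(base_sigs)
    merged.update(delta.get("add", {}))
    for name in delta.get("remove", []):
        merged.pop(name, None)
    return merged


def load_unsafe(disk):
    """Flaw: trusts the staged files because 'they were verified at install'."""
    return merge(json.loads(disk["base.vdm"]), json.loads(disk["delta.vdm"]))


def load_safe(disk):
    """Fix: re-check every member against the signed manifest at load time."""
    if not verify(disk["manifest.json"], disk["manifest.sig"]):
        raise ValueError("manifest signature invalid")
    manifest = json.loads(disk["manifest.json"])
    for name in ("base.vdm", "delta.vdm"):
        if sha256(disk[name]) != manifest[name]:
            raise ValueError(f"{name} tampered after install")
    return load_unsafe(disk)


def scan(files, sigs):
    """Names of files whose hash matches any signature entry (would be quarantined)."""
    wanted = set(sigs.values())
    return sorted(name for name, data in files.items() if sha256(data) in wanted)


# --- demo: constructed samples, not real malware --------------------------------
MALWARE = b"constructed malware sample"
BENIGN = b"constructed business document"
FILES = {"payroll.xlsx": BENIGN, "dropper.exe": MALWARE}


def demo():
    pkg = build_package({"Trojan:Win32/Demo": sha256(MALWARE)}, {"add": {}, "remove": []})
    disk = {}
    install(pkg, disk)
    # Hypothetical unprivileged write to the staged delta: stop detecting the real
    # malware and start "detecting" the benign document (injection + false positive).
    disk["delta.vdm"] = json.dumps({"add": {"Fake:Benign": sha256(BENIGN)},
                                    "remove": ["Trojan:Win32/Demo"]}).encode()
    unsafe_hits = scan(FILES, load_unsafe(disk))        # benign file flagged, malware missed
    try:
        load_safe(disk)
        safe_result = "loaded"
    except ValueError as exc:
        safe_result = str(exc)
    return unsafe_hits, safe_result


if __name__ == "__main__":
    print(demo())
```

The point is the ordering: a signature check is only as good as the binding between the bytes it covered and the bytes the engine eventually parses. Any window in which a lower-privileged principal can alter the staged files, or in which a merge produces output that is never itself validated, reopens the gap the package signature was meant to close.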
Intel’s Downfall vulnerability exposes data theft risk across multiple processors
- The “Downfall” vulnerability (CVE-2022-40982) affects Intel processors based on the Skylake through Ice Lake microarchitectures and lets an attacker abuse the gather instruction to steal sensitive data.
- Google’s Daniel Moghimi devised two attack techniques, Gather Data Sampling (GDS) and Gather Value Injection (GVI), that leak data across process, virtual machine and SGX enclave boundaries.
- Intel has released microcode updates, but risk remains given the number of affected CPUs and the fact that any local code, such as malware, can attempt the attack. A complete fix is expected to require hardware changes.
A newly disclosed vulnerability called “Downfall”, tracked as CVE-2022-40982, was discovered by a Google senior research scientist. It affects several Intel processor families based on the Skylake through Ice Lake microarchitectures. Classified as a transient execution side channel, it can let an attacker steal passwords, encryption keys and private data such as emails and banking details from other users sharing the same machine.
Downfall abuses the gather instruction, which during speculative execution leaks stale contents of the internal vector register file shared by code running on the same physical core. The leaked data can include secrets held inside Intel Software Guard eXtensions (SGX) enclaves, the hardware-isolated environment that even the operating system cannot read.
The Google researcher, Daniel Moghimi, devised two techniques, both built on gather: Gather Data Sampling (GDS), which was shown stealing AES keys from a separate virtual machine, and Gather Value Injection (GVI), which combines GDS with the earlier Load Value Injection (LVI) technique so that attacker-chosen values are injected into the victim’s speculative execution rather than merely observed.
Intel’s microcode update mitigates the issue, but concerns remain. The flaw affects processors based on the Skylake through Ice Lake microarchitectures, which covers many client and server CPU families. Exploitation requires attacker code to run on the same physical core as the victim, but that is something any local program, including malware or a co-tenant virtual machine, can arrange.
Intel has published threat-assessment and performance-impact information so users can weigh the mitigation against its cost, alongside the microcode update itself. Microcode and software mitigations are regarded as a stopgap, however, and eliminating the root cause is expected to require changes to the hardware design.
Threat actors exploit Cloudflare Tunnels for stealthy attacks
- Cyber attackers are exploiting Cloudflare Tunnels for stealthy HTTPS connections, evading firewalls and maintaining persistence.
- GuidePoint’s teams have confronted such attacks involving Cloudflare Tunnels, used for data theft and remote access.
- To counter the threat, monitor for unauthorised tunnel use by tracking DNS queries for Cloudflare tunnel domains and outbound traffic on the non-standard port 7844; legitimate Cloudflare customers can additionally restrict their services to approved data centres and alert on tunnels that connect elsewhere.
Cyber threat actors are adopting new tactics to breach networks and evade traditional security controls. Increasingly they are using Cloudflare Tunnels, which give them stealthy HTTPS connections that pass through firewalls and provide long-term persistence. GuidePoint’s DFIR and GRIT teams have handled recent engagements in which attackers used Cloudflare Tunnels for data theft and remote access to compromised devices.
Cloudflare Tunnels work by having the cloudflared client open an outbound connection over HTTPS to Cloudflare’s edge servers; because no inbound port has to be opened, perimeter firewall rules are not tripped. The client runs on Linux, Windows, macOS and Docker. The operator decides from the Cloudflare side which internal services the tunnel exposes, so an attacker who plants the client with their own tunnel token can change the configuration in real time: enabling RDP, for example, to collect data and then disabling it again to minimise detectable activity.
To defend against this, organisations are advised to hunt for unauthorised tunnel use by tracking DNS queries for Cloudflare tunnel domains and outbound connections on the non-standard port 7844. Because the cloudflared client must be installed on the host, matching file hashes against known cloudflared releases also helps, bearing in mind that the binary can be renamed. Organisations that use Cloudflare legitimately can restrict their services to chosen data centres and then alert on cloudflared tunnels connecting anywhere else.
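An added example in Python (not GuidePoint’s tooling) that applies the three indicators above to constructed DNS, network and process records and scores each host. The key=value log format is made up for the example; the domains are cloudflared’s documented control-plane names (argotunnel.com, trycloudflare.com), port 7844 is the one named above, and the AUTHORISED_HOSTS allow list is a hypothetical stand-in for an organisation’s approved tunnel endpoints. The process rule deliberately keys on the command line as well as the binary name, since an attacker can rename cloudflared.

```python
"""Score hosts for cloudflared tunnel use from DNS, network and process telemetry.
Added example; log lines are constructed key=value records, not a product format."""
import re
from collections import defaultdict

TUNNEL_DOMAINS = ("argotunnel.com", "trycloudflare.com")  # cloudflared control/edge names
TUNNEL_PORT = 7844                                         # non-standard edge port
AUTHORISED_HOSTS = {"BASTION-01"}                          # hypothetical approved tunnel hosts

# Constructed telemetry: "<ts> host=<name> type=<dns|net|proc> key=value ..."
LOGS = r"""
2023-08-07T10:01:00Z host=WS-042 type=proc image="C:\Users\j\AppData\Local\Temp\svc.exe" cmdline="svc.exe tunnel run --token REDACTED"
2023-08-07T10:01:02Z host=WS-042 type=dns query=region1.v2.argotunnel.com
2023-08-07T10:01:03Z host=WS-042 type=net dst=203.0.113.5 dport=7844 proto=udp
2023-08-07T10:05:00Z host=BASTION-01 type=proc image="/usr/local/bin/cloudflared" cmdline="cloudflared tunnel run corp-tunnel"
2023-08-07T10:05:01Z host=BASTION-01 type=dns query=region2.v2.argotunnel.com
2023-08-07T10:05:02Z host=BASTION-01 type=net dst=203.0.113.6 dport=7844 proto=tcp
2023-08-07T10:07:00Z host=WS-017 type=dns query=www.cloudflare.com
2023-08-07T10:07:01Z host=WS-017 type=net dst=203.0.113.7 dport=443 proto=tcp
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one record into a dict; quoted values may contain spaces and backslashes."""
    ts, rest = line.split(" ", 1)
    rec = {"ts": ts}
    for key, val in KV.findall(rest):
        rec[key] = val.strip('"')
    return rec


def is_tunnel_domain(query):
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS)


def looks_like_cloudflared(image, cmdline):
    """Match the binary by name, or by its command line if it has been renamed."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.startswith("cloudflared") or (" tunnel run" in cmdline and "--token" in cmdline)


def score_hosts(logs):
    findings = defaultdict(list)
    for line in filter(None, logs.splitlines()):
        r = parse(line)
        host = r["host"]
        if r["type"] == "dns" and is_tunnel_domain(r["query"]):
            findings[host].append(f"DNS lookup of {r['query']}")
        elif r["type"] == "net" and int(r["dport"]) == TUNNEL_PORT:
            findings[host].append(f"outbound {r['proto']}/{r['dport']} to {r['dst']}")
        elif r["type"] == "proc" and looks_like_cloudflared(r["image"], r["cmdline"]):
            findings[host].append(f"tunnel client process {r['image']}")
    return {h: {"score": len(ev), "authorised": h in AUTHORISED_HOSTS, "evidence": ev}
            for h, ev in findings.items()}


def unauthorised_tunnels(logs, min_score=2):
    """Hosts with at least min_score independent indicators and no approval."""
    return sorted(h for h, v in score_hosts(logs).items()
                  if not v["authorised"] and v["score"] >= min_score)


if __name__ == "__main__":
    for host, verdict in score_hosts(LOGS).items():
        print(host, verdict)
    print("unauthorised:", unauthorised_tunnels(LOGS))
```

Requiring two independent indicators keeps a lone lookup of a Cloudflare name (common on any network) from paging someone, while a renamed binary that still resolves argotunnel.com and talks out on 7844 is caught regardless of its file hash. For organisations that run tunnels legitimately, the allow list would be replaced by the data-centre restriction mentioned above, with alerts on connections to any other edge.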