Attackers seen spreading malware via Microsoft OneNote attachments
Attackers have been observed spreading malware utilising Microsoft OneNote attachments in phishing emails, infecting victims using remote access malware that can be used to install additional malware or steal passwords.
The move to OneNote attachments can be seen as a pivot: Microsoft now blocks macros by default in Office documents downloaded from the internet, rendering the classic macro-laden document unreliable for distributing malware.
Attackers responded with new container formats for their malware, such as ISO images and password-protected ZIP files. These quickly gained popularity, mainly aided by a Windows bug that meant files inside mounted ISO images did not inherit the mark-of-the-web flag and so opened without a security warning, and by the popular 7-Zip (a free and open-source file archiver) utility’s failure to propagate the mark-of-the-web flag to files extracted from ZIP archives, which norm.’s 26th October threat bulletin reported on.
However, both Windows and 7-Zip have recently fixed these bugs, so files taken from downloaded ISO and ZIP files once again open with a security warning. This has led attackers to adopt OneNote attachments as their new method of delivering malicious files. OneNote gives them a large reach: it is installed by default with every Microsoft Office/365 installation, so even a user who never uses the application can still open the file format.
The attack vector differs slightly from a classic malicious attachment. Unlike Word and Excel, OneNote has no macro support, which is how threat actors previously launched scripts to install malware. Instead, OneNote lets users embed arbitrary files into a notebook page; when such an embedded file is double-clicked, OneNote writes it to a temporary directory and opens it with its default handler. Threat actors abuse this by embedding malicious VBS files that, when double-clicked, download malware from a remote site and install it.
Because an embedded file appears in OneNote only as a small file icon, the threat actors overlay a large ‘Double click to view file’ bar across the page to hide the attachments. Moving the bar out of the way reveals that the page actually contains a row of identical copies of the malicious attachment, placed so that a double-click anywhere on the bar lands on one of them and launches it.
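The following Python scanner is an added example written for this bulletin, not code from the campaign or from any vendor tool. It shows how a mail gateway or incident responder can pull the embedded files out of a .one attachment and judge them by content rather than by name. OneNote stores each embedded file in a FileDataStoreObject, whose header GUID, length field and footer GUID are taken from Microsoft’s public MS-ONESTORE specification; the .one file magic GUID comes from the same specification. The function names, the content heuristics and the sample file built in `build_sample()` are the example’s own assumptions, and the sample VBS is a constructed stand-in with a placeholder where a real dropper would carry its download command.

```python
import re
import struct
import uuid

# GUIDs from the MS-ONESTORE specification (stored little-endian on disk).
ONE_FILE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # guidFileType of a .one file
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le     # FileDataStoreObject.guidHeader
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le     # FileDataStoreObject.guidFooter
# Fields that follow guidHeader: cbLength (uint64), unused (4 bytes), reserved (8 bytes).
FDSO_FIXED = struct.Struct("<Q4s8s")

# Content heuristics (assumed for this example) for the payload types this campaign drops.
SCRIPT_RE = re.compile(
    rb"(?i)\b(WScript\.Shell|CreateObject|Shell\.Application|powershell|cmd\.exe|mshta|regsvr32)\b")
HTA_RE = re.compile(rb"(?i)<script|<hta:application")
SUSPICIOUS = {"pe", "hta", "script"}


def is_onenote_file(data: bytes) -> bool:
    """True if the blob starts with the OneNote section-file magic GUID."""
    return data.startswith(ONE_FILE_MAGIC)


def extract_embedded_files(data: bytes) -> list[bytes]:
    """Return the raw bytes of every FileDataStoreObject (embedded file) in a .one blob."""
    payloads = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        fixed_at = pos + len(FDSO_HEADER)
        if fixed_at + FDSO_FIXED.size > len(data):
            break  # header cut off: treat the rest as truncated
        cb_length, _unused, _reserved = FDSO_FIXED.unpack_from(data, fixed_at)
        start = fixed_at + FDSO_FIXED.size
        end = start + cb_length
        if end > len(data):
            break  # truncated or forged length: stop rather than over-read
        payloads.append(data[start:end])
        pos = data.find(FDSO_HEADER, end)
    return payloads


def classify(payload: bytes) -> str:
    """Rough type of an embedded file, judged from its content rather than its name."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(b"\x89PNG\r\n\x1a\n") or payload.startswith(b"\xff\xd8\xff"):
        return "image"
    head = payload[:4096]
    if HTA_RE.search(head):
        return "hta"
    if SCRIPT_RE.search(head):
        return "script"
    return "other"


def scan_onenote(data: bytes) -> list[dict]:
    """One record per embedded file: index, size, detected kind and a verdict."""
    report = []
    for i, payload in enumerate(extract_embedded_files(data)):
        kind = classify(payload)
        report.append({"index": i, "size": len(payload), "kind": kind, "suspicious": kind in SUSPICIOUS})
    return report


def has_suspicious_attachment(data: bytes) -> bool:
    return any(r["suspicious"] for r in scan_onenote(data))


# ---- constructed sample (not a real malware file) ---------------------------------

def build_fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject the way OneNote stores embedded files."""
    return FDSO_HEADER + FDSO_FIXED.pack(len(payload), b"\0" * 4, b"\0" * 8) + payload + FDSO_FOOTER


def build_sample() -> bytes:
    """A minimal .one-like blob: file magic, filler, one VBS dropper, one PNG decoy."""
    vbs = (b'Set sh = CreateObject("WScript.Shell")\r\n'
           b'sh.Run "powershell -w hidden -c <stage-2 download placeholder>", 0\r\n')
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    return ONE_FILE_MAGIC + b"\0" * 64 + build_fdso(vbs) + b"\0" * 64 + build_fdso(png) + b"\0" * 16


if __name__ == "__main__":
    sample = build_sample()
    print("onenote file:", is_onenote_file(sample))
    for rec in scan_onenote(sample):
        print(rec)
```

Scanning by the FileDataStoreObject header rather than by the displayed file name matters here: the lure shows a ‘Double click to view file’ bar, not a name, and the embedded script carries no extension the user would ever see. The length check before slicing is deliberate, since a forged `cbLength` in a crafted file should make the scanner stop, not read past the buffer.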
In terms of mitigation, OneNote does warn the user when an embedded attachment is launched that doing so could harm the computer and its data. Without user education, however, history has shown that these prompts are commonly ignored and users simply click OK to proceed, which in this case launches the VBS script to download and install malware on the machine. The Cyber Safety and Phishing module from norm. can educate users on how to spot a likely malicious email. With this education, users would be more aware not only of the tactics used by attackers but also of the consequences of blindly clicking accept or OK on warning boxes.
Google Chrome 109 patches 17 vulnerabilities
Earlier this month, Google released Chrome 109 to the stable channel with patches for 17 vulnerabilities, 14 of which were reported by external researchers. The majority of the externally reported vulnerabilities are medium and low severity, with only two rated high.
The highlights of the vulnerabilities patched include:
- A use-after-free issue in Overview mode (CVE-2023-0128)
- A heap buffer overflow bug in Network Service (CVE-2023-0129)
- A heap buffer overflow in Platform Apps
- Five inappropriate implementation flaws in Chrome components such as the Fullscreen API, iframe sandbox and permission prompts
- Two use-after-free issues in Cart
Under its bug bounty programme Google paid a total of $39,000 for these vulnerabilities; this may increase, as the company has yet to determine the reward for one of the medium-severity issues.
The fixed release is version 109.0.5414.74 for Linux, 109.0.5414.74/.75 for Windows and 109.0.5414.87 for macOS. By utilising norm.’s Vulnerability Patch Management service, software is kept up to date, meaning devices are protected against vulnerabilities and exploits such as the above.
Royal Mail hit by Russia linked cyber attack
Royal Mail announced on 12th January that it was experiencing a cyber incident that left it unable to dispatch items overseas, with no date given for restoring the service. The incident was initially rumoured to be linked to the LockBit ransomware operation, infamous for ransomware attacks across the world since emerging in 2019; LockBit was responsible for the attacks on the NHS 111 service and the UK insurance company Kingfisher in 2022. As of 24th January 2023, Royal Mail is still advising people not to send parcels internationally.
LockBitSupport, the hacking-forum account the group uses for public communication, confirmed that a member of its affiliate programme was responsible for the attack, quashing rumours that Royal Mail had been hit by an unknown actor using a leaked LockBit 3.0 builder. LockBit’s affiliate programme recruits experienced attackers to deploy the ransomware once they have gained access to a target network, with the ransom split between the affiliate and the LockBit operators. Affiliates of Ransomware as a Service (RaaS) programmes like this also get access to control panels to build customised payloads, view victim data in real time and receive negotiation support. RaaS has become ever more popular, offering profit-sharing schemes in return for a monthly or one-time payment.
Ransomware Detection and Response
Ransomware attacks can inflict severe operational and financial damage on businesses while leaving little time for active response. Ensuring that endpoint protection is installed across your estate is the first line of defence for preventing and detecting ransomware operations.
What about backups? Taking regular backups of key assets reduces the impact that mass file encryption will have on your business. Make sure your backup system is regularly tested by actually restoring from it, and keep at least one copy offline or otherwise out of reach of an attacker who has gained domain-wide access, since ransomware operators routinely seek out and encrypt or delete any backups they can reach.
Finally, active patch management closes disclosed vulnerabilities before attackers can use them. It cannot protect against undisclosed (zero-day) flaws, which is why endpoint protection and tested backups remain essential alongside it.
Zoom affected by four high severity vulnerabilities
Popular video conferencing software Zoom has addressed four high severity vulnerabilities impacting its Zoom Rooms platform. The following vulnerabilities were patched:
- CVE-2022-36930 – Local privilege escalation in Rooms for Windows installers. A local low privileged user could exploit this vulnerability in an attack chain to escalate their privileges to the SYSTEM user.
- CVE-2022-36929 – Local Privilege Escalation in Rooms for Windows Clients. A local low-privileged user could exploit this vulnerability to escalate their privileges to the SYSTEM user.
- CVE-2022-36926 – Local Privilege Escalation in Zoom Rooms for macOS Clients. The issue can be exploited by a local low-privileged user to escalate their privileges to root.
- CVE-2022-36927 – Local Privilege Escalation in Zoom Rooms for macOS Clients. The issue can be exploited by a local low-privileged user to escalate their privileges to root.
These vulnerabilities affect Windows installers before version 5.12.7 and macOS clients before version 5.11.3. By utilising norm.’s Vulnerability Patch Management service, software is kept up to date, meaning devices are protected against vulnerabilities and exploits such as the above.
Get norm.’s threat bulletin direct to your inbox
norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.