macOS Version of HZ RAT Backdoor Targets Chinese Messaging App Users

From thehackernews.com

Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT.

The artifacts “almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky researcher Sergey Puzan said.

HZ RAT was first documented by German cybersecurity company DCSO in November 2022, with the malware distributed via self-extracting zip archives or malicious RTF documents presumably built using the Royal Road RTF weaponizer.

The attack chains involving RTF documents are engineered to deploy the Windows version of the malware that’s executed on the compromised host by exploiting a years-old Microsoft Office flaw in the Equation Editor (CVE-2017-11882).

Read more…

New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials

From thehackernews.com

Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.

“By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” Netskope Threat Labs researcher Jan Michael Alcantara said.

“Additionally, a victim uses their Microsoft 365 account that they’re already logged into when they open a Sway page, which can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe.”

The attacks have primarily singled out users in Asia and North America, with the technology, manufacturing, and finance sectors the most heavily targeted.

Microsoft Sway is a cloud-based tool for creating newsletters, presentations, and documentation. It has been part of the Microsoft 365 family of products since 2015.

Read more…

Be careful what you pwish for – Phishing in PWA applications

From welivesecurity.com

ESET analysts dissect a novel phishing method tailored to Android and iOS users.

[They] discovered a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms. These mechanisms include automated voice calls, SMS messages, and social media malvertising.

The voice call delivery is done via an automated call that warns the user about an out-of-date banking app and asks the user to select an option on the numerical keyboard. After pressing the correct button, a phishing URL is sent via SMS. This was reported in a tweet by Michal Bláha.

Initial delivery by SMS was performed by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to socially engineer victims into visiting the link.

Read more…

Paris Olympics deals with ransomware attack

From scmagazine.com

A ransomware attack against the Paris Grand Palais exhibition hall, where Olympic events are being held, is being investigated.

According to MSN, a police investigation determined that the attackers targeted the institution’s central computer system, but the incident had not caused any disruption to Olympic events.

The computer system at the venue also handles data for 40 — mainly small — museums with which it is affiliated, the prosecutors said in an email.

Josh Jacobson, director of professional services at HackerOne called the attack unsurprising — but potentially quite creative. He said the outcome of this successful compromise could be beneficial to cybercriminals in a number of ways:

1) Because of the sheer number of venues that will be scrambling to get their operations up and running, the bad actors could be hoping to rake in ransoms across the victim pool and maximise financial gain.

Read more…

Secure Web Gateways are anything but as infosec hounds spot dozens of bypasses

From theregister.com

Defcon: Secure Web Gateways (SWGs) are an essential part of enterprise security, which makes it shocking to learn that every single SWG in the Gartner Magic Quadrant for SASE and SSE can reportedly be bypassed, allowing attackers to deliver malware without the gateways ever catching on.

Using a tactic he’s dubbed “last mile reassembly,” SquareX founder and long-time security researcher Vivek Ramachandran said he’s managed to suss out more than 25 different methods to bypass SWGs, all of which boil down to the same basic exploit: They miss a lot of what’s going on in modern web browsers.

“[SWGs] were invented almost 15, 17 years back [and] it all started as SSL intercepting proxies,” Ramachandran told us. “As cloud security became more important people built out this entire security stack in the cloud.

“This is really where the problem begins.”

SWGs, Ramachandran explains, mostly rely on their ability to infer application-layer attacks from network traffic before it reaches a web browser. If, say, the traffic isn’t recognizable as malicious on the wire, the SWG might not detect it and instead delivers it to the user’s browser, where it is reassembled into the actual payload.

Read more…

Microsoft researchers report Iran hackers targeting US officials before election

From reuters.com

WASHINGTON, Aug 9 (Reuters) – Microsoft researchers said on Friday that Iran government-tied hackers tried breaking into the account of a “high ranking official” on the U.S. presidential campaign in June, weeks after breaching the account of a county-level U.S. official.

The breaches were part of Iranian groups’ increasing attempts to influence the U.S. presidential election in November, the researchers said in a report that did not provide any further detail on the “official” in question.

The report follows recent statements by senior U.S. intelligence officials that they had seen Iran ramp up its use of clandestine social media accounts with the aim of using them to sow political discord in the United States.

Iran’s mission to the United Nations in New York told Reuters in a statement that its cyber capabilities were “defensive and proportionate to the threats it faces” and that it had no plans to launch cyber attacks. “The U.S. presidential election is an internal matter in which Iran does not interfere,” the mission added in response to the allegations in the Microsoft report.

Read more…

Microsoft discloses Office zero-day, still working on a patch

From bleepingcomputer.com

Microsoft has disclosed a high-severity zero-day vulnerability affecting Office 2016 and later, which is still waiting for a patch.

Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that enables unauthorized actors to access protected information such as system status or configuration data, personal info, or connection metadata.

The zero-day impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

Even though Microsoft’s exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has tagged the likelihood of exploitation for this type of weakness as highly probable.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft’s advisory explains.

“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”

The company is developing security updates to address this zero-day bug but has yet to announce a release date.

Read more…