Blog entry by Les Bell

by Les Bell - Saturday, October 22, 2022, 6:42 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Office Web Apps Server SSRF/RCE Vulnerability

During a routine penetration test involving Microsoft's Office Online Server, MDSec found a server-side request forgery vulnerability which can be further exploited to achieve remote code execution on the server. The vulnerability is located in the /op/view.aspx API, which is normally used to retrieve Office documents for display in a browser.

The API leaks timing information which can be used to enumerate active hosts within the victim's network, but more interestingly, the server makes its outbound requests using the host's machine account. This can be used to exploit LDAP (to add shadow credentials) or Active Directory Certificate Services (to obtain a certificate, and from that a Ticket Granting Ticket for the server). From there, it is relatively simple to obtain a forged service ticket for the server, and thus local admin privileges on the server.

Microsoft responded that this is the way the API is intended to work, and suggested some mitigation steps.
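Since Microsoft treats the endpoint's behaviour as intended, detection falls to the people running the server. The script below is an added example for this briefing, not MDSec's or Microsoft's code: it reads constructed IIS W3C log lines and flags any client that has asked /op/view.aspx to fetch documents from several distinct loopback, private or link-local hosts, which is the host-enumeration pattern the post describes. The query parameter name (src) and the log field order are assumptions, since the post names neither.

```python
"""Detection sketch for SSRF-style host enumeration through a document-viewer
endpoint such as Office Online Server's /op/view.aspx.

Added example for this briefing; it is not MDSec's or Microsoft's code.
Assumptions: the document location is passed in a query parameter named 'src'
(the post does not name the parameter), and the log is IIS W3C format with the
fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status.
The log lines below are constructed.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one client viewing real documents, one sweeping internal hosts.
SAMPLE_LOG = """\
2022-10-19 09:00:01 203.0.113.7 GET /op/view.aspx src=https%3A%2F%2Fdocs.example.com%2Fq3.docx 200
2022-10-19 09:00:02 198.51.100.23 GET /op/view.aspx src=http%3A%2F%2F10.0.0.5%2Fa.docx 500
2022-10-19 09:00:02 198.51.100.23 GET /op/view.aspx src=http%3A%2F%2F10.0.0.6%2Fa.docx 500
2022-10-19 09:00:03 198.51.100.23 GET /op/view.aspx src=http%3A%2F%2F10.0.0.7%2Fa.docx 500
2022-10-19 09:00:03 198.51.100.23 GET /op/view.aspx src=http%3A%2F%2F127.0.0.1%3A8080%2Fa.docx 500
2022-10-19 09:00:04 203.0.113.7 GET /op/view.aspx src=https%3A%2F%2Fdocs.example.com%2Fq4.docx 200
2022-10-19 09:00:05 203.0.113.9 GET /hosting/discovery - 200
"""

DOC_PARAM = "src"          # assumed parameter name (see module docstring)
ENDPOINT = "/op/view.aspx"


def is_internal_target(host):
    """True when the document host is one the server should never be asked to
    fetch from on a user's behalf: loopback, RFC 1918, link-local or reserved.
    Hostnames are only checked literally here; a production check must resolve
    them first, because private addresses are routinely hidden behind DNS names."""
    if host is None:
        return False
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False       # unresolved hostname: treated as external in this offline sketch
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved


def parse_line(line):
    """Split one W3C log line into (client_ip, uri_stem, query); None for
    blank or comment lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, c_ip, _method, stem, query, _status = fields[:7]
    return c_ip, stem, "" if query == "-" else query


def document_target(query):
    """Hostname named in the document-location parameter, if present."""
    values = parse_qs(query).get(DOC_PARAM)
    if not values:
        return None
    return urlsplit(values[0]).hostname


def flag_internal_probing(log_text, threshold=3):
    """Return {client_ip: sorted internal hosts} for clients that asked the
    viewer to fetch from at least `threshold` distinct internal hosts. A single
    internal target may be a misconfigured link; a spread of them from one
    client is the enumeration behaviour the post describes."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        c_ip, stem, query = parsed
        if stem.lower() != ENDPOINT:
            continue
        host = document_target(query)
        if is_internal_target(host):
            targets[c_ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for client, hosts in flag_internal_probing(SAMPLE_LOG).items():
        print(f"{client}: {len(hosts)} internal targets via {ENDPOINT}: {', '.join(hosts)}")
```

The status code is deliberately ignored: the timing side channel in the post means a failed fetch is as informative to the prober as a successful one, so a rule keyed on 200 responses would miss the sweep.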

Tanwar, Manish, Microsoft Office Online Server Remote Code Execution, blog post, 19 October 2022. Available online at https://www.mdsec.co.uk/2022/10/microsoft-office-online-server-remote-code-execution/.

Android Malware Spies on Iranian Citizens

Researchers from ESET have identified a new version of the FurBall Android malware being used by APT-C-50 to conduct surveillance operations against Iranian citizens as part of its Domestic Kitten campaign, which has been running since at least 2016.

The interesting thing about this new version of FurBall is that it has no new functionality; instead, its developers slightly obfuscated class and method names, strings, logs and the C2 server URIs, as well as the names of the PHP functions that run on the server. The purpose of this appears to be to change IoCs in order to evade detection.

Another curious feature is the fact that, despite the app having comprehensive spyware functionality, most of it cannot be used because its AndroidManifest.xml file only requests the permission to access contacts. It is possible that it is simply gathering contact information which will be used in a spearphishing campaign against the real targets; alternatively, once trust is established, more permissions could be requested by an update.
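The gap between what the code can do and what the manifest asks for is a useful triage signal in its own right. The script below is an added example for this briefing, not ESET's tooling: it parses a constructed AndroidManifest.xml, takes a constructed list of framework classes referenced from the app's dex (which a disassembler would normally supply), and reports each sensitive capability whose permissions are entirely absent from the manifest. The capability table is a small hand-picked subset, not an exhaustive map.

```python
"""Triage check for the mismatch ESET describe in FurBall: code with spyware
capabilities alongside a manifest that requests only contacts access.

Added example for this briefing; it is not ESET's tooling. The manifest, the
list of referenced framework classes and the capability table are constructed
for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: only READ_CONTACTS and INTERNET are requested.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Sample"/>
</manifest>
"""

# Constructed list of framework classes a dex disassembler reported in the app.
SAMPLE_API_REFS = [
    "android.telephony.SmsManager",
    "android.media.MediaRecorder",
    "android.location.LocationManager",
    "android.provider.ContactsContract",
]

# Framework class -> permissions any one of which lets that class be used for
# its sensitive purpose. A referenced class with none of them granted is a
# dormant capability: the code is present, but the OS would refuse it at runtime.
CAPABILITY_MAP = {
    "android.telephony.SmsManager": ("android.permission.SEND_SMS",
                                     "android.permission.READ_SMS"),
    "android.media.MediaRecorder": ("android.permission.RECORD_AUDIO",),
    "android.location.LocationManager": ("android.permission.ACCESS_FINE_LOCATION",
                                         "android.permission.ACCESS_COARSE_LOCATION"),
    "android.provider.ContactsContract": ("android.permission.READ_CONTACTS",
                                          "android.permission.WRITE_CONTACTS"),
}


def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def dormant_capabilities(manifest_xml, api_refs):
    """Return {class: permissions that would unlock it} for each referenced
    class in CAPABILITY_MAP whose permissions are all missing from the manifest."""
    granted = requested_permissions(manifest_xml)
    dormant = {}
    for cls in api_refs:
        needed = CAPABILITY_MAP.get(cls)
        if needed and not granted.intersection(needed):
            dormant[cls] = sorted(needed)
    return dormant


if __name__ == "__main__":
    print("requested:", ", ".join(sorted(requested_permissions(SAMPLE_MANIFEST))))
    for cls, perms in dormant_capabilities(SAMPLE_MANIFEST, SAMPLE_API_REFS).items():
        print(f"dormant: {cls} (would need one of: {', '.join(perms)})")
```

Because the post notes that an update could request more permissions once trust is established, the same check is worth re-running on every new version of a suspicious app: a capability moving from dormant to granted between versions is the moment the spyware actually becomes operational.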

Stefanko, Lukas, Domestic Kitten campaign spying on Iranian citizens with new FurBall malware, blog post, 20 October 2022. Available online at https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/.

US Government to Launch Cybersecurity Labeling Program for IoT

The Internet of Things continues to be a headache for users, bedeviled as it is by such basic vulnerabilities as unchangeable default passwords, software written by the lowest bidder, and the lack of firmware update facilities. Now, inspired by the success of the EPA and DOE's Energy Star program, the White House has announced that it will drive improved security standards for Internet-enabled devices and implement a national cybersecurity labeling program which it intends will be globally recognized (think "Energy Star for cyber").

The National Security Council held a meeting between academics, government officials and manufacturers' representatives from AT&T, Cisco, Comcast, Google, Amazon, Sony, Samsung, Intel, LG and others. The FTC and NIST have been tasked with advancing improved security standards and a product labeling scheme.

Watson, Adrienne, Statement by NSC Spokesperson Adrienne Watson on the Biden-Harris Administration's Effort to Secure Household Internet-Enabled Devices, press release, 20 October 2022. Available online at https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/20/statement-by-nsc-spokesperson-adrienne-watson-on-the-biden-harris-administrations-effort-to-secure-household-internet-enabled-devices/.

UK Adopts New Architecture

Staying in the political realm, on Thursday the British Government announced that it would now transition to a Zero Truss Architecture.

I think that's quite enough for this week . . .


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
