Blog entry by Les Bell

by Les Bell - Monday, November 21, 2022, 9:09 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories
Proof-of-Concept Exploit Code Released for Microsoft Exchange Vulns

Microsoft released patches for two Microsoft Exchange vulnerabilities, CVE-2022-41040 and CVE-2022-41082, earlier this month. The two vulnerabilities, which affect Microsoft Exchange Server 2013, 2016 and 2019, are popularly known as ProxyNotShell and have been actively exploited in the wild by attackers who used them to deploy China Chopper web shells.

Microsoft had advised that the vulnerabilities were being exploited since at least September 2022 and the Exchange team recommended that the patches be installed immediately.

Now Vietnamese security researcher Janggggg has released proof-of-concept code in Python, which will likely enable many more threat actors to exploit the remaining unpatched Exchange servers. In addition, Metasploit developer zeroSteiner has released an exploit for the popular pen test framework. Obviously, those who have not patched are now at increased risk.

Janggggg (testanull), ProxyNotShell-PoC, Github project, 17 November 2022. Available online at https://github.com/testanull/ProxyNotShell-PoC.

zeroSteiner, Add Exploit for CVE-2022-41082 (ProxyNotShell), Github merge, 18 November 2022. Available online at https://github.com/rapid7/metasploit-framework/pull/17275.

New Ransomware Targets Discord

Cyble Research and Intelligence Labs reports on three new ransomware families which exhibit some interesting characteristics.

Octocrypt is a new ransomware strain which targets all Windows versions. The ransomware builder, encryptor and decryptor are all written in the Go programming language, which has rapidly gained popularity among malware authors, and it is offered via a very polished web interface on the Ransomware-as-a-Service model.

The Alice ransomware initially appeared on cybercrime forums as a project called "Alice in the Land of Malware" and seems more primitive, at this point. The builder creates two executables called Encryptor.exe and Decryptor.exe; successful execution of Encryptor.exe encrypts the victim's files, adding the extension .alice, and drops a ransom note file called How to Restore Your Files.txt into multiple folders.

Most interesting is AXLocker; the sample encryptor examined by Cyble encrypts only specific filetypes, but then goes on to search for Discord tokens in specific directories. It sends information such as the computer name, user name, IP address, system UUID and the Discord tokens to its operators via a C2 Discord server. This means that the attackers can take over the victim's Discord sessions; victims should change their Discord passwords, which will invalidate the stolen tokens and generate new session tokens, immediately upon discovering the infection.

Uncredited, AXLocker, Octocrypt and Alice: Leading a new wave of Ransomware Campaigns, blog post, 18 November 2022. Available online at https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/.

Google Ads Used to Distribute Batloader, Royal Ransomware

Last Wednesday, we reported on Batloader, a new malware loader which seems to have evolved from Zloader. Now comes a report from Microsoft that a threat actor which they track as DEV-0569 has been using Batloader to deploy the Royal ransomware, which was first observed in September 2022 and is also used by other threat actors.

DEV-0569 has traditionally relied on malvertising - phishing links that would be placed in front of the victim via spam emails, fake forum pages and blog comments - which pointed to the malware. However, the group's tactics have been evolving, with a number of new techniques:

  • Use of contact forms on targeted organizations' websites to deliver the links
  • Hosting fake installer files on legitimate-looking download sites and legitimate repositories
  • Using Google Ads in campaigns, to blend in with normal ad traffic

Between August and October, DEV-0569 used Batloader, masquerading as legitimate installers for applications such as TeamViewer, Adobe Flash Player (why is that still a thing?), Zoom and AnyDesk, all hosted on legitimate-looking domains created by the threat actor.

During September, they started using Batloader to deliver a Cobalt Strike Beacon implant and, after gaining access, used this to implant the Royal ransomware. And in October, they started using Google Ads which point to the legitimate traffic distribution system Keitaro, which filters ad campaigns via tracking and user- or device-based filtering before redirecting the victim to a download site - either legitimate or delivering Batloader. By using Keitaro, DEV-0569 is able to deliver their payloads to specific targets, while also avoiding some known security sandboxing products.

Microsoft's write-up suggests a number of mitigations.

Microsoft Security Threat Intelligence, DEV-0569 finds new ways to deliver Royal ransomware, various payloads, blog post, 17 November 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
