Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Google Search Returns Malicious Loaders for Malware Attacks

Researchers at SentinelLabs have identified a series of virtualized .NET malware loaders which are being distributed via malicious ads placed through Google and displayed in search results. The researchers encounter these loaders while investigating malvertising attacks; all that was required was a simple Google search for "Blender 3D" and the ads were returned.

The loaders are implemented in .NET and use vitualization, based on the KoiVM virtualizing protector, to obfuscate their implementation and execution. Although SentinelLabs dubbed these loaders MalVirt, it seems likely that they are related to the KoiVM loader detected a few months ago by K7 Security Labs. The MalVirt malware applies an unusual level of anti-analysis and anti-detection techniques to its payloads, which include a feature-rich infostealer from the Formbook family that is capable of keylogging, screenshot theft, theft of web and other credentials and staging of other malware.

The Formbook malware is more commonly delivered as malmail attachments; switching to malverts is a response to the default blocking of MS Office VBA (Visual Basic for Applications) macros. While popular with criminal groups, it has also been used by state-affiliated groups, as reported by Ukraine's CERT.

Milenkoski, Aleksandar and Tom Hegel, MalVirt | .NET Virtualization Thrives in Malvertising Attacks, blog post, 2 Februart 2023. Available online at https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/.

Threat Actors Use Visual Studio Tools for Office to Deploy Malware

There are many other responses to Microsoft's default blocking of VBA macros: wrapping them in .ZIP and similar archives, or even .ISO images, so that the wrapper would carry the Mark of the Web, but the macro would not, or using shortcut (.LNK) files. Now, Deep Instinct researchers have uncovered a new technique: using Microsoft's Visual Studio Tools for Office (VSTO) to develop Office Add-Ins.

VSTO allows these Office application extensions to be written using .NET, and also enables the creation of Office documents which will deliver and execute them. Even better, an Office Add-In can be associated with a specific Office application and once it is installed, the Add-In will load and execute every time that application is launched - no need for persistance workarounds like creating scheduled tasks!

A VSTO Add-In can be packaged along with the Office document used to run it, but can also be fetched from a remote host when the document is opened. The latter technique is more difficult for the attacker; they would have to sign the Add-In using a trusted certificate, for example. The Deep Instinct researchers provide a proof-of-concept which can deliver a Meterpreter payload.

Vilkomir-Preisman, Shaul, No Macro? No Worries. VSTO Being Weaponized by Threat Actors, blog post, 2 February 2023. Available online at https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors.

Traffic Light Control Software Vulnerable; Could Cause Gridlock

Last week's eight industrial control systems advisories from the Cybersecurity & Infrastructure Security Agency were mostly routine, but one has caused more than the usual level of activity, largely because of the (lack of) response from the vendor concerned. According to a report in The Stack, Econolite's traffic light controller software carries a critical vulnerability (CVE-2023-0452) with a CVSS score of 9.8. The vulnerability relates to CWE-328: Use of Weak Hash, and - you guessed it - it's our old friend MD5 again, turning where it shouldn't: an authentication subsystem. In fact, this can lead to unauthenticated access to a configuration file.

According to the report, the Econolite software is used by over 400 agencies to control lights at over 57,000 intersections, although not all are Internet-accessible. Even with access, an attacker can really only adjust the timing on the lights, prioritizing traffic in one direction and causing long tailbacks in the other; fortunately it is apparently not possible to turn all lights green simultaneously.

The biggest concern, however, is that Econolite has not responded in any way to the CISA advisory and has not released a patch for the problem, unlike the firms behind the other seven vulnerabilities of the week.

Targett, Ed, Critical controller bug could trigger traffic chaos: Software vendor ignores CISA outreach, The Stack, 27 January 2023. Available online at https://thestack.technology/econolite-traffic-controller-vulnerability-cisa-ics/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.