Blog entry by Les Bell

by Les Bell - Thursday, 8 June 2023, 7:52 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Mozilla Releases Bug Fixes

Mozilla Foundation has released Firefox 114, which fixes some memory safety bugs (CVE-2023-34416) that were potentially exploitable. The Foundation also released Firefox ESR 102.12, the Extended Support Release favoured by enterprises who value stability over novelty, which fixes another interesting vulnerability. This is CVE-2023-34414, a click-jacking vulnerability which could trick the user into proceeding past a pop-up invalid certificate warning, like those presented for expired certificates.

Click-jacking is a classic Time-of-Check/Time-of-Use vulnerability which takes advantage of the time consumed as a browser renders complex HTML, CSS, graphics and JavaScript before displaying the final content. The attacker manages to load some content which displays before the warning, hoping that the user will decide to click on it, and that it will be replaced, just as the click lands, by the button the attacker really wants clicked. We've all had this happen - the complexity of many web pages (especially some progressive web apps) means that the window component you try to click on jumps away just as you click - so that you trigger something you didn't want.

This is a great example of a TOC/TOU vulnerability; the user checks the screen content and decides to click on a "Cancel" button or the like, but by the time the click arrives and is used, it's been switched for a different button, like "Proceed".
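The usual defence against this kind of TOC/TOU click-jacking is a "security delay": a sensitive button ignores clicks until the dialog has been visible and stable for a minimum period, and the timer restarts whenever the layout changes underneath the user. The following is an added example modelling that logic (it is not Mozilla's code; the timings and event names are constructed for illustration):

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Model of a "security delay" on a browser warning dialog (added example, not
# Mozilla's code). The user's check of the screen and the use of the click are
# separated in time; a click arriving too soon after the dialog last changed is
# assumed to be aimed at whatever was there before, and is discarded.

@dataclass
class SecurityDelayGuard:
    delay_ms: int                         # dialog must be stable this long before a click counts
    stable_since: Optional[int] = None    # when the dialog last appeared or moved
    log: List[Tuple[int, str, str]] = field(default_factory=list)

    def shown(self, t_ms: int) -> None:
        """The dialog became visible at t_ms; start the delay."""
        self.stable_since = t_ms

    def relayout(self, t_ms: int) -> None:
        """Content moved or was drawn over the dialog: what the user checked is stale, restart."""
        self.stable_since = t_ms

    def accept_click(self, t_ms: int, button: str) -> bool:
        """True only if the click arrived after the dialog had been stable for delay_ms."""
        if self.stable_since is None:
            return False
        ok = t_ms - self.stable_since >= self.delay_ms
        self.log.append((t_ms, button, "accepted" if ok else "rejected"))
        return ok


def simulate(delay_ms: int, events: List[tuple]) -> List[str]:
    """Replay (t_ms, kind[, button]) events and return the verdict for each click."""
    guard = SecurityDelayGuard(delay_ms)
    verdicts = []
    for ev in events:
        t, kind = ev[0], ev[1]
        if kind == "shown":
            guard.shown(t)
        elif kind == "relayout":
            guard.relayout(t)
        elif kind == "click":
            verdicts.append("accepted" if guard.accept_click(t, ev[2]) else "rejected")
    return verdicts


if __name__ == "__main__":
    # Constructed timeline: warning appears at 0 ms, an overlay shifts the layout
    # at 900 ms, and "Proceed" is clicked at 300 ms, 1200 ms and 2000 ms.
    print(simulate(1000, [(0, "shown"), (300, "click", "Proceed"), (900, "relayout"),
                          (1200, "click", "Proceed"), (2000, "click", "Proceed")]))
```

Only the last click, which arrives after the dialog has sat unchanged for the full delay, is honoured; the early click and the one just after the layout shift are dropped.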

Uncredited, Security Vulnerabilities fixed in Firefox ESR 102.12, security advisory, 6 June 2023. Available online at https://www.mozilla.org/en-US/security/advisories/mfsa2023-19/.

CISA Releases Advisory for CL0P's Exploitation of MOVEit

The Cybersecurity & Infrastructure Security Agency has released a joint Cybersecurity Advisory dealing with the MOVEit file transfer service vulnerability that we covered yesterday. The Advisory, which is part of CISA's #StopRansomware effort, provides more information on the exploitation techniques, such as infection with the LEMURLOOT web shell, and links the activity to earlier CL0P campaigns against Accellion File Transfer Appliances in 2020/21 and Fortra/Linoma GoAnywhere MFT servers in early 2023.

The advisory also provides advice on mitigation actions.

Uncredited, #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability, cybersecurity advisory AA23-158A, 7 June 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a.

US Aerospace Firms Targeted with PowerShell Malware

Adlumin Threat Research reports on an attack, by an as-yet-unidentified threat actor, on US aerospace contractors. Since the aerospace industry is engaged in increased missile R&D efforts as support for Ukraine ramps up, the threat actor is quite likely state-sponsored.

The attack uses a novel remote access trojan written as a Windows PowerShell script, which Adlumin has christened PowerDrop. In order to remain persistent, the script uses Windows Management Instrumentation (WMI) event filters and consumers which are registered by wmic.exe commands during initial installation, and which run the script every two minutes.

Each time it is run, the PowerDrop script sends an ICMP echo request datagram as a beacon to its C2 server, which replies with one or more ICMP echo replies, which will be assembled into an encrypted command. This is then decrypted, executed using PowerShell's Invoke-Expression cmdlet, and an encrypted response sent back, also using multiple ICMP datagrams. The use of PowerShell allows the threat actor to utilise its built-in functionality such as AES crypto, while not having to install large static binaries on the victim - almost an example of a LOLbin approach - yet provides considerable flexibility. The use of ICMP datagrams for stealthy exfiltration is similarly frugal - not to mention likely to escape detection.
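The traffic pattern described above has two properties a defender can look for without decrypting anything: the echo requests from a victim arrive at a very regular interval (here, two minutes), and each request draws more than the single echo reply a normal ping would. The following is an added example (not Adlumin's detection rules) that scores ICMP flow records on both properties; the record format and the sample hosts are constructed:

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import List, NamedTuple, Tuple

class IcmpRecord(NamedTuple):
    ts: float        # seconds since epoch
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply
    payload_len: int

def find_icmp_beacons(records: List[IcmpRecord], min_requests: int = 4,
                      max_jitter: float = 0.2) -> List[Tuple[str, str, float, float]]:
    """Return (client, server, mean_period_s, replies_per_request) for host pairs whose
    echo requests are regularly spaced AND draw more than one reply per request."""
    requests = defaultdict(list)    # (client, server) -> request timestamps
    reply_counts = defaultdict(int) # (client, server) -> echo replies seen
    for r in records:
        if r.icmp_type == 8:
            requests[(r.src, r.dst)].append(r.ts)
        elif r.icmp_type == 0:
            reply_counts[(r.dst, r.src)] += 1      # reply flows server -> client
    hits = []
    for pair, stamps in requests.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else 1.0   # relative spread of the interval
        ratio = reply_counts[pair] / len(stamps)
        if jitter <= max_jitter and ratio > 1.0:   # a normal ping gets at most one reply
            hits.append((pair[0], pair[1], round(period, 1), round(ratio, 2)))
    return hits

def sample_records() -> List[IcmpRecord]:
    """Constructed sample: one beaconing host and one ordinary 'ping -c 5'."""
    recs = []
    for i, t in enumerate([0, 120, 241, 360, 480]):          # beacon every ~2 minutes
        recs.append(IcmpRecord(t, "10.0.0.5", "203.0.113.10", 8, 32))
        for k in range(3):                                    # command split over 3 replies
            recs.append(IcmpRecord(t + 0.5 + k, "203.0.113.10", "10.0.0.5", 0, 128))
    for t in range(5):                                        # benign ping, one reply each
        recs.append(IcmpRecord(1000 + t, "10.0.0.7", "192.0.2.1", 8, 56))
        recs.append(IcmpRecord(1000 + t + 0.01, "192.0.2.1", "10.0.0.7", 0, 56))
    return recs

if __name__ == "__main__":
    print(find_icmp_beacons(sample_records()))
```

The benign ping is just as regular as the beacon but is dropped by the reply-ratio check, which is why the two conditions are combined rather than used alone.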

Adlumin's blog post provides detailed analysis, along with detection rules for Snort and SIGMA.

Uncredited, PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry, blog post, 6 June 2023. Available online at https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
