Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

MS Teams Vulnerable to . . . GIF's?

Security researcher Bobby Rauch has discovered a number of vulnerabilities in Microsoft Teams, particularly the way it handles base64-encoded GIF files - not scanning these allows malicious commands to be delivered within otherwise normal-looking graphics files. By using this along with several other vulnerabilities, an attacker can bypass security controls to perform remote command execution, data exfiltration and phishing attacks.

The main component of this attack, called GIFShell, allows a threat actor to create a reverse shell which delivers malicious commands and then exfiltrates the resultant data in GIF's returned via Microsoft's own infrastructure. The result is a unique C2 infrastructure which will avoid detection by EDR and other network monitoring tools.

Recommended mitigations including turning off the default external access settings in the Teams Admin Center, and monitoring access to Microsoft Teams' log files.

Rauch, Bobby, "GIFShell" - Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs, Medium, 24 August 2022. Available online at https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7.

Bumblebee Malware Loader Uses Virtual Hard Disk, PowerShell Script

A new variant of the Bumblee malware loader is continuing the trend of obscuring malware payloads by wrapping them in contain files such as .ISO CD/DVD images. The new version has switched from using ISO's to a VHD (virtual hard disk) file which contains a .LNK shortcut. This in turn runs an obfuscated Windows PowerShell script which, after hiding its window from the user, loads a second stage.

The second stage makes use of the open source PowerSploit post-exploitation framework to perform DLL injection, loading the Bumblebee malware into the memory of the PowerShell process. This technique works entirely in the memory of the target PC and does not touch the disk, reducing the chance of detection by anti-malware software.

Toulas, Bill, Bumblebee malware adds post-exploitation tool for stealthy infections, Bleeping Computer, 8 September 2022. Available online at https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/.

Lazarus Group Targets Energy Sector

North Korean threat actor Lazarus Group has been running a campaign against energy providers around the world, including the US, Canada and Japan, according to Cisco Talos. The campaign is intended to turn an initial foothold gained via vulnerabilities in VMWare Horizon into long-term access with the likely goal of cybersepionage.

Once the attack compromises VMWare, this is followed by deployment of Lazarus Group's previously identified custom malware implants, an RCE bot called VSingle which fetches commands over HTTP and a backdoor called YamaBot which is written in Go. However, the campaign is also using a new remote access trojan Talos calls MagicRAT.

Malhotra, Asheer, Lazarus and the tale of three RATs, Talos Intelligence, 8 September 2022. Available online at https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html.

pfSense Firewall RCE Vulnerability

pfSense is a popular firewall distribution popular with consultants and resellers support SME's. A recent remote command execution vulnerability (CVE-2022-31814) could spell disaster for some of their customers if left unpatched.

Fortunately the vulnerability is in a plug-in component which is not enabled by default. pfBlockerNG is used to allow or deny entire IP address ranges, such as blocking access from entire countries, but the vulnerability will allow an unauthenticated user to execute commands on the firewall with root privilege.

pfBlockerNG 2.1.4_26 and earlier are affected and admins should upgrade to a later version or use pfBlockerNG-devel, which is unaffected. The vulnerability is due to inadequate sanitization of the PHP $_SERVER['HTTP_HOST'] variable, which passes tainted data into the PHP exec() function.

Leyden, John, Vendor disputes seriousness of firewall plugin RCE flaw, The Daily Swig, 8 September 2022. Available online at https://portswigger.net/daily-swig/vendor-disputes-seriousness-of-firewall-plugin-rce-flaw.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.