Sarina

About Sarina Gandy

This author has not yet filled in any details.
So far Sarina Gandy has created 109 blog entries.

Student Loan Forgiveness Scams Are On The Rise

There’s no question that student loan debt is a major problem for many people in the U.S. In fact, researchers estimate that there are currently more than 44 million Americans with student loan debt, and the average U.S. household that has student loan debt owes just over $57,000. With so much debt, it’s no wonder that there are people out there who are looking for ways to get rid of it. And that’s where student loan forgiveness scams come in.

There are a lot of companies and individuals out there who claim they can help you get your student loans forgiven. But the truth is, most of these offers are too good to be true. And if you’re not careful, you could end up getting scammed.

Recognizing a Federal Student Loan Forgiveness Scam

There are a few different types of student loan forgiveness scams out there. Here are three of the most common:

The company promises loan forgiveness for a fee. This is probably the most common type of scam. But the truth is, you don’t need to pay anyone to get your loans forgiven. The government has a number of programs that can help you get rid of your debt, and you can apply for them for free.

The company promises to lower your monthly payments. This is something you can do for free. There are a number of government programs that can help you lower your payments, and you don’t need to pay anyone to access them.

The company promises to consolidate your loans. This can be a good thing or a bad thing, depending on the interest rate you’re currently paying. If you’re consolidating your loans at a lower interest rate, it can save you money. But if you’re consolidating your loans at a higher interest rate, it could end up costing you more in the long run.

If you’re considering student loan forgiveness watch out for:

  1. Guarantees: Be wary of any company or individual that promises to guarantee your student loan forgiveness. The truth is, there’s no such thing as guaranteed student loan forgiveness. So if someone tells you they can guarantee it, they’re probably lying.
  2. Upfront Fees: You should never have to pay any upfront fees for student loan repayment assistance. If someone asks you to pay an upfront fee, it’s a good sign that they’re a scammer.
  3. High Pressure Sales Tactics: Be wary of anyone who’s pressuring you to sign up for their program or make a decision right away. If someone is trying to rush you, it’s likely because they’re not legitimate.
  4. Promises of Quick Forgiveness: Be careful of anyone who promises quick and easy student loan forgiveness. The truth is, the process can take years. So if someone tells you they can get your loans forgiven quickly, they’re probably not being honest.
  5. Outrageous Claims: Be skeptical of anyone who makes outrageous claims about student loan forgiveness. For example, if someone tells you that you can have your loans forgiven in a matter of weeks, it’s probably too good to be true.

Immediate Action Steps

If you think you may have been a victim of a student loan forgiveness scam, it is important to take action right away to protect yourself and your finances. Here are some steps to take if you are scammed:

  • Contact the three major credit agencies: Equifax, Experian and Transunion. Although loan scammers mostly focus on the fees, your personal information is in danger. Consider placing a freeze or fraud alert on your credit report. This will prohibit the scammer from opening new accounts in your name.
  • Call your bank or credit card company right away if you paid a fee using your debit or credit card. By immediately reporting the transaction as fraudulent, you might be able to prevent paying the fee. They can also help you change any compromised accounts.
  • Get in touch with your official loan servicer. They will be able to help guide you to secure your account and can help you with repayment.
  • Update your FSA ID password right away if you gave the scam company your FSA ID.

Reporting the Scams

Reporting student loan forgiveness scams is crucial to helping others avoid being scammed. As a society, the more people that report online scams and fraud, the more national reporting data that is collected, and the better chance law enforcement has to catch the criminals and decrease cybercrime.

Whether you provided financial or personal information to scammers or not, report the incident to the following authorities:

  • The Internet Crime Complaint Center: The IC3 will review your report and refer it to the appropriate federal, state, local and international agencies if necessary.
  • Consumer Finance Protection Bureau: While the CFPB might now be able to help with specific case, they will use your complaint to shut down fraudulent companies.
  • Your State Attorney General: Many State Attorney Generals take student loan forgiveness scams very seriously.

Find Legitimate Help for Student Loan Forgiveness

There are a number of government programs that help with loan forgiveness. And you can access these programs for free. So there’s no need to pay anyone for help. The U.S. Department of Education (ED) offers free and legitimate student loan forgiveness programs. Contact your official loan servicer to find out if you qualify.

If you’re considering student loan forgiveness, make sure you do your research and be careful of scams. There are a lot of companies and individuals out there who will try to take advantage of you. But if you’re aware of the signs of a scam, you can protect yourself.

To learn more about other scams affecting students, visit our education/scholarship scams page.

Article retrieved from Fight Cybercrime. View the original article: https://fightcybercrime.org/blog/student-loan-forgiveness-scams-are-on-the-rise/

Student Loan Forgiveness Scams Are On The Rise2022-10-27T11:17:17-04:00

Phishing Attacks Increase as Facebook and Microsoft are Most Abused

I. Targeted Entities

  • Microsoft, Facebook, and other large tech brands

II. Introduction

Phishing attacks exploiting the Microsoft and Facebook brands, among others, have increased between 2021 and 2022.

III. Background Information

According to researchers at Vade, Microsoft, Facebook, and the French bank Crédit Agricole are the top abused brands.[1] The report also says that phishing attacks exploiting the Microsoft brand increased 266% in the first quarter of 2022 compared to 2021. Phony Facebook messages are up 177% in the second quarter of 2022, also compared to 2021.[1]

The research done by Vade analyzed unique instances of phishing URLs used by threat actors carrying out phishing attacks and not the number of phishing emails associated with the URLs. Their report listed the 25 most commonly phished companies, along with the most targeted industries and days of the week for phishing emails.[1] Other brands at the top of the list include Crédit Agricole, WhatsApp, and French telecommunications company Orange. PayPal, Google, and Apple also made the list.[1]

The report by Vade found that through the first half of 2022, 34% of all unique phishing attacks, that were tracked by the researchers at Vade, impersonated financial services brands. The next most popular sector was cloud service providers, with Microsoft, Google, and Adobe being prime targets. The social media sector was also popular with Facebook, WhatsApp, and Instagram at the top of the list of brands exploited in the attacks.[1] The researchers also found that the most popular days for sending phishing emails were Monday through Wednesday. The weekend did not see a lot of phishing emails sent with only 20% of the phishing emails being sent during the weekend.[1]

IV. MITRE ATT&CK

  • T1566 – Phishing
    Adversaries will send phishing messages to gain access to a victim’s machine. These phishing attempts may come via link or attachment, and typically execute malicious code on victim machines.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

This threat advisory has no indicators of compromise, but it is recommended that readers be aware of the links and attachments that they are sent to ensure their safety.

VII. References

(1) Nelson, Nate. “Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands.” Threatpost English Global, July 26, 2022. https://threatpost.com/popular-bait-in-phishing-attacks/180281/.

(2) Petitto, Natalie. “Phishers’ Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks.” Vade, July 26, 2022. https://www.vadesecure.com/en/blog/phishers-favorites-top-25-h1-2022.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, and Tural Hagverdiyev

Phishing Attacks Increase as Facebook and Microsoft are Most Abused2024-07-11T11:34:26-04:00

Google Patches Exploited Chrome Bug

I. Targeted Entities

• Google Chrome

II. Introduction

On July 4, Google quietly released a stable channel update for Google Chrome to patch an actively exploited zero-day vulnerability. This is the fourth flaw Google has released for Google Chrome this year.

III. Background Information

Chrome 103 (103.0.5060.71 for Android and 103.0.5060.114 for Windows and Mac) fixes a heap buffer overflow flaw in WebRTC. WebRTC is the engine that gives the browser its real-time communications capability.[1] The vulnerability, given the moniker CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team, is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory.”[1]

Google did not reveal any specific details about the vulnerability, but they did recommend that users upgrade their Google Chrome browsers. Because there are so few known details about the flaw, users’ most feasible protection is to upgrade their browser. Fortunately, Google Chrome updates are pushed without user intervention so most users will be protected once an update is available.[1]

Buffer overflows can lead to crashes and other attacks that make the affected program unavailable, like putting the program into an infinite loop. Attackers can take advantage of the attack by using the crash to execute arbitrary code usually outside of the scope of the program’s security policy.[1]

Along with fixing the zero-day buffer overflow flaw, the fix also patches a confusion flaw in the V8 JavaScript engine (CVE-2022-2295), which was reported on June 16th by researchers at S.S.L.[1] This is the third flaw of this nature found in the open-source engine used by Google Chrome and Chromium-based web browsers that has been patched this year. In March, a different type-confusion issue in the V8 JavaScript engine (CVE-2022-1096) required a hasty patch from Google. And in April, Google patched another type-confusion flaw (CVE-2022-1364) which affected Google Chrome’s use of V8, which attackers had already pounced on.[1]

Another flaw patched the July 4 Google Chrome update is a use-after-free flaw in Chrome OS Shell, which was reported by Khalil Zhani on May 19th and was given the moniker CVE-2022-2296, according to Google. Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google, in February, patched a zero-day use-after-free flaw in Chrome’s Animation component (CVE-2022-0609) that was under attack.[1]

IV. MITRE ATT&CK

Because the specific details of this flaw have not been announced, there are currently no MITRE ATT&CKs associated with this flaw.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.

VI. Indicators of Compromise (IOCs)

Because the specific details of this flaw have not been announced, there are currently no IOCs associated with this flaw.

VII. References

(1) Montalbano, Elizabeth. “Google Patches Actively Exploited Chrome Bug.” Threatpost English Global, July 5, 2022. https://threatpost.com/actively-exploited-chrome-bug/180118/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.

Google Patches Exploited Chrome Bug2024-07-11T11:34:50-04:00

Tashya Denose (aka the Cyber Whisperer) – Senior Manager of Cybersecurity Analysis at Capital One and a builder of the most rad relationships in cyber

Tashya Denose (aka the Cyber Whisperer) - Senior Manager of Cybersecurity Analysis at Capital One and a builder of the most rad relationships in cyber

Tashya Denose is a Senior Manager of Cybersecurity Analysis at Capital One and the Director of Brand & Marketing at Black Girls in Cyber. In this episode, Tashya joins the No Password Required team to discuss her passion for making everyone feel welcome in the cybersecurity world, the state of the cybersecurity pipeline and what needs to be done, and a LOT of other rad stuff (including her feelings about the word “rad” making a comeback!) Ernie, Jack, and Pablo discuss the rogue freelancers that were taking advantage of remote work opportunities to hide their true identities and earn money for North Korea. Pablo presents the new Technologue game show where the team attempts to answer questions about the first-ever computer worm.

Tashya Denose (aka the Cyber Whisperer) – Senior Manager of Cybersecurity Analysis at Capital One and a builder of the most rad relationships in cyber2022-07-06T05:14:36-04:00

Defense Contractors: DoD Updates CMMC Timeline

The Department of Defense recently provided some clarity on the timeline for implementation of its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now expects to complete documentation to submit to the Office of Management and Budget for its rulemaking process by July 2022. And, it plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 (60 days after the rules are published).

DoD plans to roll out the CMMC requirements in solicitations under a “phased approach.” During phase one, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment and provide a positive affirmation of compliance. This stands in contrast to having a third-party certification, which will eventually be required for some contractors under CMMC. In phase two, solicitations will require either self-assessments or third-party certifications. Which approach is required depends on the type of information involved, and the required certification level. The timing of phase two is still to be determined.

DoD also has confirmed that the third-party CMMC certification will be good for three years once the certification is issued (while not required until phase 2, contractors may choose to secure certification early), but contractors will be required to provide an annual affirmation confirming compliance. The third-party certification is for those associated with critical programs and contracts involving information critical to national security. Self-assessments required for contractors not handling information critical to national security will need to be performed on an annual basis. The assessment will need to be accompanied by an associated affirmation by a senior company official.

Putting it Into Practice: It seems the time finally has come for DoD contractors and suppliers to prepare their information systems for a CMMC assessment, if they have not already. Now is time for DoD contractors to consider (1) comprehensive self-assessments, (2) appropriate remediation, and (3) updating any reported cybersecurity scores to ensure they reflect the current posture of the system.

Retrieved from https://www.natlawreview.com/article/updated-timeline-dod-s-cybersecurity-certification-program

Defense Contractors: DoD Updates CMMC Timeline2022-06-27T09:25:36-04:00

Microsoft Releases Workaround for Zero-Day Flaw

I. Targeted Entities

  • Travel Industry

II. Introduction

As people begin to travel more post-COVID, researchers are warning that the travel industry is a prime target for an increase in cyber-related crimes. Criminal activity ranges from an uptick in adversaries targeting airline mileage reward points to website credentials for travel websites. The continued increase of these types of cybercrimes can have major impacts that may include flight delays and cancelations. The impact of these attacks is accounts that have been hacked and are stripped of their value.

III. Background Information

Since January, researchers at Intel 471 have found multiple hacks used by threat actors to trade the credentials linked to travel websites. The threat actors were specifically interested in “mileage rewards accounts with at least 100,000 miles.” These accounts are used to earn certain rewards on every dollar spent.[1] The credentials that were listed in February come from U.K. users from a major travel website and two U.S. airlines. The researchers at Intel 471 say, “access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers. The accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.”[1]

The exploitation of rewards programs, especially those associated with travel, is not new. In 2018, two Russian teens were arrested for infiltrating more than a half-million online accounts, targeting services that offer reward points.[2] Researchers say that as the travel industry bounces back from its COVID-related slump, the industry once again becomes a target for criminals.[2]

Other nefarious activity includes the targeting of travel-related databases. These databases contain employee and traveler personal identifiable information (PII), which the criminals can sell for money. Intel 471 researchers noticed threat actors had exploited a travel-related database of 40,000 employees in Illinois. The researchers say that this leaked information plays a role in travel-related fraud, allowing a criminal to generate new identities that can be used to cross borders or evade authorities.[1]

Researchers at Intel 471 suggest that customers stay vigilant while making travel arrangements, should book flights from reliable sources, handle payment cautiously, and be on the lookout for any out-of-place offers.

IV. MITRE ATT&CK

  • T1566 – Phishing
    Adversaries may utilize methods, like phishing, that involve social engineering techniques, such as posing as a trusted source.
  • T1555 – Credentials from Password Stores
    Adversaries may search common password storage locations to obtain user credentials.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

There are no IOCs for this threat advisory. However, users should remain vigilant of things that don’t seem right, and take the necessary precautions as they browse the Internet.

VII. References

(1) Intel 471, ed. “Cybercriminals Preying on Travel Surge with a Host of Different Scams.” Intel471, June 15, 2022. https://intel471.com/blog/travel-fraud-cybercrime-ransomware-pii.

(2) Tiwari, Sagar. “Travel-Related Cybercrime Takes Off as Industry Rebounds.” Threatpost English Global, June 15, 2022. https://threatpost.com/travel-related-cybercrime-takes-off/179962/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.

Microsoft Releases Workaround for Zero-Day Flaw2024-07-11T11:36:42-04:00

FIU Awarded $2 Million to Develop Artificial Intelligence Cybersecurity Tools

Florida International University’s College of Engineering and Computing researchers have received a $2 million award from the U.S. Department of Energy (DOE) to help develop technology to prevent, detect, analyze and mitigate cyberattacks against U.S. energy systems.

“Our FIU team is very experienced in cybersecurity and smart energy grids. We are proud to lead the project to advance state-of-the-art methods in cyberattack detection and to harden our power grids,” said Mohammad Ashiqur Rahman, the lead principal investigator and assistant professor and the director of the Analytics for Cyber Defense (ACyD) Lab. “Protecting the security of America’s power is crucial as we face increasing cyber threats.”

The project, entitled “Artificial Intelligence-Enabled Tools (ArtIT) for Cyber Hardening of Power Grids,” involves developing artificial intelligence techniques and analytics that identify attacks in real-time and creating intelligent controllers to enhance the bulk power system’s attack resiliency. The team will then validate and test the tools in collaboration with utility and industry partners.

FIU Awarded $2 Million to Develop Artificial Intelligence Cybersecurity Tools2022-06-15T12:54:09-04:00

Episode 25: Vice Admiral Mike McConnell – the former NSA director, an elite storyteller whose life resembles a Grisham novel, and an appreciator of formaldehyde-free beer

Vice Admiral Mike McConnell - the former NSA director, an elite storyteller whose life resembles a Grisham novel, and an appreciator of formaldehyde-free beer

Vice Admiral Mike McConnell is the former director of the National Security Agency (NSA) and the current Executive Director of Cyber Florida. In this two-part episode, VADM McConnell stuns the No Password Required team to silence with stories of his life, which just so happens to resemble a riveting Grisham novel. A few highlights include the reason he refuses to drink cheap beer (or formaldehyde), some iconic moments during his time at the NSA, and more. Ernie, Jack, and Pablo break down the Strengthening Cybersecurity Act and the biggest commitment one can make: cowboy boots. In the Technologue segment, Pablo discusses the importance of cloud vulnerability evolution.

Episode 25: Vice Admiral Mike McConnell – the former NSA director, an elite storyteller whose life resembles a Grisham novel, and an appreciator of formaldehyde-free beer2022-06-07T13:29:06-04:00

BONUS Episode 25: Vice Admiral Mike McConnell – the former NSA director, an elite storyteller whose life resembles a Grisham novel, and an appreciator of formaldehyde-free beer

Vice Admiral Mike McConnell - the former NSA director, an elite storyteller whose life resembles a Grisham novel, and an appreciator of formaldehyde-free beer

Vice Admiral Mike McConnell is the former director of the National Security Agency (NSA) and the current Executive Director of Cyber Florida. In this two-part episode, VADM McConnell stuns the No Password Required team to silence with stories of his life, which just so happens to resemble a riveting Grisham novel. A few highlights include the reason he refuses to drink cheap beer (or formaldehyde), some iconic moments during his time at the NSA, and more. Ernie, Jack, and Pablo break down the Strengthening Cybersecurity Act and the biggest commitment one can make: cowboy boots. In the Technologue segment, Pablo discusses the importance of cloud vulnerability evolution.

BONUS Episode 25: Vice Admiral Mike McConnell – the former NSA director, an elite storyteller whose life resembles a Grisham novel, and an appreciator of formaldehyde-free beer2022-06-07T13:29:58-04:00

Microsoft Releases Workaround for Zero-Day Flaw

I. Targeted Entities

  • Microsoft Office users

II. Introduction

Microsoft has recently established a workaround for a zero-day vulnerability, known as Follina, for Microsoft Office applications, such as Word, after being originally identified back in April. This vulnerability is a remote control execution (RCE) flaw, and if successfully exploited, threat actors have the ability to install programs, view, change, or delete data on targeted systems. The RCE is associated with the Microsoft Support Diagnostic Tool (MSDT) which, ironically, collects information about bugs in the company’s products and reports them to Microsoft Support.

III. Background Information

Microsoft explained that “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word…An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application”.[1] The workaround comes about six weeks after the vulnerability was first seen by researchers from Shadow Chaser Group on April 12th and reported to Microsoft on April 21st. The vulnerability was noticed in a bachelor’s thesis from August 2020, with attackers seemingly targeting Russian users.[2] A Malwarebytes Threat Intelligence analyst also found the flaw back in April but could not fully identify it. The company posted a tweet on the same day, April 12th.[2]

At first, when the flaw was first reported, Microsoft did not consider the flaw an issue. But now, it is clear that the vulnerability should be taken seriously, with Japanese security vendor Nao Sec tweeting a fresh warning, noting that the vulnerability was targeting users in Belarus. Security researcher Kevin Beaumont called the vulnerability Follina; the name comes from the zero-day code references to the Italy-based area code of Follina (0438).[2]

There is no fix for the flaw, but Microsoft recommends that affected users disable the MSDT URL to rectify the flaw for now. Disabling the MSDT URL, “prevents troubleshooters being launched as links including links throughout the operating system.”[2] To disable the MSDT URL, users should follow these steps:

  1. Run Command Prompt as Administrator
  2. Back up the registry key by executing the command “reg export HKEY_CLASSES_ROOTms-msdt filename
  3. Execute the command “reg delete HKEY_CLASSES_ROOTms-msdt /f” [2]

Microsoft says that the troubleshooters can still be accessed using the Get Help application and by using the system settings. Microsoft also says that if the calling application is an Office program, Office will open the document in Protected View and Application Guard for Office, which Microsoft says will “prevent the current attack.” However, Beaumont refuted that assurance in his analysis of the bug.[2] Microsoft also plans on updating CVE-2022-3019 with further information but did not specify when it would do so.[2]

Meanwhile, the unpatched flaw poses a significant threat. One reason is that the flaw affects a large number of people, given that it exists in all currently supported Windows versions and can be exploited via Office versions 2013-2019, Office 2021, Office 365, and Office ProPlus.[2] Another reason is that the flaw poses a major threat in its execution without action from the end-user. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious code payload.[2] Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks.[2]

Researchers say that this flaw is similar to last year’s zero-click MSHTML bug (CVE-2021-40444), which was pummeled by attackers, including the Ryuk ransomware gang. In fact, threat actors already pounced on this vulnerability. Proofpoint Threat Insight tweeted that threat actors were using the vulnerability to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration. Moreover, the workaround Microsoft currently offers itself has issues and won’t provide much of a long-term fix. It is not friendly for admins because the workaround requires users to change their Windows Registry, says Aviv Grafti, CTO and founder of Votiro.[2]

IV. MITRE ATT&CK

  • T1219 – Remote Access Software
    An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
  • T1218 – System Binary Proxy Execution
    Threat actors bypass signature-based defects by proxying the execution of malicious content with signed, or trusted binaries. This technique often involves Microsoft-signed files, which indicates that the binaries were either downloaded from Microsoft or already native to the operating system.
  • T1221 – Template Injection
    Threat actors create or modify references in user document templates to conceal malicious code or force authentication attempts.
  • T1566 – Phishing
    Adversaries may utilize methods like phishing that involve social engineering techniques, such as posing as a trusted source.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Disable Microsoft Support Diagnostic Tool
    Microsoft recommends the affected users disable the MSDT URL to mitigate this vulnerability, as no patch yet exists for the flaw.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because the HTTP GET request headers are out of order when compared to “typical” patterns, a custom-developed DDoS attack tool is assumed to be used, and it is possible that the values might change between campaigns. As such, Larry Cashdollar, a researcher at Akamai, says that writing signatures for these patterns may not benefit defenders from an IOC standpoint. More information can be found at the link below:

https://www.akamai.com/blog/security/revil-resurgence-or-copycat

VII. References

(1) Microsoft Security Response Center, ed. “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.” Microsoft Security Response Center, May 30, 2022. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/.

(2) Montalbano, Elizabeth. “Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack.” Threatpost English Global, June 1, 2022. https://threatpost.com/microsoft-workaround-0day-attack/179776/.Threat Advisory created by the Cyber Florida Security Operations Center.

Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

Microsoft Releases Workaround for Zero-Day Flaw2024-07-11T11:37:04-04:00

CONTACT US

Cyber Florida at USF
4202 E. Fowler Avenue, ISA7020
Tampa, FL 33620

Office meetings by appointment only

PRIVACY POLICY

Copyright 2024 The Florida Center for Cybersecurity at the University of South Florida. Information on this website is made available for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney or cybersecurity professional with sufficient expertise necessary to address your specific needs. Use of this website does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.