Sarina

I. Targeted Entities

• Microsoft Office users

II. Introduction

Microsoft has recently established a workaround for a zero-day vulnerability, known as Follina, for Microsoft Office applications, such as Word, after being originally identified back in April. This vulnerability is a remote control execution (RCE) flaw, and if successfully exploited, threat actors have the ability to install programs, view, change, or delete data on targeted systems. The RCE is associated with the Microsoft Support Diagnostic Tool (MSDT) which, ironically, collects information about bugs in the company’s products and reports them to Microsoft Support.

III. Background Information

Microsoft explained that “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word…An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application”.[1] The workaround comes about six weeks after the vulnerability was first seen by researchers from Shadow Chaser Group on April 12^th and reported to Microsoft on April 21^st. The vulnerability was noticed in a bachelor’s thesis from August 2020, with attackers seemingly targeting Russian users.[2] A Malwarebytes Threat Intelligence analyst also found the flaw back in April but could not fully identify it. The company posted a tweet on the same day, April 12^th.[2]

At first, when the flaw was first reported, Microsoft did not consider the flaw an issue. But now, it is clear that the vulnerability should be taken seriously, with Japanese security vendor Nao Sec tweeting a fresh warning, noting that the vulnerability was targeting users in Belarus. Security researcher Kevin Beaumont called the vulnerability Follina; the name comes from the zero-day code references to the Italy-based area code of Follina (0438).[2]

There is no fix for the flaw, but Microsoft recommends that affected users disable the MSDT URL to rectify the flaw for now. Disabling the MSDT URL, “prevents troubleshooters being launched as links including links throughout the operating system.”[2] To disable the MSDT URL, users should follow these steps:

1. Run Command Prompt as Administrator
2. Back up the registry key by executing the command “reg export HKEY_CLASSES_ROOTms-msdt filename”
3. Execute the command “reg delete HKEY_CLASSES_ROOTms-msdt /f” [2]

Microsoft says that the troubleshooters can still be accessed using the Get Help application and by using the system settings. Microsoft also says that if the calling application is an Office program, Office will open the document in Protected View and Application Guard for Office, which Microsoft says will “prevent the current attack.” However, Beaumont refuted that assurance in his analysis of the bug.[2] Microsoft also plans on updating CVE-2022-3019 with further information but did not specify when it would do so.[2]

Meanwhile, the unpatched flaw poses a significant threat. One reason is that the flaw affects a large number of people, given that it exists in all currently supported Windows versions and can be exploited via Office versions 2013-2019, Office 2021, Office 365, and Office ProPlus.[2] Another reason is that the flaw poses a major threat in its execution without action from the end-user. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious code payload.[2] Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks.[2]

Researchers say that this flaw is similar to last year’s zero-click MSHTML bug (CVE-2021-40444), which was pummeled by attackers, including the Ryuk ransomware gang. In fact, threat actors already pounced on this vulnerability. Proofpoint Threat Insight tweeted that threat actors were using the vulnerability to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration. Moreover, the workaround Microsoft currently offers itself has issues and won’t provide much of a long-term fix. It is not friendly for admins because the workaround requires users to change their Windows Registry, says Aviv Grafti, CTO and founder of Votiro.[2]

IV. MITRE ATT&CK

• T1219 – Remote Access Software
  An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
• T1218 – System Binary Proxy Execution
  Threat actors bypass signature-based defects by proxying the execution of malicious content with signed, or trusted binaries. This technique often involves Microsoft-signed files, which indicates that the binaries were either downloaded from Microsoft or already native to the operating system.
• T1221 – Template Injection
  Threat actors create or modify references in user document templates to conceal malicious code or force authentication attempts.
• T1566 – Phishing
  Adversaries may utilize methods like phishing that involve social engineering techniques, such as posing as a trusted source.

V. Recommendations

• Phishing Awareness Training
  Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
• Set Antivirus Programs to Conduct Regular Scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
• Disable Microsoft Support Diagnostic Tool
  Microsoft recommends the affected users disable the MSDT URL to mitigate this vulnerability, as no patch yet exists for the flaw.
• Strong Cyber Hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
• Turn on Endpoint Protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because the HTTP GET request headers are out of order when compared to “typical” patterns, a custom-developed DDoS attack tool is assumed to be used, and it is possible that the values might change between campaigns. As such, Larry Cashdollar, a researcher at Akamai, says that writing signatures for these patterns may not benefit defenders from an IOC standpoint. More information can be found at the link below:

https://www.akamai.com/blog/security/revil-resurgence-or-copycat

VII. References

(1) Microsoft Security Response Center, ed. “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.” Microsoft Security Response Center, May 30, 2022. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/.

(2) Montalbano, Elizabeth. “Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack.” Threatpost English Global, June 1, 2022. https://threatpost.com/microsoft-workaround-0day-attack/179776/.Threat Advisory created by the Cyber Florida Security Operations Center.

Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

I. Targeted Entities

• Akami Technologies Incorporated and customers

II. Introduction

A recent denial of service (DDoS) campaign against a hospitality customer of Akamai, a cloud networking provider, and the defunct REvil ransomware gang claiming responsibility for it. It should be noted that researchers believe there is a high probability that the attack is not a resurgence of the infamous cybercriminal group but rather a copycat operation.

III. Background Information

Akamai researchers have been monitoring the DDoS attack since May 12^th, when a customer alerted the company’s Security Incident Response Team (SIRT) of an attempted attack by a group purporting to be REvil. The requests contain demands for payment, a bitcoin wallet, and business/political demands.[1] While the attackers claim to be REvil, it is not clear if the defunct group is responsible for the attacks, given that the attacks seem smaller than previous attacks that the group claimed responsibility for. The apparent political motivation behind the DDoS campaign is also inconsistent with REvil’s M.O.

REvil, which hasn’t been seen since July 2021, was a Russia-based ransomware-as-a-service (RaaS) group well-known for its attacks against Kaseya, JBS Foods, and Apple.[2] The disruptive nature of their attacks caused international authorities to take measures against the group, with Europol arresting a number of cybercriminals in November of 2021.[2] In March 2022, Russia, who up until then had done little to stop REvil’s operations, claimed responsibility for fully toppling the group at the behest of the U.S. government, arresting its individual members. One person arrested was instrumental in helping the ransomware group DarkSide, the group responsible for the Colonial Pipeline attack in May of 2021.[2]

The recent DDoS attack, which would be a shift in strategy for REvil, was comprised of a HTTP GET request in which the request path contained a message to the target containing a 554-byte message demanding payment. The victim was directed to send the bitcoin payment to a wallet address that “currently has no history and is not tied to any previously known bitcoin.”[2] The attack also has an additional geospecific demand that requested the targeted company to cease business operations across an entire country. The attackers threatened to launch follow-up attacks that would affect global business operations if the demand was not met and the ransom not paid in a specific amount of time.[2]

There is a precedent for REvil using DDos in its previous attacks, but it does not appear that this attack is the work of REvil. REvil’s M.O. was to gain access to a target network or organization and encrypt or steal sensitive data, demanding payment to decrypt or prevent information leakage to the highest bidders or threatening public disclosure of sensitive or damaging information. The technique in this attack is different from their normal strategy. The political motivation tied to the attack, which is linked to a legal ruling about the targeted company’s business model, also goes against REvil’s normal tactics, with leaders in the past saying that they were purely profit-driven.[2] However, it is possible that REvil is seeking a resurgence by trying out a new business model of DDoS extortion. However, what is more likely is cybercriminals using the name of a notorious cybercriminal group to frighten the targeted organization into meeting their demands.[2]

IV. MITRE ATT&CK

• T1498– Network Denial of Service
  This type of attack involves the adversary blocking the availability of targeted resources to users of a system. In this case, the adversary exhausted the network bandwidth that Akamai customers relied on and demanded payment to end this attack.

V. Recommendations

• Phishing Awareness Training
  Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
• Set Antivirus Programs to Conduct Regular Scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
• Monitor Malware
  Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
• Strong Cyber Hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
• Turn on Endpoint Protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because the HTTP GET request headers are out of order when compared to “typical” patterns, a custom-developed DDoS attack tool is assumed to be used, and it is possible that the values might change between campaigns. As such, Larry Cashdollar, a researcher at Akamai, says that writing signatures for these patterns may not benefit defenders from an IOC standpoint. More information can be found at the link below:

https://www.akamai.com/blog/security/revil-resurgence-or-copycat

VII. References

(1) Cashdollar, Larry. “REvil Resurgence? Or a Copycat?” Akamai Blog. Akamai Technologies, May 25, 2022. https://www.akamai.com/blog/security/revil-resurgence-or-copycat.

(2) Montalbano, Elizabeth. “Cybergang Claims Revil Is Back, Executes DDoS Attacks.” Threatpost English Global, May 26, 2022. https://threatpost.com/cybergang-claims-revil-is-back-executes-ddos-attacks/179734/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

I. Targeted Entities

• iPhone users

II. Introduction

New attacks have been discovered on iPhones that can be executed despite the device being turned off. This is a direct result of how Apple implements wireless features in iPhones such as Bluetooth, Near Field Communications (NFC), and Ultra-wideband (UWB) technologies. These features remain active on iPhones when powered down, which makes attack scenarios, such as loading malware on an iPhone’s Bluetooth chip to be executed while powered off, possible.

III. Background Information

The features previously mentioned have access to the iPhone’s Secure Element (SE) which stores sensitive information, even when the iPhone is shut off, according to a team of researchers from Germany’s Technical University of Darmstadt.[1] Because of this, malware is able to be loaded onto a Bluetooth chip that is executed while the iPhone is off (Germans). By attacking these wireless features, cybercriminals can access secure information, including a user’s credit card data, banking details, and even digital car keys on the iPhone.[2] Although this threat is ever-present, exploiting the threat is not so easy, with the threat actors still having to load the malware when the iPhone is on for later execution when the iPhone is off. This would require system-level access or remote code execution (RCE).[3]

The researchers at Germany’s Technical University of Darmstadt say that the cause of the issue is the low power mode (LPM) for wireless chips on iPhones. The LPM issue is caused when the user turns off their iPhone or when iOS shuts down automatically due to low battery. The researchers say that this is different than the power-saving feature that can be enabled by the user in the Settings app or

the Control Center. Because LMP is based on the iPhone’s hardware, and a solution cannot be patched via software, “wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”[1]

Researchers analyzed the security of LPM features in a layered approach, observing the impact of the feature on application-, firmware-, and hardware-level security. A potential threat scenario that the researchers outlined on the iPhone’s firmware assumes that an attacker either has system-level access or can gain RCE using a known Bluetooth vulnerability.[2] In this attack, a threat actor with system-level access could modify firmware of any component that supports LPM. This way, they maintain limited control of the iPhone, even when the user turns the iPhone off.[3] Even if all firmware would be protected against manipulation, an attacker with system-level access could still send custom commands to chips that allow for “very fine-grained configuration, including advertisement rotation intervals and contents.” This could allow an attacker to create settings that would allow them to locate a user’s device with higher accuracy than the legitimate user in the Find My app, for example. [4]

The researchers reported their research to Apple, which did not provide feedback on the issues raised. A potential solution, according to the researchers, is for Apple to add “a hardware-based switch to disconnect the battery” so these wireless elements wouldn’t have power while an iPhone is powered down.[5]

IV. MITRE ATT&CK

• T1204 – User Execution
  Adversaries must have system-level access to iPhones to conduct this kind of attack. Thus, they may attempt to social engineer iPhone users to load malware into their devices to be later executed when powered off.

• T1569 – System Services
  Adversaries that have system-level control over iPhones will be able to execute malware remotely. Having this kind of control would give adversaries the ability to modify firmware that control low power mode, Bluetooth, NFC, and other wireless communication protocols.

• T1644 – Out of Band Data
  Adversaries are capable of executing previously loaded malware on iPhones that have been powered off. Out-of-band data streams, such as Bluetooth and NFC, allow adversaries to execute malware remotely without needing any power from the device’s battery.

V. Recommendations

• Set Antivirus Programs to Conduct Regular Scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
• Monitor Malware
  Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
• Strong Cyber Hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
  Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
• Turn on Endpoint Protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/inzlsmaxpkn72bo64sv5wya7ythbftid

VII. References

(1) Cleafy Labs. “TeaBot Is Now Spreading across the Globe.” Cleafy Labs. Cleafy Labs, January 3, 2022. https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe.

(2) Nelson, Nate. “Teabot Trojan Haunts Google Play Store, Again.” Threatpost English Global, March 2, 2022. https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.