Episode 50: March 20 2023
Links
https://heimdalsecurity.com/blog/microsoft-outlook-vulnerability/
https://cyware.com/news/hackers-use-ai-generated-youtube-videos-to-spread-info-stealers-8eefc3f6
Google Pixel flaw allowed recovery of redacted, cropped images.
- Google Pixel’s built-in image editor, Markup tool, had a vulnerability called “Acropalypse”
- The vulnerability allowed partially recovered edited or redacted images, even cropped or masked, for the past five years.
- The vulnerability was discovered by security researchers Simon Aarons and David Buchanan and reported on Twitter.
- The vulnerability was fixed by Google in an update released on March 13, 2023, tracking it as CVE-2023-21036.
- Unfortunately, any images shared in the past five years are vulnerable to the Acropalypse attack, and nothing can be done to remediate this.
- The vulnerability could expose sensitive information that the image creator redacted using Pixel’s Markup tool before sharing the media with others or posting it online.
- This applies to posting on platforms that do not compress user-uploaded media, so the sensitive data, if it exists, remains intact.
- The issue impacts all Pixel models running Android 9 Pie and later until the February 2023 security update.
- Acropalypse could impact non-Pixel smartphones using third-party Android distributions that use the Markup tool for screenshot/image editing.
- A similar issue with reversible cropping was recently discovered on Google Docs.
Actively Exploited Microsoft Outlook Vulnerability Imperils Microsoft 365 Apps
- Story
- The cyber-research community has raised concerns over a vulnerability that puts the Microsoft 365 suite at risk.
- The vulnerability, earmarked CVE-2023-23397, allows an unauthenticated threat actor to obtain the user’s credentials by passing along a crafted email package.
- The bug affects several applications from the Microsoft 365 Apps Enterprise stack, including MS Office 2019, 2016, 2013, and LTSC.
- The vulnerability itself does not require user interaction and has a high ‘wormability’ factor.
- The method involves the involuntary disclosure of the victim’s Net-NTLM v.2 hash, which results in the threat actor declining their identity with the stolen credentials via an ancillary Windows service.
- The vulnerability has a CVSS 3.1.9.8 score of 9.1 (i.e., Critical).
- Microsoft has released an official fix for the vulnerability.
- More than 70% of Heimdal® customers have already deployed Microsoft’s official fix for CVE-2023-23397, and more than 92% of customers that have enabled the Patch & Asset Management automatic patching feature have deployed the official fix during the same timeframe.
- Remediation
- Disable WebClient Service.
- This workaround will help you block any type of WebDAV attack attempt. However, bear in mind that this can severely impact both users and applications. To disable the WebClient service, please follow the steps below.
- Bypass NTLM
- The safest route to mitigate the Microsoft Outlook vulnerability is to prevent apps or users to leverage the NTLM authentication mechanism. To perform this action, you can add your users and administrators under the Protected Users Security Group. Refer to Microsoft’s documentation for additional information.
- Block NTML Messaging for Remote File Shares
- Another method to prevent this type of Pass-the-Hash attack without disabling NTML or WebClient would be to block all types of NTML Communication to and from remote file shares. This can be done by blocking the TCP 445/SMB outbound port in your firewall.
- Disable WebClient Service.
Emotet malware now distributed in Microsoft OneNote files to evade defenses
- Story
- Emotet malware historically distributed through Microsoft Word and Excel attachments that contain malicious macros.
- Emotet malware steals email contacts and content, downloads other payloads, and conducts cyberattacks against the company.
- Emotet botnet had stopped for three months and restarted with a flawed campaign that continued to use Word and Excel documents with macros.
- Emotet now distributes malware using malicious Microsoft OneNote attachments, which are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.
- Microsoft OneNote allows you to create documents that contain design elements that overlay an embedded document, and Emotet threat actors have hidden a malicious VBScript file called ‘click.wsf’ underneath the “View” button.
- If the user clicks on the OK button, the embedded click.wsf VBScript file will be executed and download the Emotet malware as a DLL and store it in the Temp folder.
- Emotet will steal email, contacts, and await further commands from the command and control server.
- Emotet commonly leads to Cobalt Strike or other malware being installed.
- Remediation
- Microsoft will be adding improved protections in OneNote against phishing documents, but there is no specific timeline for when this will be available to everyone.
- Windows admins can configure group policies to protect against malicious Microsoft OneNote files.
- Admins can use these group policies to either block embedded files in Microsoft OneNote altogether or allow you to specify specific file extensions that should be blocked from running.
Hackers Use AI-Generated YouTube Videos to Spread Info-steals
- Hackers are using AI-generated YouTube videos to distribute info-stealing malware such as Raccoon, RedLine, and Vidar. The videos lure users by pretending to be tutorials on how to download free or cracked versions of software, such as Adobe Photoshop, Premiere Pro, Autodesk 3ds Max, and AutoCAD, which are only available to paid users.
- What’s happening?
- CloudSEK researchers observed a 200–300% month-on-month increase in such videos containing links to stealer malware in the description section.
- Hackers often obfuscate such links either using URL shorteners such as bit[.]ly and cutt[.]ly, or file hosting platforms such as Discord, GitHub, Google Drive, MediaFire, and Telegram’s Telegra[.]ph.
- Some links directly download the malicious zip file as well.
- To make the videos appear at the top of the results, threat actors employ SEO poisoning techniques.
- Hijacking top accounts
- Hackers leverage previous data leaks and social engineering to take over popular legitimate YouTube accounts to reach a large audience in a short time span.
- They feature AI-generated personas in videos, share screen recordings, and audio walkthroughs that come off as trustworthy to users and mislead them into downloading the cracked software.
- Moreover, to evade YouTube’s algorithm and review process, threat actors use region-specific tags, write fake comments with automated processes to add legitimacy, and continuously upload videos to keep up with takedowns.
- Conclusion
- This is a worrying trend, given that YouTube has more than 2.6 billion active monthly users, and not everyone on the platform is well-versed in ways to protect themselves from such tricks. Organizations are recommended to conduct awareness campaigns and implement adaptive threat monitoring to address constantly changing threats. Users are suggested to enable multi-factor authentication and refrain from installing files from unverified sources.