
Date: 5/31/2022

Google Discloses Zero-Click Zoom Bugs Allowing Code Execution with No User Interaction

Overview

Google has disclosed a set of six vulnerabilities affecting Zoom chat that can be chained together for man-in-the-middle (MitM) and remote code execution (RCE) attacks simply by sending a chat message; no further user interaction is required.

Potential Impact

Google’s Project Zero uncovered an attack path that allows an adversary to silently force a victim’s client to connect to a man-in-the-middle (MitM) server, with no user action needed. From there, the attacker can intercept and modify the client’s update requests and responses in order to serve the victim a malicious update, which is downloaded and executed automatically.

Recommended Actions

There are six vulnerabilities in this grouping. Four are Zoom-specific and are fixed in version 5.10.4 of the Zoom client:

  • CVE-2022-22784 (improper XML parsing)
  • CVE-2022-22785 (improperly constrained session cookies)
  • CVE-2022-22786 (update package downgrade)
  • CVE-2022-22787 (insufficient hostname validation)

Note that the other two (CVE-2022-25235, CVE-2022-25236) affect the Expat XML parser, an open-source library used in many other products, including ones from Aruba, F5, IBM and Oracle, as well as the Red Hat Linux distribution. Both are fixed in Expat version 2.4.5. Other platforms in your environment may embed Expat, or other parts of this chain, without having been identified yet; inventory them and check their versions.

Additional Mitigations

Operationalize application security and embed it in your DevOps pipeline. Scan dependencies and libraries often and review logs regularly. Adopt a patch management process, adhere to it consistently, and build out a security toolkit. If you need assistance with your security toolkit, please contact your GreyCastle Security virtual Chief Information Security Officer or your GreyCastle Security Solutions Advisor for help.

Sources
https://www.darkreading.com/application-security/zero-click-zoom-bug-allows-remote-code-execution-by-sending-a-message
https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

Frappo “Phishing-as-a-Service”

Overview

Security firm Resecurity and its HUNTER unit identified a new underground service called “Frappo”, available on the Dark Web. “Frappo” is a Phishing-as-a-Service offering that lets cybercriminals generate and host high-quality phishing pages impersonating major online banks, e-commerce sites, popular retailers and online services in order to steal customer data.

The platform was built by cybercriminals to support spam campaigns that distribute professional-looking phishing content. “Frappo” is actively advertised on the Dark Web and on Telegram, where its group has over 1,965 active members; there, cybercriminals discuss how successful they have been at attacking the customers of various online services.

Potential Impact

“Frappo” lets cybercriminals work with stolen data anonymously and in encrypted form. It provides anonymous billing, technical support, updates, and tracking of collected credentials via a dashboard. “Frappo” was initially designed as an anonymous cryptocurrency wallet based on a fork of MetaMask; it remains fully anonymous and does not require a threat actor to register an account.

The service provides phishing pages for over 20 financial institutions (FIs), online retailers and popular services – including Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi and Bank of America.

The authors of “Frappo” offer several payment plans depending on the chosen subscription duration. Much like SaaS platforms for legitimate businesses, “Frappo” lets cybercriminals minimize the cost of developing phishing kits and run the same kits at larger scale.

Notably, deployment of phishing pages is fully automated: “Frappo” uses a pre-configured Docker container and a secure channel through which compromised credentials are collected via an API.

General Recommended Actions

Growing awareness of, and faster response to, phishing and ransomware has pushed threat actors to iterate on their tactics, techniques and procedures (TTPs) for both payloads and delivery campaigns. This persistence shows that a purely technological focus, acquiring, deploying and tuning security solutions, is not enough. Without a phishing defense strategy, organizations are exposed not only to the large volume of phishing emails used to deliver ransomware, but also to the less conspicuous emails that deliver the same malware families that have been in use for years.

By preparing for these phishing attacks, users can be empowered to act both as “human sensors” for spotting phishing and as partners in stopping threat actors from gaining a foothold in the organization.

Organizations should implement a strong security awareness program that will help users to make better decisions about the content they receive through email, on what they view or click in social media, how they access the web, and so forth. It is essential to sufficiently invest in employee training so that the “human firewall” can provide an adequate first line of defense against increasingly sophisticated phishing and ransomware.

Furthermore, organizations should regularly test their employees to determine whether their security awareness training is effective. Those tests should trigger an action plan and measure the organization’s successes and failures. As far as business email compromise is concerned, organizations should create communication “backchannels” for executives and other key staff who might be targeted by these types of attacks.

Awareness programs such as those performed by GreyCastle Security offer highly customizable simulation and response components that are generally more effective than merely walking users through theory without any practice.

Sources
https://resecurity.com/blog/article/welcome-frappo-the-new-phishing-as-a-service-used-by-cybercriminals-to-attack-customers-of-major-financial-institutions-and-online-retailers
https://www.duocircle.com/announcements/cyber-security-news-update-week-20-of-2022

Linux-Specific Malware Gaining a Significant Footprint Alongside Trojan Malware

Overview

Linux-specific malware is on the rise and becoming increasingly sophisticated. Security company Intezer has tracked growing volumes of malware targeting Linux operating systems from 2020 to 2022, particularly ransomware, banking trojans and botnets. Linux-specific ransomware almost tripled over that period, while the Linux trojan footprint doubled.

Potential Impact

Increasingly sophisticated Linux malware has become a major problem for organizations that rely on Linux operating systems. These new, purpose-built strains of ransomware and trojans pose a much greater risk of compromise than before.

Recommended Actions

All is not lost, however: organizations can watch for a handful of things to help prevent Linux compromise.

  • First, be aware that most Linux ransomware targets virtualization platforms such as VMware products. It is critical to keep virtualization products up to date and patched.
  • Second, container platforms such as Kubernetes and Docker are becoming highly targeted assets for adversaries. Active monitoring of these products should be a priority.
  • IoT-targeting malware such as XorDDoS, Mirai and Mozi is expanding its footprint in the IoT space, together accounting for 22% of all IoT malware.
  • State-sponsored APT attacks against Linux environments are increasing. The Russian APT group Sandworm has been attributed high-profile attacks against agencies in the UK and U.S.
  • Windows Subsystem for Linux (WSL) gives Linux malware a new path to execute on Windows machines. Endpoint Detection and Response (EDR) products are more important than ever for monitoring and defending Windows machines, not only against Windows malware but now also against Linux variants running under WSL.

Sources
https://www.csoonline.com/article/3662151/linux-malware-is-on-the-rise-6-types-of-attacks-to-look-for.html#tk.rss_all?&web_view=true
https://www.ibm.com/downloads/cas/ADLMYLAZ

Red Canary Reports Rising ChromeLoader Infections on Windows and Mac Machines

Overview

Researchers from RedCanary report that infections by ChromeLoader, a browser hijacker, have been on the rise over the past several months. 

Potential Impact

ChromeLoader infects both Windows and Mac machines and has been used to install browser extensions whose effects range from browser redirection, to “malvertising”, to credential theft. These activities are often tactics used by attackers.

Recommended Actions

ChromeLoader spreads by tricking users into downloading an ISO (Windows) or DMG (macOS) file which, once mounted, runs PowerShell or Bash code to perform malicious activity. Firewall content filtering should be configured to restrict downloads to the file types required for business purposes. Security software can also alert on code that runs with suspicious characteristics. Threat hunting efforts should take the following into account:

  • PowerShell or Bash code running with a browser as the parent process.
  • Use of PowerShell encoded commands (-EncodedCommand) should always be explained; alerting on them is part of an effective threat hunting effort.
  • For ChromeLoader detection, Red Canary specifically recommends alerting on “PowerShell spawning chrome.exe containing load-extension and AppDataLocal within the command line”.
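
The hunting logic above, implemented as an added example for this briefing (it is not Red Canary's or GreyCastle's code) over constructed process-creation events. It assumes telemetry normalised to dicts with `parent`, `image` and `cmdline` keys, as a Sysmon Event ID 1 or EDR export would yield after field mapping; the hosts, users and paths in the sample events are hypothetical. It checks the quoted Red Canary rule and also decodes any `-EncodedCommand` argument (PowerShell accepts any prefix of that flag, so `-e`, `-ec` and `-enc` are all matched) so an analyst sees what was actually run.

```python
"""Hunt for ChromeLoader-style process activity in process-creation telemetry.

Added example for this briefing; not Red Canary's or GreyCastle's code.
Assumes events normalised to dicts with 'parent', 'image' and 'cmdline' keys.
The events below are constructed for illustration.
"""
import base64
import ntpath
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so match every prefix, longest first, followed by a base64 token.
_ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](" + "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
    + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def _basename(path):
    return ntpath.basename(path).lower()


def is_chromeloader_extension_load(event):
    """The detection quoted in the briefing: PowerShell spawning chrome.exe with
    --load-extension and an AppData\\Local path on the command line."""
    cmd = event["cmdline"].lower()
    return (
        _basename(event["parent"]) in ("powershell.exe", "pwsh.exe")
        and _basename(event["image"]) == "chrome.exe"
        and "load-extension" in cmd
        and "appdata\\local" in cmd
    )


def extract_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def hunt(events):
    """Return (event index, reason) for every event worth an analyst's attention."""
    findings = []
    for i, ev in enumerate(events):
        if is_chromeloader_extension_load(ev):
            findings.append((i, "PowerShell -> chrome.exe --load-extension under AppData\\Local"))
        decoded = extract_encoded_command(ev["cmdline"])
        if decoded is not None:
            findings.append((i, "encoded PowerShell command: " + decoded))
    return findings


# Constructed sample telemetry (hypothetical hosts, users and paths).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_PLAINTEXT = r'Start-Process "chrome.exe" --load-extension="C:\Users\alice\AppData\Local\ChromeExt"'
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # ChromeLoader pattern: PowerShell launches Chrome with a sideloaded extension.
    {"parent": PS, "image": CHROME,
     "cmdline": f'"{CHROME}" --load-extension="C:\\Users\\alice\\AppData\\Local\\ChromeExt" --no-first-run'},
    # Benign: user opens Chrome from the desktop.
    {"parent": r"C:\Windows\explorer.exe", "image": CHROME,
     "cmdline": f'"{CHROME}" --profile-directory=Default https://intranet.example'},
    # Hidden, encoded PowerShell launched from Explorer (e.g. a shortcut on a mounted ISO).
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": f"powershell.exe -w hidden -enc {SAMPLE_B64}"},
    # Benign: an admin script opens a documentation URL; no extension sideload.
    {"parent": PS, "image": CHROME,
     "cmdline": f'"{CHROME}" https://docs.example.internal'},
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run against real telemetry, the fourth sample event is the one to keep in mind: PowerShell launching Chrome is common in admin scripting, so the rule needs both the `--load-extension` switch and the `AppData\Local` path to stay quiet on benign activity, which is exactly how Red Canary phrased it.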

Sources
https://redcanary.com/blog/chromeloader/
https://threatpost.com/chromeloader-hijacker-threats/179761/

Microsoft Office Zero-Day Vulnerability (CVE-2022-30190) Allows Remote Code Execution

Overview

A zero-day vulnerability in Microsoft Office (CVE-2022-30190) has been discovered that can be abused to achieve remote code execution on affected systems. It leverages Microsoft Word’s external link function to load a malicious file from a remote server and then executes the payload through the “ms-msdt” URL protocol (Microsoft Support Diagnostic Tool). The vulnerability has been dubbed “Follina”.

Potential Impact

Malicious code can still be executed even when macros are disabled. Protected View may still prevent execution; however, if the malicious document is converted to RTF, the code can run without the document even being opened, via the preview pane in Windows Explorer.

Recommended Actions

Multiple Office versions, such as Office 2016 and 2021, are affected, and other versions are likely vulnerable as well. Microsoft has released workarounds for the vulnerability, including disabling the MSDT URL protocol. RTF attachments should also be blocked where their use is not necessary.
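
A mail-gateway or IR triage check for the delivery pattern described above, written as an added example for this briefing (it is not Microsoft's code nor from the cited write-ups). It inspects the relationship parts of a Word package for an external HTTP(S) object link, the “external link function” the Overview refers to, and scans fetched content for the `ms-msdt:` scheme. The sample package and HTML are constructed in memory, carry no working payload, and use the placeholder host `attacker.invalid`; the part names and relationship type URIs are the standard OOXML ones.

```python
"""Triage Office documents and fetched HTML for the Follina (CVE-2022-30190) pattern.

Added example for this briefing, not code from Microsoft or the cited write-ups.
Sample inputs are constructed in memory and contain no working payload.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
_MSDT = re.compile(r"ms-msdt:", re.IGNORECASE)
_REMOTE = re.compile(r"https?://", re.IGNORECASE)


def external_links(docx_bytes):
    """Return (part, relationship type, target) for every relationship in the
    Word package that points at a remote HTTP(S) resource. A legitimate .docx
    rarely carries an external oleObject relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and _REMOTE.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


def references_msdt(html):
    """True if fetched content tries to hand a URL to the MSDT protocol handler."""
    return _MSDT.search(html) is not None


def assess_docx(docx_bytes):
    """Verdict lines: 'block' for an external oleObject link, 'review' for any
    other external link or an unreadable package, empty list when clean."""
    try:
        links = external_links(docx_bytes)
    except (zipfile.BadZipFile, ET.ParseError) as exc:
        return [f"review: unreadable package ({exc.__class__.__name__})"]
    verdicts = []
    for part, rel_type, target in links:
        level = "block" if rel_type == "oleObject" else "review"
        verdicts.append(f"{level}: {part} has external {rel_type} link to {target}")
    return verdicts


def build_sample_docx(external_target=None):
    """Constructed, minimal Word package holding only the relationship part this
    check reads (a real .docx carries many more parts)."""
    rels = [f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    body = "".join(rels)
    xml = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           f'<Relationships xmlns="{RELS_NS}">{body}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()


SAMPLE_TARGET = "http://attacker.invalid/index.html"  # placeholder host
SAMPLE_MALICIOUS_DOCX = build_sample_docx(SAMPLE_TARGET)
SAMPLE_CLEAN_DOCX = build_sample_docx()
# Constructed stand-in for the remote page; only the scheme matters for this check.
SAMPLE_HTML = '<script>window.location.href = "ms-msdt:/id EXAMPLE";</script>'

if __name__ == "__main__":
    print(assess_docx(SAMPLE_MALICIOUS_DOCX) or ["clean"])
    print("fetched HTML invokes ms-msdt:", references_msdt(SAMPLE_HTML))
```

The document check works offline and does not fetch the remote target, which is deliberate: fetching it would signal to the attacker that the lure reached a victim. Note that this catches the .docx form of the delivery; the RTF variant mentioned above needs a separate check on the RTF object stream, and neither replaces applying Microsoft's MSDT workaround.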

Sources
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html
https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html

For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

For non-strategic clients, please reach out to your Advisor for further discussion.
