Date: 5/31/2022
Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, simply by sending a message without additional user input.
Google’s Project Zero uncovered an attack path that would allow cyber adversaries to silently force a victim to connect to a man-in-the-middle (MitM) server — no user action needed. From there, attackers can intercept and modify client update requests and responses in order to send the victim a malicious update, which will automatically download and execute.
There are a total of six security vulnerabilities found in this grouping, including four Zoom-specific issues fixed in version 5.10.4 of the Zoom client:
CVE-2022-22784 (improper XML parsing)
CVE-2022-22786 (update package downgrade)
CVE-2022-22787 (insufficient hostname validation)
CVE-2022-22785 (improperly constrained session cookies)
Note that the other two (CVE-2022-25235, CVE-2022-25236) affect the Expat XML parser, which is open source and used in many other applications, including products from Aruba, F5, IBM and Oracle, as well as the Red Hat Linux distribution. These are patched in Expat version 2.4.5. Other platforms in your environment may embed parts of this chain and have not yet been identified.
Operationalize application security and embed it into your DevOps pipeline. Scan libraries often and review logs regularly. Adopt a patch management process, adhere to it strictly, and build out a security toolkit. If you need assistance with your security toolkit, please contact your GreyCastle Security virtual Chief Information Security Officer or your GreyCastle Security Solutions Advisor for help.
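Two of the bug classes above (update downgrade and hostname validation) and the patch advice come down to the same discipline: compare versions numerically and match hostnames exactly. The following Python is an added illustration written for this briefing, not Zoom's or Expat's code; it takes only the fixed versions 5.10.4 and 2.4.5 from the text, while the inventory rows, the update hostname and the helper names are constructed placeholders.

```python
import re

# Fixed versions named in the advisory above (Zoom client 5.10.4, Expat 2.4.5).
FIXED_VERSIONS = {"zoom": "5.10.4", "expat": "2.4.5"}

# Hosts an update client should accept updates from. Placeholder name; the
# real update hostnames are not given in the advisory.
ALLOWED_UPDATE_HOSTS = {"updates.example-vendor.invalid"}


def parse_version(text):
    """Return a comparable tuple of ints from strings such as '5.10.4 (6592)'.
    Tuples compare field by field, so 5.9.10 sorts below 5.10.4, which a plain
    string comparison gets wrong."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare_versions(a, b):
    """-1, 0 or 1 as version a is older than, equal to or newer than b."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))   # pad so 2.4 == 2.4.0
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_patched(product, installed):
    """True when the installed build is at or above the fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[product]) >= 0


def find_unpatched(inventory):
    """inventory: iterable of (host, product, version). Returns the rows
    still below the fixed version for their product."""
    return [(h, p, v) for h, p, v in inventory
            if p in FIXED_VERSIONS and not is_patched(p, v)]


def is_downgrade(installed, offered):
    """An update client should refuse an 'update' older than what is installed."""
    return compare_versions(offered, installed) < 0


def update_host_allowed(hostname):
    """Exact, case-insensitive match against the allow-list. No suffix or
    substring matching, so 'updates.example-vendor.invalid.lookalike.test'
    is rejected even though it starts with the allowed name."""
    return hostname.rstrip(".").lower() in ALLOWED_UPDATE_HOSTS


# Constructed inventory rows, not real hosts.
SAMPLE_INVENTORY = [
    ("laptop-01", "zoom", "5.10.4 (6592)"),
    ("laptop-02", "zoom", "5.9.10"),
    ("build-07", "expat", "2.4.1"),
    ("build-08", "expat", "2.4.5"),
    ("build-09", "expat", "2.4.10"),
]

if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}")
```

Feed `find_unpatched` whatever your asset inventory exports; the point of `parse_version` is that "5.9.10" must sort below "5.10.4", which a string comparison silently gets backwards.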
Sources
https://www.darkreading.com/application-security/zero-click-zoom-bug-allows-remote-code-execution-by-sending-a-message?_mc=NL_DR_EDT_DR_daily_20220526&cid=NL_DR_EDT_DR_daily_20220526&sp_aid=110909&elq_cid=39339294&sp_eh=f230e3ec3a30e1c4dff8dd95bce752ccca2811f8f45fef3bda79f30f68be2763&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Daily_05.26.22&sp_cid=45039&utm_content=DR_NL_Dark%20Reading%20Daily_05.26.22
https://bugs.chromium.org/p/project-zero/issues/detail?id=2254
Cybersecurity organization Resecurity and its HUNTER unit identified a new underground service called “Frappo”, which is available on the Dark Web. “Frappo” acts as a Phishing-as-a-Service and enables cybercriminals to host and generate high-quality phishing pages that impersonate major online banks, e-commerce sites, popular retailers and online services to steal customer data.
The platform was built by cybercriminals to support spam campaigns that distribute professional phishing content. “Frappo” is actively advertised on the Dark Web and on Telegram, where it has a group with over 1,965 active members – there cybercriminals discuss how successful they have been at attacking the customers of various online services.
“Frappo” lets cybercriminals work with stolen data anonymously and in encrypted form. It provides anonymous billing, technical support, updates, and tracking of collected credentials via a dashboard. “Frappo” was initially designed to be an anonymous cryptocurrency wallet based on a fork of Metamask; it is completely anonymous and does not require a threat actor to register an account.
The service provides phishing pages for over 20 financial institutions (FIs), online retailers and popular services – including Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi and Bank of America.
The authors of “Frappo” offer several payment plans for cybercriminals depending on the chosen subscription duration. Like SaaS platforms for legitimate businesses, “Frappo” allows cybercriminals to minimize the cost of developing phishing kits and to reuse them at scale.
Notably, the deployment of phishing pages is fully automated – “Frappo” uses a pre-configured Docker container and a secure channel through which it collects compromised credentials via an API.
Improved awareness of and response to phishing and ransomware has pushed threat actors to iterate on their tactics, techniques, and procedures (TTPs) for both payload and delivery. This persistence shows that a purely technological focus, expressed as acquiring, deploying and tuning security solutions, is not enough. Without a phishing defense strategy, organizations are exposed not only to the many phishing emails used to deliver ransomware, but also to the less conspicuous emails that deliver the same malware families that have been in use for years.
By preparing for these phishing attacks, users can be empowered to act both as “human sensors” who spot phishing attempts and as partners in denying threat actors a foothold in the organization.
Organizations should implement a strong security awareness program that will help users to make better decisions about the content they receive through email, on what they view or click in social media, how they access the web, and so forth. It is essential to sufficiently invest in employee training so that the “human firewall” can provide an adequate first line of defense against increasingly sophisticated phishing and ransomware.
Furthermore, organizations should regularly test their employees to determine whether their security awareness training is effective. Those tests should trigger an action plan and measure the organization’s successes and failures. As far as business email compromise is concerned, organizations should create communication “backchannels” for executives and other key staff who might be targeted by these types of attacks.
Awareness programs such as those performed by GreyCastle Security offer highly customizable simulation and response components that are generally more effective than merely walking users through theory without any practice.
Sources
https://resecurity.com/blog/article/welcome-frappo-the-new-phishing-as-a-service-used-by-cybercriminals-to-attack-customers-of-major-financial-institutions-and-online-retailers
https://www.duocircle.com/announcements/cyber-security-news-update-week-20-of-2022
Linux-specific malware is on the rise and becoming increasingly sophisticated. Security company Intezer has tracked rising malware targeting Linux operating systems from 2020 to 2022, specifically in areas like ransomware, banking trojans, and botnets. Linux-specific ransomware almost tripled over that period, alongside a doubling in trojans.
Increasingly sophisticated Linux malware has created a major problem for organizations running Linux operating systems. These new, uniquely coded strains of ransomware and trojans pose a far greater potential for compromise than before.
All is not lost, however: there are a handful of things organizations can watch for to detect and prevent Linux compromise.
Sources
https://www.csoonline.com/article/3662151/linux-malware-is-on-the-rise-6-types-of-attacks-to-look-for.html#tk.rss_all?&web_view=true
https://www.ibm.com/downloads/cas/ADLMYLAZ
Researchers from RedCanary report that infections by ChromeLoader, a browser hijacker, have been on the rise over the past several months.
ChromeLoader can infect both Windows and Mac machines, and has been used to install browser extensions, the effect of which can range from browser redirection, to “malvertising”, to credential theft. These activities are often tactics used by attackers
ChromeLoader is spread by tricking users into downloading an ISO or DMG file which, when mounted, executes PowerShell or Bash code to perform malicious activities. Firewall content filtering should be configured to restrict downloads only to file types necessary for business purposes. Security software can also be used to alert on code running with certain suspicious aspects. Threat hunting efforts should take the following into account:
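The delivery chain described above (a downloaded ISO or DMG is mounted, then a PowerShell or Bash interpreter runs a script from the mounted volume) is something endpoint telemetry can be correlated on. The Python below is an added example written for this briefing, not Red Canary's or GreyCastle's detection logic: it assumes a simple key=value event format with `mount` and `proc` event kinds (constructed sample lines), a ten-minute correlation window, and a list of "suspicious" PowerShell switches that are my own assumption rather than anything stated in the write-up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one event per line, key=value
# fields, quoted where the value contains spaces. Two event kinds are modelled:
#   kind=mount  a disk image (ISO/DMG) attached and given a mount point
#   kind=proc   a process creation with image path, parent and command line
SAMPLE_EVENTS = [
    r'2022-05-25T10:02:11Z kind=mount host=WS01 image=C:\Users\a\Downloads\setup.iso mountpoint=E:',
    r'2022-05-25T10:02:15Z kind=proc host=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell.exe -w hidden -ep bypass -File E:\install.ps1"',
    r'2022-05-25T10:30:00Z kind=proc host=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell.exe -File C:\scripts\backup.ps1"',
    r'2022-05-25T11:00:00Z kind=mount host=MAC01 image=/Users/b/Downloads/app.dmg mountpoint=/Volumes/app',
    r'2022-05-25T11:00:03Z kind=proc host=MAC01 image=/bin/bash parent=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder cmd="/bin/bash /Volumes/app/.hidden/run.sh"',
    r'2022-05-25T12:00:00Z kind=proc host=MAC01 image=/bin/bash parent=/Applications/iTerm.app/Contents/MacOS/iTerm2 cmd="/bin/bash -c ls"',
]

# Script interpreters whose launch from a freshly mounted image is worth an alert.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}

# Command-line switches that make a PowerShell launch more suspicious
# (assumed indicators, not taken from the Red Canary report).
SUSPICIOUS_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                    "-executionpolicy bypass", "-enc", "-encodedcommand")

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict; the leading token is the timestamp."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for key, quoted, bare in FIELD_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def basename(path):
    """Last path component for either Windows or POSIX paths, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect_image_launched_scripts(lines, window=timedelta(minutes=10)):
    """Correlate mount events with later script-interpreter launches on the same
    host whose command line references the mount point within `window`.
    Returns one alert dict per match."""
    recent_mounts = {}   # host -> list of (mount time, mount point)
    alerts = []
    for event in (parse_event(l) for l in lines):
        host = event["host"]
        if event["kind"] == "mount":
            recent_mounts.setdefault(host, []).append((event["ts"], event["mountpoint"]))
            continue
        if basename(event["image"]) not in SCRIPT_HOSTS:
            continue
        cmd = event.get("cmd", "").lower()
        for mounted_at, mountpoint in recent_mounts.get(host, []):
            if event["ts"] - mounted_at <= window and mountpoint.lower() in cmd:
                alerts.append({
                    "host": host,
                    "ts": event["ts"].isoformat(),
                    "image": event["image"],
                    "parent": event.get("parent", ""),
                    "mountpoint": mountpoint,
                    "flags": [f for f in SUSPICIOUS_FLAGS if f in cmd],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_image_launched_scripts(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the two launches that follow a mount within seconds and reference the mounted path are raised; the later backup script and the interactive shell are not. In a real pipeline the mount-point match should be tightened (a drive letter such as `E:` is a weak token) and the parent process (Explorer or Finder, i.e. a user double-click) is the field worth adding to the rule.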
Sources
https://redcanary.com/blog/chromeloader/
https://threatpost.com/chromeloader-hijacker-threats/179761/
A zero-day vulnerability in Microsoft Office (CVE-2022-30190) was discovered that can be abused to achieve remote code execution on affected systems. The vulnerability abuses Microsoft Word’s external link function to load a malicious file from a remote server and then executes the payload through the “ms-msdt” URL protocol (Microsoft Support Diagnostic Tool). This vulnerability has been dubbed “Follina”.
Malicious code can still be executed even when macros are disabled. Protected View may still prevent execution; however, if the malicious document is converted to RTF form, the code can run without the document even being opened (via the preview pane in Explorer).
Multiple Office versions, such as Office 2016 and 2021, are affected, and other versions are likely vulnerable as well. Microsoft has released workarounds for the vulnerability, which include disabling the MSDT URL protocol. RTF attachments should also be blocked if they are not needed.
Sources
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html
https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html
For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.
For non-strategic clients, please reach out to your Advisor for further discussion.
Copyright © 2023 GreyCastle Security. All Rights Reserved