News I spotted – 29/07/2019

I have spotted some news that I thought was interesting. I keep losing the news in the timelines on Twitter, so I’m posting them here.

Operation LagTime IT

A suspected nation-state threat actor, attributed to the Chinese APT group TA428, has been targeting East Asian governments. There is nothing new in an APT attacking governments, but I thought the method was worth putting out there, as they were using a malicious RTF document:

  • An email is received with a malicious RTF attached.
  • The sender is usually a Yahoo account and the subject line relates to training courses.
  • The RTF attachment exploits a vulnerability in the Microsoft Equation Editor (LINK to CVE).
  • This drops a PE file onto the target computer.
  • It also adds a .wll Word Add-In file to the Word Start-up directory.
  • When Word launches, the .wll file is renamed to a .dll and dropped into the temp directory.
  • This decrypts a Symantec PE binary named IntelGraphicsController.exe or AcroRd32.exe.

This is part of the process for loading the Cotx Remote Access Trojan, and in some cases the same chain also loaded Poison Ivy malware.

More can be read here (LINK to article)

As you can see, this is not a straightforward click-and-phished scenario but a complex chain. The .wll in the Word Start-up directory is the persistence trick worth remembering: Word loads any add-in it finds there every time it starts, so the attacker gets re-executed without touching the usual Run keys or scheduled tasks.
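The lure in this chain hinges on the Equation Editor OLE object embedded in the RTF. As an added example (mine, not code from the original post or from the Proofpoint write-up it links to), the Python below pulls the objdata blobs out of an RTF, strips the whitespace and junk control words that RTF weaponisers scatter through the hex to hide it, and looks for three indicators of an Equation Editor object: the Equation.3 class name, the "Equation Native" stream name and the Equation Editor CLSID. The two lure files it checks are constructed inline and are not real samples; a real attacker's RTF may encode the object differently, so treat an empty result as "nothing obvious", not "safe".

```python
import re
from typing import List

# CLSID of the Equation Editor 3.0 OLE server (EQNEDT32.EXE), as registered in Windows.
EQUATION_CLSID = "0002CE02-0000-0000-C000-000000000046"


def clsid_bytes(clsid: str) -> bytes:
    """GUID on-disk layout: Data1..Data3 little-endian, Data4 as written."""
    d1, d2, d3, d4a, d4b = clsid.split("-")
    return (int(d1, 16).to_bytes(4, "little") + int(d2, 16).to_bytes(2, "little")
            + int(d3, 16).to_bytes(2, "little") + bytes.fromhex(d4a + d4b))


EQUATION_CLSID_BYTES = clsid_bytes(EQUATION_CLSID)


def group_body(text: str, start: int) -> str:
    """Text from `start` up to the '}' that closes the RTF group `start` sits in."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\":            # skip the character after a backslash (covers \{ and \})
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:
                return text[start:i]
            depth -= 1
        i += 1
    return text[start:]


def decode_objdata(body: str) -> bytes:
    """Strip control words and whitespace that obfuscators sprinkle into objdata, then hex-decode."""
    no_controls = re.sub(r"\\[A-Za-z]+-?\d* ?", "", body)
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", no_controls)
    return bytes.fromhex(hexdigits[: len(hexdigits) & ~1])


def triage_rtf(data: bytes) -> List[str]:
    """Return the Equation Editor indicators found in an RTF file; an empty list means none."""
    text = data.decode("latin-1")
    findings = []
    if re.search(r"\\objclass\s*Equation\.3", text, re.I):
        findings.append("objclass Equation.3 declared")
    for m in re.finditer(r"\\objdata\b", text):
        blob = decode_objdata(group_body(text, m.end()))
        if blob.startswith(b"\x01\x05\x00\x00\x02\x00\x00\x00"):   # OLE1 header: version 0x501, embedded
            findings.append("OLE1 embedded object")
        if (b"Equation.3" in blob or "Equation Native".encode("utf-16-le") in blob
                or EQUATION_CLSID_BYTES in blob):
            findings.append("Equation Editor object in objdata")
    return findings


def build_sample(obfuscated: bool) -> bytes:
    """Constructed lure for the demo, not a real sample: an RTF embedding a minimal OLE1 Equation.3 object."""
    native = b"\x00" * 16 + EQUATION_CLSID_BYTES + "Equation Native".encode("utf-16-le")
    ole1 = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"                  # OLEVersion, FormatID = embedded
            + len(b"Equation.3\x00").to_bytes(4, "little") + b"Equation.3\x00"
            + b"\x00" * 8                                                # empty TopicName and ItemName
            + len(native).to_bytes(4, "little") + native)
    hexdata = ole1.hex()
    if obfuscated:
        # no \objclass, and the hex is broken up with whitespace and a junk control word
        chunks = [hexdata[i:i + 7] for i in range(0, len(hexdata), 7)]
        hexdata = chunks[0] + "\\junk \n" + " ".join(chunks[1:])
        obj = "{\\object\\objemb{\\*\\objdata " + hexdata + "}}"
    else:
        obj = "{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata " + hexdata + "}}"
    return ("{\\rtf1\\ansi Training course agenda\\par " + obj + "}").encode("latin-1")


if __name__ == "__main__":
    print("plain lure:     ", triage_rtf(build_sample(False)))
    print("obfuscated lure:", triage_rtf(build_sample(True)))
    print("benign RTF:     ", triage_rtf(b"{\\rtf1\\ansi Hello\\par}"))
```

Point it at a real attachment with `triage_rtf(open(path, "rb").read())`. The objclass check is the cheapest signal but also the easiest for an attacker to drop, which is why the decoded objdata is searched as well.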

Takeaway:

The next time an email arrives, especially now, when we are receiving all sorts of junk mail trying to get us to the next conference, it may be worth looking closely before you open the attachment!


Lancaster University attack – Arrest made

Last week, Lancaster University publicly announced (LINK to Lancaster comment) that an attacker had stolen data from its systems. The data was student applicant data for 2019 and 2020 and included:

  • name
  • address
  • telephone number
  • email address

The student records system was also successfully breached including the student’s:

  • records, and
  • ID documents

The current theory is that University staff were phished by email and their stolen credentials were then used to access the systems.

If used maliciously, the data would be enough to commit identity theft and take over someone's life; from passports to bank accounts, all would be fairly easy to set up using this data. However, the attacker instead sent fraudulent invoices to some undergraduate applicants. I find that bizarre, as most students don't have any money, nor would they be expecting to pay invoices. Did the attacker think they had a staff database instead? Also, how did no one notice the traffic flowing out from that server?

Some good news does follow in this story: the National Crime Agency (LINK to Graham Cluley's blog) has arrested a 25-year-old man from Bradford.

Takeaway:

Again, another "don't click the links" type of news article; phishing works, for sure. However, there is a clear impact here, and a warning that crime doesn't pay. Well done to the NCA on the arrest.


Bluekeep Vulnerability

The IT news has been full of Bluekeep articles for a few weeks now (LINK to CISA).

Essentially, BlueKeep (CVE-2019-0708) is a vulnerability in Remote Desktop Services (RDP) on older Windows versions: Windows 7, Server 2008 R2 and earlier. It allows an unauthenticated attacker to run their own code on the target machine with full system privileges, with no user interaction at all. BlueKeep has been made more newsworthy because it is reported as being "wormable": malware that exploits it could propagate from one vulnerable system to the next without anyone clicking anything. Microsoft very quickly created a patch, even for out-of-support versions such as Windows XP and Server 2003. Note: have you patched yet?
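Because BlueKeep is reachable before any authentication happens, the second question after "have you patched?" is "is RDP exposed before authentication?". Network Level Authentication (NLA) is the partial mitigation Microsoft's advisory recommends alongside the patch: with NLA enforced, an attacker needs valid credentials before the vulnerable code path can be reached. As an added example (mine, not code from the original post, from Microsoft or from Immunity), the Python below performs the opening X.224 / RDP negotiation handshake as a client that offers plain RDP security only, then reads whether the server accepts that or refuses with HYBRID_REQUIRED_BY_SERVER. The server replies are constructed inline so the parsing can be exercised offline; `probe()` runs the same exchange against a live host. It tells you nothing about whether the patch is installed; it only reports whether the pre-authentication surface is exposed.

```python
import socket
import struct

# Constants from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    0x1: "SSL_REQUIRED_BY_SERVER", 0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER", 0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER", 0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def rdp_neg(ntype: int, value: int) -> bytes:
    """Encode an 8-byte RDP_NEG_* structure: type, flags, length, then the protocol or failure code."""
    return struct.pack("<BBHI", ntype, 0, 8, value)


def tpkt_x224(code: int, payload: bytes) -> bytes:
    """Wrap an X.224 TPDU (CR or CC) in a TPKT header; the LI byte counts everything after itself."""
    body = bytes([code]) + b"\x00\x00\x00\x00\x00" + payload     # code, DST-REF, SRC-REF, class 0
    return struct.pack(">BBH", 3, 0, 5 + len(body)) + bytes([len(body)]) + body


def connection_request(requested: int) -> bytes:
    """Client hello: a routing cookie plus an RDP_NEG_REQ asking for `requested` security protocols."""
    cookie = b"Cookie: mstshash=probe\r\n"           # the username in the cookie is arbitrary
    return tpkt_x224(0xE0, cookie + rdp_neg(NEG_REQ, requested))


def parse_connection_confirm(pkt: bytes) -> dict:
    """Classify the server's X.224 Connection Confirm: is RDP reachable before authentication?"""
    if len(pkt) < 11 or pkt[0] != 3 or (pkt[5] & 0xF0) != 0xD0:
        raise ValueError("not a TPKT-wrapped X.224 Connection Confirm")
    if pkt[4] <= 6:                                   # no negotiation structure at all
        return {"nla": False, "pre_auth_exposed": True,
                "detail": "legacy server, standard RDP security only"}
    if len(pkt) < 19:
        raise ValueError("truncated negotiation response")
    ntype, _flags, _length, value = struct.unpack("<BBHI", pkt[11:19])
    if ntype == NEG_RSP:                              # server accepted one of the offered protocols
        nla = value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX)
        return {"nla": nla, "pre_auth_exposed": not nla, "detail": f"selectedProtocol=0x{value:x}"}
    if ntype == NEG_FAILURE:                          # server refused; 0x5 means it insists on NLA
        nla = value == 0x5
        return {"nla": nla, "pre_auth_exposed": not nla,
                "detail": FAILURE_CODES.get(value, f"failureCode=0x{value:x}")}
    raise ValueError(f"unexpected negotiation type 0x{ntype:x}")


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Live check: offer plain RDP security only and see whether the server lets us proceed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(s.recv(1024))


def fake_connection_confirm(neg: bytes = b"") -> bytes:
    """Constructed server reply for offline use; a real server fills in SRC-REF and may set flags."""
    return tpkt_x224(0xD0, neg)


if __name__ == "__main__":
    for label, reply in [
        ("NLA enforced", fake_connection_confirm(rdp_neg(NEG_FAILURE, 0x5))),
        ("plain RDP accepted", fake_connection_confirm(rdp_neg(NEG_RSP, PROTOCOL_RDP))),
        ("TLS only, no NLA", fake_connection_confirm(rdp_neg(NEG_RSP, PROTOCOL_SSL))),
        ("legacy, no negotiation", fake_connection_confirm()),
    ]:
        print(f"{label:24} -> {parse_connection_confirm(reply)}")
```

A server that answers the plain-RDP offer with a NEG_RSP selecting PROTOCOL_RDP or PROTOCOL_SSL, or that sends no negotiation structure at all, is accepting connections before any credentials are checked; if it is also unpatched, that is the exposure BlueKeep needs. Only the HYBRID_REQUIRED_BY_SERVER refusal shows NLA standing in the way, and even then the patch is still required, because an attacker with valid credentials gets past NLA.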

At this point, you would expect this to be the end of the story? Well, this is cyber, so there is always more! It now appears that a security company has added the exploit to its tooling: Immunity, in the US (LINK to article), has added it to its red-team tool called Canvas.

It really makes you think about the ethics of this situation, as it means the exploit could end up being used by criminals. Also, what was the motivation; was it to increase sales, perhaps?

Immunity believes that not releasing the exploit would undervalue the security testing industry. Either way, that makes the Microsoft patch more important than ever to get installed.

Takeaway:

Patch Patch Patch.

Have you patched your Windows devices? What do you think about the exploit release? Should Immunity have published the exploit?
