InfoSec Weekly

Jan 02, 2023

Table Of Contents

GuLoader Malware utilizing new techniques to evade security software

Description

GuLoader is a type of malware that has been designed to evade detection by security software. It uses a Visual Basic Script (VBS) to distribute remote access trojans such as Remcos on infected machines. Recently discovered samples of GuLoader were found to use a three-stage process involving the delivery of shellcode, which incorporates anti-analysis methods, downloads a final payload from a remote server, and executes it on the compromised host. The shellcode also includes checks for remote debuggers and breakpoints, as well as scans for virtualization software. In addition, it has a “redundant code injection mechanism” to avoid detection by endpoint detection and response solutions. The researchers noted that GuLoader “remains a dangerous threat that’s been constantly evolving with new methods to evade detection.”

Infected Technology

EDR and other security software.

Source

https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html

Recommendation

Keep all software and devices up to date with the latest patches and updates. Download software and applications from legitmate source only.


CISA Warns of Active exploitation of JasperReports Vulnerabilities

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified two vulnerabilities in TIBCO Software’s JasperReports product that are being actively exploited. These vulnerabilities, known as CVE-2018-5430 and CVE-2018-18809, were fixed by TIBCO in April 2018 and March 2019 respectively, but CISA has now added them to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. TIBCO JasperReports is a Java-based reporting and data analytics platform that is used for creating, distributing, and managing reports and dashboards. The first vulnerability is an information disclosure bug that allows authenticated users to gain read-only access to web application configuration files containing server credentials. The second vulnerability, CVE-2018-18809, is a directory traversal vulnerability in the JasperReports Library that allows web server users to access sensitive files on the host, potentially allowing an attacker to steal credentials and access other systems. Federal agencies in the U.S. are required to patch their systems by January 19, 2023.

Infected Technology

JasperReports

Source

https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html

Recommendation

Monitor systems and applications for unusual or suspicious activity. Patch the system as soon as the vendor releases

CVE ID

CVE-2018-18809 CVE-2018-5430


APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector

Description

In recent months, numerous threat actors have improved their attack chains as a result of Microsoft’s decision to restrict Visual Basic for Applications (VBA) macros by default for Office files obtained from the internet. According to Cisco Talos, both APT actors and commodity malware families are increasingly employing Excel add-in (.XLL) files as an initial infiltration vector. While this restriction only applies to new versions of Access, Excel, PowerPoint, Visio, and Word, malicious actors have been experimenting with different attack pathways in order to spread malware.XLL files, which Microsoft describes as a “kind of dynamic link library (DLL) file that can only be accessed by Excel,” are one such way. According to the cybersecurity firm, threat actors are deploying a combination of native C++ add-ins and those created with a free program called Excel-DNA, a trend that began in mid-2021 and has continued this year. “As even more people adopt new versions of Microsoft Office, it is probable that threat actors will shift away from VBA-based harmful documents and instead focus on exploiting newly revealed vulnerabilities to run malicious code in the process space of Office programs,” Svajcer said.

Infected Technology

Microsoft Excel

Source

https://thehackernews.com/2022/12/apt-hackers-turn-to-malicious-excel-add.html

Recommendation

Do not execute files downloaded from random sites. Make sure to diable macros by default and enable on case to case basis and keep Anti Virus On in the device.


Critical Linux Kernel Flaw affects SMB servers with ksmbd enabled

Description

A critical Linux kernel vulnerability (CVSS score of 10) exposes SMB servers with ksmbd enabled to hack. KSMBD is a Linux kernel server that implements SMB3 protocol in kernel space for sharing files over the network. An unauthenticated, remote attacker can execute arbitrary code on vulnerable installations of the Linux Kernel. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

Infected Technology

Linux Kernel / SMB Server with KSMBD

Source

https://securityaffairs.co/140013/hacking/critical-linux-kernel-vulnerability.html

Recommendation

Update to the latest version of the system. Monitor actively exploited vulnerabilities in continious manner.


BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

Description

One of the sub-clusters of the notorious Lazarus Group, BlueNoroff, has been observed by the researchers at Kaspersky to be turning to new techniques to bypass the protections that are put in place by the Windows MOTW in order to accomplish its goals. To impersonate venture capital companies and banks, BlueNoroff created several fake domains. There were fake domains found that were imitating companies and banks such as ABF Capital, Angel Bridge, Bank of America, and ANOBAKA. Once the malicious document has been launched, it will connect to the remote server, download the payload, and launch the malicious program. Specifically, ieinstal.exe was used to bypass the User Account Control (UAC) in this case. Alternatively, it is possible to launch a batch file that contains malware embedded within it to infect Windows. The payload is fetched and executed remotely using a second-stage downloader obtained using LOLBin. Several countries and the UN have imposed economic sanctions on North Korea because of concerns over its nuclear program, leading them to use cyberwarfare as a major response. Furthermore, it has become one of the most profitable sources of income for a country that suffers from a chronic cash crisis with the help of their cyberattack capabilities, the BlueNoroff group was able to steal cryptocurrency worth millions of dollars. This evidence indicates that this group is motivated by a strong financial interest and is ultimately successful in making profits from the cyberattacks it perpetrates.

Infected Technology

Windows

Source

https://cybersecuritynews.com/bluenoroff-apt-hackers/

Recommendation

Be cautious when downloading and installing software


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us