Blog
2 NOV, 2021

The Cybersecurity Express – Issue #3

Cybourn Media Hub

You just got your ticket, and you look at your watch: Ugh, you’re late. Your fist tightens the grip on your briefcase as you start running towards the platform. A powerful whistle can be heard as the engine cranks the wheels in motion. You make a dash, grab hold of the rail, and hoist yourself up the wagon door. You made it on board the Cybersecurity Express! In front of you, the schedule reads: ‘Trojan source’ can this be your new nightmare? SQUIRRELWAFFLE, phishing is back, and it’s used to gain access to enterprise networks. Followed by a flaw in macOS found by Microsoft and a new windows LPE zero-day vulnerability found, among others.

‘Trojan Source’ The Stuff of Nightmares

Cambridge University researchers Nicholas Boucher and Ross Anderson published a paper stating that all compilers are subjectable to malicious code injection by threat actors, that goes on without detection. Researchers said that “the attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers”. Spotlighted as CVE-2021-42574 and CVE-2021-42694 they affect compilers of all popular programming languages such as C, C++, C#, JavaScript, Java, Rust, Go, and Python.

This issue takes advantage of Unicode’s bidirectional algorithm which enables support for both left-to-right (English) and right-to-left (Arabic) languages. These, however, can be used interchangeably within the same code and can allow writing left-to-right words inside a right-to-left sentence, or vice versa, thus allowing for software vulnerabilities to be injected in a practically invisible manner, further trickling down the supply chain.

Unfortunately, this is not something that one entity can fix, and will have to be eradicated with an industry joint effort.

Squirrelwaffle, from Spam Campaign to Infection

Researchers uncovered a malspam campaign used to deliver malicious Microsoft Office documents that set the stage for later infection and are “used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations around the world

Mid-September 2021 Talos engineers observed campaigns that tricked users into opening malicious payload by leveraging stolen email threads, making them appear to be replies to existing emails, typically contain hyperlinks to malicious ZIP archives. Interestingly, some sort of dynamic localization is used as the malicious emails are in the same language as detected in the thread to which they respond, making them more authentically convincing.

As it is with human engineering, there is no better protection than a well-informed employee, so make sure you and your colleagues attend those cybersecurity briefings.

MacOS Vulnerability Found by … Microsoft?!

In stranger news, it seems it’s more lucrative to find vulnerabilities in someone else’s back yard, rather than in your own. The so dubbed ‘Shotless’ flaw is already accounted for as CVE-2021-30892 and fixed with macOS Monterey Patch 12.0.1. This vulnerability allows attackers to bypass System Integrity Protection (SIP) and perform malicious activities, like gaining root privileges and installing rootkits on the device.

System Integrity Protection, also referred to as rootless, is a macOS security feature introduced in OS X El Capitan, in 2015, that restricts a root user from performing operations that may compromise system integrity. Only processes signed by Apple are allowed to modify those protected parts of the OS.

“While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.”, saidMicrosoft.

Microsoft even made a proof-of-concept (POC) exploit to override the kernel extension exclusion list:

  1. Download an Apple-signed package (using wget) that is known to have a post-install script
  2. Plant a malicious /etc/zshenv that would check for its parent process; if it’s system_installd, then it would write to restricted locations
  3. Invoke the installer utility to install the package
Microsoft PoC execution. Copyright Microsoft

LPE Zero-day Vulnerability in Windows

While Microsoft is busy finding vulnerabilities in other vendor software, researchers are finding vulnerabilities in Windows, it’s only fair. Back in August, Microsoft patched “Windows User Profile Service Elevation of Privilege Vulnerability” – CVE-2021-34484. After examining the fix, researchers were able to bypass it with a new exploit that was published on GitHub, claiming that Microsoft only fixed what was the result of the PoC, but didn’t handle the underlying issue. This exploit will cause an elevated command prompt with SYSTEM privileges to be launched while the User Account Control (UAC) prompt is displayed. The severity of this bug is downplayed by the fact that the attacker must already have two user credentials to be able to pull this off.  

We have arrived back at the station and in conclusion…

What exciting stops we have had today, but everything must draw to an end, the train must head back to fuel for new and exciting destinations, but not before visiting a few noteworthy events in the world of cybersecurity:

  • ‘Pink’ botnet malware found to have infected over 1.6 million devices, mostly from China, is one of the largest botnets ever to be observed.
  • Microsoft manages to break network printing again with KB5006674 and KB5006670 updates. Until patched, they are advising that network security and VPN solutions allow print clients to establish RPC over TCP connections to print server over the following port range:
    • Default start port: 49152
    • Default end port: 65535
    • Port Range: 16384 ports
  • Make sure to install the latest Chrome patches as they address two actively exploited 0-day bugs.

We hope you enjoyed traveling onboard the Cybersecurity Express and we await your return.

Until next time, stay safe!

Share

We Also Recommend to See:

EtherLast™
The versatile platform that allows you to promptly detect complex threats, analyse and respond to them from a single pane of glass.
Dreamlab
CyBourn's DreamLab pushes the boundaries of innovation in the cyberspace.

Tell us about your Cybersecurity needs

We are strategists, engineers, analysts, and governance experts embedded in the world’s biggest cyber missions and trusted to advance them. Let us help you today.