AWS Passkey Support

Summary: AWS has added FIDO2 passkey support for multifactor authentication. FIDO2 passkeys are hardware-based (security key) or software-based credentials that use public key cryptography to sign a challenge sent by the server. AWS supports passkeys that work with existing passwordless authenticators such as Apple Touch ID on an iPhone or Windows Hello on a laptop, and that can sync across a user’s devices.

Passkey support follows AWS’s mandatory MFA rollout, which begins with root users and then expands to other users. The MFA requirement starts in July 2024, and further features are expected by the end of the year.

Why it matters: Passwords are currently the most common form of authentication, but they are often weak and vulnerable to attacks. The FIDO2 standard aims to replace these weak passwords with strong, hardware-based authentication. FIDO2 passwordless authentication primarily uses passkeys for account verification. When a user registers with a FIDO2-supported service, their client device generates a unique key pair. The public key is shared with the service, while the private key remains secure on the user’s device. Each time the user signs in, the service sends a unique challenge, which the client device signs with the private key, ensuring a secure, phishing-resistant authentication process.
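As an added illustration of the registration and challenge/response flow just described (example code written for this digest, not AWS’s or the FIDO Alliance’s), the Go program below models a passkey with ECDSA P-256, the ES256 algorithm WebAuthn uses by default. It goes one step beyond the paragraph by making the origin binding explicit: the device signs the challenge together with the origin the browser observed, so an assertion collected on a look-alike site fails verification at the genuine service. The type and function names (Authenticator, RelyingParty, Register, Sign, Verify) and both origins are assumptions, and the signed message is simplified to the SHA-256 of the client data alone, whereas real WebAuthn also covers the authenticator data.

```go
package main

// Added example, not AWS's code: a minimal WebAuthn-style passkey flow with
// ECDSA P-256 (ES256, the algorithm WebAuthn uses by default). The type and
// function names below are assumptions for this illustration.

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty models the service; it stores only the public key and knows
// its own origin.
type RelyingParty struct {
	Origin string
	pub    *ecdsa.PublicKey
}

// clientData is what gets signed: the challenge bound to the origin the
// browser actually talked to. That binding is the phishing resistance.
type clientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the signed response the device returns to the service.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// Register generates the key pair on the device and hands the service the
// public half only.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// NewChallenge issues fresh random bytes for every sign-in attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign produces an assertion over the challenge and the origin the browser
// observed. On a look-alike site that origin is the attacker's, not rp.Origin.
func (a *Authenticator) Sign(challenge []byte, observedOrigin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: observedOrigin})
	if err != nil {
		return Assertion{}, err
	}
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// Verify accepts the assertion only if the signature is valid under the
// registered public key, the challenge is the one just issued (no replay),
// and the signed origin is the service's own (no phishing relay).
func (rp *RelyingParty) Verify(issued []byte, as Assertion) bool {
	if rp.pub == nil {
		return false // nothing registered yet
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Origin != rp.Origin || !bytes.Equal(cd.Challenge, issued) {
		return false
	}
	h := sha256.Sum256(as.ClientDataJSON)
	return ecdsa.VerifyASN1(rp.pub, h[:], as.Signature)
}

func main() {
	rp := &RelyingParty{Origin: "https://signin.example.com"} // constructed origin
	dev, err := Register(rp)
	if err != nil {
		panic(err)
	}
	ch, _ := rp.NewChallenge()
	genuine, _ := dev.Sign(ch, rp.Origin)
	relayed, _ := dev.Sign(ch, "https://signin.example-login.com") // constructed look-alike origin
	fmt.Println("genuine origin accepted:", rp.Verify(ch, genuine))
	fmt.Println("look-alike origin accepted:", rp.Verify(ch, relayed))
}
```

Run with `go run`: the first line prints true and the second false. Verify also rejects an assertion presented against any challenge other than the one it was signed for, which is the replay check a relying party has to make in addition to the origin check.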

Fake Software Errors

Summary: In mid-April 2024, Proofpoint researchers observed multiple threat actors using a new attack cluster, tracked as ClickFix, in a malware distribution campaign. The campaign uses fake Google Chrome, Word, and OneDrive error messages to deceive users into running malicious PowerShell scripts that install malware. Threat actors observed using this technique include TA571, which previously employed similar tactics with ClearFake. Like ClickFix, ClearFake relied on fake browser updates to facilitate malware installation.

The logic of ClickFix is similar to the ClearFake attack, where compromised websites use fake updates to trick users into downloading malware. The difference in this attack is that the deliveries require significant user interaction. When accessing a compromised website or downloading a malicious file via email, users receive instructions to download and run the malicious scripts via PowerShell.

Why it matters: Most of these attacks rely on the victim’s lack of security knowledge. A fake error shifts the victim’s attention from the malicious file to the software that supposedly failed, which disarms suspicion. Notably, the alert sometimes offers an “Auto-fix” button that in turn downloads a malicious file. Users should be trained to verify with their internal IT support team whenever software reports a problem, to follow that team’s guidance, and to use the software vendor’s official website as a resource. More importantly, users should know that official fixes generally do not require them to open PowerShell and create a script.

Hackers target new MOVEit Transfer Critical Auth Bypass

Summary: The new security issue, tracked as CVE-2024-5806, allows attackers to bypass authentication in the SFTP module, which handles file transfer operations over SSH. MOVEit Transfer is a managed file transfer (MFT) solution used in enterprise environments to securely transfer files between business partners and customers over the SFTP, SCP, and HTTP protocols. An attacker leveraging this flaw could access sensitive data stored on the MOVEit Transfer server; upload, download, delete, or modify files; and intercept or tamper with file transfers.

Network scans by Censys indicate that there are currently around 2,700 internet-exposed MOVEit Transfer instances, most located in the US, UK, Germany, Canada, and the Netherlands. ShadowServer’s report of exploitation attempts comes after offensive security company watchTowr published technical details about the vulnerability, how it can be exploited, and what defenders should look for in the logs to check for signs of exploitation. watchTowr also provides a technical analysis of how attackers can manipulate SSH public key paths to force the server to authenticate using attacker-controlled paths, potentially exposing Net-NTLMv2 hashes. Additionally, proof-of-concept exploit code for CVE-2024-5806 is already publicly available from watchTowr and vulnerability researchers Sina Kheirkhah and Aliz Hammond.

Why it matters: Threat actors began trying to exploit this critical authentication bypass flaw in Progress MOVEit Transfer less than a day after the vendor disclosed it. Fixes are available in MOVEit Transfer 2023.0.11, 2023.1.6, and 2024.0.2 on the Progress Community portal. Until a fix from the third-party vendor is made available, system administrators are advised to block Remote Desktop Protocol (RDP) access to MOVEit Transfer servers and to restrict outbound connections to known, trusted endpoints. Customers without a current maintenance agreement should contact the Renewals team or their Progress partner representative immediately. MOVEit Cloud customers do not need to take any action, as patches have already been deployed automatically.

Exploit for Fortra FileCatalyst Workflow SQLi Flaw Released

Summary: A critical SQL Injection vulnerability (CVE-2024-5276) has been discovered in Fortra FileCatalyst Workflow, a popular enterprise file transfer solution. This vulnerability could allow attackers to tamper with application data, potentially creating administrative users, deleting data, or modifying sensitive information within the application database. The vulnerability exposes sensitive data, such as private keys for certificates, within the keystore. If exploited, attackers could intercept and manipulate data during transfer, posing a significant threat to data integrity and confidentiality. This could have devastating consequences for organizations that rely on FileCatalyst for secure file transfers.

All versions of FileCatalyst Direct up to 3.8.10 Build 138 and FileCatalyst Workflow up to 5.1.6 Build 130 are susceptible to the CVE-2024-5275 vulnerability. Organizations using these products must act immediately to mitigate the risk. Fortra has released patches to address the vulnerability. FileCatalyst Direct users should upgrade to version 3.8.10 Build 144 or higher, while FileCatalyst Workflow users should upgrade to version 5.1.6 Build 133 or later. In addition, users who employ the FileCatalyst TransferAgent remotely must switch REST calls to “http” or, if “https” is necessary, generate a new SSL key and add it to the agent keystore. A detailed knowledge article, “Action Required by June 18th 2024: FileCatalyst TransferAgent SSL and localhost changes,” is available to guide users through the remediation process.

Why it matters: Tenable discovered CVE-2024-5276 on May 15, 2024, and disclosed it to Fortra on May 22 along with a proof-of-concept (PoC) exploit demonstrating the vulnerability. At the same time as Fortra published its security bulletin, Tenable published its exploit, showing how an anonymous remote attacker can perform SQL injection via the ‘jobID’ parameter in various URL endpoints of the Workflow web application. The root cause is that the ‘findJob’ method uses the user-supplied ‘jobID’ to build the ‘WHERE’ clause of an SQL query without sanitizing the input, allowing an attacker to inject SQL. The PoC then retrieves the logon token and uses the newly created admin credentials to log in to the vulnerable endpoint. There have been no reports of active exploitation so far, but the release of a working exploit could change that very soon.

GrimResource MSC Attack Uses 5-year-old Vulnerability

Summary: In July 2022, Microsoft disabled macros by default in Office, causing threat actors to experiment with new file types in phishing attacks. The attackers first switched to ISO images and password-protected ZIP files, as the file types did not properly propagate Mark of the Web (MoTW) flags to extracted files. After Microsoft fixed this issue in ISO files and 7-Zip by adding the option to propagate MoTW flags, attackers were forced to switch to new attachments, such as Windows Shortcuts and OneNote files. Attackers have now switched to a new file type, Windows MSC (.msc) files, which are used in the Microsoft Management Console (MMC) to manage various aspects of the operating system or create custom views of commonly accessed tools. The abuse of MSC files to deploy malware was previously reported by South Korean cybersecurity firm Genian. Motivated by this research, the Elastic team discovered a new technique of distributing MSC files and abusing an old but unpatched Windows XSS flaw in apds.dll to deploy Cobalt Strike.

Elastic found a sample (‘sccm-updater.msc’) uploaded to VirusTotal on June 6, 2024, that uses GrimResource, indicating the technique is already in use in the wild. To make matters worse, no antivirus engine on VirusTotal flagged it as malicious. The researchers confirmed to BleepingComputer that the XSS flaw remains unpatched in the latest version of Windows 11 (as of June 24, 2024). The GrimResource attack begins with a malicious MSC file that exploits an old DOM-based cross-site scripting (XSS) flaw in the ‘apds.dll’ library, which allows the execution of arbitrary JavaScript through a crafted URL.

The vulnerability was reported to Adobe and Microsoft in October 2018, and while both investigated, Microsoft determined that the case did not meet the criteria for immediate fixing. As of March 2019, the XSS flaw remained unpatched, and it is unclear if it was ever addressed.

To detect a potential GrimResource attack, researchers recommend that system administrators check for:

  • File operations that involve apds.dll invoked by mmc.exe.
  • Suspicious executions via MMC, such as processes spawned by mmc.exe with .msc file arguments.
  • RWX memory allocations by mmc.exe that originate from script engines or .NET components.
  • Unusual .NET COM object creation within non-standard script interpreters like JScript or VBScript.
  • Temporary HTML files created in the INetCache folder as a result of APDS XSS redirection.
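The five indicators above expressed as detection rules, as an added example for this digest (not Elastic’s or Genian’s detection content): the Go program parses constructed JSON-lines endpoint telemetry and reports which indicator each line matches. The field names (event, process, parent, parent_cmdline, module, caller, com_server, protection, file), the user name and the cache path are assumptions; the sample file name sccm-updater.msc is the one reported above, and mscoree.dll and clr.dll stand in for the .NET runtime components.

```go
package main

// Added example, not Elastic's or Genian's detection content: the five
// GrimResource indicators as rules over constructed JSON-lines telemetry.
// Field names are assumptions for this example, not a vendor schema.

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is one decoded telemetry line; every field is a string here.
type Event map[string]string

// Finding records which rule fired on which input line (1-based).
type Finding struct {
	Line int
	Rule string
}

// Rule pairs a description with a predicate over one event.
type Rule struct {
	Name  string
	Match func(ev Event) bool
}

func lower(s string) string { return strings.ToLower(s) }

func fromMMC(ev Event) bool { return lower(ev["process"]) == "mmc.exe" }

// scriptEngine: the script interpreters the GrimResource chain runs inside.
func scriptEngine(module string) bool {
	m := lower(module)
	return strings.HasSuffix(m, "jscript.dll") || strings.HasSuffix(m, "vbscript.dll")
}

// dotNet: modules belonging to the .NET runtime (assumed list).
func dotNet(module string) bool {
	m := lower(module)
	return strings.HasSuffix(m, "mscoree.dll") || strings.HasSuffix(m, "clr.dll")
}

// GrimResourceRules encodes the five indicators from the write-up above.
var GrimResourceRules = []Rule{
	{"apds.dll loaded by mmc.exe", func(ev Event) bool {
		return ev["event"] == "image_load" && fromMMC(ev) && strings.HasSuffix(lower(ev["module"]), "apds.dll")
	}},
	{"process spawned by mmc.exe running a .msc file", func(ev Event) bool {
		return ev["event"] == "process_create" && lower(ev["parent"]) == "mmc.exe" &&
			strings.Contains(lower(ev["parent_cmdline"]), ".msc")
	}},
	{"RWX allocation in mmc.exe from script engine or .NET", func(ev Event) bool {
		return ev["event"] == "mem_alloc" && fromMMC(ev) && ev["protection"] == "RWX" &&
			(scriptEngine(ev["caller"]) || dotNet(ev["caller"]))
	}},
	{".NET COM object created from JScript/VBScript in mmc.exe", func(ev Event) bool {
		return ev["event"] == "com_create" && fromMMC(ev) && dotNet(ev["com_server"]) && scriptEngine(ev["caller"])
	}},
	{"HTML file written to INetCache by mmc.exe", func(ev Event) bool {
		f := lower(ev["file"])
		return ev["event"] == "file_create" && fromMMC(ev) && strings.Contains(f, `\inetcache\`) &&
			(strings.HasSuffix(f, ".htm") || strings.HasSuffix(f, ".html"))
	}},
}

// Detect parses JSON-lines telemetry and returns every rule hit in input order.
func Detect(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // malformed line: skip it rather than abort the batch
		}
		for _, r := range GrimResourceRules {
			if r.Match(ev) {
				out = append(out, Finding{Line: i + 1, Rule: r.Name})
			}
		}
	}
	return out
}

// SampleTelemetry is constructed: lines 1 and 7 are benign MMC activity,
// lines 2 to 6 each show one indicator. The user and cache path are invented.
var SampleTelemetry = []string{
	`{"event":"process_create","process":"mmc.exe","parent":"explorer.exe","cmdline":"mmc.exe C:\\Windows\\System32\\services.msc"}`,
	`{"event":"image_load","process":"mmc.exe","module":"C:\\Windows\\System32\\apds.dll"}`,
	`{"event":"process_create","process":"powershell.exe","parent":"mmc.exe","parent_cmdline":"mmc.exe C:\\Users\\alice\\Downloads\\sccm-updater.msc"}`,
	`{"event":"mem_alloc","process":"mmc.exe","protection":"RWX","caller":"C:\\Windows\\System32\\jscript.dll"}`,
	`{"event":"com_create","process":"mmc.exe","caller":"C:\\Windows\\System32\\jscript.dll","com_server":"C:\\Windows\\System32\\mscoree.dll"}`,
	`{"event":"file_create","process":"mmc.exe","file":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\ABCD1234\\redirect[1].htm"}`,
	`{"event":"image_load","process":"mmc.exe","module":"C:\\Windows\\System32\\mmcndmgr.dll"}`,
}

func main() {
	for _, f := range Detect(SampleTelemetry) {
		fmt.Printf("line %d: %s\n", f.Line, f.Rule)
	}
}
```

The first and last sample lines (an operator opening services.msc, and MMC loading one of its own DLLs) produce no finding, which is the point: any one of these events can be benign on its own, so in practice the rules are correlated by process and time window rather than alerted on individually.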

Why it matters: The first step in this chain is tricking the target into opening a forged MSC file. Reportedly, researchers observed attackers contact their victim on Facebook and have them download a document. The document is an MSC file disguised as a Word document: the attackers forged the file’s icon so that it looks like Word rather than an MSC file, and changed the “Run” button to “Open” to avoid raising suspicion. When the victim clicks “Open”, the GrimResource technique exploits a cross-site scripting (XSS) vulnerability in the apds.dll library. Combined with a crafted MSC file, this lets the attackers execute arbitrary JavaScript in the context of mmc.exe. Users should open only files they expect, and only from trusted sources.

TeamViewer Breach

Summary: On Thursday, June 27, 2024, TeamViewer announced that it had detected an irregularity in its internal system environment. It has since launched an investigation with cybersecurity experts and government authorities. TeamViewer states that the breach was confined to the internal network and did not affect any TeamViewer products. No customer information was accessed; only employee data, such as encrypted passwords, was exposed. TeamViewer has mitigated the issue in collaboration with Microsoft.

TeamViewer stated that they believe the attack started on Wednesday, June 26, 2024. “Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard.” The threat actor has previously been known to target government entities as well as being tied to SolarWinds and Microsoft breaches.

Why it matters: TeamViewer makes one of the most widely used remote support products. Although the breach affected neither that product nor customer information directly, the attackers did access encrypted employee passwords. That makes the company a likely target for follow-on attacks by the same threat actor, which could eventually reach its remote support product. In addition, the investigation is ongoing, and the true scope of the attack and its remediation are not yet known.

Security Tip of the Month – Identity and Access Management (IAM)

Summary: Summer is a time of travel for many people. While people take their vacation time, scammers seize the opportunity to target these vacationers. Although scams are a year-round phenomenon, they take on different forms during summertime. Certain scams become more prominent during the travel season, such as Airbnb scams, frequent flyer scams, and travel giveaways. All of these scams aim to steal money, information, and the frequent flyer miles people would normally use to book their vacations.

The Better Business Bureau listed tips on how to travel safely:

  • Look for reviews and ask for references. While vetting hotels, travel companies, vacation rentals and more, check BBB.org for reviews and complaints. Look for photos and a variety of reviews. If the property or company doesn’t have any online reviews, ask for references and call them.
  • Avoid wiring money or using a prepaid debit card. These payments are the same as sending cash: once the money is sent, there is no way to get it back. Paying with a credit card lets you dispute the charges and dramatically limits your liability for a fraudulent purchase.
  • A great deal probably isn’t genuine. Scammers lure in targets by guaranteeing an amazing trip at a very low price. Research it first: if the hotel, travel package, or tour is much cheaper than similar options, be suspicious.
  • Do some snooping. Check the website for links to the company’s Twitter, Facebook, or Instagram accounts. Often, scam artists will link to Facebook.com instead of Facebook.com/THEIRCOMPANYNAME. If they do have social media accounts, check their activity and see if any other users have left reviews or voiced complaints. Also, look for typos and pixelated images. These mistakes are signs of a scammer, not a company that cares about their online presence.

Why it matters: Travel scams take advantage of people’s interests and the time-sensitive nature of bookings. During the summer, prices for flights and accommodations rise with the volume of travel and the scarcity of ideal locations and seats. This combination creates ideal conditions for scammers to pressure and trick people into spending money on non-existent or illegitimate travel packages. Although there are many vacation scams out there, doing due diligence of the kind the Better Business Bureau lists above can help lower the chances of becoming a victim.