Summary: The new security issue received the identifier CVE-2024-5806 and allows attackers to bypass the authentication process in the Secure File Transfer Protocol (SFTP) module, which is responsible for file transfer operations over SSH. MoveIT Transfer is a managed file transfer (MFT) solution used in enterprise environments to securely transfer files between business partners and customers using the SFTP, SCP, and HTTP protocols. An attacker leveraging this flaw could access sensitive data stored on the MoveIT Transfer server, upload, download, delete, or modify files, and intercept or tamper with file transfers.

Network scans by Censys indicate that there are currently around 2,700 internet-exposed MoveIT Transfer instances, most located in the US, UK, Germany, Canada, and the Netherlands. ShadowServer’s report of exploitation attempts comes after offensive security company watchTowr published technical details about the vulnerability, how it can be exploited, and what defenders should look for in the logs to check for signs of exploitation. watchTowr also provides a technical analysis of how attackers can manipulate SSH public key paths to force the server to authenticate using attacker-controlled paths, potentially exposing Net-NTLMv2 hashes. Additionally, proof-of-concept exploit code for CVE-2024-5806 is already publicly available from watchTowr and vulnerability researchers Sina Kheirkhah and Aliz Hammond.

Why it matters: Threat actors are already trying to exploit a critical authentication bypass flaw in Progress MoveIT Transfer, less than a day after the vendor disclosed it. Fixes were made available in MOVEit Transfer 2023.0.11, 2023.1.6, and 2024.0.2, available on the Progress Community portal. To mitigate this flaw until a fix from the third-party vendor is made available, system administrators are advised to block Remote Desktop Protocol (RDP) access to the MOVEit Transfer servers and restrict outbound connections to known/trusted endpoints. Customers without a current maintenance agreement should immediately contact the Renewals team or Progress partner representative to resolve the issue. MoveIT Cloud customers do not need to take any action to mitigate the critical flaw, as patches have already been automatically deployed.

Summary: In July 2022, Microsoft disabled macros by default in Office, causing threat actors to experiment with new file types in phishing attacks. The attackers first switched to ISO images and password-protected ZIP files, as the file types did not properly propagate Mark of the Web (MoTW) flags to extracted files. After Microsoft fixed this issue in ISO files and 7-Zip by adding the option to propagate MoTW flags, attackers were forced to switch to new attachments, such as Windows Shortcuts and OneNote files. Attackers have now switched to a new file type, Windows MSC (.msc) files, which are used in the Microsoft Management Console (MMC) to manage various aspects of the operating system or create custom views of commonly accessed tools. The abuse of MSC files to deploy malware was previously reported by South Korean cybersecurity firm Genian. Motivated by this research, the Elastic team discovered a new technique of distributing MSC files and abusing an old but unpatched Windows XSS flaw in apds.dll to deploy Cobalt Strike.

Elastic found a sample (‘sccm-updater.msc’) recently uploaded onto VirusTotal on June 6, 2024, which leverages GrimResource, so the technique is actively exploited in the wild. To make matters worse, no antivirus engines on VirusTotal flagged it as malicious. The researchers confirmed to Bleepingcomputer that the XSS flaw is still unpatched in the latest version of Windows 11 (as of June 24, 2024). The GrimResource attack begins with a malicious MSC file that attempts to exploit an old DOM-based cross-site scripting (XSS) flaw in the ‘apds.dll’ library, which allows the execution of arbitrary JavaScript through a crafted URL.

The vulnerability was reported to Adobe and Microsoft in October 2018, and while both investigated, Microsoft determined that the case did not meet the criteria for immediate fixing. As of March 2019, the XSS flaw remained unpatched, and it is unclear if it was ever addressed.

To detect a potential GrimResource attack, researchers recommend that system administrators should check:

• File operations that involve apds.dll invoked by mmc.exe.

• Suspicious executions via MCC, like processes spawned by mmc.exe with .msc file arguments.

• RWX memory allocations by mmc.exe that originate from script engines or .NET components.

• Unusual .NET COM object creation within non-standard script interpreters like JScript or VBScript.

• Temporary HTML files created in the INetCache folder as a result of APDS XSS redirection.

Why it matters: The first step in this complex process is the hackers tricking their target to click on a forged MSC file. Reportedly, researchers observed how the attackers contact their victim on Facebook and have them download a document. The document is an MSC file that disguised as a Word document. The hackers forged the file’s icon so that it looks like Word, not an MSC document. They also changed the “Run” button to “Open”, to avoid raising suspicion. When the victim clicks “Open”, the GrimResource technique exploits a cross-site scripting (XSS) vulnerability in the apds.dll library. By using it along with crafted MSC files, hackers can execute arbitrary JavaScript in the context of mmc.exe. It is important that users only click on expected links and only from trusted resources.

Summary: Summer is a time for travel for many people. While people take time off for vacation for the year, scammers take the opportunity to target these vacationers. Although scams are a year-round phenomenon, they take on different forms during summertime. Certain scams become more prominent during the travel season such as Airbnb scams, frequent flyer scams, and travel giveaways. All these scams are aimed at stealing money, information, and flyer miles people might use to normally book their vacations.

The Better Business Bureau listed tips on how to travel safely:

• Look for reviews and ask for references. While vetting hotels, travel companies, vacation rentals and more, check BBB.org for reviews and complaints. Look for photos and a variety of reviews. If the property or company doesn’t have any online reviews, ask for references and call them.

• Avoid wiring money or using a prepaid debit card. These payments are the same as sending cash. Once the money is sent, there is no way to get it back. Paying with a credit card the charges can be disputed and dramatically limit liability from a fraudulent purchase.

• A great deal probably isn’t the truth. Scammers lure in targets by guaranteeing an amazing trip at a very low price. Research it first. If the hotel, travel or tour is much cheaper than similar options, be suspicious.

• Do some snooping. Check the website for links to the company’s Twitter, Facebook, or Instagram accounts. Often, scam artists will link to Facebook.com instead of Facebook.com/THEIRCOMPANYNAME. If they do have social media accounts, check their activity and see if any other users have left reviews or voiced complaints. Also, look for typos and pixelated images. These mistakes are signs of a scammer, not a company that cares about their online presence.

Why it matters: Travel scams take advantage of people’s interests and the time-sensitive nature of bookings. During the summer, prices for flights and accommodations increase due to the volume of travel and the scarcity of ideal locations and seats. This combination allows for the ideal conditions for scammers to pressure and trick people into spending their money on non-existent or illegitimate travel packages. Although there are many vacation scams out there, it is important to remember that doing do diligence such as those listed by the Better Business Bureau above can help lower the chances of being a victim.