Current threat: RemcosRAT and QuasarRAT continue to spread via email
Ukraine's Government Computer Emergency Response Team (CERT-UA) reports detecting a new phishing attack to infect computers with malicious software.
The attack is carried out by sending emails with the subject "Requests" (for example, "Request for court documents"). The body of the email contains an attachment in the form of a RAR or ZIP archive, which may include one of two types of malware:
● RemcosRAT – a program for remote control of a computer that allows attackers to gain full access to the system.
● QuasarRAT – another remote control program that allows attackers to perform any action on the infected computer.
It is worth noting that attacks using Remcos and Quasar continue to occur with some frequency, so you must be extra careful now!
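As an added illustration that is not part of CERT-UA's report, the following Python script shows a mail-gateway-style triage check for the lure described above: it flags messages whose subject matches the "Request" lure and that carry a RAR or ZIP attachment, and for ZIP attachments it lists members with executable extensions. The sample message, attachment names and file contents are constructed for this example, and the keyword and extension lists are assumptions to tune for your own environment.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumed tuning values for this example (adjust to your environment)
ARCHIVE_EXTS = (".rar", ".zip")
EXECUTABLE_EXTS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk")
SUSPICIOUS_SUBJECT_WORDS = ("request",)


def build_sample_message(subject: str, attachment_name: str, attachment_bytes: bytes) -> EmailMessage:
    """Construct an in-memory message with one attachment (sample data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


def make_zip(members: dict) -> bytes:
    """Build a ZIP archive in memory from {member_name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage(msg: EmailMessage) -> list:
    """Return a list of human-readable findings for one message; empty list means nothing flagged."""
    findings = []
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in SUSPICIOUS_SUBJECT_WORDS):
        findings.append(f"subject matches lure pattern: {str(msg['Subject'])}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(ARCHIVE_EXTS):
            continue
        findings.append(f"archive attachment: {name}")
        if name.endswith(".zip"):
            data = part.get_payload(decode=True)
            try:
                # Listing members does not extract or execute anything
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_EXTS):
                            findings.append(f"executable inside archive: {name}:{member}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip, quarantine for sandbox analysis: {name}")
        else:
            # The standard library cannot open RAR; hand it to a sandbox instead
            findings.append(f"RAR archive not inspected here, quarantine for sandbox analysis: {name}")
    return findings


if __name__ == "__main__":
    sample = build_sample_message(
        "Request for court documents",
        "court_documents.zip",
        make_zip({"court_documents.exe": b"MZ constructed sample, not a real binary"}),
    )
    for finding in triage(sample):
        print(finding)
```

A real gateway would feed this from the mail stream and act on the findings (quarantine, detonate in a sandbox, alert); the point of the check is that archive attachments with a lure subject are escalated before a user can open them.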
Check out the research by CERT-UA at https://cert.gov.ua/article/6277063
9 new vulnerabilities in UEFI firmware threaten millions of computers and servers
A set of nine vulnerabilities, collectively called "PixieFail", has been discovered in the network boot software in UEFI firmware that lets most modern computers boot from the network.
Who is affected?
These vulnerabilities affect devices that use network (PXE) boot over IPv6, including those with UEFI firmware from major vendors such as American Megatrends Incorporated (AMI), Insyde Software Corporation, Intel, Phoenix Technologies and Microsoft.
The most common use of PXE boot is in servers and cloud environments, though it is also possible in specialized home or office setups with specific hardware and network configurations. Regardless of the environment, any device relying on network boot requires security measures to mitigate potential risks.
What could happen?
Attackers who can see traffic on a network can use these flaws to infect computers with malware that runs before the operating system and any security software load. For example:
● Attackers could take control of your computer or server (remote code execution).
● Hackers could steal your information (data leaks).
● Your computer or server could be crashed (denial of service).
● Attackers could manipulate your internet traffic (DNS cache poisoning and network session hijacking).
What should I do?
● Update UEFI firmware: install the latest stable firmware version that contains fixes for these vulnerabilities, following your device manufacturer's instructions.
● Disable network boot (PXE) if it is not used in your environment.
● Use network isolation so that the UEFI preboot environment is reachable only from trusted and secure networks.
● Protect the environment from unauthorized DHCP servers using Dynamic ARP Inspection and DHCP Snooping technologies.
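To show what the last two mitigations mean in practice, here is an added Python example that is not from the CERT/CC advisory: it audits a constructed one-packet-per-line summary of DHCPv6 traffic on a boot segment, alerting when an Advertise or Reply comes from a server address that is not on the allowlist, when an advertised boot file URL points to a host other than the expected boot server, and when more than one DHCPv6 server is answering at all. The line format, addresses and allowlists are assumptions made for this example; a switch feature would enforce the same policy per port, while this script demonstrates the check on a captured summary.

```python
import re
from urllib.parse import urlparse

# Constructed sample in an assumed "one packet per line" summary format
SAMPLE_LINES = [
    "2024-01-16T09:00:01Z DHCPv6 SOLICIT src=fe80::42 dst=ff02::1:2",
    "2024-01-16T09:00:02Z DHCPv6 ADVERTISE src=fe80::1 dst=fe80::42 "
    "boot-url=tftp://[2001:db8::10]/pxe/bootx64.efi",
    "2024-01-16T09:00:02Z DHCPv6 ADVERTISE src=fe80::beef dst=fe80::42 "
    "boot-url=tftp://[2001:db8::99]/boot/unknown.efi",
    "2024-01-16T09:00:03Z DHCPv6 REPLY src=fe80::1 dst=fe80::42 "
    "boot-url=tftp://[2001:db8::10]/pxe/bootx64.efi",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPv6 (?P<msg>[A-Z-]+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: boot-url=(?P<url>\S+))?$"
)
# Only messages sent by servers are relevant for rogue-server detection
SERVER_MESSAGES = {"ADVERTISE", "REPLY"}


def parse_line(line: str):
    """Return the parsed fields of one summary line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def boot_host(url: str):
    """Extract the host from a boot file URL; urlparse strips the brackets of an IPv6 literal."""
    return urlparse(url).hostname


def audit(lines, trusted_dhcp_servers, trusted_boot_hosts):
    """Return (timestamp, reason) alerts for server messages that violate the allowlists."""
    alerts = []
    servers_seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msg"] not in SERVER_MESSAGES:
            continue
        servers_seen.add(rec["src"])
        if rec["src"] not in trusted_dhcp_servers:
            alerts.append((rec["ts"], f"untrusted DHCPv6 server {rec['src']} sent {rec['msg']}"))
        if rec["url"]:
            host = boot_host(rec["url"])
            if host not in trusted_boot_hosts:
                alerts.append((rec["ts"], f"boot file URL points to untrusted host {host}"))
    if len(servers_seen) > 1:
        # Even without an allowlist, two answering servers on one boot segment is a red flag
        alerts.append(("summary", f"multiple DHCPv6 servers observed: {sorted(servers_seen)}"))
    return alerts


if __name__ == "__main__":
    # Assumed allowlists for the sample segment
    for ts, reason in audit(SAMPLE_LINES, {"fe80::1"}, {"2001:db8::10"}):
        print(ts, reason)
```

The allowlists are the policy: if the only legitimate boot infrastructure is one DHCPv6 server and one boot file host, anything else answering clients on that segment is either a misconfiguration or exactly the position an attacker needs for the flaws above.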
Research link: https://www.kb.cert.org/vuls/id/132380
Novel Evasive Phishing Technique Exploits Security Product Caching
Phishing is the most common method of malware delivery. As email security technologies evolve, hackers are inventing a variety of ways to bypass security measures, such as:
● Geofencing malware: targeting specific countries while remaining harmless elsewhere.
● Captcha cloaking: shielding malicious payloads from automated analysis.
● IP blacklisting: evading detection by blocking IP addresses known to belong to security products.
● QR code camouflage: hiding phishing links in plain sight.
Trellix has discovered a new way to cheat security tools: manipulating the security tools' cache.
The research shows:
● How OneDrive is being used as a Trojan horse that exploits the trust placed in it.
● Why seemingly harmless links are anything but.
● The crucial window of opportunity attackers exploit.
● Actionable steps to strengthen your defenses and outsmart evasive threats.
Research link: https://www.trellix.com/about/newsroom/stories/research/saints-turned-evil/
"Time to Update" Section
Microsoft
● Microsoft's January security update addresses 49 vulnerabilities, 12 of which could allow remote code execution.
● Two vulnerabilities are classified as critical: a Kerberos security feature bypass in Windows and an RCE in Hyper-V.
Chrome
● The January 16, 2024 Chrome update includes 4 security fixes.
Oracle
● On January 16, Oracle released the first quarterly security update package for 2024. It contains fixes for 191 vulnerabilities (CVEs) in 389 security updates for 26 Oracle product families.
● 9.5% of fixes are categorized as "critical", 49.4% as "high", and 36.2% as "medium" severity.
Adobe
● In January, Adobe released a patch package that addresses six vulnerabilities (CVEs) in Substance 3D Stager.
● All six vulnerabilities are rated Critical. The most serious of them allows arbitrary code execution.