fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows zero-day Exploited in US Local Govt Phishing Attacks

Windows zero-day Exploited in US Local Govt Phishing Attacks

European governments and US local governments were the targets of a phishing campaign using malicious Rich Text Format (RTF) documents designed to exploit a critical Windows zero-day vulnerability known as Follina.

BleepingComputer is aware of local governments in at least two US states that were targeted by this phishing campaign.

“Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit Follina/CVE_2022_30190,” security researchers at enterprise security firm Proofpoint revealed.

The attackers used salary increase promises to bait employees to open the lure documents, which would deploy a Powershell script as the final payload.

Also Read: The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases

This is used to check if the system is a virtual machine, steal information from multiple web browsers, mail clients, and file services, and collect system information that gets exfiltrated to an attacker-controlled server.

Phishing email
Phishing email (Proofpoint)

As BleepingComputer found while checking the final PowerShell payload of this attack, the threat actors are harvesting large amounts of info revealing this campaign’s reconnaissance attack nature since the collected data can be used for initial access:

  • Browser passwords: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc, and AVAST Browser.
  • Data from other apps: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat
  • Windows information: Computer information, list of usernames, Windows domain information

“While Proofpoint suspects this campaign to be by a state aligned actor based on both the extensive recon of the Powershell and tight concentration of targeting, we do not currently attribute it to a numbered TA,” the security researchers said.

PowerShell script
PowerShell script (BleepingComputer)

The security flaw exploited in these attacks is tracked as CVE-2022-30190 and was described by Redmond as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug.

Also Read: How long do employers keep employee records after termination?

CVE-2022-30190 is still unpatched and it affects all Windows versions still receiving security updates (i.e., Windows 7+ and Server 2008+).

If successfully exploited, this zero-day can be used to execute arbitrary code with the privileges of the calling app to install programs, view, change, delete data, or create new Windows accounts.

Proofpoint also revealed last week that the China-linked TA413 hacking group is now exploiting the vulnerability in attacks targeting their favorite target, the international Tibetan community.

Security researcher MalwareHunterTeam also spotted malicious documents with Chinese filenames used to deploy password-stealing trojans.

However, the first attacks targeting this zero-day were spotted more than a month ago, using sextortion threats and invitations to Sputnik Radio interviews as baits.

While Microsoft is yet to release CVE-2022-30190 patches, CISA has urged Windows admins and users to disable the MSDT protocol abused in these attacks after Microsoft reported active exploitation of the bug in the wild.

Until Microsoft releases official security updates, you can patch your systems against these ongoing attacks using unofficial patches released by the 0patch micropatching service. 

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us