#Magniber
https://www.malwarebytes.com/blog/news/2024/08/magniber-ransomware-targets-home-users
Happy Monday everyone!
I am sifting through the Cisco Talos Intelligence Group "Year In Review" report that was recently published and highlighting some of the things that I found useful/interesting from my perspective.
Top Targeted Vulnerabilities:
7/10 of the top CVEs belonged to #Microsoft. Now, I am not pointing fingers; I think it is there simply because the vast majority of environments are Windows.
What IS concerning is that there are multiple vulnerabilities that were being exploited that were either 10 years old or ALMOST 10 years old.
8/10 of the top CVEs had a score of 9 or above.
One of these CVEs was CVE-2021-1675, which is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations. One product of this vulnerability was the #PrintNightmare exploit that was leveraged by the #Magniber ransomware group.
Stay tuned for more as we work our way through this report! Enjoy and Happy Hunting!
https://blog.talosintelligence.com/talos-year-in-review-2022/
We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. As these Year in Review reports continue in the future, we aim to help explain how the threat landscape changes from one year to the next.
Get up to speed on the week's infosec news before another week in the trenches:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-e05
Last week's patch Tuesday had SmartScreen bypasses and the Ping of Death, but nothing could beat the #Outlook zero-click credential leak that #Microsoft patche-er, uh, wait, no not quite patched - turns out you can still abuse it locally to harvest NTLM credentials, yikes!
Non-transitive trusts have one job - to enable cross-domain authentication between only the two domains that maintain it. Turns out, that's not the case - you can actually pivot between domains and forests, authenticating to Services well outside the intended scope of the trust. And Microsoft aren't going to fix it.
#Emotet have realised in week two of their return that there's more to life than Macros, and have joined in the abuse of #OneNote files to deliver their lures.
In the world of ransomware, #BianLian have opted to focus on exfil-and-extortion campaigns, after Avast released a pesky decryptor for their ransomware in January this year. #CISA have opened their books and shared a detailed profile on #LockBit 3.0's favoured TTPs and tooling that's worth a read.
#Google TAG have outed Microsoft taking the easy way out in their previous patch of a SmartScreen bypass, opting to issue a half-baked patch that the #Magniber ransomware crew quickly circumvented, enabling them to deliver over 100,000 malicious lures unencumbered by the now-patched security control.
If you're running Adobe's ColdFusion, Aruba ClearPass, or SAP software - you're going to want to make sure you caught and patched these vulnerabilities that debuted last week.
#Redteam members have a new and improved AD lab environment to play in, as well as new evasion techniques for remote shells and macros to add to the toolkit!
Offensive Security have a gift for the #blueteam in the defensive Kali Purple distro, and we've caught a bunch of awesome write-ups to help in scaling Detection Engineering and mitigating common initial access vectors.
Catch all this and much more in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-e05
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #patchtuesday #adobe #ColdFusion #Aruba #ClearPass #SAP #Kali
#Magniber #ransomware actors used a variant of #Microsoft #SmartScreen #bypass
Financially motivated threat actors used an unpatched security bypass to deliver ransomware without any security warnings
Proof of Concept: #Malware Delivery via #appx/#msix packages.
In our test case we needed administrative permissions to install the package with putty.exe as our test payload.
We did test it first with a #Wannacry #Ransomware binary, but Windows Defender caught the payload and that didn't look so nice on a screenshot 😅
Our .appx demo package is based on an in-the-wild sample of #Magniber #Ransomware that was signed with a stolen signature (Jan 2022). With this change in Windows 11 it is now possible to install unsigned appx packages (given required perms).
https://twitter.com/f0wlsec/status/1481338661824307204
Detection opportunities:
- Execution out of C:\Program Files\WindowsApps\
- Looking for the special OID documented by Microsoft here: https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
We are going to publish our #Yara rules for this tomorrow, stay tuned.
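Added example, not SIFalcon's code and not the YARA rules they mention: a Python sketch of the two detection opportunities listed above, run over constructed Sysmon-style process-creation records and two constructed AppxManifest.xml fragments. The WindowsApps path, the package-full-name layout (Name_Version_Arch_ResourceId_PublisherId) and Microsoft's publisher ID 8wekyb3d8bbwe are real; the unsigned-package OID value is copied from the Microsoft page linked above and should be confirmed there before use; the sample events, the fake "WindowsUpdate" package and its publisher ID are invented for the demo.

```python
"""Triage helpers for appx/MSIX sideloading: execution out of WindowsApps
plus the unsigned-package OID in AppxManifest.xml (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# OID Microsoft documents in the Publisher of an unsigned MSIX/appx package
# (learn.microsoft.com/en-us/windows/msix/package/unsigned-package); verify there.
UNSIGNED_PACKAGE_OID = "2.25.311729368913984317654407730594956997722"

WINDOWSAPPS_PREFIX = "c:\\program files\\windowsapps\\"

# Publisher IDs you expect under WindowsApps. 8wekyb3d8bbwe is Microsoft's;
# build the real allowlist from Get-AppxPackage on a known-good host.
TRUSTED_PUBLISHER_IDS = {"8wekyb3d8bbwe"}


def windowsapps_package(image_path: str) -> Optional[str]:
    """Return the package full name if image_path runs out of WindowsApps, else None."""
    if not image_path.lower().startswith(WINDOWSAPPS_PREFIX):
        return None
    rest = image_path[len(WINDOWSAPPS_PREFIX):]
    return rest.split("\\", 1)[0]


def publisher_id(package_full_name: str) -> str:
    """Package full names end in _<PublisherId>."""
    return package_full_name.rsplit("_", 1)[-1]


def parse_event(line: str) -> dict:
    """Parse one tab-separated key=value process-creation record."""
    return dict(field.split("=", 1) for field in line.split("\t"))


def triage_events(lines, trusted=TRUSTED_PUBLISHER_IDS) -> list:
    """Flag WindowsApps executions whose package publisher is not allowlisted."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        pkg = windowsapps_package(ev.get("Image", ""))
        if pkg is None:
            continue  # only WindowsApps executions are in scope
        pid = publisher_id(pkg)
        if pid in trusted:
            continue
        findings.append({"image": ev["Image"], "package": pkg,
                         "publisher_id": pid, "parent": ev.get("ParentImage", "")})
    return findings


def manifest_is_unsigned(manifest_xml: str) -> bool:
    """True if the Identity Publisher carries the unsigned-package OID."""
    root = ET.fromstring(manifest_xml)
    pattern = r"OID\." + re.escape(UNSIGNED_PACKAGE_OID) + r"\s*=\s*1\b"
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Identity":  # namespace-agnostic match
            return re.search(pattern, el.get("Publisher", ""), re.IGNORECASE) is not None
    return False


# Constructed Sysmon-like records (not real telemetry).
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.16.10261.0_x64__8wekyb3d8bbwe\\WindowsTerminal.exe"
    "\tParentImage=C:\\Windows\\explorer.exe\tUser=CORP\\alice",
    "Image=C:\\Program Files\\WindowsApps\\WindowsUpdate_1.0.0.0_x64__q9r2x4tsd8b3e\\putty.exe"
    "\tParentImage=C:\\Windows\\explorer.exe\tUser=CORP\\alice",
    "Image=C:\\Windows\\System32\\svchost.exe"
    "\tParentImage=C:\\Windows\\System32\\services.exe\tUser=NT AUTHORITY\\SYSTEM",
]

# Constructed manifests: one with the unsigned OID, one with a normal publisher DN.
UNSIGNED_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="WindowsUpdate" Version="1.0.0.0" ProcessorArchitecture="x64"
            Publisher="CN=Windows Update, OID.2.25.311729368913984317654407730594956997722=1" />
</Package>"""

SIGNED_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Microsoft.WindowsTerminal" Version="1.16.10261.0" ProcessorArchitecture="x64"
            Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" />
</Package>"""


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print("WindowsApps execution from untrusted publisher:", f)
    print("unsigned manifest flagged:", manifest_is_unsigned(UNSIGNED_MANIFEST))
    print("signed manifest flagged:", manifest_is_unsigned(SIGNED_MANIFEST))
```

The path check alone is noisy on a fleet (every Store app runs from WindowsApps), which is why the example keys on the publisher ID suffix of the package directory; a sideloaded package installed in developer mode still lands there under whatever publisher the manifest claims. The manifest check only applies where you have the package contents, for example the installed package directory or the sample itself.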
“The .appx file can only be installed if the system is set to the "Sideloading" or "Developer" mode. Since the error message is pretty clear most victims would probably still enable it though. Sample: e2d3af7acd9bb440f9972b192cbfa83b07abdbb042f8bf1c2bb8f63944a4ae39”
Picking up where we left off yesterday: We created two #Yara rules for the #Magniber #Ransomware delivery method. You can find them in our GitHub Repository and on @abuse_ch Yaraify ⬇️ Have a nice weekend and happy hunting 🔍
https://github.com/SIFalcon/Detection/tree/main/Yara/Malware
https://yaraify.abuse.ch/yarahub/rule/RANSOM_Magniber_ISO_Jan23/
https://yaraify.abuse.ch/yarahub/rule/RANSOM_Magniber_LNK_Jan23/
#Magniber #Ransomware is continuing to spread fake Windows Update installers (.msi), but since yesterday the threat actors are also distributing .iso archives instead of .zip files. You can find our brief analysis of the msi and the lnk file below ⬇️
AvastThreatLabs first reported about the .zip file distribution yesterday: https://twitter.com/AvastThreatLabs/status/1613248553626787842
IoC (MD5):
- 5G offer.lnk: 5ab873527a526cd4ea2bead2b302b38a
- 5G-Installer: 126f77e151529eeb3b2f42c49691e9c0
- Binary.UpdateBinary: 10ccc8f56a2894d18d71f9f32a923aa7
- iso: fedb6673626b89a9ee414a5eb642a9d9
We uploaded the samples mentioned above to @abuse_ch Malware Bazaar, have fun :)
“Several waves of #MagniBer #ransomware attacks have hit FR 🇫🇷, IT 🇮🇹 and DE 🇩🇪 in the past hours with roughly 20K protected users. The attackers used #malvertising, leading to downloading a ZIP file with a fake MSI installer that appears to be an important security update.”
Something interesting with #Magniber ransomware delivery.
Seeing the previous #MagnitudeEK URI pattern again (sub domains).