While governments across the globe are loosening Coronavirus isolation measures, malicious parties continue to explore Covid-19 as well as other opportunities.
This week’s newsletter will cover:
- Attacks against Office 365 users bypassing MFA
- Attacks exploiting Telerik framework vulnerability
- Attacks impersonating Bluetooth devices
Attacks against Office 365 users bypassing MFA
Cybersecurity experts have spotted a campaign against Office 365 users luring them to access a file hosted on Microsoft SharePoint implying to be employment remuneration related.
Following the link, which reveals a lengthy URL in the address bar and a series of permission-requesting parameters such as “contacts.read”, “mail.read”, “notes.read.all” and “mailboxsettings.readwrite”, unsuspecting users are presented with a legitimate-looking Office 365 login screen. After signing in, victims are being asked to grant the rogue application the afore-mentioned permissions, allowing it to gain access to their accounts without user credentials or multi-factor authentication (MFA) code.
Attackers have found a way to exploit the way Office 365 access is granted to applications on behalf of users. The tactic relies on the capturing of access tokens issued by Microsoft Identity for authentication purposes and authorization codes used by Microsoft Graph for delegation purposes.
Although access tokens do expire, the malicious application has been granted permissions early in the attack cycle to obtain fresh ones i.e. to maintain access indefinitely.
Remediation: Block [hxxps://officehnoc.com/office] and create employee awareness.
Attacks exploiting Telerik framework vulnerability
According to security researchers, threat actors are exploiting a vulnerability in the Telerik framework (CVE-2019-18935) to infect public-facing servers running ASP .NET applications that are leveraging the framework for their user interface. Once the exploitation phase is over, attackers use the “Juicy Potato” technique to escalate their privileges and to maintain persistence across reboots, before installing the popular Monero cryptocurrency-mining malware – XMRRig, operated by a group dubbed Blue Mockingbird.
If online and internal network-connected IIS servers are compromised, the malicious party also attempts to spread internally via weakly-secured Remote Desktop Protocol or Server Message Block connections.
Remediation: Where updating the vulnerable application is not an option, block exploitation attempts for CVE-2019-18935 at their web firewall level or look for signs of a compromise at the server and workstation level.
Attacks impersonating Bluetooth devices
Researchers have identified a security vulnerability in Bluetooth Classic, exposing hundreds of millions of devices, that have not been updated since December 2019, to malicious parties.
The flaw allows an attacker to impersonate one of two previously paired devices, and if within wireless range, to gain full access to the other without possessing the actual pairing (link) key.
Remediation: Install latest updates from device and operating system manufacturers.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing firstname.lastname@example.org.
Amatas, Microsoft, Cyware, ZDNet, Red Canary, Help Net Security, Cofense, The Hacker News, École Polytechnique Fédérale de Lausanne