Tag Archive for: bypass

Attackers bypass Microsoft patch to deliver Formbook malware


Sophos Labs researchers have detected the use of a novel exploit able to bypass a patch for a critical vulnerability (CVE-2021-40444) affecting the Microsoft Office file format.

The attackers took a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook malware. The attackers then distributed it through spam emails for approximately 36 hours before it disappeared.

From CAB to “CAB-less” exploit to bypass the patch for CVE-2021-40444

The CVE-2021-40444 vulnerability is a critical remote code execution (RCE) vulnerability that attackers can exploit to execute any code or commands on a target machine without the owner’s knowledge. Microsoft released an urgent mitigation followed by a patch in September. A few days later, the company shared how attackers have been exploiting the flaw to deliver custom Cobalt Strike payloads.

Sophos researchers found the 36-hour campaign featuring the new exploit in late October. They discovered that the attackers had reworked the original exploit by placing the malicious Word document inside a specially crafted RAR archive. This newer, “CAB-less” form of the exploit successfully evades the original patch.

CVE-2021-40444 patch bypass

Sophos data shows that the amended exploit was used in the wild for around 36 hours. According to the researchers, the limited lifespan of the updated attack could mean it was a “dry run” experiment that might return in future incidents.

“In theory, this attack approach shouldn’t have worked, but it did,” said Andrew Brandt, principal threat researcher at Sophos.

“The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn’t appear to mind if the archive is malformed, for…


Shlayer Malware Exploited macOS Zero-Day To Bypass Apple Security


Apple has recently released macOS Big Sur 11.3. This update addresses numerous security flaws, including a zero-day under active attack. As revealed, Shlayer malware was exploiting this zero-day to target vulnerable macOS devices via a Gatekeeper bypass.

Shlayer Malware Exploiting macOS Zero-day

Apple security firm Jamf Protect has shared details of a serious macOS zero-day that a Shlayer malware variant is actively exploiting.

The vulnerability first caught the attention of researcher Cedric Owens, who reported it to Apple. It was a serious security issue that allowed an adversary with a malicious app to bypass Apple’s Gatekeeper security check.

Elaborating further on this issue, Patrick Wardle explained that a logic issue existed in the way macOS evaluates an app. Because of the bug, the system allowed even unsigned apps to run uninhibited. As stated,

Any script-based application that does not contain an Info.plist file will be misclassified as “not a bundle” and thus will be allowed to execute with no alerts nor prompts.

Wardle has shared how an app could exploit this flaw in his blog post.

Following this discovery, Wardle reached out to Jamf Protect, which detected active exploitation of the bug by a Shlayer variant.

Shlayer first caught attention in June 2020 when researchers noticed it actively targeting macOS devices. The malware would easily bypass Apple’s underlying security mechanisms, such as Gatekeeper, Notarization, and File Quarantine.

And now, Jamf has detected a Shlayer variant already designed to exploit this logic issue, CVE-2021-30657. As a result, the malware no longer requires user interaction (such as the right-click step needed by the previous variant) to execute. All it takes is to trick a user into downloading the malicious file onto the device and attempting to install it.

The attackers are currently distributing this malware via compromised and phishing websites that appear in Google search results (SERPs).

Another Gatekeeper Bypass Also Fixed Along With Other Bugs

In addition to the above, one more Gatekeeper bypass bug has also been fixed in macOS Big Sur 11.3.

This vulnerability caught the attention of F-Secure researcher Rasmus Sten, who reported it to Apple.

Elaborating on this flaw in a blog…


New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems



Cybersecurity researchers on Monday disclosed two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative-execution attacks such as Spectre and obtain sensitive information from kernel memory.

Discovered by Piotr Krysiuk of Symantec’s Threat Hunter team, the flaws — tracked as CVE-2020-27170 and CVE-2020-27171 (CVSS scores: 5.5) — impact all Linux kernels prior to 5.11.8. Patches for the security issues were released on March 20, with Ubuntu, Debian, and Red Hat deploying fixes for the vulnerabilities in their respective Linux distributions.

While CVE-2020-27170 can be abused to reveal content from any location within the kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.

First documented in January 2018, Spectre and Meltdown take advantage of flaws in modern processors to leak data that is currently being processed on the computer, thereby allowing a bad actor to bypass the boundaries the hardware enforces between two programs and get hold of secrets such as cryptographic keys.

Put differently, the two side-channel attacks permit malicious code to read memory that it would typically not have permission to access. Even worse, the attacks can also be launched remotely via rogue websites running malicious JavaScript code.

Although isolation countermeasures have been devised, and browser vendors have incorporated defenses against timing attacks by reducing the precision of time-measuring functions, these mitigations operate at the operating-system and application level rather than fixing the underlying hardware issue.

The new vulnerabilities uncovered by Symantec get around these mitigations in Linux by taking advantage of the kernel’s support for extended Berkeley Packet Filter (eBPF) programs to extract the contents of kernel memory.

“Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and execute speculatively out-of-bounds loads with no restrictions,” Symantec said. “This could then be abused to reveal contents of the memory via side-channels.”

Specifically, the kernel (“kernel/bpf/verifier.c”) was found to perform undesirable…


Google Services Weaponized to Bypass Security in Phishing, BEC Campaigns – Threatpost



