The Good, the Bad and the Ugly in Cybersecurity – Week 15

The Good

It’s that time of year again when security researchers get to show off their skills and reap the rewards in big cash prizes from Pwn2Own.

This year’s event was live streamed across social media sites as well as the event’s own site and featured 23 attempts targeting 10 different products from categories including Web Browsers, Virtualization software, Servers and Enterprise Communications.

So far we’ve seen big cash payouts for three separate exploits that allowed guest-to-host escape in macOS virtualization software Parallels Desktop ($40,000 each for the researchers), a $200,000 payout to two researchers who exploited a bug chain in Zoom messenger to achieve code execution on a target system, and another $200,000 payout to a researcher for exploiting a pair of bugs in Microsoft Teams. Two researchers also received a combined payout of $200,000 for combining an authentication bypass with a local privilege escalation to pwn an MS Exchange server. You can read all the details here.

Given that in this section we regularly highlight the penalties meted out to (sometimes) talented hackers for misusing their interest and skill for financial reward, we hope that highlighting this kind of competition might help to push those tempted by the Dark Side towards a more socially responsible and profitable use of their interests. CTFs, Bug Bounties, and – maybe one day – a high-dollar reward in a future Pwn2Own are all better paths for those with legitimate interest in computer hacking. May the Force be with you!

The Bad

CISA released an alert this week warning businesses running “outdated or misconfigured” SAP applications of malicious cyber activity. The alert comes on the back of research from Onapsis and SAP that found evidence of over 300 automated exploitations leveraging seven SAP-specific attack vectors.

The researchers found evidence that the exploits were in use by multiple threat actors and warned that patched vulnerabilities were being weaponized in less than 72 hours. Where enterprises deployed unpatched SAP applications in IaaS cloud environments, the researchers found evidence that the time to discovery and compromise was as little as 3 hours.


The specific bugs seen exploited were CVE-2010-5326, CVE-2016-3976, CVE-2016-9563, CVE-2018-2380, CVE-2020-6207, and CVE-2020-6287.

Once compromised, the exploited SAP applications could be used to bypass common security and compliance controls, enable the theft of sensitive data and potentially lead to a ransomware attack. CISA similarly warned that the vulnerabilities could lead to financial fraud and disruption of mission critical business processes.

As is unfortunately so often the case, these attacks rely on organizations failing to apply patches for known vulnerabilities. In some cases, patches have been available to customers for months and even years. Given the turnaround time to exploitation noted in the Onapsis report, organizations failing to keep up with updating their SAP applications are leaving themselves at high risk of compromise. Accordingly, operators of SAP systems are strongly advised to review the Onapsis research and apply all necessary updates and mitigations as a matter of urgency.

The Ugly

Job hunting is stressful enough at the best of times, and certainly that hasn’t been helped for most in the era of COVID-19. But on top of the usual anxieties, there is also the threat of being compromised by malware when opening documents pertaining to potential job offers. Any way that threat actors can lure a phishing target to open a poisoned document is going to prove attractive, and job hunters are among the most likely to be eager to do just that.

It’s thus no surprise to learn that APT34 have been using this tried and trusted technique against job hunters by posing as a fictitious U.S. based consulting firm called ‘Ntvia’ and circulating a booby-trapped Word doc named Job-Details.doc. The document advertises vacancies for a wide variety of positions including Accountants, Project Managers and IT Managers in locations such as Saudi Arabia, Kuwait and the UAE. The Iranian APT34 threat actor has been known to deliver malicious documents via LinkedIn messages in the past, but it’s not clear as yet how this most recent APT campaign is being distributed.

Analysis by researchers reveals that the Job-Details.doc uses malicious Macros with DNS tunneling to drop a backdoor dubbed ‘SideTwist’, which includes functionality for downloading payloads and exfiltrating user data. Shell command execution is also available to the attackers. The VB macros in the document are also responsible for persistence via registering a scheduled task named SystemFailureReporter, which executes the 2nd stage payload at 5 minute intervals.

Based on multiple similarities to previous campaigns as well as the content of the advertised job vacancies, the researchers attribute the campaign to Iran-backed APT34 with high confidence and believe it to be targeting Lebanese and Middle Eastern job hunters in particular.