The Good, the Bad and the Ugly in Cybersecurity – Week 40

The Good

Good news this week from Meta (aka Facebook). The social media giant has taken down some 1600 accounts and disrupted a Russian disinformation campaign spread across 60 fraudulent news websites. The campaign, Meta says, spread fake stories and Russian propaganda regarding the war on Ukraine. The Facebook accounts were removed for what the company calls “coordinated inauthentic behavior”.

Meta says the operation began in May and centered around impersonating legitimate websites of news organizations including Der Spiegel, The Guardian and Bild. The fake sites used a technique known as “typosquatting” to mimic legitimate domain names such as theGuardian.com with fakes like Guardian[.]co[.]com. The fake news sites posted articles criticizing Ukraine and arguing that Western sanctions on Russia would backfire. The articles and related memes were then shared on the now-removed Facebook and Instagram accounts, as well as on Telegram and Twitter.
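The typosquatting described above (a brand word reused under a different suffix, hyphenated, padded, or misspelled) can be caught mechanically. The following is an added example, not code from Meta's report: a small look-alike domain classifier run over a constructed watch-list of the impersonated outlets and constructed candidate domains. The brand list, the candidates and the tiny public-suffix table are assumptions made for illustration; a real deployment would use the Public Suffix List and a feed of newly registered domains.

```python
"""Flag look-alike (typosquat) domains for a watch-list of brand domains.

Added example, not part of the Meta report. The brand list, candidate domains
and the tiny public-suffix table are constructed for illustration.
"""

# Constructed watch-list of the impersonated outlets named in the report.
BRANDS = {"theguardian.com", "spiegel.de", "bild.de"}

# Constructed candidates; the campaign's actual domains are not reproduced here.
CANDIDATES = [
    "theguardian.com",
    "guardian.co.com",
    "the-guardian.co",
    "guardlan.com",
    "spiegel-online.co",
    "bild.co.com",
    "example.org",
]

# Assumption: a tiny static suffix table; use the real Public Suffix List in production.
PUBLIC_SUFFIXES = ("co.com", "co.uk", "com", "org", "net", "de", "co")
STOP_PREFIXES = ("www", "the")


def registrable_label(domain: str) -> str:
    """Return the label just left of the public suffix ('theguardian' for www.theguardian.com)."""
    d = domain.lower().strip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suffix):
            d = d[: -len(suffix) - 1]
            break
    return d.rsplit(".", 1)[-1]


def brand_keyword(label: str) -> str:
    """Normalise a label to the brand word: drop hyphens and a leading 'the'/'www'."""
    label = label.replace("-", "")
    for prefix in STOP_PREFIXES:
        if label.startswith(prefix) and len(label) > len(prefix) + 2:
            return label[len(prefix):]
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typos of the brand word."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brands=BRANDS, max_distance: int = 2):
    """Return ('legitimate' | 'lookalike' | 'unrelated', matched brand or None)."""
    candidate = candidate.lower().strip(".")
    if candidate in brands:
        return "legitimate", candidate
    cand_kw = brand_keyword(registrable_label(candidate))
    for brand in sorted(brands):
        kw = brand_keyword(registrable_label(brand))
        same_word = cand_kw == kw                         # brand word under another suffix
        contains = len(kw) >= 5 and kw in cand_kw         # brand word padded with extra text
        typo = levenshtein(cand_kw, kw) <= max_distance   # small edit of the brand word
        if same_word or contains or typo:
            return "lookalike", brand
    return "unrelated", None


def scan(candidates=CANDIDATES):
    """Return (candidate, brand) pairs for every candidate that looks like a brand."""
    hits = []
    for c in candidates:
        verdict, brand = classify(c)
        if verdict == "lookalike":
            hits.append((c, brand))
    return hits


if __name__ == "__main__":
    for domain, brand in scan():
        print(f"{domain:<20} looks like {brand}")
```

The three tests are deliberately cheap: exact brand word under a different suffix (guardian.co.com), brand word with padding (spiegel-online.co) and a short edit distance (guardlan.com). Edit distance alone over-matches short brand words, which is why the "contains" rule only applies to words of five or more characters.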

Russian disinformation campaign

Notably, as known domains were taken down or blocked, the actors behind the campaign attempted to set up replacement websites, “suggesting persistence and continuous investment in this activity across the internet”, the report says. In some cases, the disinformation content was amplified through the Facebook Pages of a number of Russian embassies.

Mass online disinformation campaigns have become a regular tool of nation-state actors, and it is unlikely we will see a reversal of that trend anytime soon. Aside from public awareness, one of the few remedies we have to protect civil society and informed discourse is active countermeasures of the kind Meta took this week. Well done to them.

The Bad

The APT group variously known as TA410, Witchetty and LookingFrog has been up to some new tricks involving steganography and malware hidden in an image of the old Windows flag logo.

According to researchers, a bitmap image of the Windows flag logo was hosted on GitHub with the code for a backdoor embedded in it. Fetching the image from a trusted public service means the initial download does not show up as an unusual connection to an attacker-controlled C2 (Command & Control) server, and hiding the payload inside an iconic image helps it escape casual inspection.

Windows flag logo used to hide malware

The payload hidden in the image is XOR-encoded; once decoded with the key it delivers a full-featured backdoor able to move and delete files, start and stop processes, exfiltrate data and manipulate Windows Registry keys.
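To show what "a payload hidden in a bitmap and decoded with an XOR key" looks like from the analyst's side, here is an added example that is not the researchers' code and does not reproduce the real Witchetty sample. It builds a minimal BMP, appends a constructed stand-in for a PE file XOR-encoded with a short repeating key, and then recovers the key by a known-plaintext attack on the standard DOS header bytes (MZ\x90\x00\x03\x00\x00\x00) that most executables begin with. The placement of the payload after the declared bfSize, the key, and the fake PE body are all assumptions for illustration; real samples may hide data inside pixel rows rather than after the image.

```python
"""Find and decode an XOR-obfuscated payload appended to a BMP.

Added example, not the researchers' code. The BMP, the payload and the key
are constructed here; the fake 'PE' is only a header-shaped byte string.
"""
import struct

# First 8 bytes of a typical PE DOS header: used as known plaintext to recover the key.
DOS_STUB_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"


def make_bmp(width: int = 2, height: int = 2) -> bytes:
    """Build a minimal 24-bit BMP: 14-byte file header, 40-byte DIB header, padded rows."""
    row = b"\xff\x00\x00" * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)          # rows are padded to 4 bytes
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    bf_off = 14 + len(dib)
    header = b"BM" + struct.pack("<IHHI", bf_off + len(pixels), 0, 0, bf_off)
    return header + dib + pixels


def make_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a DLL: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    dos = DOS_STUB_PREFIX.ljust(0x3C, b"\x00") + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + body


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed(bmp: bytes, payload: bytes, key: bytes) -> bytes:
    """Append the XOR-encoded payload after the image; viewers ignore bytes past bfSize."""
    return bmp + xor_bytes(payload, key)


def trailing_bytes(blob: bytes) -> bytes:
    """Return whatever follows the BMP's declared file size (bfSize at offset 2)."""
    if len(blob) < 14 or blob[:2] != b"BM":
        raise ValueError("not a BMP")
    declared = struct.unpack_from("<I", blob, 2)[0]
    return blob[declared:]


def recover_key(trailer: bytes, max_key_len: int = 8):
    """Known-plaintext attack: derive a key of length 1..max_key_len from the DOS stub."""
    n = len(DOS_STUB_PREFIX)
    if len(trailer) < n:
        return None
    for klen in range(1, max_key_len + 1):
        key = xor_bytes(trailer[:klen], DOS_STUB_PREFIX[:klen])
        if xor_bytes(trailer[:n], key) == DOS_STUB_PREFIX:
            return key
    return None


def extract_payload(blob: bytes, max_key_len: int = 8):
    """Return (key, decoded_payload) if a PE-shaped payload trails the image, else None."""
    trailer = trailing_bytes(blob)
    key = recover_key(trailer, max_key_len)
    if key is None:
        return None
    decoded = xor_bytes(trailer, key)
    if len(decoded) < 0x44:
        return None
    e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
    if decoded[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":   # confirm the NT header signature
        return None
    return key, decoded


if __name__ == "__main__":
    clean = make_bmp()
    stego = embed(clean, make_fake_pe(b"constructed sample, not a real executable"), b"\x5a\xa5\x3c")
    print("clean image trailer:", len(trailing_bytes(clean)), "bytes")
    key, payload = extract_payload(stego)
    print("recovered key:", key.hex(), "payload starts:", payload[:2])
```

The check is deliberately two-stage: recovering a key from eight bytes of known plaintext can produce false positives on random trailers, so the e_lfanew pointer is followed and the "PE\0\0" signature verified before anything is reported. A clean image yields an empty trailer and no finding.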

Researchers say the threat actors have been attacking targets in the Middle East, including at least one government agency, since February 2022. Initial compromise exploits the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public-facing Exchange servers. The actors then steal credentials by dumping the memory of the LSASS process and move laterally to install further malware on computers across the network.

Unfortunately, it remains the case that many organizations have still failed to patch against ProxyShell and ProxyLogon vulnerabilities, and until they do, they and their customers remain at high risk of compromise from both APT and cybercrime threat actors.

The Ugly

Speaking of ProxyShell and ProxyLogon, this week news broke of two new Microsoft Exchange zero-days that one researcher has dubbed ProxyNotShell. Microsoft confirmed the vulnerabilities shortly afterwards as CVE-2022-41040 and CVE-2022-41082.

ProxyNotShell abuses the same Autodiscover path and the same Server-Side Request Forgery (SSRF) to Remote Code Execution (RCE) chain as the earlier ProxyShell. The difference is that the attacker must be authenticated to exploit it, although any valid non-admin mailbox credentials will do. CVE-2022-41040 lets the authenticated attacker remotely reach and trigger CVE-2022-41082, which allows remote code execution when PowerShell is accessible to the attacker.

Researchers spotted the vulnerability being exploited in the wild in August 2022 against critical infrastructure and other targets, although attribution at this time remains unknown.

The vulnerabilities affect organizations running on-premises Microsoft Exchange Server 2013, 2016 and 2019 with a public-facing Outlook Web App. It is estimated that worldwide there could be up to 250,000 Exchange servers vulnerable to ProxyNotShell. Microsoft says it is “working on an accelerated timeline to release a fix”. In the meantime, impacted organizations should apply Microsoft's interim mitigation guidance and review their Exchange servers for signs of exploitation.