All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of June 06, 2022. I’ve also included some comments on these stories.
Another nation-state actor exploits Microsoft Follina to attack European and US entities
A nation-state actor is attempting to exploit the Follina flaw in a recent wave of attacks aimed at government entities in Europe and the U.S., reports Security Affairs. The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.
DARLENE HIBBS | Security Researcher at Tripwire
The recently disclosed 0-day in Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190, nicknamed Follina, is being actively exploited by a nation-state actor to attack government entities via malicious Word documents. The 0-day can be exploited via a Word document and allows remote code execution with minimal interaction from the user. It is possible to exploit this vulnerability without the user needing to open the document, which bypasses the protections given by the Protected View feature of Office to limit code execution. To mitigate the risk from the vulnerability, it is recommended that the registry keys relating to MSDT be deleted.
Linux botnets now exploit critical Atlassian Confluence bug
Several botnets are now using exploits targeting a critical remote code execution (RCE) vulnerability to infect Linux servers running unpatched Atlassian Confluence Server and Data Center installs. Bleeping Computer notes that successful exploitation of this flaw (tracked as CVE-2021-26084) allows unauthenticated attackers to create new admin accounts, execute commands, and ultimately take over the server remotely to backdoor Internet-exposed servers.
ANDREW SWOBODA | Senior Security Researcher at Tripwire
CVE-2021-26084 has been actively exploited in the wild since the release of proofs of concept. This vulnerability allows attackers to remotely execute code on a vulnerable system. The vulnerability has been seen in the Kinsing, Hezb, and Dark IoT botnets.
CVE-2022-26134 is another vulnerability that allows attackers to execute arbitrary code on systems. This vulnerability had proofs of concept released and is known to be actively exploited. Atlassian has since released fixed versions and a workaround for systems that cannot be upgraded.
Tainted CCleaner Pro Cracker spreads via Black SEO campaign
Threat actors spread info-stealing malware through the search results for a pirated copy of the CCleaner Pro Windows optimization program, Security Affairs noted on June 9. Researchers from Avast uncovered the malware campaign, tracked as FakeCrack.
ANDREW SWOBODA | Senior Security Researcher at Tripwire
Pirated copies of CCleaner Pro have been used to steal information from users. Cracked versions of the product infected systems with malware that harvested sensitive information. This malware configures a proxy and then sends data to malicious users. To resolve the proxy, you can remove the AutoConfigURL registry key in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
Pirated software has been known to spread malicious content. Users should protect themselves by using legitimate copies of software.
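As an added example (not code from the original post or from Tripwire), the PowerShell function below audits and, on request, remediates the two registry-based mitigations discussed above: the AutoConfigURL value under the Internet Settings path named in the FakeCrack commentary, and the ms-msdt URL protocol-handler key, which is Microsoft's published workaround for Follina. The function name and backup directory are my own choices; the key is exported to a .reg file before deletion so the change can be reversed once the Office patch is applied.

```powershell
# Added example: audit/remediate helper for the FakeCrack proxy and Follina workaround.
# Run as the affected user for the HKCU check and elevated for the HKCR check.
# Nothing is changed unless -Remediate is given; -WhatIf previews the actions.
function Invoke-VertRegistryCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate,
        # Assumed backup location; any writable directory will do.
        [string]$BackupDir = (Join-Path $env:TEMP 'vert-reg-backup')
    )

    $findings = @()

    # 1. FakeCrack: a PAC URL planted in AutoConfigURL routes browser traffic via the attacker's proxy.
    $inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pac = Get-ItemProperty -Path $inetSettings -Name AutoConfigURL -ErrorAction SilentlyContinue
    if ($pac -and $pac.AutoConfigURL) {
        $findings += [pscustomobject]@{ Issue = 'AutoConfigURL set'; Location = $inetSettings; Value = $pac.AutoConfigURL }
        if ($Remediate -and $PSCmdlet.ShouldProcess($inetSettings, 'Remove AutoConfigURL value')) {
            Remove-ItemProperty -Path $inetSettings -Name AutoConfigURL
        }
    }

    # 2. Follina (CVE-2022-30190): the ms-msdt: handler lets a crafted document launch MSDT.
    $msdtKey  = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    $msdtName = 'HKEY_CLASSES_ROOT\ms-msdt'
    if (Test-Path $msdtKey) {
        $default = (Get-ItemProperty -Path $msdtKey).'(default)'
        $findings += [pscustomobject]@{ Issue = 'ms-msdt handler present'; Location = $msdtName; Value = $default }
        if ($Remediate -and $PSCmdlet.ShouldProcess($msdtName, 'Export then delete ms-msdt key')) {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            $backup = Join-Path $BackupDir 'ms-msdt.reg'
            # Keep a restorable copy before removing the key (Microsoft's workaround sequence).
            & reg.exe export $msdtName $backup /y | Out-Null
            & reg.exe delete $msdtName /f | Out-Null
        }
    }

    return $findings
}

# Audit only; add -Remediate (optionally with -WhatIf) to act on the findings.
Invoke-VertRegistryCheck | Format-Table -AutoSize
```

Re-importing the exported .reg file restores the ms-msdt handler once the system has been patched.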